Merge pull request #5242 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md

@@ -14,7 +14,7 @@ author: jsuther1974
 ms.reviewer: isbrahm
 ms.author: dansimp
 manager: dansimp
-ms.date: 3/17/2020
+ms.date: 06/02/2021
 ms.technology: mde
 ---
 
@@ -22,14 +22,14 @@ ms.technology: mde
 
 A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations:
 
-- Event IDs beginning with 30 appear in Applications and Services logs | Microsoft | Windows | CodeIntegrity | Operational
+- Event IDs beginning with 30 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational**
 
-- Event IDs beginning with 80 appear in Applications and Services logs | Microsoft | Windows | AppLocker | MSI and Script
+- Event IDs beginning with 80 appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**
 
 ## Microsoft Windows CodeIntegrity Operational log event IDs
 
 | Event ID | Explanation |
-|---|----------|
+|--------|-----------|
 | 3076 | Audit executable/dll file |
 | 3077 | Block executable/dll file |
 | 3089 | Signing information event correlated with either a 3076 or 3077 event. One 3089 event is generated for each signature of a file. Contains the total number of signatures on a file and an index as to which signature it is. Unsigned files will generate a single 3089 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". |
@@ -38,7 +38,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 ## Microsoft Windows AppLocker MSI and Script log event IDs
 
 | Event ID | Explanation |
-|---|----------|
+|--------|-----------|
 | 8028 | Audit script/MSI file generated by Windows LockDown Policy (WLDP) being called by the script hosts themselves. Note: there is no WDAC enforcement on third-party script hosts. |
 | 8029 | Block script/MSI file |
 | 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. Correlated in the "System" portion of the event data under "Correlation ActivityID". | |
@@ -48,7 +48,7 @@ A Windows Defender Application Control (WDAC) policy logs events locally in Wind
 If either the ISG or MI is enabled in a WDAC policy, you can optionally choose to enable 3090, 3091, and 3092 events to provide more diagnostic information.
 
 | Event ID | Explanation |
-|---|----------|
+|--------|---------|
 | 3090 | Allow executable/dll file |
 | 3091 | Audit executable/dll file |
 | 3092 | Block executable/dll file |
@@ -60,7 +60,7 @@ If either the ISG or MI is enabled in a WDAC policy, you can optionally choose t
 Below are the fields that help to diagnose what a 3090, 3091, or 3092 event indicates.
 
 | Name | Explanation |
-|---|----------|
+|------|------|
 | StatusCode | STATUS_SUCCESS indicates a binary passed the active WDAC policies. If so, a 3090 event is generated. If not, a 3091 event is generated if the blocking policy is in audit mode, and a 3092 event is generated if the policy is in enforce mode. |
 | ManagedInstallerEnabled | Policy trusts a MI |
 | PassesManagedInstaller | File originated from a trusted MI |
@@ -81,3 +81,43 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
 ```powershell
 reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
 ```
+
+## Appendix
+A list of other relevant event IDs and their corresponding description.
+
+| Event ID | Description |
+|-------|------|
+| 3001 | An unsigned driver was attempted to load on the system. | 
+| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
+| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
+| 3010 | The catalog containing the signature for the file under validation is invalid. |
+| 3011 | Code Integrity finished loading the signature catalog. |
+| 3012 | Code Integrity started loading the signature catalog. |
+| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
+| 3024 | Windows application control was unable to refresh the boot catalog file. |
+| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
+| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. | 
+| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3064 | If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. | 
+| 3065 | [Ignored] If the policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | 
+| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
+| 3075 | This event monitors the performance of the Code Integrity policy check a file. |
+| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3080 | If the policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. |
+| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3082 | If the policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | 
+| 3084 | Code Integrity will enforce the WHQL Required policy setting on this session. |
+| 3085 | Code Integrity will not enforce the WHQL Required policy setting on this session. |
+| 3086 | COM object was blocked. Learn more about COM object authorization: Allow COM object registration in a WDAC policy (Windows 10) - Windows security - Microsoft Docs|
+| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | 
+| 3097 | The Code Integrity policy cannot be refreshed. | 
+| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
+| 3101 | Code Integrity started refreshing the policy. | 
+| 3102 | Code Integrity finished refreshing the policy. | 
+| 3103 | Code Integrity is ignoring the policy refresh. | 
+| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | 
+| 3105 | Code Integrity is attempting to refresh the policy. | 
+| 3108 | Windows mode change event was successful. |
+| 3110 | Windows mode change event was unsuccessful. |
+| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. |