diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 5ee9f992a3..02aa19ebf0 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -18,124 +18,25 @@ The following types of apps run on Windows 10: - "Win32" apps - traditional Windows applications. Digging into the Windows apps, there are two categories: -- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. -- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: +- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. +- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. -> [!TIP] -> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: -> ```powershell -> Get-AppxPackage | select Name,PackageFamilyName -> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName -> ``` - -## System apps - -System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.Broker.Plugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows. ModalSharePickerHost | x | | |No | -| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | -| | Microsoft.Windows. ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | -| | Microsoft.Windows. SecHealthUI | x | x | x |No | -| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | -| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows. ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | - -> [!NOTE] -> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Installed Windows apps - -Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| -| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | -| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | -| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | -| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | -| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | -| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | -| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | -| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | -| News | Microsoft.BingNews | x | x | x | Yes | -| Flipboard | | | | | Yes | -| | Microsoft.Advertising.Xaml | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | -| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | -| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | -| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | -| | Microsoft.Services.Store.Engagement | | x | x | Yes | -| | Microsoft.VCLibs.120.00 | x | x | x | Yes | -| | Microsoft.VCLibs.140.00 | x | x | x | Yes | -| | Microsoft.VCLibs.120.00.Universal | | x | | Yes | -| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | -| | Microsoft.WinJS.2.0 | x | | | Yes | ---- ## Provisioned Windows apps Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. -``` -> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName -``` +> [!TIP] +> You can list all provisioned Windows apps with this PowerShell command: +> ``` +> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +> ``` | Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | |----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| @@ -152,7 +53,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an | Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No | | Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | | Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | @@ -185,4 +86,106 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an --- >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. +--- + +## System apps + +System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. + +> [!TIP] +> You can list all system apps with this PowerShell command: +> ``` +> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +> ``` + +| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? | +|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No | +| | InputApp | | x | x | No | +| Cortana UI | CortanaListenUIApp | x | | | No | +| | Desktop Learning | x | | | No | +| | DesktopView | x | | | No | +| | EnvironmentsApp | x | | | No | +| Mixed Reality + | HoloCamera | x | | | No | +| Mixed Reality + | HoloItemPlayerApp | x | | | No | +| Mixed Reality + | HoloShell | x | | | No | +| | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| | Microsoft.AccountsControl | x | x | x | No | +| | Microsoft.AsyncTextService | | | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | x | x | x | No | +| | Microsoft.ECApp | | x | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No | +| | Microsoft.PPIProjection | x | x | | No | +| | Microsoft.Win32WebViewHost | | | x | No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows.CapturePicker | | | x | No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | +| | Microsoft.Windows.ModalSharePickerHost | x | | | No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | +| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | +| | Microsoft.Windows.ParentalControls | x | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No | +| | Microsoft.Windows.SecHealthUI | x | x | x | No | +| | Microsoft.Windows.SecondaryTileExperience | x | x | | No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| | Windows.CBSPreview | | | x | No | +| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App | +| Settings | Windows.immersivecontrolpanel | x | x | x | No | +| Connect | Windows.MiracastView | x | | | No | +| Print 3D | Windows.Print3D | | x | | Yes | +| Print UI | Windows.PrintDialog | x | x | x | No | +| Purchase UI | Windows.PurchaseDialog | | | | No | + + +> [!NOTE] +> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). + +## Installed Windows apps + +Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. + +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| +| Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | +| PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | +| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | +| Eclipse Manager | 46928bounde.EclipseManager | x | x | x | Yes | +| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | x | Yes | +| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | x | Yes | +| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | x | Yes | +| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes | +| News | Microsoft.BingNews | x | x | x | Yes | +| Flipboard | | | | | Yes | +| | Microsoft.Advertising.Xaml | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.2 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.3 | x | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Framework.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Framework.2.0 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.1 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.3 | x | x | | Yes | +| | Microsoft.NET.Native.Runtime.1.4 | x | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.6 | | x | x | Yes | +| | Microsoft.NET.Native.Runtime.1.7 | | | x | Yes | +| | Microsoft.NET.Native.Runtime.2.0 | | x | x | Yes | +| | Microsoft.Services.Store.Engagement | | x | x | Yes | +| | Microsoft.VCLibs.120.00 | x | x | x | Yes | +| | Microsoft.VCLibs.140.00 | x | x | x | Yes | +| | Microsoft.VCLibs.120.00.Universal | | x | | Yes | +| | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | +| | Microsoft.WinJS.2.0 | x | | | Yes | --- \ No newline at end of file diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 6f65055513..79bf2a8409 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is for Windows 10, version 1809. -``` syntax +```xml False - Enables/Disables Dyanamic Lock + Enables/Disables Dynamic Lock @@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re -``` \ No newline at end of file +``` diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index ce9e1629c5..00acdc9318 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -215,6 +215,7 @@ ### [Quick guide to Windows as a service](update/waas-quick-start.md) #### [Servicing stack updates](update/servicing-stack-updates.md) ### [Overview of Windows as a service](update/waas-overview.md) +### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) @@ -260,6 +261,7 @@ ##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) +##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) ##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png new file mode 100644 index 0000000000..933b2e2346 Binary files /dev/null and b/windows/deployment/images/UR-driver-issue-detail.png differ diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png new file mode 100644 index 0000000000..5a05bb54e1 Binary files /dev/null and b/windows/deployment/images/UR-example-feedback.png differ diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png new file mode 100644 index 0000000000..83904d3be2 Binary files /dev/null and b/windows/deployment/images/UR-monitor-main.png differ diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png new file mode 100644 index 0000000000..4e619ae27c Binary files /dev/null and b/windows/deployment/images/UR-update-progress-failed-detail.png differ diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png new file mode 100644 index 0000000000..cb79ff70be Binary files /dev/null and b/windows/deployment/update/images/servicing-cadence.png differ diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png new file mode 100644 index 0000000000..0914b555ba Binary files /dev/null and b/windows/deployment/update/images/servicing-previews.png differ diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md new file mode 100644 index 0000000000..91ff222523 --- /dev/null +++ b/windows/deployment/update/waas-servicing-differences.md @@ -0,0 +1,106 @@ +--- +title: Servicing differences between Windows 10 and older operating systems +description: Learn the differences between servicing Windows 10 and servicing older operating systems. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: KarenSimWindows +ms.localizationpriority: medium +ms.author: karensim +ms.date: 11/09/2018 +--- +# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems + +>Applies to: Windows 10 + +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. + +The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). + +>[!NOTE] +> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc. + +## Infinite fragmentation +Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates. + +As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. + +This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. + +## Windows 10 – Next generation +Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. + +Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update. + +![Servicing cadence](images/servicing-cadence.png) + +Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each. + +This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10. + +### Points to consider + +- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new. +- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.) +- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model. +- For Windows 10, available update types vary by publishing channel: + - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates. + - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434). + - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date. +- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section). + +## Windows 7 and legacy OS versions +While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in aa fragmented environment, we moved Windows 7 to a cumulative update model in October 2016. + +Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates. + +The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. + +Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. + +### Points to consider +- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. +- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.) +- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed. +- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type – Monthly Rollup or Security-only – is recommended. +- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback. +- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup. +- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated. +- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. + +## Public preview releases +Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. + +### Examples +Windows 10 version 1709: + +- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot. +- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required. +- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot. + +All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. + +![Servicing preview releases](images/servicing-previews.png) + +### Previews vs. on-demand releases +In 2018, we experienced incidents that required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. + +#### Points to consider: +- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot. +- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however. +- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices. +- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way. + +In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure. + + +## Resources +- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530) +- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772) +- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783) +- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) +- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798) +- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/) +- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376) +- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index b5f0b2b68b..3aabb7b13b 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -1,8 +1,8 @@ --- -title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10) +title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. ms.prod: w10 -author: greg-lindsay +author: jaimeo ms.date: 04/19/2017 --- diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 76e0198780..e295b3fa32 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -93,7 +93,7 @@ The deployment script displays the following exit codes to let you know if it wa N/A - 1 - Unexpected error occurred while executiEng the script. + 1 - Unexpected error occurred while executing the script. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md new file mode 100644 index 0000000000..be3d2aee32 --- /dev/null +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -0,0 +1,48 @@ +--- +title: Monitor deployment with Upgrade Readiness +description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +author: jaimeo +ms.author: jaimeo +ms.date: 11/07/2018 +--- + +# Upgrade Readiness - Step 4: Monitor + +Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. + +![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) + + +## Update progress + +The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. + + +Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. + +!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) + + +## Driver issues + +The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. + + +For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. + +!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) + +## User feedback + +The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. + + +We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. + +When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. + +![Example user feedback item](../images/UR-example-feedback.png) + \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 315115e706..dab69519b0 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md @@ -6,6 +6,8 @@ ## [Scenarios and Capabilities](windows-autopilot-scenarios.md) ### [Support for existing devices](existing-devices.md) ### [User-driven mode](user-driven.md) +#### [Azure Active Directory joined](user-driven-aad.md) +#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md) ### [Self-deploying mode](self-deploying.md) ### [Enrollment status page](enrollment-status.md) ### [Windows Autopilot Reset](windows-autopilot-reset.md) diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index 6da9e99b33..b63517060d 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -1,19 +1,35 @@ ---- -title: User-driven mode for AAD -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greg-lindsay -ms.date: 10/02/2018 ---- - -# Windows Autopilot user-driven mode for Azure Active Directory - -**Applies to: Windows 10** - -PLACEHOLDER. This topic is a placeholder for the AAD-specific instuctions currently in user-driven.md. +--- +title: User-driven mode for AAD +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/07/2018 +--- + +# Windows Autopilot user-driven mode for Azure Active Directory join + +**Applies to: Windows 10** + +## Procedures + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index 6f4a760dcc..88e4a87f15 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -9,12 +9,31 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 --- -# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join +# Windows Autopilot user-driven mode for hybrid Azure Active Directory join **Applies to: Windows 10** -PLACEHOLDER. This topic is a placeholder for the AD-specific (hybrid) instuctions. +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +## Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- Users must be able to join devices to Azure Active Directory. +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be connected to the Internet and have access to an Active Directory domain controller. +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. + +## Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 1aa1ad5321..4fd86ef3b5 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -8,11 +8,13 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 ms.author: greg-lindsay -ms.date: 10/02/2018 +ms.date: 11/07/2018 --- +# Windows Autopilot user-driven mode + Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - Unbox the device, plug it in, and turn it on. @@ -24,21 +26,12 @@ After completing those simple steps, the remainder of the process is completely Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -## Step by step +## Available user-driven modes -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: +The following options are available for user-driven deployment: -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. ## Validation diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index a229e2df1a..6148d1201c 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,6 +1,6 @@ # [Privacy](index.yml) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md) +## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index dce0c91085..c0acd3cd73 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 11/07/2018 --- @@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: + - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -60,15 +61,15 @@ The following fields are available: - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows -- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows -- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows -- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows -- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows -- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows -- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows -- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows -- **SystemWlan** The count of InventoryApplicationFile objects present on this machine. +- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. +- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. +- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. +- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. +- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. +- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. +- **SystemWim** The total SystemWim objects that are present on this device +- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. +- **SystemWlan** The total SystemWlan objects that are present on this device. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. @@ -334,7 +335,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -670,7 +671,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1472,6 +1473,12 @@ The following fields are available: - **SocketCount** Number of physical CPU sockets of the machine. +### Census.Security + +Provides information on several important data points about security settings. + + + ### Census.Speech This event is used to gather basic speech settings on the device. @@ -2058,6 +2065,23 @@ The following fields are available: - **devinv.dll** The file version of the Device inventory component. +### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd + +This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **CatalogSigners** Signers from catalog. Each signer starts with Chain. +- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package. +- **EmbeddedSigners** Embedded signers. Each signer starts with Chain. +- **FileName** The file name of the file whose signatures are listed. +- **FileType** Either exe or sys, depending on if a driver package or application executable. +- **InventoryVersion** The version of the inventory file generating the events. +- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd This event sends basic metadata about an application on the system to help keep Windows up to date. @@ -2251,7 +2275,7 @@ The following fields are available: - **Enumerator** The bus that enumerated the device - **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid). - **Inf** The INF file name. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version of the inventory file generating the events. - **LowerClassFilters** Lower filter class drivers IDs installed for the device. - **LowerFilters** Lower filter drivers IDs installed for the device @@ -2379,6 +2403,90 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Invalid variant - Provides data on the installed Office Add-ins + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + ### Microsoft.Windows.Inventory.Indicators.Checksum This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. @@ -2546,14 +2654,14 @@ The following fields are available: - **AppVersion** The version of the app. - **BuildArch** Is the architecture x86 or x64? - **Environment** Is the device on the production or int service? -- **IsMSFTInternal** Is this an internal Microsoft device? -- **MachineGuid** The CEIP machine ID. +- **IsMSFTInternal** TRUE if the device is an internal Microsoft device. +- **MachineGuid** The GUID (Globally Unique ID) that identifies the machine for the CEIP (Customer Experience Improvement Program). - **Market** Which market is this in? - **OfficeVersion** The version of Office that is installed. - **OneDriveDeviceId** The OneDrive device ID. - **OSDeviceName** Only if the device is internal to Microsoft, the device name. - **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** A unique global user identifier. +- **UserGuid** The GUID (Globally Unique ID) of the user currently logged in. ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState @@ -2605,12 +2713,12 @@ The following fields are available: ### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult -This event determines the outcome of the operation. +This event sends information describing the result of the update. The following fields are available: - **hr** The HResult of the operation. -- **IsLoggingEnabled** Is logging enabled? +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. - **UpdaterVersion** The version of the updater. @@ -2642,11 +2750,48 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: @@ -2669,7 +2814,7 @@ The following fields are available: - **HResult** The HRESULT for detection or perform action phases of the plugin. - **IsAppraiserLatestResult** The HRESULT from the appraiser task. - **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. -- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastHresult** The HResult of the operation. - **LastRun** The date of the most recent SIH run. - **NextRun** Date of the next scheduled SIH run. - **PackageVersion** The version of the current remediation package. @@ -2730,7 +2875,7 @@ The following fields are available: ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: @@ -2807,7 +2952,7 @@ The following fields are available: - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. - **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). -- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. - **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. - **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. @@ -2819,156 +2964,17 @@ The following fields are available: - **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. -### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent - -This event indicates that an unexpected error occurred during an update and provides information to help address the issue. - -The following fields are available: - -- **CV** The Correlation vector. -- **ErrorMessage** A description of any errors encountered while the plug-in was running. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **Hresult** The result of the event execution. -- **PackageVersion** The version number of the current remediation package. -- **SessionGuid** GUID associated with a given execution of sediment pack. - - -### Microsoft.Windows.Remediation.Error - -This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue. - -The following fields are available: - -- **HResult** The result of the event execution. -- **Message** A message containing information about the error that occurred. -- **PackageVersion** The version number of the current remediation package. - - -### Microsoft.Windows.Remediation.FallbackError - -This event indicates an error when Self Update results in a Fallback and provides information to help address the issue. - -The following fields are available: - -- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult). -- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult). - - -### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent - -This event occurs when the Notify User task executes and provides information about the cause of the notification. - -The following fields are available: - -- **CV** The Correlation vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps. -- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call. -- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call. -- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call. -- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call. - - -### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId - -This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure. - -The following fields are available: - -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **hResult** The result of the event execution. -- **PackageVersion** The version number of the current remediation package. - - -### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId - -This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception. - -The following fields are available: - -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception. - - -### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed - -This event tracks the health of key update (Remediation) services and whether they are enabled. - -The following fields are available: - -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **hResult** The result of the event execution. -- **PackageVersion** The version number of the current remediation package. -- **serviceName** The name associated with the operation. - - -### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId - -This event returns information about the upgrade upon success to help ensure Windows is up to date. - -The following fields are available: - -- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful. -- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted. -- **CV** The Correlation Vector. -- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully. -- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully. -- **PackageVersion** The version number of the current remediation package. -- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully. -- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully -- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade. -- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade. -- **ServiceHealthPlugin** A list of services updated by the plug-in. -- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully. -- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully. -- **TaskHealthPlugin** A list of tasks updated by the plug-in. -- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully. -- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful. - - ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **PluginName** The name of the plug-in specified for each generic plug-in event. -- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. - - -### Microsoft.Windows.Remediation.wilResult - -This event provides Self Update information to help keep Windows up to date. - -The following fields are available: - -- **callContext** A list of diagnostic activities containing this error. -- **currentContextId** An identifier for the newest diagnostic activity containing this error. -- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any). -- **currentContextName** Name of the most recent diagnostic activity containing this error. -- **failureCount** Number of failures seen within the binary where the error occurred. -- **failureId** The identifier assigned to this failure. -- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast). -- **fileName** The source code file name where the error occurred. -- **function** The name of the function where the error occurred. -- **hresult** The failure error code. -- **lineNumber** The Line Number within the source code file where the error occurred. -- **message** A message associated with the failure (if any). -- **module** The name of the binary module in which the error occurred. -- **originatingContextId** The identifier for the oldest diagnostic activity containing this error. -- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any). -- **originatingContextName** The name of the oldest diagnostic activity containing this error. -- **threadId** The identifier of the thread the error occurred on. +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. ## Sediment events @@ -3320,15 +3326,17 @@ The following fields are available: - **Time** The system time at which the event occurred. +## Sediment Launcher events + ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. - **IsSelfUpdateNeeded** True if self update needed by device. - **PackageVersion** Current package version of Remediation. @@ -3338,97 +3346,43 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. - **FailedReasons** Concatenated list of failure reasons. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. -### Microsoft.Windows.SedimentLauncher.Error - -This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. - -The following fields are available: - -- **HResult** The result for the Detection or Perform Action phases of the plug-in. -- **Message** A message containing information about the error that occurred (if any). -- **PackageVersion** The version number of the current remediation package. - - -### Microsoft.Windows.SedimentLauncher.FallbackError - -This event indicates that an error occurred during execution of the plug-in fallback. - -The following fields are available: - -- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). - - -### Microsoft.Windows.SedimentLauncher.Information - -This event provides general information returned from the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Information message returned from a plugin containing only information internal to the plugins execution. -- **PackageVersion** Current package version of Remediation. - - ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. -### Microsoft.Windows.SedimentLauncher.wilResult - -This event provides the result from the Windows internal library. - -The following fields are available: - -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failureCount** Number of failures seen within the binary where the error occurred. -- **failureId** Identifier assigned to this failure. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). -- **fileName** Source code file name where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source code file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. -- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). -- **originatingContextName** Name of the oldest telemetry activity containing this error. -- **threadId** Identifier of the thread the error occurred on. - +## Sediment Service events ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. - **IsSelfUpdateNeeded** Indicates if self update is needed. - **PackageVersion** Current package version of Remediation. @@ -3438,13 +3392,13 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: - **CV** Correlation vector. - **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -3458,40 +3412,9 @@ The following fields are available: - **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. -### Microsoft.Windows.SedimentService.Error - -This event indicates whether an error condition occurred in the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Custom message associated with the failure (if any). -- **PackageVersion** Current package version of Remediation. - - -### Microsoft.Windows.SedimentService.FallbackError - -This event indicates whether an error occurred for a fallback in the plug-in. - -The following fields are available: - -- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult). - - -### Microsoft.Windows.SedimentService.Information - -This event provides general information returned from the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Custom message associated with the failure (if any). -- **PackageVersion** Current package version of Remediation. - - ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: @@ -3502,31 +3425,6 @@ The following fields are available: - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. -### Microsoft.Windows.SedimentService.wilResult - -This event provides the result from the Windows internal library. - -The following fields are available: - -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failureCount** Number of failures seen within the binary where the error occurred. -- **failureId** Identifier assigned to this failure. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). -- **fileName** Source code file name where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source code file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. -- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). -- **originatingContextName** Name of the oldest telemetry activity containing this error. -- **threadId** Identifier of the thread the error occurred on. - - ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent @@ -3821,7 +3719,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -4118,6 +4016,22 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgent_FellBackToCanonical + +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **PackageCount** The number of packages that fell back to “canonical”. +- **PackageList** PackageIDs which fell back to “canonical”. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgent_Initialize This event sends data during the initialize phase of updating Windows. @@ -4152,6 +4066,22 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgent_Merge + +This event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgent_ModeStart This event sends data for the start of each mode during the process of updating Windows. @@ -4184,6 +4114,130 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCountOptional** # of optional packages requested. +- **PackageCountRequired** # of required packages requested. +- **PackageCountTotal** Total # of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + ## Upgrade events ### Setup360Telemetry.Downlevel @@ -4242,9 +4296,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4375,6 +4429,24 @@ This event helps determine whether the device received supplemental content duri +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4388,7 +4460,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -4819,11 +4891,11 @@ The following fields are available: - **errorCode** The error code that was returned. - **experimentId** When running a test, this is used to correlate events that are part of the same test. - **fileID** The ID of the file being downloaded. -- **isVpn** Is the device connected to a Virtual Private Network? +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). - **scenarioID** The ID of the scenario. - **sessionID** The ID of the file download session. - **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted @@ -4862,7 +4934,7 @@ The following fields are available: - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused @@ -5146,6 +5218,17 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery). +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.Detection This event indicates that a scan for a Windows Update occurred. @@ -5192,7 +5275,7 @@ The following fields are available: - **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. - **revisionNumber** Update revision number. -- **updateId** Unique Windows Update ID. +- **updateId** Unique Update ID. - **updateScenarioType** Update session type. - **UpdateStatus** Last status of update. - **wuDeviceid** Unique Device ID. @@ -5240,6 +5323,30 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + ### Microsoft.Windows.Update.Orchestrator.PostInstall This event is sent after a Windows update install completes. @@ -5256,6 +5363,15 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + ### Microsoft.Windows.Update.Orchestrator.RebootFailed This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. @@ -5276,6 +5392,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. @@ -5332,6 +5460,32 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + ### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date. @@ -5352,6 +5506,28 @@ The following fields are available: - **WUDeviceID** The Windows Update device ID. +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5390,7 +5566,7 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date. +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. The following fields are available: @@ -5406,6 +5582,14 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS Updates. + + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index f1ca2eae5e..7ed5621811 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 10/10/2018 +ms.date: 11/07/2018 --- @@ -65,20 +65,20 @@ The following fields are available: - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. -- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **PCFP** The count of the number of this particular object type present on this device. - **SystemMemory** The count of the number of this particular object type present on this device. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. - **SystemProcessorNx** The count of the number of this particular object type present on this device. -- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. -- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. +- **SystemProcessorSse2** The count of the number of this particular object type present on this device. - **SystemTouch** The count of the number of this particular object type present on this device. -- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWim** The count of the number of this particular object type present on this device. - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. @@ -359,7 +359,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -706,7 +706,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1209,6 +1209,23 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + ### Microsoft.Windows.Appraiser.General.SystemWlanRemove This event indicates that the SystemWlan object is no longer present. @@ -1525,16 +1542,16 @@ The following fields are available: - **KvaShadow** Microcode info of the processor. - **MMSettingOverride** Microcode setting of the processor. - **MMSettingOverrideMask** Microcode setting override of the processor. -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture. +- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. +- **ProcessorCores** Retrieves the number of cores in the processor. +- **ProcessorIdentifier** The processor identifier of a manufacturer. +- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer. +- **ProcessorModel** Retrieves the name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** Microcode revision +- **ProcessorUpdateRevision** Retrieves the processor architecture of the installed operating system. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. +- **SocketCount** Number of physical CPU sockets of the machine. - **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. @@ -1545,14 +1562,14 @@ This event provides information on about security settings used to help keep Win The following fields are available: - **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. -- **CGRunning** Is Credential Guard running? +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. - **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Is HVCI running? +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Is this device capable of running Secure Boot? -- **VBSState** Is virtualization-based security enabled, disabled, or running? +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. ### Census.Speech @@ -1889,6 +1906,82 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed @@ -1916,6 +2009,33 @@ This event sends basic metadata about the starting point of uninstalling a featu +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum @@ -1992,13 +2112,13 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **InventoryVersion** The version of the inventory component +- **InventoryVersion** The version of the inventory component. - **ProgramIds** The unique program identifier the driver is associated with. ### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. +This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2185,12 +2305,12 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. -- **ClassGuid** A unique identifier for the driver installed. -- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). -- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf) -- **Description** The version of the inventory binary generating the events. -- **DeviceState** The current error code for the device. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device setup class guid of the driver loaded for the device. +- **COMPID** The list of compat ids for the device. +- **ContainerId** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **Description** The device description. +- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present - **DriverId** A unique identifier for the driver installed. - **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). - **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. @@ -2703,11 +2823,188 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** The result code of the last action performed before this operation +- **IsSuccess** Was the operation successful? +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Other events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **highestState** The highest final install state of the optional content. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### Microsoft.Windows.WaaSAssessment.Error + +This event returns the name of the missing setting needed to determine the Operating System build age. + +The following fields are available: + +- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. + + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable -This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: @@ -2716,7 +3013,6 @@ The following fields are available: - **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskDisabled** Indicates the appraiser task is disabled. -- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. - **CV** Correlation vector - **DateTimeDifference** The difference between local and reference clock times. - **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. @@ -2726,7 +3022,7 @@ The following fields are available: - **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. - **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. - **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. -- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. +- **GlobalEventCounter** Client side counter that indicates ordering of events. - **HResult** The HRESULT for detection or perform action phases of the plugin. - **IsAppraiserLatestResult** The HRESULT from the appraiser task. - **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. @@ -2789,29 +3085,9 @@ The following fields are available: - **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. -### Microsoft.Windows.Remediation.ChangePowerProfileDetection - -Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates. - -The following fields are available: - -- **ActionName** A descriptive name for the plugin action -- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device -- **CV** Correlation vector -- **GlobalEventCounter** Counter that indicates the ordering of events on the device -- **PackageVersion** Current package version of remediation service -- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0) -- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update -- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit. -- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates -- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues -- **SetupMutexAvailable** Result that shows whether setup mutex is available or not -- **SysPowerStatusAC** Result that shows whether system is on AC power or not - - ### Microsoft.Windows.Remediation.Completed -This event enables completion tracking of a process that remediates issues preventing security and quality updates. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: @@ -2833,7 +3109,7 @@ The following fields are available: - **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. - **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. - **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. -- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **GlobalEventCounter** Client-side counter that indicates ordering of events. - **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. - **hasRolledBack** Indicates whether the client machine has rolled back. - **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. @@ -2911,7 +3187,7 @@ The following fields are available: - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. - **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). -- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. - **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. @@ -2926,30 +3202,14 @@ The following fields are available: - **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. -### Microsoft.Windows.Remediation.RemediationShellMainExeEventId - -Enables tracking of completion of process that remediates issues preventing security and quality updates. - -The following fields are available: - -- **CV** Client side counter which indicates ordering of events sent by the remediation system. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. -- **PackageVersion** Current package version of Remediation. -- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running. -- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors. -- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly. -- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly. -- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly. - - ### Microsoft.Windows.Remediation.Started -This event reports whether a plug-in started, to help ensure Windows is up to date. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -2970,6 +3230,41 @@ The following fields are available: - **Time** The time the event was fired. +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + + + +### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings + +This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. + +The following fields are available: + +- **CustomVer** The registry value for targeting. +- **IsMetered** TRUE if the machine is on a metered network. +- **LastVer** The version of the last successful run. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.OSRSS.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + ### Microsoft.Windows.Sediment.OSRSS.UrlState This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. @@ -2984,15 +3279,17 @@ The following fields are available: - **Time** System timestamp the event was fired +## Sediment Launcher events + ### Microsoft.Windows.SedimentLauncher.Applicable -Indicates whether a given plugin is applicable. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. - **IsSelfUpdateNeeded** True if self update needed by device. - **PackageVersion** Current package version of Remediation. @@ -3002,98 +3299,43 @@ The following fields are available: ### Microsoft.Windows.SedimentLauncher.Completed -Indicates whether a given plugin has completed its work. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. The following fields are available: - **CV** Correlation vector. - **FailedReasons** Concatenated list of failure reasons. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. - **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. -### Microsoft.Windows.SedimentLauncher.Error - -Error occurred during execution of the plugin. - -The following fields are available: - -- **HResult** The result for the Detection or Perform Action phases of the plug-in. -- **Message** A message containing information about the error that occurred (if any). -- **PackageVersion** The version number of the current remediation package. - - -### Microsoft.Windows.SedimentLauncher.FallbackError - -This event indicates that an error occurred during execution of the plug-in fallback. - -The following fields are available: - -- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). -- **wilResult** Result from executing wil based function. See [wilResult](#wilresult). - - -### Microsoft.Windows.SedimentLauncher.Information - -This event provides general information returned from the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Information message returned from a plugin containing only information internal to the plugins execution. -- **PackageVersion** Current package version of Remediation. - - ### Microsoft.Windows.SedimentLauncher.Started -This event indicates that a given plug-in has started. +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. The following fields are available: - **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. -### Microsoft.Windows.SedimentLauncher.wilResult - -This event provides the result from the Windows internal library. - -The following fields are available: - -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failureCount** Number of failures seen within the binary where the error occurred. -- **failureId** Identifier assigned to this failure. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). -- **fileName** Source code file name where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source code file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. -- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). -- **originatingContextName** Name of the oldest telemetry activity containing this error. -- **threadId** Identifier of the thread the error occurred on. - +## Sediment Service events ### Microsoft.Windows.SedimentService.Applicable -This event indicates whether a given plug-in is applicable. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: - **CV** Correlation vector. - **DetectedCondition** Determine whether action needs to run based on device properties. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. - **IsSelfUpdateNeeded** Indicates if self update is needed. - **PackageVersion** Current package version of Remediation. @@ -3103,13 +3345,13 @@ The following fields are available: ### Microsoft.Windows.SedimentService.Completed -This event indicates whether a given plug-in has completed its work. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: - **CV** Correlation vector. - **FailedReasons** List of reasons when the plugin action failed. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **GlobalEventCounter** Client side counter which indicates ordering of events. - **PackageVersion** Current package version of Remediation. - **PluginName** Name of the plugin specified for each generic plugin event. - **Result** This is the HRESULT for detection or perform action phases of the plugin. @@ -3123,41 +3365,9 @@ The following fields are available: - **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. -### Microsoft.Windows.SedimentService.Error - -This event indicates whether an error condition occurred in the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Custom message associated with the failure (if any). -- **PackageVersion** Current package version of Remediation. - - -### Microsoft.Windows.SedimentService.FallbackError - -This event indicates whether an error occurred for a fallback in the plug-in. - -The following fields are available: - -- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult). -- **wilResult** Result for wil based function. See [wilResult](#wilresult). - - -### Microsoft.Windows.SedimentService.Information - -This event provides general information returned from the plug-in. - -The following fields are available: - -- **HResult** This is the HRESULT for detection or perform action phases of the plugin. -- **Message** Custom message associated with the failure (if any). -- **PackageVersion** Current package version of Remediation. - - ### Microsoft.Windows.SedimentService.Started -This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. +This event sends simple device connectivity and configuration data about a service on the system that helps keep Windows up to date. The following fields are available: @@ -3168,32 +3378,33 @@ The following fields are available: - **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. -### Microsoft.Windows.SedimentService.wilResult +## Setup events -This event provides the result from the Windows internal library. +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. The following fields are available: -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failureCount** Number of failures seen within the binary where the error occurred. -- **failureId** Identifier assigned to this failure. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast). -- **fileName** Source code file name where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source code file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. -- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). -- **originatingContextName** Name of the oldest telemetry activity containing this error. -- **threadId** Identifier of the thread the error occurred on. +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. -## Setup events ### SetupPlatformTel.SetupPlatformTelEvent @@ -3780,6 +3991,131 @@ The following fields are available: ## Update events +### Update360Telemetry.UpdateAgent_DownloadRequest + +This event sends data during the download request phase of updating Windows. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **ErrorCode** The error code returned for the current download request phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCountOptional** # of optional packages requested. +- **PackageCountRequired** # of required packages requested. +- **PackageCountTotal** Total # of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases) +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgent_FellBackToCanonical + +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **PackageCount** The number of packages that fell back to “canonical”. +- **PackageList** PackageIDs which fell back to “canonical”. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgent_Initialize + +This event sends data during the initialize phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current initialize phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each Update Agent mode attempt . +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_Install + +This event sends data during the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest scan. +- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_Merge + +This event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgent_ModeStart + +This event sends data for the start of each mode during the process of updating Windows. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_SetupBoxLaunch + +This event sends data during the launching of the setup box when updating Windows. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true +- **RelatedCV** Correlation vector value generated from the latest scan. +- **SandboxSize** The size of the sandbox folder on the device. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize +- **UpdateId** Unique ID for each update. + + ### Update360Telemetry.UpdateAgentCommit This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. @@ -3975,6 +4311,24 @@ The following fields are available: - **Version** Version of update +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + ### Update360Telemetry.UpdateAgentPostRebootResult This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. @@ -4028,7 +4382,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** UI interaction data +- **key1** Interaction data for the UI - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4039,9 +4393,9 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** UI interaction data +- **key2** Interaction data for the UI - **key20** UI interaction data -- **key21** Interaction data for the UI +- **key21** UI interaction data - **key22** UI interaction data - **key23** UI interaction data - **key24** UI interaction data @@ -4050,12 +4404,12 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** UI interaction data +- **key3** Interaction data for the UI - **key30** UI interaction data -- **key4** UI interaction data -- **key5** UI interaction data -- **key6** UI interaction data -- **key7** UI interaction data +- **key4** Interaction data for the UI +- **key5** UI interaction type +- **key6** Current package version of UNP +- **key7** UI interaction type - **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. @@ -4353,6 +4707,12 @@ This event sends a summary of all the setup mitigations available for this updat +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4366,7 +4726,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -4402,17 +4762,37 @@ This event provides the results from the WaaSMedic engine The following fields are available: - **detectionSummary** Result of each applicable detection that was run. -- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. - **hrEngineResult** Indicates the WaaSMedic engine operation error codes -- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise -- **isManaged** Indicates the device is managed for updates -- **isWUConnected** Indicates the device is connected to Windows Update -- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions -- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates +- **insufficientSessions** Device not eligible for diagnostics. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. - **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. -- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client -- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client -- **versionString** Installed version of the WaaSMedic engine +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **versionString** Version of the WaaSMedic engine. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). ## Windows Store events @@ -4798,144 +5178,6 @@ The following fields are available: ## Windows Update Delivery Optimization events -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled - -This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download being done in the background? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **callerName** Name of the API caller. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **clientTelId** A random number used for device sampling. -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **reasonCode** Reason the action or event occurred. -- **scenarioID** The ID of the scenario. -- **sessionID** The ID of the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Did the download use memory streaming? - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted - -This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **bytesFromCacheServer** Bytes received from a cache host. -- **bytesFromCDN** The number of bytes received from a CDN source. -- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. -- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. -- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. -- **bytesFromPeers** The number of bytes received from a peer in the same LAN. -- **bytesRequested** The total number of bytes requested for download. -- **cacheServerConnectionCount** Number of connections made to cache hosts. -- **callerName** Name of the API caller. -- **cdnConnectionCount** The total number of connections made to the CDN. -- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. -- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. -- **cdnIp** The IP address of the source CDN. -- **clientTelId** A random number used for device sampling. -- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). -- **downlinkUsageBps** The download speed (in bytes per second). -- **downloadMode** The download mode used for this file download session. -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **fileSize** The size of the file being downloaded. -- **gCurMemoryStreamBytes** Current usage for memory streaming. -- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **groupConnectionCount** The total number of connections made to peers in the same group. -- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **lanConnectionCount** The total number of connections made to peers in the same LAN. -- **numPeers** The total number of peers used for this download. -- **restrictedUpload** Is the upload restricted? -- **scenarioID** The ID of the scenario. -- **sessionID** The ID of the download session. -- **totalTimeMs** Duration of the download (in seconds). -- **updateID** The ID of the update being downloaded. -- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). -- **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** Did the download use memory streaming? - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused - -This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Is the download a background download? -- **callerName** The name of the API caller. -- **clientTelId** A random number used for device sampling. -- **errorCode** The error code that was returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being paused. -- **isVpn** Is the device connected to a Virtual Private Network? -- **jobID** Identifier for the Windows Update job. -- **reasonCode** The reason for pausing the download. -- **scenarioID** The ID of the scenario. -- **sessionID** The ID of the download session. -- **updateID** The ID of the update being paused. - - -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted - -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. - -The following fields are available: - -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. -- **callerName** Name of the API caller. -- **cdnUrl** The URL of the source CDN. -- **clientTelId** Random number used for device selection -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). -- **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. -- **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. -- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. -- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. -- **peerID** The ID for this delivery optimization client. -- **scenarioID** The ID of the scenario. -- **sessionID** The ID for the file download session. -- **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. - - ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -4959,20 +5201,6 @@ The following fields are available: - **sessionID** The ID of the download session. -### Microsoft.OSG.DU.DeliveryOptClient.JobError - -This event represents a Windows Update job error. It allows for investigation of top errors. - -The following fields are available: - -- **clientTelId** A random number used for device sampling. -- **doErrorCode** Error code returned for delivery optimization. -- **errorCode** The error code returned. -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **fileID** The ID of the file being downloaded. -- **jobID** The Windows Update job ID. - - ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -5067,6 +5295,24 @@ The following fields are available: - **updateId** Unique ID for each Update. +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + + + ### Microsoft.Windows.Update.NotificationUx.RebootScheduled Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. @@ -5085,6 +5331,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + + + ### Microsoft.Windows.Update.Orchestrator.CommitFailed This event indicates that a device was unable to restart after an update. @@ -5114,16 +5372,16 @@ This event indicates that a scan for a Windows Update occurred. The following fields are available: - **deferReason** Reason why the device could not check for updates. -- **detectionBlockreason** Reason for detection not completing. +- **detectionBlockreason** Reason for blocking detection - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** The returned error code. -- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **errorCode** Error value +- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. - **revisionNumber** Update revision number. - **updateId** Update ID. -- **updateScenarioType** Update Session type -- **wuDeviceid** Device ID +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded @@ -5142,6 +5400,23 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable This event indicates that the update is no longer applicable to this device. @@ -5169,6 +5444,48 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.LowUptimes This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. @@ -5182,6 +5499,18 @@ The following fields are available: - **wuDeviceid** Unique device ID for Windows Update. +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart This event is generated before the shutdown and commit operations. @@ -5191,6 +5520,166 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **errorCode** result showing success or failure of current update +- **LastApplicableUpdateFoundTime** The time when the last applicable update was found. +- **LastDownloadDeferredReason** The last reason download was deferred. +- **LastDownloadDeferredTime** The time of the download deferral. +- **LastDownloadFailureError** The last download failure. +- **LastDownloadFailureTime** The time of the last download failure. +- **LastInstallCompletedTime** The time when the last successful install completed. +- **LastInstallDeferredReason** The reason the last install was deferred. +- **LastInstallDeferredTime** The time when the last install was deferred. +- **LastInstallFailureError** The error code associated with the last install failure. +- **LastInstallFailureTime** The time when the last install failed to complete. +- **LastRebootDeferredReason** The reason the last reboot was deferred. +- **LastRebootDeferredTime** The time when the last reboot was deferred. +- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”. +- **LastScanDeferredReason** The reason the last scan was deferred. +- **LastScanDeferredTime** The time when the last scan was deferred. +- **LastScanFailureError** The error code for the last scan failure. +- **LastScanFailureTime** The time when the last scan failed. +- **LastUpdateCheckTime** The time of the last update check. +- **LastUpdateDownloadTime** The time when the last update was downloaded. +- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure. +- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure. +- **LowUpTimeDetectTime** The last time “low up-time” was detected. +- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected. +- **RebootRequired** Indicates reboot is required. +- **revisionNumber** Unique revision number of the Update +- **updateId** Unique ID for Update +- **updateState** Progress within an update state +- **UpgradeInProgressTime** The amount of time a feature update has been in progress. +- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date. +- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment. +- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date. +- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment. +- **wuDeviceid** Unique ID for Device + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5209,6 +5698,25 @@ The following fields are available: - **Reason** The reason sent which will cause the reboot to defer. +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **revisionNumber** Revision number of the update that is getting installed with this reboot. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot This event is fired the first time when the reboot is required. @@ -5227,7 +5735,7 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. The following fields are available: @@ -5244,6 +5752,32 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 9af3127db4..1a5a1aa9c7 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 11/07/2018 --- @@ -28,6 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: + - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -35,6 +36,8 @@ You can learn more about Windows functional and diagnostic data through these ar - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -75,7 +78,7 @@ The following fields are available: - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. @@ -369,7 +372,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -575,6 +578,17 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. @@ -701,7 +715,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -822,6 +836,31 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove This event indicates that the InventoryUplevelDriverPackage object is no longer present. @@ -1179,6 +1218,23 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + ### Microsoft.Windows.Appraiser.General.SystemWlanRemove This event indicates that the SystemWlan object is no longer present. @@ -1292,7 +1348,7 @@ The following fields are available: - **AppraiserTaskExitCode** The Appraiser task exist code. - **AppraiserTaskLastRun** The last runtime for the Appraiser task. - **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. +- **IEVersion** IE version running on the device. ### Census.Battery @@ -2594,6 +2650,91 @@ The following fields are available: - **CV** Correlation vector. +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed @@ -2618,6 +2759,34 @@ This event sends basic metadata about the starting point of uninstalling a featu +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum @@ -2693,6 +2862,18 @@ The following fields are available: - **Version** The version number of the program. +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd This event provides the basic metadata about the frameworks an application may depend on. @@ -2839,6 +3020,17 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. @@ -2873,7 +3065,7 @@ The following fields are available: - **Enumerator** The date of the driver loaded for the device. - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -3438,6 +3630,557 @@ The following fields are available: - **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Other events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **highestState** The highest final install state of the optional content. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +### Microsoft.Windows.Remediation.Applicable + +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. + +The following fields are available: + +- **ActionName** The name of the action to be taken by the plug-in. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. +- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. +- **CV** Correlation vector +- **DateTimeDifference** The difference between local and reference clock times. +- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DaysSinceLastSIH** The number of days since the most recent SIH executed. +- **DaysToNextSIH** The number of days until the next scheduled SIH execution. +- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. +- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. +- **HResult** The HRESULT for detection or perform action phases of the plugin. +- **IsAppraiserLatestResult** The HRESULT from the appraiser task. +- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastRun** The date of the most recent SIH run. +- **NextRun** Date of the next scheduled SIH run. +- **PackageVersion** The version of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Reload** True if SIH reload is required. +- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. +- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. +- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. +- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. +- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. +- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. +- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. +- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. +- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. +- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. +- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. +- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. +- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. +- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. +- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. +- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. +- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. +- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled. +- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled. +- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled. +- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled. +- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled. +- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled. +- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled. +- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled. +- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled. +- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled. +- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled. +- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. +- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. +- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. + + +### Microsoft.Windows.Remediation.ChangePowerProfileDetection + +Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates. + +The following fields are available: + +- **ActionName** A descriptive name for the plugin action +- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device +- **CV** Correlation vector +- **GlobalEventCounter** Counter that indicates the ordering of events on the device +- **PackageVersion** Current package version of remediation service +- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0) +- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update +- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit. +- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates +- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues +- **SetupMutexAvailable** Result that shows whether setup mutex is available or not +- **SysPowerStatusAC** Result that shows whether system is on AC power or not + + +### Microsoft.Windows.Remediation.Completed + +This event enables completion tracking of a process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. +- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. +- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. +- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. +- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. +- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. +- **branchReadinessLevel** Branch readiness level policy. +- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. +- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded. +- **CV** The Correlation Vector. +- **DateTimeDifference** The difference between the local and reference clocks. +- **DaysSinceOsInstallation** The number of days since the installation of the Operating System. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. +- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. +- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. +- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **hasRolledBack** Indicates whether the client machine has rolled back. +- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. +- **hResult** The result of the event execution. +- **HResult** The result of the event execution. +- **installDate** The value of installDate registry key. Indicates the install date. +- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS. +- **LatestState** The final state of the plug-in component. +- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. +- **PackageVersion** The package version for the current Remediation. +- **PageFileCount** The number of Windows Page files. +- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes. +- **PageFileLocation** The storage location (directory path) of the Windows Page file. +- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes. +- **PluginName** The name of the plug-in specified for each generic plug-in event. +- **RanCleanup** TRUE if the plug-in ran disk cleanup. +- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. +- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. +- **RemediationBatteryPowerOnBattery** True if we allow execution on battery. +- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully. +- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. +- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes. +- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes. +- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes. +- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes. +- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes. +- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified. +- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value. +- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key. +- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted. +- **RemediationDUABuildNumber** The build number of the DUA. +- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. +- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. +- **remediationExecution** Remediation shell is in "applying remediation" state. +- **RemediationHibernationMigrated** TRUE if hibernation was migrated. +- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. +- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. +- **RemediationRanHibernation** TRUE if the system entered Hibernation. +- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. +- **RemediationShellHasUpgraded** TRUE if the device upgraded. +- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. +- **RemediationShellRunFromService** TRUE if the shell driver was run from the service. +- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. +- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. +- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. +- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. +- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. +- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes. +- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. +- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes. +- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more. +- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes. +- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. +- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. +- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. +- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **uninstallActive** TRUE if previous uninstall has occurred for current OS +- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. +- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. +- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. +- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. +- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. +- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. +- **usoScanIsUserLoggedOn** TRUE if the user is logged on. +- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". +- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. +- **windowsEditionId** Event to report the value of Windows Edition ID. +- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. +- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. +- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes. +- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes. +- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. +- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. + + +### Microsoft.Windows.Remediation.RemediationShellMainExeEventId + +Enables tracking of completion of process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **CV** Client side counter which indicates ordering of events sent by the remediation system. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **PackageVersion** Current package version of Remediation. +- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running. +- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors. +- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly. +- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly. +- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly. + + +### Microsoft.Windows.Remediation.Started + +This event reports whether a plug-in started, to help ensure Windows is up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event indicates that a given plug-in has started. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceStopping** True/False indicating whether the service is stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. + + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -3465,8 +4208,272 @@ The following fields are available: - **userRegionCode** The current user's region setting +## Remediation events + +### Microsoft.Windows.Remediation.Applicable + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. + +The following fields are available: + +- **ActionName** The name of the action to be taken by the plug-in. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. +- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. +- **CV** Correlation vector +- **DateTimeDifference** The difference between local and reference clock times. +- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DaysSinceLastSIH** The number of days since the most recent SIH executed. +- **DaysToNextSIH** The number of days until the next scheduled SIH execution. +- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. +- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **GlobalEventCounter** Client side counter that indicates ordering of events. +- **HResult** The HRESULT for detection or perform action phases of the plugin. +- **IsAppraiserLatestResult** The HRESULT from the appraiser task. +- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastRun** The date of the most recent SIH run. +- **NextRun** Date of the next scheduled SIH run. +- **PackageVersion** The version of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Reload** True if SIH reload is required. +- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. +- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. +- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. +- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. +- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. +- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. +- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. +- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. +- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. +- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. +- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. +- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. +- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. +- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. +- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. +- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. +- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. +- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled. +- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled. +- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled. +- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled. +- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled. +- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled. +- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled. +- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled. +- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled. +- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled. +- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled. +- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. +- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. +- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. + + +### Microsoft.Windows.Remediation.Completed + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep the Windows Update stack healthy. + +The following fields are available: + +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. +- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. +- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. +- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. +- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. +- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. +- **branchReadinessLevel** Branch readiness level policy. +- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. +- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded. +- **CV** The Correlation Vector. +- **DateTimeDifference** The difference between the local and reference clocks. +- **DaysSinceOsInstallation** The number of days since the installation of the Operating System. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. +- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. +- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. +- **GlobalEventCounter** Client-side counter that indicates ordering of events. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **hasRolledBack** Indicates whether the client machine has rolled back. +- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. +- **hResult** The result of the event execution. +- **HResult** The result of the event execution. +- **installDate** The value of installDate registry key. Indicates the install date. +- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS. +- **LatestState** The final state of the plug-in component. +- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. +- **PackageVersion** The package version for the current Remediation. +- **PageFileCount** The number of Windows Page files. +- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes. +- **PageFileLocation** The storage location (directory path) of the Windows Page file. +- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes. +- **PluginName** The name of the plug-in specified for each generic plug-in event. +- **RanCleanup** TRUE if the plug-in ran disk cleanup. +- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. +- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. +- **RemediationBatteryPowerOnBattery** True if we allow execution on battery. +- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully. +- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. +- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes. +- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes. +- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes. +- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes. +- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes. +- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified. +- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value. +- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key. +- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted. +- **RemediationDUABuildNumber** The build number of the DUA. +- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. +- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. +- **remediationExecution** Remediation shell is in "applying remediation" state. +- **RemediationHibernationMigrated** TRUE if hibernation was migrated. +- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. +- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. +- **RemediationRanHibernation** TRUE if the system entered Hibernation. +- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. +- **RemediationShellHasUpgraded** TRUE if the device upgraded. +- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. +- **RemediationShellRunFromService** TRUE if the shell driver was run from the service. +- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. +- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. +- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. +- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. +- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. +- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes. +- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. +- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes. +- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more. +- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes. +- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. +- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. +- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. +- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **uninstallActive** TRUE if previous uninstall has occurred for current OS +- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. +- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. +- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. +- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. +- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. +- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. +- **usoScanIsUserLoggedOn** TRUE if the user is logged on. +- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. +- **windowsEditionId** Event to report the value of Windows Edition ID. +- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. +- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. +- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes. +- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes. +- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. +- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. + + +### Microsoft.Windows.Remediation.Started + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + ## Sediment events +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + + + +### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings + +This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. + +The following fields are available: + +- **CustomVer** The registry value for targeting. +- **IsMetered** TRUE if the machine is on a metered network. +- **LastVer** The version of the last successful run. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.OSRSS.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + ### Microsoft.Windows.Sediment.OSRSS.UrlState This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. @@ -3481,8 +4488,116 @@ The following fields are available: - **Time** System timestamp when the event was started. +## Sediment Service events + +### Microsoft.Windows.SedimentService.Applicable + +This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Started + +This event sends simple device connectivity and configuration data about a service installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +## Sediment Launcher events + +### Microsoft.Windows.SedimentLauncher.Applicable + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event sends simple device connectivity and configuration data about an application installed on the system that helps keep Windows up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events within Remediation application. +- **PackageVersion** Current package version of Remediation application. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + ## Setup events +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + ### SetupPlatformTel.SetupPlatformTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. @@ -3961,14 +5076,31 @@ The following fields are available: - **SignatureAlgorithm** Hash algorithm for the metadata signature - **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". - **StatusCode** Result code of the event (success, cancellation, failure code HResult) -- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. - **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. - **UpdateId** Identifier associated with the specific piece of content -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. +- **ValidityWindowInDays** Validity window in effect when verifying the timestamp ## Update events +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgentCommit This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. @@ -4104,6 +5236,52 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + ### Update360Telemetry.UpdateAgentModeStart This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. @@ -4120,6 +5298,24 @@ The following fields are available: - **Version** Version of update +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + ### Update360Telemetry.UpdateAgentPostRebootResult This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. @@ -4136,6 +5332,12 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + + + ### Update360Telemetry.UpdateAgentSetupBoxLaunch The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. @@ -4185,7 +5387,7 @@ The following fields are available: - **key19** UI interaction data - **key2** Interaction data for the UI - **key20** UI interaction data -- **key21** Interaction data for the UI +- **key21** UI interaction data - **key22** UI interaction data - **key23** UI interaction data - **key24** UI interaction data @@ -4197,10 +5399,10 @@ The following fields are available: - **key3** Interaction data for the UI - **key30** UI interaction data - **key4** Interaction data for the UI -- **key5** UI interaction data -- **key6** UI interaction data -- **key7** Interaction data for the UI -- **key8** Interaction data for the UI +- **key5** UI interaction type +- **key6** Current package version of UNP +- **key7** UI interaction type +- **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. - **schema** UI interaction type. @@ -4314,6 +5516,7 @@ The following fields are available: - **DownloadRequestAttributes** The attributes we send to DCAT. - **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. - **Version** Version of Facilitator. @@ -4376,9 +5579,9 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. @@ -4524,6 +5727,67 @@ The following fields are available: - **TargetBuild** Build of the target OS. +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4538,7 +5802,7 @@ The following fields are available: - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. - **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. @@ -4570,6 +5834,26 @@ The following fields are available: - **versionString** Version of the WaaSMedic engine. +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + ## Windows Error Reporting MTT events ### Microsoft.Windows.WER.MTT.Denominator @@ -4982,7 +6266,7 @@ The following fields are available: - **current** Result of currency check. - **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure error code. +- **hResult** Failure Error code. - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. @@ -5023,7 +6307,7 @@ The following fields are available: - **current** Result of currency check. - **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure error code. +- **hResult** Failure Error code. - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. @@ -5058,45 +6342,128 @@ This event sends basic telemetry on the success of the rollback of the Quality/L ## Windows Update Delivery Optimization events -### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled -This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The following fields are available: -- **background** Indicates whether the download is happening in the background. -- **bytesRequested** Number of bytes requested for the download. +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **callerName** Name of the API caller. -- **cdnUrl** The URL of the source CDN -- **costFlags** A set of flags representing network cost. -- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). -- **diceRoll** Random number used for determining if a client will use peering. -- **doClientVersion** The version of the Delivery Optimization client. -- **doErrorCode** The Delivery Optimization error code that was returned. -- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. - **errorCode** The error code that was returned. -- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. - **fileID** The ID of the file being downloaded. -- **filePath** The path to where the downloaded file will be written. -- **fileSize** Total file size of the file that was downloaded. -- **fileSizeCaller** Value for total file size provided by our caller. -- **groupID** ID for the group. -- **isEncrypted** Indicates whether the download is encrypted. -- **isVpn** Indicates whether the device is connected to a Virtual Private Network. -- **jobID** The ID of the Windows Update job. -- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. -- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. -- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. -- **peerID** The ID for this delivery optimization client. -- **predefinedCallerName** Name of the API caller. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. - **scenarioID** The ID of the scenario. -- **sessionID** The ID for the file download session. -- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **sessionID** The ID of the file download session. - **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Indicates whether the download used memory streaming. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **callerName** Name of the API caller. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **callerName** The name of the API caller. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **clientTelId** A random number used for device sampling. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -5443,7 +6810,7 @@ The following fields are available: - **displayNeededReason** List of reasons for needing display. - **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).. - **gameModeReason** Name of the executable that caused the game mode state check to start. - **ignoredReason** List of reasons that were intentionally ignored. - **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery). @@ -5462,9 +6829,9 @@ The following fields are available: - **deferReason** Reason why the device could not check for updates. - **detectionBlockingPolicy** State of update action. -- **detectionBlockreason** Reason for blocking detection +- **detectionBlockreason** If we retry to scan - **detectionRetryMode** Indicates whether we will try to scan again. -- **errorCode** Error info +- **errorCode** State of update action - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. - **flightID** The specific ID of the Windows Insider build the device is getting. - **interactive** Indicates whether the session was user initiated. @@ -5472,7 +6839,7 @@ The following fields are available: - **revisionNumber** Update revision number. - **scanTriggerSource** Source of the triggered scan. - **updateId** Update ID. -- **updateScenarioType** Source of the triggered scan +- **updateScenarioType** Update Session type - **wuDeviceid** Device ID @@ -5557,7 +6924,7 @@ This event is sent during update scan, download, or install, and indicates that The following fields are available: -- **configVersion** Escalation config version on device . +- **configVersion** Escalation config version on device. - **downloadElapsedTime** Indicates how long since the download is required on device. - **downloadRiskLevel** At-risk level of download phase. - **installElapsedTime** Indicates how long since the install is required on device. @@ -5585,7 +6952,7 @@ This event indicates that the update is no longer applicable to this device. The following fields are available: -- **EventPublishedTime** Time when this event was generated +- **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. - **revisionNumber** Update revision number. - **updateId** Unique Windows Update ID. @@ -5633,7 +7000,7 @@ The following fields are available: - **deferReason** Reason for install not completing. - **errorCode** The error code reppresented by a hexadecimal value. - **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. +- **flightID** Unique update ID - **flightUpdate** Indicates whether the update is a Windows Insider build. - **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. - **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. @@ -5648,6 +7015,31 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + ### Microsoft.Windows.Update.Orchestrator.PostInstall This event is sent after a Windows update install completes. @@ -5723,6 +7115,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. @@ -5819,6 +7223,76 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **LastApplicableUpdateFoundTime** The time when the last applicable update was found. +- **LastDownloadDeferredReason** The last reason download was deferred. +- **LastDownloadDeferredTime** The time of the download deferral. +- **LastDownloadFailureError** The last download failure. +- **LastDownloadFailureTime** The time of the last download failure. +- **LastInstallCompletedTime** The time when the last successful install completed. +- **LastInstallDeferredReason** The reason the last install was deferred. +- **LastInstallDeferredTime** The time when the last install was deferred. +- **LastInstallFailureError** The error code associated with the last install failure. +- **LastInstallFailureTime** The time when the last install failed to complete. +- **LastRebootDeferredReason** The reason the last reboot was deferred. +- **LastRebootDeferredTime** The time when the last reboot was deferred. +- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”. +- **LastScanDeferredReason** The reason the last scan was deferred. +- **LastScanDeferredTime** The time when the last scan was deferred. +- **LastScanFailureError** The error code for the last scan failure. +- **LastScanFailureTime** The time when the last scan failed. +- **LastUpdateCheckTime** The time of the last update check. +- **LastUpdateDownloadTime** The time when the last update was downloaded. +- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure. +- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure. +- **LowUpTimeDetectTime** The last time “low up-time” was detected. +- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected. +- **RebootRequired** Indicates reboot is required. +- **UpgradeInProgressTime** The amount of time a feature update has been in progress. +- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date. +- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment. +- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date. +- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment. +- **wuDeviceid** Unique ID for Device + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5872,6 +7346,25 @@ The following fields are available: - **TaskName** Name of the task +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages @@ -5880,21 +7373,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS The following fields are available: -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Number of mounted images. -- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. -- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. -- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. -- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. -- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. -- **RelatedCV** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 0755ce1e09..b83547ea2a 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 10/03/2018 +ms.date: 11/07/2018 --- @@ -20,7 +20,7 @@ ms.date: 10/03/2018 - Windows 10, version 1809 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -281,7 +281,7 @@ The following fields are available: - **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DatasourceDevicePnp_RS2** The count of DatasourceApplicationFile objects present on this machine targeting the next release of Windows +- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. - **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. @@ -295,7 +295,7 @@ The following fields are available: - **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoBlock_RS2** The count of DatasourceDevicePnp objects present on this machine targeting the next release of Windows +- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. @@ -309,7 +309,7 @@ The following fields are available: - **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The count of DatasourceDriverPackage objects present on this machine targeting the next release of Windows +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. @@ -330,7 +330,7 @@ The following fields are available: - **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows +- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. - **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. @@ -344,7 +344,7 @@ The following fields are available: - **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. -- **DecisionMatchingInfoBlock_RS2** The count of DataSourceMatchingInfoPassive objects present on this machine targeting the next release of Windows +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. - **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. @@ -358,14 +358,14 @@ The following fields are available: - **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. -- **DecisionMediaCenter_RS2** The count of DatasourceSystemBios objects present on this machine targeting the next release of Windows +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. @@ -395,7 +395,7 @@ The following fields are available: - **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. - **SystemWlan** The count of the number of this particular object type present on this device. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. -- **Wmdrm_RS2** The count of InventoryLanguagePack objects present on this machine. +- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. - **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. @@ -666,7 +666,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1013,7 +1013,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -1818,14 +1818,18 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. +- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. +- **ContactsSystem** Current state of the Contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. +- **EmailSystem** Current state of the email setting. - **FindMyDevice** Current state of the "find my device" setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. @@ -1837,6 +1841,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -1846,6 +1851,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -1979,14 +1985,18 @@ The following fields are available: - **AdvertisingId** Current state of the advertising ID setting. - **AppDiagnostics** Current state of the app diagnostics setting. - **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** Current state of the calendar setting. - **Bluetooth** Current state of the Bluetooth capability setting. - **BluetoothSync** Current state of the Bluetooth sync capability setting. - **BroadFileSystemAccess** Current state of the broad file system access setting. - **CellularData** Current state of the cellular data capability setting. - **Chat** Current state of the chat setting. +- **ChatSystem** Current state of the chat setting. - **Contacts** Current state of the contacts setting. +- **ContactsSystem** Current state of the contacts setting. - **DocumentsLibrary** Current state of the documents library setting. - **Email** Current state of the email setting. +- **EmailSystem** Current state of the email setting. - **GazeInput** Current state of the gaze input setting. - **HumanInterfaceDevice** Current state of the human interface device setting. - **InkTypeImprovement** Current state of the improve inking and typing setting. @@ -1998,6 +2008,7 @@ The following fields are available: - **Microphone** Current state of the microphone setting. - **PhoneCall** Current state of the phone call setting. - **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** Current state of the call history setting. - **PicturesLibrary** Current state of the pictures library setting. - **Radios** Current state of the radios setting. - **SensorsCustom** Current state of the custom sensor setting. @@ -2007,6 +2018,7 @@ The following fields are available: - **USB** Current state of the USB setting. - **UserAccountInformation** Current state of the account information setting. - **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** Current state of the tasks setting. - **UserNotificationListener** Current state of the notifications setting. - **VideosLibrary** Current state of the videos library setting. - **Webcam** Current state of the camera setting. @@ -2256,6 +2268,59 @@ The following fields are available: ## Component-based servicing events +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + ### CbsServicingProvider.CbsLateAcquisition This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. @@ -2266,6 +2331,28 @@ The following fields are available: - **RetryID** The ID identifying the retry attempt to update the listed packages. +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -3009,6 +3096,87 @@ The following fields are available: - **CV** Correlation vector. +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum @@ -3104,8 +3272,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **InventoryVersion** The version of the inventory component -- **ProgramIds** The unique program identifier the driver is associated with +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. ### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync @@ -3308,9 +3476,10 @@ The following fields are available: - **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). - **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. - **Enumerator** The date of the driver loaded for the device. +- **ExtendedInfs** The extended INF file names. - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -3463,6 +3632,18 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + ### Microsoft.Windows.Inventory.General.AppHealthStaticAdd This event sends details collected for a specific application on the source device. @@ -3510,27 +3691,27 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **AddinCLSID** The CLSID for the Office add-in. -- **AddInId** Office add-in ID. -- **AddinType** Office add-in Type. -- **BinFileTimestamp** Timestamp of the Office add-in. -- **BinFileVersion** Version of the Office add-in. -- **Description** Office add-in description. -- **FileId** FileId of the Office add-in. -- **FileSize** File size of the Office add-in. -- **FriendlyName** Friendly name for office add-in. -- **FullPath** Unexpanded path to the office add-in. +- **AddinCLSID** The CLSID for the Office addin +- **AddInId** Office addin ID +- **AddinType** The type of the Office addin. +- **BinFileTimestamp** Timestamp of the Office addin +- **BinFileVersion** Version of the Office addin +- **Description** Office addin description +- **FileId** FileId of the Office addin +- **FileSize** File size of the Office addin +- **FriendlyName** Friendly name for office addin +- **FullPath** Unexpanded path to the office addin - **InventoryVersion** The version of the inventory binary generating the events. -- **LoadBehavior** Uint32 that describes the load behavior. -- **OfficeApplication** The office application for this add-in. -- **OfficeArchitecture** Architecture of the add-in. -- **OfficeVersion** The office version for this add-in. -- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in. -- **ProductCompany** The name of the company associated with the Office add-in. -- **ProductName** The product name associated with the Office add-in. -- **ProductVersion** The version associated with the Office add-in. -- **ProgramId** The unique program identifier of the Office add-in. -- **Provider** Name of the provider for this add-in. +- **LoadBehavior** Uint32 that describes the load behavior +- **OfficeApplication** The office application for this addin +- **OfficeArchitecture** Architecture of the addin +- **OfficeVersion** The office version for this addin +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin +- **ProductCompany** The name of the company associated with the Office addin +- **ProductName** The product name associated with the Office addin +- **ProductVersion** The version associated with the Office addin +- **ProgramId** The unique program identifier of the Office addin +- **Provider** Name of the provider for this addin ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove @@ -3908,6 +4089,153 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +## OneDrive events + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Other events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. + + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -3936,6 +4264,43 @@ The following fields are available: - **userRegionCode** The current user's region setting +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatfOrmTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. + + ## Software update events ### SoftwareUpdateClientTelemetry.CheckForUpdates @@ -4010,7 +4375,7 @@ The following fields are available: - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan - **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -4092,7 +4457,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. @@ -4169,7 +4534,7 @@ The following fields are available: - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -4219,7 +4584,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content has previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4240,7 +4605,7 @@ The following fields are available: - **CmdLineArgs** Command line arguments passed in by the caller. - **EventInstanceID** A globally unique identifier for the event instance. - **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **WUDeviceID** Unique device ID controlled by the software distribution client. @@ -4279,7 +4644,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. - **RepeatFailCount** Indicates whether this specific piece of content previously failed. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. @@ -4300,7 +4665,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -4334,6 +4699,296 @@ The following fields are available: - **LinkSpeed** The adapter link speed. +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + ## Upgrade events ### FacilitatorTelemetry.DCATDownload @@ -4364,6 +5019,197 @@ The following fields are available: - **Version** Version of Facilitator. +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + ### Setup360Telemetry.Setup360DynamicUpdate This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. @@ -4381,6 +5227,89 @@ The following fields are available: - **TargetBuild** Build of the target OS. +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + ## Windows as a Service diagnostic events ### Microsoft.Windows.WaaSMedic.SummaryEvent @@ -4407,6 +5336,50 @@ The following fields are available: - **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -4525,6 +5498,32 @@ The following fields are available: - **updateId** Unique identifier for each update. +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. @@ -4541,6 +5540,65 @@ The following fields are available: - **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel This event indicates that Windows Update activity was blocked due to low battery level. @@ -4553,6 +5611,22 @@ The following fields are available: - **wuDeviceid** Device ID. +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + ### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. @@ -4592,6 +5666,162 @@ The following fields are available: - **wuDeviceid** The Windows Update device ID. +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** Unique update ID +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.StickUpdate This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. @@ -4602,6 +5832,22 @@ The following fields are available: - **wuDeviceid** Unique device ID controlled by the software distribution client. +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours This event indicates that update activity was stopped due to active hours starting. @@ -4636,6 +5882,111 @@ The following fields are available: - **wuDeviceid** Unique device ID controlled by the software distribution client. +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique DeviceID + + ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask This event is sent when MUSE broker schedules a task. @@ -4646,4 +5997,73 @@ The following fields are available: - **TaskName** Name of the task. +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** Unique identifier for each flight. +- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Number of mounted images. +- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. +- **RelatedCV** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index dd46e67249..d7673c5f3d 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -1,5 +1,5 @@ --- -title: Windows 10 and the GDPR for IT Decision Makers +title: Windows and the GDPR-Information for IT Administrators and Decision Makers description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). keywords: privacy, GDPR, windows, IT ms.prod: w10 @@ -11,12 +11,17 @@ author: danihalfin ms.author: daniha ms.date: 05/11/2018 --- -# Windows 10 and the GDPR for IT Decision Makers +# Windows and the GDPR: Information for IT Administrators and Decision Makers Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 - Windows 10, version 1703 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. @@ -35,7 +40,7 @@ Here are some GDPR fundamentals: * The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. * A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. -Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. +Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. ### What is personal data under the GDPR? @@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. Some other examples of Windows functional data: -* The Weather app which uses the device’s location to retrieve local weather or community news. +* The Weather app which can use the device’s location to retrieve local weather or community news. * Wallpaper and desktop settings that are synchronized across multiple devices. For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). @@ -100,10 +105,10 @@ Some examples of diagnostic data include: * The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. * For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. -To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). >[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers. +>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. ### Windows services where Microsoft is the processor under the GDPR @@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo >The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. >[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. +>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. #### Windows Defender ATP @@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind | Service | Microsoft GDPR mode of operation | | --- | --- | -| Windows Functional data | Controller | +| Windows Functional data | Controller or Processor* | | Windows Diagnostic data | Controller | | Windows Analytics | Processor | | Windows Defender Advanced Threat Detection (ATP) | Processor | *Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* -## Recommended diagnostic data level settings +*/*Depending on which application/feature this is referring to.* -Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. +## Windows diagnostic data and Windows 10 -* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +### Recommended Windows 10 settings + +Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. + +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). >[!NOTE] >For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). * For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. -* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10. +>[!NOTE] +>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. -## Controlling the data collection and notification about it +### Additional information for Windows Analytics + +Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. + +Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +>[!NOTE] +>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy +). + +## Controlling Windows 10 data collection and notification about it Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. @@ -200,10 +221,38 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. -## At-a-glance: the relationship between an IT organization and the GDPR +### At-a-glance: the relationship between an IT organization and the GDPR Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. +## Windows Server + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. + +More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. + +### Windows diagnostic data and Windows Server + +The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. + +IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. + +### Backups and Windows Server + +Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. + +- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). +- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. + +## Windows 10 Team Edition, Version 1703 for Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +>[!NOTE] +>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. + +An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). + ## Further reading ### Optional settings / features that further improve the protection of personal data @@ -215,11 +264,11 @@ Personal data protection is one of the goals of the GDPR. One way of improving p ### Windows Security Baselines -Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). +Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). ### Windows Restricted Traffic Limited Functionality Baseline -To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). +To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). >[!IMPORTANT] >Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 865d98939f..3ac0a072a3 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -18,6 +18,7 @@ ms.date: 06/05/2018 - Windows 10 Enterprise, version 1607 and newer - Windows Server 2016 +- Windows Server 2019 If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +## What's new in Windows 10, version 1809 Enterprise edition + +Here's a list of changes that were made to this article for Windows 10, version 1809: + +- Added a policy to disable Windows Defender SmartScreen + ## What's new in Windows 10, version 1803 Enterprise edition Here's a list of changes that were made to this article for Windows 10, version 1803: @@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | @@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | @@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +### Settings for Windows Server 2019 + +See the following table for a summary of the management settings for Windows Server 2019. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + ## How to configure each setting Use the following sections for more information about how to configure each setting. @@ -336,9 +401,17 @@ After that, configure the following: ### 4. Device metadata retrieval -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +To prevent Windows from retrieving device metadata from the Internet: -You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + + -or - + +- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). + + -or - + +- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). ### 5. Find My Device @@ -608,7 +681,7 @@ You can turn off NCSI by doing one of the following: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1. > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. @@ -879,31 +952,13 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Micros -or- -- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. - - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - - Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** + - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen** + - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen** -or- -- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero). - - -or- - -- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: @@ -1793,6 +1848,36 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. +### 23.1 Windows Defender SmartScreen + +To disable Windows Defender Smartscreen: + +- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -or- + +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable** + + -or- + +- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero). + + -and- + +- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1. + + -and- + +- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 24. Windows Media Player To remove Windows Media Player on Windows 10: diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index 721814aabe..c324f877dd 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md @@ -145,13 +145,9 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper ## Certificates -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | - -The following endpoints are used to download certificates that are publicly known to be fraudulent. +Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 8ce020a25f..33ec5598fe 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 06/18/2018 +ms.date: 11/08/2018 ms.localizationpriority: medium --- @@ -24,6 +24,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. +## Video: Protect enterprise data from being accidentally copied to the wrong place + +> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh] + ## Prerequisites You’ll need this software to run WIP in your enterprise: diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3145f56988..a328d38a24 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -186,7 +186,7 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) ##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) -###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md) +###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) ###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index a83dc7afac..028116204e 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -63,8 +63,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) - [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 43bef2e93e..34297ac109 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,14 +1,14 @@ --- title: Top scoring in industry antivirus tests description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: security, malware, av-comparatives, av-test, av, antivirus +keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 09/05/2018 +ms.date: 11/07/2018 --- # Top scoring in industry antivirus tests @@ -18,18 +18,16 @@ ms.date: 09/05/2018 We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. - -> [!TIP] -> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). -



![AV-TEST logo](./images/av-test-logo.png) ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). +> [!NOTE] +> [Download our latest analysis: Examining the AV-TEST July-August results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) -### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) **Latest** +### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index b76c90029c..c9e7ce8541 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -25,7 +25,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have * **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. -* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. +* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. @@ -45,4 +45,4 @@ Download [Microsoft Security Essentials](https://www.microsoft.com/download/deta In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index dcda5f43d8..9366ed298f 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -113,4 +113,4 @@ To effectively build queries that span multiple tables, you need to understand t ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 11611c7741..f5f0d320e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/13/2018 +ms.date: 11/09/2018 --- # Use basic permissions to access the portal @@ -79,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te 6. Select **Manage** > **Directory role**. -7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. +7. Select **Add role** and choose the role you'd like to assign, then click **Select**. - ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) + + ![Image of Microsoft Azure portal](images/atp-azure-assign-role.png) ## Related topic - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png new file mode 100644 index 0000000000..93e294ec2b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 87f2d65c02..55f697cb46 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -54,14 +54,11 @@ Some actor profiles include a link to download a more comprehensive threat intel The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. ## Alert process tree -The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. +The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. ![Image of the alert process tree](images/atp-alert-process-tree.png) -The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert. - -The alert and related events or evidence have circles with thunderbolt icons inside them. - +The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. >[!NOTE] >The alert process tree might not be available in some alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 4d2d4dc628..e9577e41f5 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/01/2018 +ms.date: 11/06/2018 --- # Minimum requirements for Windows Defender ATP @@ -30,7 +30,9 @@ Windows Defender Advanced Threat Protection requires one of the following Micros - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). +For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare). + +For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index d53fe2abfd..aa40fd346e 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -42,7 +42,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us - Windows 7 SP1 Pro - Windows 8.1 Enterprise - Windows 8.1 Pro -- Windows 10 +- Windows 10, version 1607 or later - Windows 10 Enterprise - Windows 10 Education - Windows 10 Pro diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index ec2722306c..8c7c0f5e5f 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 02/13/2018 +ms.date: 11/08/2018 --- # Troubleshoot SIEM tool integration issues @@ -67,6 +67,12 @@ If you encounter an error when trying to get a refresh token when using the thre 6. Click **Save**. +## Error while enabling the SIEM connector application +If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. + + + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index abe99e8194..6d9b834f75 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/26/2018 +ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -76,8 +76,8 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**[Endpoint protection and response](overview-endpoint-detection-response.md)**
-Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](overview-endpoint-detection-response.md)**
+Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index a948e7db7e..8bbe633287 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -58,7 +58,7 @@ Block JavaScript or VBScript from launching downloaded executable content | [!in Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869