| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
| + +### Device readiness checks available for each scenario + +| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| ----- | ----- | +|Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.
| + +## Additional resources + +- [Device registration overview](windows-autopatch-device-registration-overview.md) +- [Register your devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png new file mode 100644 index 0000000000..c6abcd6790 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 2515a08a9a..9fa7e60794 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -27,3 +27,7 @@ After you've completed enrollment in Windows Autopatch, some management settings | Setting | Description | | ----- | ----- | | Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| + +## Windows Autopatch configurations + +Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e5fa5a92ef..df7c2b8966 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -71,6 +71,9 @@ sections: - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + - question: Can you change the policies and configurations created by Windows Autopatch? + answer: | + No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - name: Update Management questions: - question: What systems does Windows Autopatch update? @@ -99,7 +102,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index f5d9508b37..0b64d2adfa 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 08/04/2022 +ms.date: 09/16/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -24,7 +24,7 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).
| +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses @@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations -## Configuration Manager Co-management requirements +## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: - - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled: + - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index 5f31bb4692..698612aa82 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -14,6 +14,11 @@ msreviewer: hathind # Changes made at tenant enrollment +The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. + +> [!IMPORTANT] +> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. + ## Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json deleted file mode 100644 index ce2b043c43..0000000000 --- a/windows/device-security/docfx.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg", - "**/*.gif" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "ms.topic": "article", - "ms.date": "04/05/2017", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-device-security", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "win-device-security", - "markdownEngineName": "markdig" - } -} diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json deleted file mode 100644 index 2834682ce7..0000000000 --- a/windows/eulas/docfx.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json", - "extendBreadcrumb": true, - "feedback_system": "None", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "eula-vsts", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 3ef3314bf4..0794c284fd 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -105,7 +105,7 @@ conceptualContent: - url: /windows/configuration/provisioning-packages/provisioning-packages itemType: how-to-guide text: Use Provisioning packages to configure new devices - - url: /windows/configuration/windows-10-accessibility-for-itpros + - url: /windows/configuration/windows-accessibility-for-itpros itemType: overview text: Accessibility information for IT Pros - url: /windows/configuration/customize-start-menu-layout-windows-11 diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json deleted file mode 100644 index aa250a2f5c..0000000000 --- a/windows/keep-secure/docfx.json +++ /dev/null @@ -1,57 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "feedback_system": "None", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.keep-secure", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "keep-secure", - "markdownEngineName": "markdig" - } -} diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json deleted file mode 100644 index 2119242b44..0000000000 --- a/windows/known-issues/docfx.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "known-issues", - "markdownEngineName": "markdig" - } -} \ No newline at end of file diff --git a/windows/manage/TOC.yml b/windows/manage/TOC.yml deleted file mode 100644 index 892ce64421..0000000000 --- a/windows/manage/TOC.yml +++ /dev/null @@ -1,2 +0,0 @@ -- name: Test - href: test.md diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json deleted file mode 100644 index c5275101bf..0000000000 --- a/windows/manage/docfx.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-manage", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-manage", - "markdownEngineName": "markdig" - } -} diff --git a/windows/manage/test.md b/windows/manage/test.md deleted file mode 100644 index 36d16a3f6b..0000000000 --- a/windows/manage/test.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Test -description: Test -ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -author: dstrome -ms.author: dstrome -ms.reviewer: -manager: dstrome -ms.topic: article ---- - -# Test - -## Deployment planning - -This article provides guidance to help you plan for Windows 11 in your organization. - diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json deleted file mode 100644 index 9a47bdcced..0000000000 --- a/windows/plan/docfx.json +++ /dev/null @@ -1,56 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.windows-plan", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "windows-plan", - "markdownEngineName": "markdig" - } -} diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index ea38374d15..dee456d738 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -13,9 +13,9 @@ metadata: ms.collection: - M365-security-compliance - highpri - author: dansimp - ms.author: dansimp - manager: dansimp + author: DHB-MSFT + ms.author: danbrown + manager: dougeby ms.date: 09/08/2021 #Required; mm/dd/yyyy format. ms.localizationpriority: high @@ -47,7 +47,7 @@ productDirectory: # imageSrc should be square in ratio with no whitespace imageSrc: /media/common/i_extend.svg summary: Learn more about basic Windows diagnostic data events and fields collected. - url: required-windows-11-diagnostic-events-and-fields.md + url: required-diagnostic-events-fields-windows-11-22H2.md # Card - title: Windows 10 required diagnostic data imageSrc: /media/common/i_build.svg diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md new file mode 100644 index 0000000000..aa6f04328c --- /dev/null +++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md @@ -0,0 +1,3459 @@ +--- +description: Learn more about the Windows 11, version 22H2 diagnostic data gathered. +title: Required diagnostic events and fields for Windows 11, version 22H2 +keywords: privacy, telemetry +ms.prod: w10 +localizationpriority: high +author: DHB-MSFT +ms.author: danbrown +manager: dougeby +ms.collection: M365-security-compliance +ms.topic: article +audience: ITPro +ms.date: 09/20/2022 +--- + + +# Required diagnostic events and fields for Windows 11, version 22H2 + + **Applies to** + +- Windows 11, version 22H2 + +Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. + +Required diagnostic data helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + +- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md) +- [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **DatasourceApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DataSourceMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionApplicationFile_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDevicePnp_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionDriverPackage_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoBlock_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPassive_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMatchingInfoPostUpgrade_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionMediaCenter_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSModeState_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_20H1Setup** The total number of objects of this type present on this device. +- **DecisionSystemBios_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemDiskSize_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemMemory_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuCores_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuModel_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionSystemProcessorCpuSpeed_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTest_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionTpmVersion_CO21H2Setup** The total number of objects of this type present on this device. +- **DecisionUefiSecureBoot_CO21H2Setup** The total number of objects of this type present on this device. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The total number of objects of this type present on this device. +- **SystemProcessorPrefetchW** The total number of objects of this type present on this device. +- **SystemProcessorSse2** The total number of objects of this type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The total number of objects of this type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The total number of objects of this type present on this device. +- **Wmdrm_CO21H2Setup** The total number of objects of this type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending diagnostic data. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **SdbEntries** Deprecated in RS3. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd + +This event sends true/false compatibility decision data about the S mode state. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Appraiser decision about eligibility to upgrade. +- **LockdownMode** S mode lockdown mode. + + +### Microsoft.Windows.Appraiser.General.DecisionSModeStateStartSync + +The DecisionSModeStateStartSync event indicates that a new set of DecisionSModeStateAdd events will be sent. This event is used to make compatibility decisions about the S mode state. Microsoft uses this information to understand and address problems regarding the S mode state for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelStartSync + +The DecisionSystemProcessorCpuModelStartSync event indicates that a new set of DecisionSystemProcessorCpuModelAdd events will be sent. This event is used to make compatibility decisions about the CPU. Microsoft uses this information to understand and address problems regarding the CPU for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionTpmVersionStartSync + +The DecisionTpmVersionStartSync event indicates that a new set of DecisionTpmVersionAdd events will be sent. This event is used to make compatibility decisions about the TPM. Microsoft uses this information to understand and address problems regarding the TPM for computers receiving updates. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd + +This event collects information about data on support and state of UEFI Secure boot. UEFI is a verification mechanism for ensuring that code launched by firmware is trusted. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **Blocking** Appraiser upgradeability decision when checking for UEFI support. +- **SecureBootCapable** Is UEFI supported? +- **SecureBootEnabled** Is UEFI enabled? + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser binary (executable) generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **CountCustomSdbs** The number of custom Sdbs used by Appraiser. +- **CustomSdbGuids** Guids of the custom Sdbs used by Appraiser; Semicolon delimited list. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser diagnostic data run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates whether diagnostic data was successfully sent. +- **ThrottlingUtc** Indicates whether the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +## Census events + +### Census.App + +This event sends version data about the Apps running on this device, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **CensusVersion** The version of Census that generated the current data for this device. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry. +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **ModemOptionalCapabilityBitMap0** A bit map of optional capabilities in modem, such as eSIM support. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SupportedDataClassBitMap0** A bit map of the supported data classes (i.g, 5g 4g...) that the modem is capable of. +- **SupportedDataSubClassBitMap0** A bit map of data subclasses that the modem is capable of. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Code Integrity events + +### Microsoft.Windows.Security.CodeIntegrity.HVCISysprep.IsRegionDisabledLanguage + +Fires when an incompatible language pack is detected. + +The following fields are available: + +- **Language** String containing the incompatible language pack detected. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.mscv + +Describes the correlation vector-related fields. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related events across component boundaries. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. +- **ver** The version of the logging SDK. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **eventFlags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **loggingBinary** The binary (executable, library, driver, etc.) that fired the event. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **pgName** The short form of the provider group name associated with the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **providerGuid** The ETW provider ID associated with the provider name. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **wcmp** The Windows Shell Composer ID. +- **wPId** The Windows Core OS product ID. +- **wsId** The Windows Core OS session ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsQualityUpdateInstall + +This event reports on the performance and reliability results of installing Servicing content from Windows Update to keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build version number of the update package. +- **clientId** The name of the application requesting the optional content. +- **corruptionHistoryFlags** A bitmask of the types of component store corruption that have caused update failures on the device. +- **corruptionType** An enumeration listing the type of data corruption responsible for the current update failure. +- **currentStateEnd** The final state of the package after the operation has completed. +- **doqTimeSeconds** The time in seconds spent updating drivers. +- **executeTimeSeconds** The number of seconds required to execute the install. +- **failureDetails** The driver or installer that caused the update to fail. +- **failureSourceEnd** An enumeration indicating at what phase of the update a failure occurred. +- **hrStatusEnd** The return code of the install operation. +- **initiatedOffline** A true or false value indicating whether the package was installed into an offline Windows Imaging Format (WIM) file. +- **majorVersion** The major version number of the update package. +- **minorVersion** The minor version number of the update package. +- **originalState** The starting state of the package. +- **overallTimeSeconds** The time (in seconds) to perform the overall servicing operation. +- **planTimeSeconds** The time in seconds required to plan the update operations. +- **poqTimeSeconds** The time in seconds processing file and registry operations. +- **postRebootTimeSeconds** The time (in seconds) to do startup processing for the update. +- **preRebootTimeSeconds** The time (in seconds) between execution of the installation and the reboot. +- **primitiveExecutionContext** An enumeration indicating at what phase of shutdown or startup the update was installed. +- **rebootCount** The number of reboots required to install the update. +- **rebootTimeSeconds** The time (in seconds) before startup processing begins for the update. +- **resolveTimeSeconds** The time in seconds required to resolve the packages that are part of the update. +- **revisionVersion** The revision version number of the update package. +- **rptTimeSeconds** The time in seconds spent executing installer plugins. +- **shutdownTimeSeconds** The time (in seconds) required to do shutdown processing for the update. +- **stackRevision** The revision number of the servicing stack. +- **stageTimeSeconds** The time (in seconds) required to stage all files that are part of the update. + + +### CbsServicingProvider.CbsSelectableUpdateChangeV2 + +This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date. + +The following fields are available: + +- **applicableUpdateState** Indicates the highest applicable state of the optional content. +- **buildVersion** The build version of the package being installed. +- **clientId** The name of the application requesting the optional content change. +- **downloadSource** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **downloadtimeInSeconds** Indicates if optional content was obtained from Windows Update or a locally accessible file. +- **executionID** A unique ID used to identify events associated with a single servicing operation and not reused for future operations. +- **executionSequence** A counter that tracks the number of servicing operations attempted on the device. +- **firstMergedExecutionSequence** The value of a pervious executionSequence counter that is being merged with the current operation, if applicable. +- **firstMergedID** A unique ID of a pervious servicing operation that is being merged with this operation, if applicable. +- **hrDownloadResult** The return code of the download operation. +- **hrStatusUpdate** The return code of the servicing operation. +- **identityHash** A pseudonymized (hashed) identifier for the Windows Package that is being installed or uninstalled. +- **initiatedOffline** Indicates whether the operation was performed against an offline Windows image file or a running instance of Windows. +- **majorVersion** The major version of the package being installed. +- **minorVersion** The minor version of the package being installed. +- **packageArchitecture** The architecture of the package being installed. +- **packageLanguage** The language of the package being installed. +- **packageName** The name of the package being installed. +- **rebootRequired** Indicates whether a reboot is required to complete the operation. +- **revisionVersion** The revision number of the package being installed. +- **stackBuild** The build number of the servicing stack binary performing the installation. +- **stackMajorVersion** The major version number of the servicing stack binary performing the installation. +- **stackMinorVersion** The minor version number of the servicing stack binary performing the installation. +- **stackRevision** The revision number of the servicing stack binary performing the installation. +- **updateName** The name of the optional Windows Operation System feature being enabled or disabled. +- **updateStartState** A value indicating the state of the optional content before the operation started. +- **updateTargetState** A value indicating the desired state of the optional content. + + +## Diagnostic data events + +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown. +- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. +- **BatteryLevelAtLastShutdown** The last recorded battery level. +- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. +- **CrashDumpEnabled** Are crash dumps enabled? +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. +- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. +- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. +- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. +- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **InvalidBootStat** This is a sanity check flag that ensures the validity of the bootstat file. +- **LastBugCheckBootId** bootId of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastBugCheckProgress** Progress towards writing out the last crash dump. +- **LastBugCheckVersion** The version of the information struct written during the crash. +- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. +- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. +- **LongPowerButtonPressInstanceGuid** The Instance GUID for the user state of pressing and holding the power button. +- **OOBEInProgress** Identifies if OOBE is running. +- **OSSetupInProgress** Identifies if the operating system setup is running. +- **PowerButtonCumulativePressCount** How many times has the power button been pressed? +- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. +- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. +- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. +- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. +- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. +- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. +- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. +- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. +- **StaleBootStatData** Identifies if the data from bootstat is stale. +- **TransitionInfoBootId** BootId of the captured transition info. +- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. +- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. +- **TransitionInfoLastBootDiagCode** Tells us about the last boot with a diagnostic code. +- **TransitionInfoLastBootDiagStatus** Tells us whether the last boot diagnostic code is valid. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoLidState** Describes the state of the laptop lid. +- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. +- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. +- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. +- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. +- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise. +- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise. +- **IsProcessorMode** True if it is Processor Mode, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Last exit code of Census task +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** The total number of seconds with restricted network during this heartbeat period. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **PrivacyBlockedCount** The number of events blocked due to privacy settings or tags. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.PrivacyGuardReport + +Reports that the Connected User Experiences and Telemetry service encountered an event that may contain privacy data. The event contains information needed to identify and study the source event that triggered the report. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **EventEpoch** The epoch in which the source event that triggered the report was fired. +- **EventName** The name of the source event that triggered the report. +- **EventSeq** The sequence number of the source event that triggered the report. +- **FieldName** The field of interest in the source event that triggered the report. +- **IsAllowedToSend** True if the field of interest was sent unmodified in the source event that triggered the report, false if the field of interest was anonymized. +- **IsDebug** True if the event was logged in a debug build of Windows. +- **TelemetryApi** The application programming interface used to log the source event that triggered the report. Current values for this field can be "etw" or "rpc". +- **TypeAsText** The type of issue detected in the source event that triggered the report. Current values for this field can be "UserName" or "DeviceName". + + +## Driver installation events + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd + +This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **DriverUpdated** Indicates whether the driver was updated. +- **Error** The Win32 error code of the installation. +- **InstallDate** The date the driver was installed. +- **InstallFlags** The driver installation flags. +- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **RebootRequired** Indicates whether a reboot is required after the installation. +- **RollbackPossible** Indicates whether this driver can be rolled back. + + +### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart + +This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DeviceInstanceId** The unique identifier of the device in the system. +- **FirstInstallDate** The first time a driver was installed on this device. +- **InstallFlags** Flag indicating how driver setup was called. +- **LastDriverDate** Date of the driver that is being replaced. +- **LastDriverInbox** Indicates whether the previous driver was included with Windows. +- **LastDriverInfName** Name of the INF file (the setup information file) of the driver being replaced. +- **LastDriverPackageId** ID of the driver package installed on the device before the current install operation began. ID contains the name + architecture + hash. +- **LastDriverVersion** The version of the driver that is being replaced. +- **LastFirmwareDate** The date of the last firmware reported from the EFI System Resource Table (ESRT). +- **LastFirmwareRevision** The last firmware revision number reported from EFI System Resource Table (ESRT). +- **LastFirmwareVersion** The last firmware version reported from the EFI System Resource Table (ESRT). +- **LastInstallDate** The date a driver was last installed on this device. +- **LastMatchingDeviceId** The hardware ID or compatible ID that Windows last used to install the device instance. +- **LastProblem** The previous problem code that was set on the device. +- **LastProblemStatus** The previous problem code that was set on the device. +- **LastSubmissionId** The driver submission identifier of the driver that is being replaced. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Feature quality events + +### Microsoft.Windows.FeatureQuality.Heartbeat + +This event indicates the feature status heartbeat. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **Features** Array of features. + + +### Microsoft.Windows.FeatureQuality.StateChange + +This event indicates the change of feature state. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **state** New state. + + +### Microsoft.Windows.FeatureQuality.Status + +This event indicates the feature status. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **featureId** Feature id. +- **flightId** Flight id. +- **time** Time of status change. +- **variantId** Variant id. + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Holographic events + +### Microsoft.Windows.Shell.HolographicFirstRun.AppActivated + +This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **IsDemoMode** Windows Mixed Reality Portal app state of demo mode. +- **IsDeviceSetupComplete** Windows Mixed Reality Portal app state of device setup completion. +- **PackageVersion** Windows Mixed Reality Portal app package version. +- **PreviousExecutionState** Windows Mixed Reality Portal app prior execution state. +- **wilActivity** Windows Mixed Reality Portal app wilActivity ID. + + +### TraceLoggingOasisUsbHostApiProvider.DeviceInformation + +This event provides Windows Mixed Reality device information. This event is also used to count WMR device and device type. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BootloaderMajorVer** Windows Mixed Reality device boot loader major version. +- **BootloaderMinorVer** Windows Mixed Reality device boot loader minor version. +- **BootloaderRevisionNumber** Windows Mixed Reality device boot loader revision number. +- **CalibrationBlobSize** Windows Mixed Reality device calibration blob size. +- **CalibrationFwMajorVer** Windows Mixed Reality device calibration firmware major version. +- **CalibrationFwMinorVer** Windows Mixed Reality device calibration firmware minor version. +- **CalibrationFwRevNum** Windows Mixed Reality device calibration firmware revision number. +- **DeviceInfoFlags** Windows Mixed Reality device info flags. +- **FirmwareMajorVer** Windows Mixed Reality device firmware major version. +- **FirmwareMinorVer** Windows Mixed Reality device firmware minor version. +- **FirmwareRevisionNumber** Windows Mixed Reality device calibration firmware revision number. +- **FpgaFwMajorVer** Windows Mixed Reality device FPGA firmware major version. +- **FpgaFwMinorVer** Windows Mixed Reality device FPGA firmware minor version. +- **FpgaFwRevisionNumber** Windows Mixed Reality device FPGA firmware revision number. +- **FriendlyName** Windows Mixed Reality device friendly name. +- **HashedSerialNumber** Windows Mixed Reality device hashed serial number. +- **HeaderSize** Windows Mixed Reality device header size. +- **HeaderVersion** Windows Mixed Reality device header version. +- **LicenseKey** Windows Mixed Reality device header license key. +- **Make** Windows Mixed Reality device make. +- **ManufacturingDate** Windows Mixed Reality device manufacturing date. +- **Model** Windows Mixed Reality device model. +- **PresenceSensorHidVendorPage** Windows Mixed Reality device presence sensor HID vendor page. +- **PresenceSensorHidVendorUsage** Windows Mixed Reality device presence sensor HID vendor usage. +- **PresenceSensorUsbVid** Windows Mixed Reality device presence sensor USB VId. +- **ProductBoardRevision** Windows Mixed Reality device product board revision number. +- **SerialNumber** Windows Mixed Reality device serial number. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **InventoryAcpiPhatHealthRecord** A count of ACPI PHAT Health Record objects in cache. +- **InventoryAcpiPhatVersionElement** A count of ACPI PHAT Version Element objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceSensor** A count of device sensor objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryVersion** test + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceSensorAdd + +This event sends basic metadata about sensor devices on a machine. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **Manufacturer** Sensor manufacturer. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **FlightIds** Driver Flight IDs. +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **RecoveryIds** Driver recovery IDs. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem + +This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Count** The total number of events. +- **DeviceInstanceId** The unique identifier of the device on the system. +- **LastProblem** The previous problem that was cleared. +- **LastProblemStatus** The previous NTSTATUS value that was cleared. +- **ServiceName** The name of the driver or service attached to the device. + + +## Microsoft Edge events + +### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping + +This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date. + +The following fields are available: + +- **appAp** Any additional parameters for the specified application. Default: ''. +- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined. +- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''. +- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev). +- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''. +- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''. +- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited. +- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'. +- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''. +- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'. +- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'. +- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. +- **appLastLaunchTime** The time when browser was last launched. +- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. +- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply. +- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. +- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. +- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. +- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'. +- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. +- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''. +- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. +- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'. +- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information. +- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'. +- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'. +- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply. +- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event. +- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag. +- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'. +- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'. +- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not. +- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''. +- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''. +- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'. +- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **eventType** A string indicating the type of the event. Please see the wiki for additional information. +- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only. +- **hwDiskType** Device’s hardware disk type. +- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'. +- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'. +- **hwLogicalCpus** Number of logical CPUs of the device. +- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'. +- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'. +- **oemProductManufacturer** The device manufacturer name. +- **oemProductName** The product name of the device defined by device manufacturer. +- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''. +- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''. +- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''. +- **osVersion** The primary version of the operating system. '' if unknown. Default: ''. +- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'. +- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''. +- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'. +- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''. +- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'. +- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''. +- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'. +- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined. +- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''. +- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''. +- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''. +- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''. +- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''. + + +## OneSettings events + +### Microsoft.Windows.OneSettingsClient.Status + +This event indicates the config usage of status update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **flightId** Flight id. +- **time** Time. + + +## OOBE events + +### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled + +This event is the result of an attempt to cancel ZDP task. + +The following fields are available: + +- **cancelReason** Enum for source/reason to cancel. +- **resultCode** HR result of the cancellation. + + +## Other events + +### Microsoft.Edge.Crashpad.HangEvent + +This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang. + +The following fields are available: + +- **app_name** The name of the hanging process. +- **app_session_guid** Encodes the boot session, process, and process start time. +- **app_version** The version of the hanging process. +- **client_id_hash** Hash of the browser client id to help identify the installation. +- **etag** Identifier to help identify running browser experiments. +- **hang_source** Identifies how the hang was detected. +- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc. +- **stack_hash** A hash of the hanging stack. Currently not used or set to zero. + + +### Microsoft.Gaming.Critical.Error + +Common error event used by the Gaming Telemetry Library to provide centralized monitoring for critical errors logged by callers using the library. + +The following fields are available: + +- **callStack** List of active subroutines running during error occurrence. +- **componentName** Friendly name meant to represent what feature area this error should be attributed to. Used for aggregations and pivots of data. +- **customAttributes** List of custom attributes. +- **errorCode** Error code. +- **extendedData** JSON blob representing additional, provider-level properties common to the component. +- **featureName** Friendly name meant to represent which feature this should be attributed to. +- **identifier** Error identifier. +- **message** Error message. +- **properties** List of properties attributed to the error. + + +### Microsoft.Gaming.Critical.ProviderRegistered + +Indicates that a telemetry provider has been registered with the Gaming Telemetry Library. + +The following fields are available: + +- **providerNamespace** The telemetry Namespace for the registered provider. + + +### Microsoft.Gaming.OOBE.HDDBackup + +This event describes whether an External HDD back up has been found. + +The following fields are available: + +- **backupVersion** version number of backup. +- **extendedData** JSON blob representing additional, provider-level properties common to the component. +- **hasConsoleSettings** Indicates whether the console settings stored. +- **hasUserSettings** Indicates whether the user settings stored. +- **hasWirelessProfile** Indicates whether the wireless profile stored. +- **hddBackupFound** Indicates whether hdd backup is found. +- **osVersion** Operating system version. + + +### Microsoft.Gaming.OOBE.OobeComplete + +This event is triggered when OOBE activation is complete. + +The following fields are available: + +- **allowAutoUpdate** Allows auto update. +- **allowAutoUpdateApps** Allows auto update for apps. +- **appliedTransferToken** Applied transfer token. +- **connectionType** Connection type. +- **curSessionId** Current session id. +- **extendedData** JSON blob representing additional, provider-level properties common to the component. +- **instantOn** Instant on. +- **moobeAcceptedState** Moobe accepted state. +- **phaseOneElapsedTimeMs** Total elapsed time in milliseconds for phase 1. +- **phaseOneVersion** Version of phase 1. +- **phaseTwoElapsedTimeMs** Total elapsed time in milliseconds for phase 2. +- **phaseTwoVersion** Version of phase 2. +- **systemUpdateRequired** Indicates whether a system update required. +- **totalElapsedTimeMs** Total elapsed time in milliseconds of all phases. +- **usedCloudBackup** Indicates whether cloud backup is used. +- **usedHDDBackup** Indicates whether HDD backup is used. +- **usedOffConsole** Indicates whether off console is used. + + +### Microsoft.Gaming.OOBE.SessionStarted + +This event is sent at the start of OOBE session. + +The following fields are available: + +- **customAttributes** customAttributes. +- **extendedData** extendedData. + + +### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState + +This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **CV** The correlation vector. +- **GlobalEventCounter** The global event counter for all telemetry on the device. +- **UpdateAssistantStateDownloading** True at the start Downloading. +- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication. +- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates. +- **UpdateAssistantStateInstalling** True at the start of Installing. +- **UpdateAssistantStatePostInstall** True at the start of PostInstall. +- **UpdateAssistantVersion** Current package version of UpdateAssistant. + + +### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled + +This event fires when HVCI is already enabled so no need to continue auto-enablement. + + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +## Surface events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +deny + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_BPM + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMCurrentlyEngaged** Instantaneous snapshot if BPM is engaged on device. +- **BPMExitCriteria** What is the BPM exit criteria - 20%SOC or 50%SOC? +- **BPMHvtCountA** Current HVT count for BPM counter A. +- **BPMHvtCountB** Current HVT count for BPM counter B. +- **bpmOptOutLifetimeCount** BPM OptOut Lifetime Count. +- **BPMRsocBucketsHighTemp_Values** Time in temperature range 46°C -60°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsLowTemp_Values** Time in temperature range 0°C -20°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumHighTemp_Values** Time in temperature range 36°C -45°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMRsocBucketsMediumLowTemp_Values** Time in temperature range 21°C-35°C and in the following true RSOC ranges: 0%-49%; 50%-79%; 80%-89%; 90%-94%; 95%-100%. +- **BPMTotalEngagedMinutes** Total time that BPM was engaged. +- **BPMTotalEntryEvents** Total number of times entering BPM. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** Log Class. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** Log MGR version. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** Product ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_CTT + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BPMKioskModeStartDateInSeconds** First time Battery Limit was turned on. +- **BPMKioskModeTotalEngagedMinutes** Total time Battery Limit was on (SOC value at 50%). +- **CTTMinSOC1day** Rolling 1 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC28day** Rolling 28 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC3day** Rolling 3 day minimum SOC. Value set to 0 initially. +- **CTTMinSOC7day** Rolling 7 day minimum SOC. Value set to 0 initially. +- **CTTStartDateInSeconds** Start date from when device was starting to be used. +- **currentAuthenticationState** Current Authentication State. +- **ProtectionPolicy** Battery limit engaged. True (0 False). +- **SeqNum** Sequence Number. +- **Ver** Schema version. +- **VoltageOptimization** Current CTT reduction in mV. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV2_GG + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **cbTimeCell_Values** cb time for different cells. +- **ComponentId** Component ID. +- **cycleCount** Cycle Count. +- **deltaVoltage** Delta voltage. +- **eocChargeVoltage_Values** EOC Charge voltage values. +- **fullChargeCapacity** Full Charge Capacity. +- **FwVersion** FW version that created this log. +- **lastCovEvent** Last Cov event. +- **lastCuvEvent** Last Cuv event. +- **LogClass** LOG_CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG_MGR_VERSION. +- **manufacturerName** Manufacturer name. +- **maxChargeCurrent** Max charge current. +- **maxDeltaCellVoltage** Max delta cell voltage. +- **maxDischargeCurrent** Max discharge current. +- **maxTempCell** Max temp cell. +- **maxVoltage_Values** Max voltage values. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **minTempCell** Min temp cell. +- **minVoltage_Values** Min voltage values. +- **numberOfCovEvents** Number of Cov events. +- **numberOfCuvEvents** Number of Cuv events. +- **numberOfOCD1Events** Number of OCD1 events. +- **numberOfOCD2Events** Number of OCD2 events. +- **numberOfQmaxUpdates** Number of Qmax updates. +- **numberOfRaUpdates** Number of Ra updates. +- **numberOfShutdowns** Number of shutdowns. +- **pfStatus_Values** pf status values. +- **ProductId** Product ID. +- **qmax_Values** Qmax values for different cells. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEventV3 + +This event includes the hardware level data about battery performance. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **BatteryTelemetry** Hardware Level Data about battery performance. +- **ComponentId** Component ID. +- **FwVersion** FW version that created this log. +- **LogClass** LOG CLASS. +- **LogInstance** Log instance within class (1..n). +- **LogVersion** LOG MGR VERSION. +- **MCUInstance** Instance id used to identify multiple MCU's in a product. +- **ProductId** ProductId ID. +- **SeqNum** Sequence Number. +- **TimeStamp** UTC seconds when log was created. +- **Ver** Schema version. + + +### Microsoft.Surface.SystemReset.Prod.ResetCauseEventV2 + +This event sends reason for SAM, PCH and SoC reset. The data collected with this event is used to keep Windows performing properly. + +The following fields are available: + +- **HostResetCause** Host reset cause. +- **PchResetCause** PCH reset cause. +- **SamResetCause** SAM reset cause. + + +## UEFI events + +### Microsoft.Windows.UEFI.ESRT + +This event sends basic data during boot about the firmware loaded or recently installed on the machine. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **DriverFirmwareFilename** The firmware file name reported by the device hardware key. +- **DriverFirmwareIntegrityFilename** Filename of the integrity package that is supplied in the firmware package. +- **DriverFirmwarePolicy** The optional version update policy value. +- **DriverFirmwareStatus** The firmware status reported by the device hardware key. +- **DriverFirmwareVersion** The firmware version reported by the device hardware key. +- **FirmwareId** The UEFI (Unified Extensible Firmware Interface) identifier. +- **FirmwareLastAttemptStatus** The reported status of the most recent firmware installation attempt, as reported by the EFI System Resource Table (ESRT). +- **FirmwareLastAttemptVersion** The version of the most recent attempted firmware installation, as reported by the EFI System Resource Table (ESRT). +- **FirmwareType** The UEFI (Unified Extensible Firmware Interface) type. +- **FirmwareVersion** The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System Resource Table (ESRT). +- **InitiateUpdate** Indicates whether the system is ready to initiate an update. +- **LastAttemptDate** The date of the most recent attempted firmware installation. +- **LastAttemptStatus** The result of the most recent attempted firmware installation. +- **LastAttemptVersion** The version of the most recent attempted firmware installation. +- **LowestSupportedFirmwareVersion** The oldest (lowest) version of firmware supported. +- **MaxRetryCount** The maximum number of retries, defined by the firmware class key. +- **RetryCount** The number of attempted installations (retries), reported by the driver software key. +- **Status** The status returned to the PnP (Plug-and-Play) manager. +- **UpdateAttempted** Indicates if installation of the current update has been attempted before. + + +## Update events + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean indicating whether a cancel was requested. +- **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. +- **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. +- **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. +- **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. +- **DownloadedSizePSFX** Cumulative size (in bytes) of downloaded PSFX content. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageCountTotalPSFX** The total number of PSFX packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **PackageSizePSFX** The size of PSFX packages, in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **SandboxTaggedForReserves** The sandbox for reserves. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean that indicates whether a cancel was requested. +- **CanonicalRequestedOnError** Indicates if an error caused a reversion to a different type of compressed update (TRUE or FALSE). +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CancelRequested** Boolean to indicate whether a cancel was requested. +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **UpdatePriority** Indicates the priority that Update Agent is requested to run in for the install phase of an update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE. +- **ObjectId** The unique value for each Update Agent mode. +- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **UpdateState** Indicates the state of the machine when Suspend is called. For example, Install, Download, Commit. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupLaunchAttemptCount** Indicates the count of attempts to launch setup for the current Update Agent instance. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Upgrade events + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.StackDataResetPerformAction + +This event removes the datastore allowing for corrupt devices to reattempt an update. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **DatastoreSizeInMB** Size of Datastore.edb file. Default: -1 if not set/unknown. +- **FreeSpaceInGB** Free space on the device before deleting the datastore. Default: -1 if not set/unknown. +- **HrLastFailure** Error code from the failed removal. +- **HrResetDatastore** Result of the attempted removal. +- **HrStopGroupOfServices** Result of stopping the services. +- **MaskServicesStopped** Bit field to indicate which services were stopped succesfully. Bit on means success. List of services: usosvc(1<<0), dosvc(1<<1), wuauserv(1<<2), bits(1<<3). +- **NumberServicesToStop** The number of services that require manual stopping. + + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **capsuleCount** The number of Sediment Pack capsules. +- **capsuleFailureCount** The number of capsule failures. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineBlockReason** Indicates the reason for stopping WaaSMedic. +- **hrEngineResult** Error code from the engine operation. +- **hrLastSandboxError** The last error sent by the WaaSMedic sandbox. +- **initSummary** Summary data of the initialization method. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **pluginFailureCount** The number of plugins that have failed. +- **pluginsCount** The number of plugins. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **uusVersion** The version of the UUS package. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Store events + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **BundleId** The bundle ID +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AutoUpdateWorkScheduledWithUOTime** The time when work was first scheduled with UO. Value deleted when UO calls UnblockLowPriorityWorkItems. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? +- **NumberOfApplicableUpdates** The number of packages returned by this operation. +- **PFN** The PackageFullName of the app currently installed on the machine. This operation is scanning for an update for this app. Value will be empty if operation is scanning for updates for more than one app. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.StateTransition + +Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure. + +The following fields are available: + +- **CatalogId** The ID for the product being installed if the product is from a private catalog, such as the Enterprise catalog. +- **FulfillmentPluginId** The ID of the plugin needed to install the package type of the product. +- **HResult** The resulting HResult error/success code of this operation. +- **NewState** The current fulfillment state of this product. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **PluginLastStage** The most recent product fulfillment step that the plug-in has reported (different than its state). +- **PluginTelemetryData** Diagnostic information specific to the package-type plug-in. +- **Prevstate** The previous fulfillment state of this product. +- **ProductId** Product ID of the app that is being updated or installed. + + +## Windows Update CSP events + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable + +This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **sacDevice** Represents the device info. +- **wUfBConnected** Result of WUfB connection check. + + +### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted + +This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date. + + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLedbat** The number of bytes received from source using an Ledbat enabled connection. +- **bytesFromLinkLocalPeers** The number of bytes received from local peers. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **congestionPrevention** Indicates a download may have been suspended to prevent network congestion. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **expiresAt** The time when the content will expire from the Delivery Optimization Cache. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **groupID** A GUID representing a custom group of devices. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isThrottled** Event Rate throttled (event represents aggregated data). +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **linkLocalConnectionCount** The number of connections made to peers in the same Link-local network. +- **numPeers** The total number of peers used for this download. +- **numPeersLocal** The total number of local peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **rttMs** Min, Max, Avg round-trip time to the source. +- **rttRLedbatMs** Min, Max, Avg round-trip time to a Ledbat enabled source. +- **sessionID** The ID of the download session. +- **sessionTimeMs** The duration of the session, in milliseconds. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system. +- **missingUpdateCount** The number of updates in the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** The number of drivers packages delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** The unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight. +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The unique identifier for the update scenario. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **flightId** The unique identifier for each flight. +- **mode** The mode that is starting. +- **objectId** The unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique identifier for each update. + + +### Microsoft.Windows.Update.SIHClient.TaskRunCompleted + +This event is a launch event for Server Initiated Healing client. + +The following fields are available: + +- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for event instance. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UusVersion** The version of the Update Undocked Stack. +- **WUDeviceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). + + +### Microsoft.Windows.Update.SIHClient.TaskRunStarted + +This event is a launch event for Server Initiated Healing client. + +The following fields are available: + +- **CallerApplicationName** Name of the application making the Windows Update Request. Used to identify context of the request. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for event instance. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc). +- **UusVersion** The version of the Update Undocked Stack. +- **WUDeviceID** Unique device id controlled by the software distribution client. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.Derived.ClientAggregated.LaunchPageDuration + +This event is derived event results for the LaunchPageDuration scenario. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncExit + +This event is sent when RUXIM completes checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ETagValue** eTag for sync. +- **hrInitialize** Error, if any, that occurred while initializing OneSettings. +- **hrQuery** Error, if any, that occurred while retrieving UX interaction campaign data from OneSettings. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSOneSettingsSyncLaunch + +This event is sent when RUXIM begins checking with OneSettings to retrieve any UX interaction campaigns that may need to be displayed. The data collected with this event is used to help keep Windows up to date. + + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.FixupWimmountSysPath + +This event sends data specific to the FixupWimmountSysPath mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. +- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **RelatedCV** Correlation vector value. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **ScenarioSupported** Whether the updated scenario that was passed in was supported. +- **SessionId** The UpdateAgent “SessionId” value. +- **UpdateId** Unique identifier for the Update. +- **WuId** Unique identifier for the Windows Update client. + + + diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 0d5c7f865c..c5f8c39e62 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -1,6 +1,6 @@ --- description: Learn more about the Windows 11 diagnostic data gathered at the basic level. -title: Required Windows 11 diagnostic events and fields +title: Required diagnostic events and fields for Windows 11, version 21H2 ms.prod: m365-security localizationpriority: high author: DHB-MSFT @@ -15,7 +15,7 @@ ms.technology: privacy --- -# Required Windows 11 diagnostic events and fields +# Required diagnostic events and fields for Windows 11, version 21H2 > [!IMPORTANT] > Windows is moving to classifying the data collected from customer’s devices as either Required or Optional. @@ -23,7 +23,7 @@ ms.technology: privacy **Applies to** -- Windows 11 +- Windows 11, version 21H2 Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. @@ -34,6 +34,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md) - [Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml index ef92db9493..cca1091e48 100644 --- a/windows/privacy/toc.yml +++ b/windows/privacy/toc.yml @@ -15,7 +15,9 @@ href: Microsoft-DiagnosticDataViewer.md - name: Required Windows diagnostic data events and fields items: - - name: Required Windows 11 diagnostic data events and fields + - name: Windows 11, version 22H2 required diagnostic events and fields + href: required-diagnostic-events-fields-windows-11-22H2.md + - name: Windows 11, version 21H2 required diagnostic events and fields href: required-windows-11-diagnostic-events-and-fields.md - name: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields href: required-windows-diagnostic-data-events-and-fields-2004.md diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json deleted file mode 100644 index c5cbdfb50a..0000000000 --- a/windows/release-information/docfx.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "_themes/**", - "_themes.pdf/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json", - "ms.prod": "w10", - "ms.date": "4/30/2019", - "audience": "ITPro", - "titleSuffix": "Windows Release Information", - "extendBreadcrumb": true, - "feedback_system": "None", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "release-information", - "markdownEngineName": "markdig" - } -} diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index be054e388b..63ab9a4a86 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -5,13 +5,19 @@ href: zero-trust-windows-device-health.md expanded: true - name: Hardware security - items: + items: - name: Overview href: hardware.md + - name: Microsoft Pluton security processor + items: + - name: Microsoft Pluton overview + href: information-protection/pluton/microsoft-pluton-security-processor.md + - name: Microsoft Pluton as TPM + href: information-protection/pluton/pluton-as-tpm.md - name: Trusted Platform Module href: information-protection/tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview + items: + - name: Trusted Platform Module overview href: information-protection/tpm/trusted-platform-module-overview.md - name: TPM fundamentals href: information-protection/tpm/tpm-fundamentals.md @@ -32,16 +38,16 @@ - name: System Guard Secure Launch and SMM protection href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - name: Enable virtualization-based protection of code integrity - href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md - name: Kernel DMA Protection href: information-protection/kernel-dma-protection-for-thunderbolt.md - name: Windows secured-core devices href: /windows-hardware/design/device-experiences/oem-highly-secure - name: Operating system security - items: + items: - name: Overview href: operating-system.md - - name: System security + - name: System security items: - name: Secure the Windows boot process href: information-protection/secure-the-windows-10-boot-process.md @@ -70,19 +76,19 @@ href: threat-protection/security-policy-settings/security-policy-settings.md - name: Security auditing href: threat-protection/auditing/security-auditing-overview.md - - name: Encryption and data protection + - name: Encryption and data protection href: encryption-data-protection.md items: - name: Encrypted Hard Drive href: information-protection/encrypted-hard-drive.md - - name: BitLocker + - name: BitLocker href: information-protection/bitlocker/bitlocker-overview.md - items: + items: - name: Overview of BitLocker Device Encryption in Windows href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml - items: + items: - name: Overview and requirements href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml - name: Upgrading @@ -128,7 +134,7 @@ - name: Protecting cluster shared volumes and storage area networks with BitLocker href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - name: Troubleshoot BitLocker - items: + items: - name: Troubleshoot BitLocker href: information-protection/bitlocker/troubleshoot-bitlocker.md - name: "BitLocker cannot encrypt a drive: known issues" @@ -142,20 +148,28 @@ - name: "BitLocker configuration: known issues" href: information-protection/bitlocker/ts-bitlocker-config-issues.md - name: Troubleshoot BitLocker and TPM issues - items: + items: - name: "BitLocker cannot encrypt a drive: known TPM issues" href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md - name: "BitLocker and TPM: other known issues" href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md - name: Decode Measured Boot logs to track PCR changes href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Personal Data Encryption (PDE) + items: + - name: Personal Data Encryption (PDE) overview + href: information-protection/personal-data-encryption/overview-pde.md + - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) + href: information-protection/personal-data-encryption/faq-pde.yml + - name: Configure Personal Data Encryption (PDE) in Intune + href: information-protection/personal-data-encryption/configure-pde-in-intune.md - name: Configure S/MIME for Windows - href: identity-protection/configure-s-mime.md + href: identity-protection/configure-s-mime.md - name: Network security items: - name: VPN technical guide href: identity-protection/vpn/vpn-guide.md - items: + items: - name: VPN connection types href: identity-protection/vpn/vpn-connection-type.md - name: VPN routing decisions @@ -182,13 +196,13 @@ href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md - name: Windows security baselines href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - items: + items: - name: Security Compliance Toolkit href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md - name: Get support - href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md - name: Virus & threat protection - items: + items: - name: Overview href: threat-protection/index.md - name: Microsoft Defender Antivirus @@ -206,7 +220,7 @@ - name: Microsoft Defender for Endpoint href: /microsoft-365/security/defender-endpoint - name: More Windows security - items: + items: - name: Override Process Mitigation Options to help enforce app-related security policies href: threat-protection/override-mitigation-options-for-app-related-security-policies.md - name: Use Windows Event Forwarding to help with intrusion detection @@ -215,13 +229,13 @@ href: threat-protection/block-untrusted-fonts-in-enterprise.md - name: Windows Information Protection (WIP) href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md - items: + items: - name: Create a WIP policy using Microsoft Intune href: information-protection/windows-information-protection/overview-create-wip-policy.md - items: + items: - name: Create a WIP policy in Microsoft Intune href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md - items: + items: - name: Deploy your WIP policy in Microsoft Intune href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md - name: Associate and deploy a VPN policy for WIP in Microsoft Intune @@ -232,7 +246,7 @@ href: information-protection/windows-information-protection/wip-app-enterprise-context.md - name: Create a WIP policy using Microsoft Endpoint Configuration Manager href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md - items: + items: - name: Create and deploy a WIP policy in Configuration Manager href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate @@ -249,7 +263,7 @@ href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md - name: General guidance and best practices for WIP href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md - items: + items: - name: Enlightened apps for use with WIP href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md - name: Unenlightened and enlightened app behavior while using WIP @@ -274,17 +288,20 @@ href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md - name: Windows Sandbox href: threat-protection/windows-sandbox/windows-sandbox-overview.md - items: + items: - name: Windows Sandbox architecture href: threat-protection/windows-sandbox/windows-sandbox-architecture.md - name: Windows Sandbox configuration href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md - name: Microsoft Defender SmartScreen overview href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + items: + - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen + href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md - name: Configure S/MIME for Windows href: identity-protection\configure-s-mime.md - name: Windows Credential Theft Mitigation Guide Abstract - href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md - name: User security and secured identity items: - name: Overview @@ -297,7 +314,7 @@ href: identity-protection/enterprise-certificate-pinning.md - name: Protect derived domain credentials with Credential Guard href: identity-protection/credential-guard/credential-guard.md - items: + items: - name: How Credential Guard works href: identity-protection/credential-guard/credential-guard-how-it-works.md - name: Credential Guard Requirements @@ -322,12 +339,12 @@ href: identity-protection/password-support-policy.md - name: Access Control Overview href: identity-protection/access-control/access-control.md - items: + items: - name: Local Accounts href: identity-protection/access-control/local-accounts.md - name: User Account Control href: identity-protection/user-account-control/user-account-control-overview.md - items: + items: - name: How User Account Control works href: identity-protection/user-account-control/how-user-account-control-works.md - name: User Account Control security policy settings @@ -336,10 +353,10 @@ href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md - name: Smart Cards href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md - items: + items: - name: How Smart Card Sign-in Works in Windows href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: + items: - name: Smart Card Architecture href: identity-protection/smart-cards/smart-card-architecture.md - name: Certificate Requirements and Enumeration @@ -354,7 +371,7 @@ href: identity-protection/smart-cards/smart-card-removal-policy-service.md - name: Smart Card Tools and Settings href: identity-protection/smart-cards/smart-card-tools-and-settings.md - items: + items: - name: Smart Cards Debugging Information href: identity-protection/smart-cards/smart-card-debugging-information.md - name: Smart Card Group Policy and Registry Settings @@ -363,10 +380,10 @@ href: identity-protection/smart-cards/smart-card-events.md - name: Virtual Smart Cards href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md - items: + items: - name: Understanding and Evaluating Virtual Smart Cards href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md - items: + items: - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md - name: Use Virtual Smart Cards @@ -388,7 +405,7 @@ - name: Azure Virtual Desktop href: /azure/virtual-desktop/ - name: Security foundations - items: + items: - name: Overview href: security-foundations.md - name: Microsoft Security Development Lifecycle diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 782617bafe..48738d546a 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md @@ -2,17 +2,17 @@ title: Encryption and data protection in Windows description: Get an overview encryption and data protection in Windows 11 and Windows 10 search.appverid: MET150 -author: denisebmsft -ms.author: deniseb -manager: dansimp -ms.topic: conceptual -ms.date: 09/08/2021 -ms.prod: m365-security -ms.technology: windows-sec +author: frankroj +ms.author: frankroj +manager: aaroncz +ms.topic: overview +ms.date: 09/22/2022 +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: deepakm, rafals +ms.reviewer: rafals --- # Encryption and data protection in Windows client @@ -32,8 +32,8 @@ Encrypted hard drives provide: - Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. - Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system. -- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. -- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. +- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. +- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. @@ -45,8 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl Windows consistently improves data protection by improving existing options and providing new strategies. +## Personal Data Encryption (PDE) + +(*Applies to: Windows 11, version 22H2 and later*) + +[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)] ## See also - [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) - [BitLocker](information-protection/bitlocker/bitlocker-overview.md) +- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 1b61031be8..319f5a8afd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -5,7 +5,7 @@ ms.prod: m365-security ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: - M365-identity-device-management @@ -22,6 +22,24 @@ appliesto: - ✅ Windows Server 2022 --- # Manage Windows Defender Credential Guard + +## Default Enablement + +Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below. + +### Requirements for automatic enablement + +Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements: + +|Component|Requirement| +|---|---| +|Operating System|Windows 11 Enterprise 22H2| +|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.| +|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default. + +> [!NOTE] +> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting. + ## Enable Windows Defender Credential Guard Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index e4d7f90a39..5688ac38d1 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -5,7 +5,7 @@ ms.prod: m365-security ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: erikdau +ms.reviewer: zwhittington manager: aaroncz ms.collection: - M365-identity-device-management @@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality. > [!WARNING] -> Enabling Windows Defender Credential Guard on domain controllers is not supported. -> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes. +> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time. +> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers. > [!NOTE] > Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). @@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve |Firmware: **Secure firmware update process**|**Requirements**: - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| |Software: Qualified **Windows operating system**|**Requirement**: - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| -> [!IMPORTANT] -> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. - > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index 603dcc1d9c..c6ff98bda7 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -25,6 +25,8 @@ appliesto: param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) +Set-StrictMode -Version Latest + $path = "C:\DGLogs\" $LogFile = $path + "DeviceGuardCheckLog.txt" @@ -796,7 +798,13 @@ function CheckOSArchitecture function CheckSecureBootState { - $_secureBoot = Confirm-SecureBootUEFI + try { + $_secureBoot = Confirm-SecureBootUEFI + } + catch + { + $_secureBoot = $false + } Log $_secureBoot if($_secureBoot) { diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index ebbea60361..d057f242cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -78,7 +78,7 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 0f2c45e2f0..00e6171863 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme - Multi-factor Authentication is required during Windows Hello for Business provisioning - Proper name resolution, both internal and external names - Active Directory and an adequate number of domain controllers per site to support authentication -- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments) +- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments) - One or more workstation computers running Windows 10, version 1703 or later If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. @@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. The trust model determines how you want users to authenticate to the on-premises Active Directory: - The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates. -- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it. +- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it. - The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!Note] -> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). Following are the various deployment guides and models included in this topic: -- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md) +- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md) - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index bc542d1967..88115dc1cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -29,9 +29,9 @@ sections: - name: Ignored questions: - - question: What is Windows Hello for Business cloud trust? + - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). - question: What about virtual smart cards? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 435fe6109b..9b9e87b305 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| -|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| -|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 909df0b77b..ffaec80712 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) -- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview) +- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust) - [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key) - [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate) -- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview) +- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust) - [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key) - [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate) @@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview) +## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)  @@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c > [!NOTE] > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. -## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview) +## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)  | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. +|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD. |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 7d93ef16b8..6ebf241107 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -26,7 +26,7 @@ List of provisioning flows: - [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment) - [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment) -- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment) +- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) @@ -62,9 +62,9 @@ List of provisioning flows: [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment +## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment - + [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png) | Phase | Description | @@ -74,7 +74,7 @@ List of provisioning flows: | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | > [!NOTE] -> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. +> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. [Return to top](#windows-hello-for-business-provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md similarity index 59% rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 95583c6427..7e64879acd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,6 +1,6 @@ --- -title: Hybrid Cloud Trust Deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business) +description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. ms.prod: m365-security author: paolomatarazzo ms.author: paoloma @@ -11,66 +11,68 @@ ms.topic: article localizationpriority: medium ms.date: 2/15/2022 appliesto: -- ✅ Windows 10 21H2 and later +- ✅ Windows 10, version 21H2 and later - ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Cloud Kerberos trust --- -# Hybrid Cloud Trust Deployment (Preview) +# Hybrid Cloud Kerberos Trust Deployment (Preview) -Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -## Introduction to Cloud Trust +## Introduction to Cloud Kerberos Trust -The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. +The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. -Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: +Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: -- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI. -- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate. -- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup. +- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI +- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate +- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup > [!NOTE] -> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. +> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. -## Azure Active Directory Kerberos and Cloud Trust Authentication +## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication -Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. +Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs. When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. -More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). -If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. ## Prerequisites | Requirement | Notes | | --- | --- | | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. | -| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | +| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| -| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | +| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | ### Unsupported Scenarios -The following scenarios aren't supported using Windows Hello for Business cloud trust: +The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: - On-premises only deployments - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) - Scenarios that require a certificate for authentication -- Using cloud trust for "Run as" -- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +- Using cloud Kerberos trust for "Run as" +- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity > [!NOTE] -> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. > > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index d5400d4de7..d8461e69f2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,18 +1,15 @@
---
-title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
+title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.date: 03/14/2022
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.reviewer: sazankha
+manager: aaroncz
+ms.date: 09/23/2022
ms.custom: asr
-ms.technology: windows-sec
---
# Application Guard testing scenarios
@@ -59,7 +56,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
- a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
+ a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
@@ -75,7 +72,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
-5. Click **Enabled**, choose Option **1**, and click **OK**.
+5. Select **Enabled**, choose Option **1**, and select **OK**.
@@ -110,15 +107,14 @@ You have the option to change each of these settings to work with your enterpris
**Applies to:**
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803 or later
+- Windows 11 Enterprise or Pro editions
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -138,25 +134,25 @@ You have the option to change each of these settings to work with your enterpris
- Both text and images can be copied between the host PC and the isolated container.
-5. Click **OK**.
+5. Select **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
-4. Click **OK**.
+4. Select **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -166,32 +162,33 @@ You have the option to change each of these settings to work with your enterpris
4. Add the site to your **Favorites** list and then close the isolated session.
-5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
- > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
+ > Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
>
> **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >
+ > _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
**Applies to:**
-- Windows 10 Enterprise edition, version 1803
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803
+- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Microsoft Defender Application Guard.
@@ -201,7 +198,7 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and Select **OK**.
@@ -209,21 +206,15 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
-**Applies to:**
-
-- Windows 10 Enterprise edition, version 1809
-- Windows 10 Professional edition, version 1809
-- Windows 11
-
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
@@ -233,11 +224,11 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
-2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
+2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
## Application Guard Extension for third-party web browsers
@@ -245,9 +236,9 @@ The [Application Guard Extension](md-app-guard-browser-extension.md) available f
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
-1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
+1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
-2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
+2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..6fe565bf48
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -0,0 +1,101 @@
+---
+title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+ms.prod: windows-client
+ms.technology: itpro-security
+author: v-mathavale
+ms.author: v-mathavale
+ms.reviewer: paoloma
+manager: aaroncz
+ms.localizationpriority: medium
+ms.date: 06/21/2022
+adobe-target: true
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+
+Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
+
+- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account.
+
+- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password.
+
+- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+
+## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
+
+- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content.
+
+- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them.
+
+- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment.
+
+- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled.
+
+## Configure Enhanced Phishing Protection for your organization
+
+Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+
+#### [✅ **GPO**](#tab/gpo)
+
+Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
+
+|Setting|Description|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+
+| Setting | OMA-URI | Data type |
+|-------------------------|---------------------------------------------------------------------------|-----------|
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
+| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
+| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+
+---
+
+### Recommended settings for your organization
+
+By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
+
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+
+#### [✅ **GPO**](#tab/gpo)
+
+|Group Policy setting|Recommendation|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+|MDM setting|Recommendation|
+|---------|---------|
+|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
+|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
+|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
+|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
+---
+
+## Related articles
+
+- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md)
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..dcad6a2586 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -3,313 +3,309 @@
- name: About application control for Windows
href: windows-defender-application-control.md
expanded: true
- items:
+ items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
- items:
- - name: WDAC and AppLocker Feature Availability
- href: feature-availability.md
- - name: Virtualization-based protection of code integrity
- href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - name: WDAC design guide
- href: windows-defender-application-control-design-guide.md
- items:
- - name: Plan for WDAC policy lifecycle management
- href: plan-windows-defender-application-control-management.md
- - name: Design your WDAC policy
- items:
- - name: Understand WDAC policy design decisions
- href: understand-windows-defender-application-control-policy-design-decisions.md
- - name: Understand WDAC policy rules and file rules
- href: select-types-of-rules-to-create.md
- items:
- - name: Allow apps installed by a managed installer
- href: configure-authorized-apps-deployed-with-a-managed-installer.md
- - name: Allow reputable apps with Intelligent Security Graph (ISG)
- href: use-windows-defender-application-control-with-intelligent-security-graph.md
- - name: Allow COM object registration
- href: allow-com-object-registration-in-windows-defender-application-control-policy.md
- - name: Use WDAC with .NET hardening
- href: use-windows-defender-application-control-with-dynamic-code-security.md
- - name: Manage packaged apps with WDAC
- href: manage-packaged-apps-with-windows-defender-application-control.md
- - name: Use WDAC to control specific plug-ins, add-ins, and modules
- href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- - name: Understand WDAC policy settings
- href: understanding-wdac-policy-settings.md
- - name: Use multiple WDAC policies
- href: deploy-multiple-windows-defender-application-control-policies.md
- - name: Create your WDAC policy
- items:
- - name: Example WDAC base policies
- href: example-wdac-base-policies.md
- - name: Policy creation for common WDAC usage scenarios
- href: types-of-devices.md
- items:
- - name: Create a WDAC policy for lightly managed devices
- href: create-wdac-policy-for-lightly-managed-devices.md
- - name: Create a WDAC policy for fully managed devices
- href: create-wdac-policy-for-fully-managed-devices.md
- - name: Create a WDAC policy for fixed-workload devices
- href: create-initial-default-policy.md
- - name: Create a WDAC deny list policy
- href: create-wdac-deny-policy.md
- - name: Microsoft recommended block rules
- href: microsoft-recommended-block-rules.md
- - name: Microsoft recommended driver block rules
- href: microsoft-recommended-driver-block-rules.md
- - name: Use the WDAC Wizard tool
- href: wdac-wizard.md
- items:
- - name: Create a base WDAC policy with the Wizard
- href: wdac-wizard-create-base-policy.md
- - name: Create a supplemental WDAC policy with the Wizard
- href: wdac-wizard-create-supplemental-policy.md
- - name: Editing a WDAC policy with the Wizard
- href: wdac-wizard-editing-policy.md
- - name: Merging multiple WDAC policies with the Wizard
- href: wdac-wizard-merging-policies.md
- - name: WDAC deployment guide
- href: windows-defender-application-control-deployment-guide.md
- items:
- - name: Deploy WDAC policies with MDM
- href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- - name: Deploy WDAC policies with Configuration Manager
- href: deployment/deploy-wdac-policies-with-memcm.md
- - name: Deploy WDAC policies with script
- href: deployment/deploy-wdac-policies-with-script.md
- - name: Deploy WDAC policies with group policy
- href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- - name: Audit WDAC policies
- href: audit-windows-defender-application-control-policies.md
- - name: Merge WDAC policies
- href: merge-windows-defender-application-control-policies.md
- - name: Enforce WDAC policies
- href: enforce-windows-defender-application-control-policies.md
- - name: Use code signing to simplify application control for classic Windows applications
- href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
- items:
- - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
- href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- - name: "Optional: Create a code signing cert for WDAC"
- href: create-code-signing-cert-for-windows-defender-application-control.md
- - name: Deploy catalog files to support WDAC
- href: deploy-catalog-files-to-support-windows-defender-application-control.md
- - name: Use signed policies to protect Windows Defender Application Control against tampering
- href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- - name: Disable WDAC policies
- href: disable-windows-defender-application-control-policies.md
- - name: LOB Win32 Apps on S Mode
- href: LOB-win32-apps-on-s.md
- - name: WDAC operational guide
- href: windows-defender-application-control-operational-guide.md
- items:
- - name: Understanding Application Control event tags
- href: event-tag-explanations.md
- - name: Understanding Application Control event IDs
- href: event-id-explanations.md
- - name: Query WDAC events with Advanced hunting
- href: querying-application-control-events-centrally-using-advanced-hunting.md
- - name: Known Issues
- href: operations/known-issues.md
- - name: Managed installer and ISG technical reference and troubleshooting guide
- href: configure-wdac-managed-installer.md
- - name: WDAC AppId Tagging guide
- href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ - name: WDAC and AppLocker Feature Availability
+ href: feature-availability.md
+ - name: Virtualization-based protection of code integrity
+ href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+- name: WDAC design guide
+ href: windows-defender-application-control-design-guide.md
+ items:
+ - name: Plan for WDAC policy lifecycle management
+ href: plan-windows-defender-application-control-management.md
+ - name: Design your WDAC policy
items:
- - name: Creating AppId Tagging Policies
- href: AppIdTagging/design-create-appid-tagging-policies.md
- - name: Deploying AppId Tagging Policies
- href: AppIdTagging/deploy-appid-tagging-policies.md
- - name: Testing and Debugging AppId Tagging Policies
- href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- - name: AppLocker
- href: applocker\applocker-overview.md
- items:
- - name: Administer AppLocker
- href: applocker\administer-applocker.md
- items:
- - name: Maintain AppLocker policies
- href: applocker\maintain-applocker-policies.md
- - name: Edit an AppLocker policy
- href: applocker\edit-an-applocker-policy.md
- - name: Test and update an AppLocker policy
- href: applocker\test-and-update-an-applocker-policy.md
- - name: Deploy AppLocker policies by using the enforce rules setting
- href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- - name: Use the AppLocker Windows PowerShell cmdlets
- href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- - name: Optimize AppLocker performance
- href: applocker\optimize-applocker-performance.md
- - name: Monitor app usage with AppLocker
- href: applocker\monitor-application-usage-with-applocker.md
- - name: Manage packaged apps with AppLocker
- href: applocker\manage-packaged-apps-with-applocker.md
- - name: Working with AppLocker rules
- href: applocker\working-with-applocker-rules.md
- items:
- - name: Create a rule that uses a file hash condition
- href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- - name: Create a rule that uses a path condition
- href: applocker\create-a-rule-that-uses-a-path-condition.md
- - name: Create a rule that uses a publisher condition
- href: applocker\create-a-rule-that-uses-a-publisher-condition.md
- - name: Create AppLocker default rules
- href: applocker\create-applocker-default-rules.md
- - name: Add exceptions for an AppLocker rule
- href: applocker\configure-exceptions-for-an-applocker-rule.md
- - name: Create a rule for packaged apps
- href: applocker\create-a-rule-for-packaged-apps.md
- - name: Delete an AppLocker rule
- href: applocker\delete-an-applocker-rule.md
- - name: Edit AppLocker rules
- href: applocker\edit-applocker-rules.md
- - name: Enable the DLL rule collection
- href: applocker\enable-the-dll-rule-collection.md
- - name: Enforce AppLocker rules
- href: applocker\enforce-applocker-rules.md
- - name: Run the Automatically Generate Rules wizard
- href: applocker\run-the-automatically-generate-rules-wizard.md
- - name: Working with AppLocker policies
- href: applocker\working-with-applocker-policies.md
- items:
- - name: Configure the Application Identity service
- href: applocker\configure-the-application-identity-service.md
- - name: Configure an AppLocker policy for audit only
- href: applocker\configure-an-applocker-policy-for-audit-only.md
- - name: Configure an AppLocker policy for enforce rules
- href: applocker\configure-an-applocker-policy-for-enforce-rules.md
- - name: Display a custom URL message when users try to run a blocked app
- href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- - name: Export an AppLocker policy from a GPO
- href: applocker\export-an-applocker-policy-from-a-gpo.md
- - name: Export an AppLocker policy to an XML file
- href: applocker\export-an-applocker-policy-to-an-xml-file.md
- - name: Import an AppLocker policy from another computer
- href: applocker\import-an-applocker-policy-from-another-computer.md
- - name: Import an AppLocker policy into a GPO
- href: applocker\import-an-applocker-policy-into-a-gpo.md
- - name: Add rules for packaged apps to existing AppLocker rule-set
- href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- - name: Merge AppLocker policies by using Set-ApplockerPolicy
- href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
- - name: Merge AppLocker policies manually
- href: applocker\merge-applocker-policies-manually.md
- - name: Refresh an AppLocker policy
- href: applocker\refresh-an-applocker-policy.md
- - name: Test an AppLocker policy by using Test-AppLockerPolicy
- href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- - name: AppLocker design guide
- href: applocker\applocker-policies-design-guide.md
- items:
- - name: Understand AppLocker policy design decisions
- href: applocker\understand-applocker-policy-design-decisions.md
- - name: Determine your application control objectives
- href: applocker\determine-your-application-control-objectives.md
- - name: Create a list of apps deployed to each business group
- href: applocker\create-list-of-applications-deployed-to-each-business-group.md
- items:
- - name: Document your app list
- href: applocker\document-your-application-list.md
- - name: Select the types of rules to create
- href: applocker\select-types-of-rules-to-create.md
- items:
- - name: Document your AppLocker rules
- href: applocker\document-your-applocker-rules.md
- - name: Determine the Group Policy structure and rule enforcement
- href: applocker\determine-group-policy-structure-and-rule-enforcement.md
- items:
- - name: Understand AppLocker enforcement settings
- href: applocker\understand-applocker-enforcement-settings.md
- - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
- href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- - name: Document the Group Policy structure and AppLocker rule enforcement
- href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
- - name: Plan for AppLocker policy management
- href: applocker\plan-for-applocker-policy-management.md
- - name: AppLocker deployment guide
- href: applocker\applocker-policies-deployment-guide.md
- items:
- - name: Understand the AppLocker policy deployment process
- href: applocker\understand-the-applocker-policy-deployment-process.md
- - name: Requirements for Deploying AppLocker Policies
- href: applocker\requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: applocker\using-software-restriction-policies-and-applocker-policies.md
- - name: Create Your AppLocker policies
- href: applocker\create-your-applocker-policies.md
- items:
- - name: Create Your AppLocker rules
- href: applocker\create-your-applocker-rules.md
- - name: Deploy the AppLocker policy into production
- href: applocker\deploy-the-applocker-policy-into-production.md
- items:
- - name: Use a reference device to create and maintain AppLocker policies
- href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
- items:
- - name: Determine which apps are digitally signed on a reference device
- href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- - name: Configure the AppLocker reference device
- href: applocker\configure-the-appLocker-reference-device.md
- - name: AppLocker technical reference
- href: applocker\applocker-technical-reference.md
- items:
- - name: What Is AppLocker?
- href: applocker\what-is-applocker.md
- - name: Requirements to use AppLocker
- href: applocker\requirements-to-use-applocker.md
- - name: AppLocker policy use scenarios
- href: applocker\applocker-policy-use-scenarios.md
- - name: How AppLocker works
- href: applocker\how-applocker-works-techref.md
- items:
- - name: Understanding AppLocker rule behavior
- href: applocker\understanding-applocker-rule-behavior.md
- - name: Understanding AppLocker rule exceptions
- href: applocker\understanding-applocker-rule-exceptions.md
- - name: Understanding AppLocker rule collections
- href: applocker\understanding-applocker-rule-collections.md
- - name: Understanding AppLocker allow and deny actions on rules
- href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- - name: Understanding AppLocker rule condition types
- href: applocker\understanding-applocker-rule-condition-types.md
- items:
- - name: Understanding the publisher rule condition in AppLocker
- href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- - name: Understanding the path rule condition in AppLocker
- href: applocker\understanding-the-path-rule-condition-in-applocker.md
- - name: Understanding the file hash rule condition in AppLocker
- href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- - name: Understanding AppLocker default rules
- href: applocker\understanding-applocker-default-rules.md
- items:
- - name: Executable rules in AppLocker
- href: applocker\executable-rules-in-applocker.md
- - name: Windows Installer rules in AppLocker
- href: applocker\windows-installer-rules-in-applocker.md
- - name: Script rules in AppLocker
- href: applocker\script-rules-in-applocker.md
- - name: DLL rules in AppLocker
- href: applocker\dll-rules-in-applocker.md
- - name: Packaged apps and packaged app installer rules in AppLocker
- href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- - name: AppLocker architecture and components
- href: applocker\applocker-architecture-and-components.md
- - name: AppLocker processes and interactions
- href: applocker\applocker-processes-and-interactions.md
- - name: AppLocker functions
- href: applocker\applocker-functions.md
- - name: Security considerations for AppLocker
- href: applocker\security-considerations-for-applocker.md
- - name: Tools to Use with AppLocker
- href: applocker\tools-to-use-with-applocker.md
- items:
- - name: Using Event Viewer with AppLocker
- href: applocker\using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker\applocker-settings.md
-- name: Windows security
- href: /windows/security/
-
+ - name: Understand WDAC policy design decisions
+ href: understand-windows-defender-application-control-policy-design-decisions.md
+ - name: Understand WDAC policy rules and file rules
+ href: select-types-of-rules-to-create.md
+ items:
+ - name: Allow apps installed by a managed installer
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
+ - name: Allow reputable apps with Intelligent Security Graph (ISG)
+ href: use-windows-defender-application-control-with-intelligent-security-graph.md
+ - name: Allow COM object registration
+ href: allow-com-object-registration-in-windows-defender-application-control-policy.md
+ - name: Use WDAC with .NET hardening
+ href: use-windows-defender-application-control-with-dynamic-code-security.md
+ - name: Manage packaged apps with WDAC
+ href: manage-packaged-apps-with-windows-defender-application-control.md
+ - name: Use WDAC to control specific plug-ins, add-ins, and modules
+ href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+ - name: Understand WDAC policy settings
+ href: understanding-wdac-policy-settings.md
+ - name: Use multiple WDAC policies
+ href: deploy-multiple-windows-defender-application-control-policies.md
+ - name: Create your WDAC policy
+ items:
+ - name: Example WDAC base policies
+ href: example-wdac-base-policies.md
+ - name: Policy creation for common WDAC usage scenarios
+ href: types-of-devices.md
+ items:
+ - name: Create a WDAC policy for lightly managed devices
+ href: create-wdac-policy-for-lightly-managed-devices.md
+ - name: Create a WDAC policy for fully managed devices
+ href: create-wdac-policy-for-fully-managed-devices.md
+ - name: Create a WDAC policy for fixed-workload devices
+ href: create-initial-default-policy.md
+ - name: Create a WDAC deny list policy
+ href: create-wdac-deny-policy.md
+ - name: Microsoft recommended block rules
+ href: microsoft-recommended-block-rules.md
+ - name: Microsoft recommended driver block rules
+ href: microsoft-recommended-driver-block-rules.md
+ - name: Use the WDAC Wizard tool
+ href: wdac-wizard.md
+ items:
+ - name: Create a base WDAC policy with the Wizard
+ href: wdac-wizard-create-base-policy.md
+ - name: Create a supplemental WDAC policy with the Wizard
+ href: wdac-wizard-create-supplemental-policy.md
+ - name: Editing a WDAC policy with the Wizard
+ href: wdac-wizard-editing-policy.md
+ - name: Merging multiple WDAC policies with the Wizard
+ href: wdac-wizard-merging-policies.md
+- name: WDAC deployment guide
+ href: windows-defender-application-control-deployment-guide.md
+ items:
+ - name: Deploy WDAC policies with MDM
+ href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+ - name: Deploy WDAC policies with Configuration Manager
+ href: deployment/deploy-wdac-policies-with-memcm.md
+ - name: Deploy WDAC policies with script
+ href: deployment/deploy-wdac-policies-with-script.md
+ - name: Deploy WDAC policies with group policy
+ href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+ - name: Audit WDAC policies
+ href: audit-windows-defender-application-control-policies.md
+ - name: Merge WDAC policies
+ href: merge-windows-defender-application-control-policies.md
+ - name: Enforce WDAC policies
+ href: enforce-windows-defender-application-control-policies.md
+ - name: Use code signing to simplify application control for classic Windows applications
+ href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ items:
+ - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
+ href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
+ - name: "Optional: Create a code signing cert for WDAC"
+ href: create-code-signing-cert-for-windows-defender-application-control.md
+ - name: Deploy catalog files to support WDAC
+ href: deploy-catalog-files-to-support-windows-defender-application-control.md
+ - name: Use signed policies to protect Windows Defender Application Control against tampering
+ href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ - name: Disable WDAC policies
+ href: disable-windows-defender-application-control-policies.md
+ - name: LOB Win32 Apps on S Mode
+ href: LOB-win32-apps-on-s.md
+- name: WDAC operational guide
+ href: windows-defender-application-control-operational-guide.md
+ items:
+ - name: Understanding Application Control event tags
+ href: event-tag-explanations.md
+ - name: Understanding Application Control event IDs
+ href: event-id-explanations.md
+ - name: Query WDAC events with Advanced hunting
+ href: querying-application-control-events-centrally-using-advanced-hunting.md
+ - name: Known Issues
+ href: operations/known-issues.md
+ - name: Managed installer and ISG technical reference and troubleshooting guide
+ href: configure-wdac-managed-installer.md
+- name: WDAC AppId Tagging guide
+ href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ items:
+ - name: Creating AppId Tagging Policies
+ href: AppIdTagging/design-create-appid-tagging-policies.md
+ - name: Deploying AppId Tagging Policies
+ href: AppIdTagging/deploy-appid-tagging-policies.md
+ - name: Testing and Debugging AppId Tagging Policies
+ href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+- name: AppLocker
+ href: applocker\applocker-overview.md
+ items:
+ - name: Administer AppLocker
+ href: applocker\administer-applocker.md
+ items:
+ - name: Maintain AppLocker policies
+ href: applocker\maintain-applocker-policies.md
+ - name: Edit an AppLocker policy
+ href: applocker\edit-an-applocker-policy.md
+ - name: Test and update an AppLocker policy
+ href: applocker\test-and-update-an-applocker-policy.md
+ - name: Deploy AppLocker policies by using the enforce rules setting
+ href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+ - name: Use the AppLocker Windows PowerShell cmdlets
+ href: applocker\use-the-applocker-windows-powershell-cmdlets.md
+ - name: Use AppLocker and Software Restriction Policies in the same domain
+ href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
+ - name: Optimize AppLocker performance
+ href: applocker\optimize-applocker-performance.md
+ - name: Monitor app usage with AppLocker
+ href: applocker\monitor-application-usage-with-applocker.md
+ - name: Manage packaged apps with AppLocker
+ href: applocker\manage-packaged-apps-with-applocker.md
+ - name: Working with AppLocker rules
+ href: applocker\working-with-applocker-rules.md
+ items:
+ - name: Create a rule that uses a file hash condition
+ href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
+ - name: Create a rule that uses a path condition
+ href: applocker\create-a-rule-that-uses-a-path-condition.md
+ - name: Create a rule that uses a publisher condition
+ href: applocker\create-a-rule-that-uses-a-publisher-condition.md
+ - name: Create AppLocker default rules
+ href: applocker\create-applocker-default-rules.md
+ - name: Add exceptions for an AppLocker rule
+ href: applocker\configure-exceptions-for-an-applocker-rule.md
+ - name: Create a rule for packaged apps
+ href: applocker\create-a-rule-for-packaged-apps.md
+ - name: Delete an AppLocker rule
+ href: applocker\delete-an-applocker-rule.md
+ - name: Edit AppLocker rules
+ href: applocker\edit-applocker-rules.md
+ - name: Enable the DLL rule collection
+ href: applocker\enable-the-dll-rule-collection.md
+ - name: Enforce AppLocker rules
+ href: applocker\enforce-applocker-rules.md
+ - name: Run the Automatically Generate Rules wizard
+ href: applocker\run-the-automatically-generate-rules-wizard.md
+ - name: Working with AppLocker policies
+ href: applocker\working-with-applocker-policies.md
+ items:
+ - name: Configure the Application Identity service
+ href: applocker\configure-the-application-identity-service.md
+ - name: Configure an AppLocker policy for audit only
+ href: applocker\configure-an-applocker-policy-for-audit-only.md
+ - name: Configure an AppLocker policy for enforce rules
+ href: applocker\configure-an-applocker-policy-for-enforce-rules.md
+ - name: Display a custom URL message when users try to run a blocked app
+ href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+ - name: Export an AppLocker policy from a GPO
+ href: applocker\export-an-applocker-policy-from-a-gpo.md
+ - name: Export an AppLocker policy to an XML file
+ href: applocker\export-an-applocker-policy-to-an-xml-file.md
+ - name: Import an AppLocker policy from another computer
+ href: applocker\import-an-applocker-policy-from-another-computer.md
+ - name: Import an AppLocker policy into a GPO
+ href: applocker\import-an-applocker-policy-into-a-gpo.md
+ - name: Add rules for packaged apps to existing AppLocker rule-set
+ href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+ - name: Merge AppLocker policies by using Set-ApplockerPolicy
+ href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
+ - name: Merge AppLocker policies manually
+ href: applocker\merge-applocker-policies-manually.md
+ - name: Refresh an AppLocker policy
+ href: applocker\refresh-an-applocker-policy.md
+ - name: Test an AppLocker policy by using Test-AppLockerPolicy
+ href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
+ - name: AppLocker design guide
+ href: applocker\applocker-policies-design-guide.md
+ items:
+ - name: Understand AppLocker policy design decisions
+ href: applocker\understand-applocker-policy-design-decisions.md
+ - name: Determine your application control objectives
+ href: applocker\determine-your-application-control-objectives.md
+ - name: Create a list of apps deployed to each business group
+ href: applocker\create-list-of-applications-deployed-to-each-business-group.md
+ items:
+ - name: Document your app list
+ href: applocker\document-your-application-list.md
+ - name: Select the types of rules to create
+ href: applocker\select-types-of-rules-to-create.md
+ items:
+ - name: Document your AppLocker rules
+ href: applocker\document-your-applocker-rules.md
+ - name: Determine the Group Policy structure and rule enforcement
+ href: applocker\determine-group-policy-structure-and-rule-enforcement.md
+ items:
+ - name: Understand AppLocker enforcement settings
+ href: applocker\understand-applocker-enforcement-settings.md
+ - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
+ href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+ - name: Document the Group Policy structure and AppLocker rule enforcement
+ href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
+ - name: Plan for AppLocker policy management
+ href: applocker\plan-for-applocker-policy-management.md
+ - name: AppLocker deployment guide
+ href: applocker\applocker-policies-deployment-guide.md
+ items:
+ - name: Understand the AppLocker policy deployment process
+ href: applocker\understand-the-applocker-policy-deployment-process.md
+ - name: Requirements for Deploying AppLocker Policies
+ href: applocker\requirements-for-deploying-applocker-policies.md
+ - name: Use Software Restriction Policies and AppLocker policies
+ href: applocker\using-software-restriction-policies-and-applocker-policies.md
+ - name: Create Your AppLocker policies
+ href: applocker\create-your-applocker-policies.md
+ items:
+ - name: Create Your AppLocker rules
+ href: applocker\create-your-applocker-rules.md
+ - name: Deploy the AppLocker policy into production
+ href: applocker\deploy-the-applocker-policy-into-production.md
+ items:
+ - name: Use a reference device to create and maintain AppLocker policies
+ href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+ items:
+ - name: Determine which apps are digitally signed on a reference device
+ href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+ - name: Configure the AppLocker reference device
+ href: applocker\configure-the-appLocker-reference-device.md
+ - name: AppLocker technical reference
+ href: applocker\applocker-technical-reference.md
+ items:
+ - name: What Is AppLocker?
+ href: applocker\what-is-applocker.md
+ - name: Requirements to use AppLocker
+ href: applocker\requirements-to-use-applocker.md
+ - name: AppLocker policy use scenarios
+ href: applocker\applocker-policy-use-scenarios.md
+ - name: How AppLocker works
+ href: applocker\how-applocker-works-techref.md
+ items:
+ - name: Understanding AppLocker rule behavior
+ href: applocker\understanding-applocker-rule-behavior.md
+ - name: Understanding AppLocker rule exceptions
+ href: applocker\understanding-applocker-rule-exceptions.md
+ - name: Understanding AppLocker rule collections
+ href: applocker\understanding-applocker-rule-collections.md
+ - name: Understanding AppLocker allow and deny actions on rules
+ href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
+ - name: Understanding AppLocker rule condition types
+ href: applocker\understanding-applocker-rule-condition-types.md
+ items:
+ - name: Understanding the publisher rule condition in AppLocker
+ href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
+ - name: Understanding the path rule condition in AppLocker
+ href: applocker\understanding-the-path-rule-condition-in-applocker.md
+ - name: Understanding the file hash rule condition in AppLocker
+ href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
+ - name: Understanding AppLocker default rules
+ href: applocker\understanding-applocker-default-rules.md
+ items:
+ - name: Executable rules in AppLocker
+ href: applocker\executable-rules-in-applocker.md
+ - name: Windows Installer rules in AppLocker
+ href: applocker\windows-installer-rules-in-applocker.md
+ - name: Script rules in AppLocker
+ href: applocker\script-rules-in-applocker.md
+ - name: DLL rules in AppLocker
+ href: applocker\dll-rules-in-applocker.md
+ - name: Packaged apps and packaged app installer rules in AppLocker
+ href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+ - name: AppLocker architecture and components
+ href: applocker\applocker-architecture-and-components.md
+ - name: AppLocker processes and interactions
+ href: applocker\applocker-processes-and-interactions.md
+ - name: AppLocker functions
+ href: applocker\applocker-functions.md
+ - name: Security considerations for AppLocker
+ href: applocker\security-considerations-for-applocker.md
+ - name: Tools to Use with AppLocker
+ href: applocker\tools-to-use-with-applocker.md
+ items:
+ - name: Using Event Viewer with AppLocker
+ href: applocker\using-event-viewer-with-applocker.md
+ - name: AppLocker Settings
+ href: applocker\applocker-settings.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 2d13639669..baee8a7e94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -118,9 +118,6 @@ Alice follows these steps to complete this task:
7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
- > [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
-
```powershell
[xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
$PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 2ef75b15be..e0d19fe8da 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 11/15/2019
+ms.author: vinpa
+manager: aaroncz
+ms.date: 08/10/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -58,82 +58,103 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
-3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
-4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
-5. **Admin-only path rules** for the following locations:
+1. **"MEMCM works”** rules that include:
+ - Signer and hash rules for Configuration Manager components to properly function.
+ - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
+
+1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+
+1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
+
+1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
-> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-
-1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
-
-2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
-
- ```powershell
- $PolicyName= "Lamna_LightlyManagedClients_Audit"
- $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
- $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
- ```
-
-3. Copy the policy created by Configuration Manager to the desktop:
-
- ```powershell
- cp $MEMCMPolicy $LamnaPolicy
- ```
-
-4. Give the new policy a unique ID, descriptive name, and initial version number:
-
- ```powershell
- Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
- Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
- ```
-
-5. Modify the copied policy to set policy rules:
-
- ```powershell
- Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
- Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
- Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
- Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
- Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
- Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
- Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
- Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
- Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
- ```
-
-6. Add rules to allow the Windows and Program Files directories:
-
- ```powershell
- $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
- ```
-
-7. If appropriate, add more signer or file rules to further customize the policy for your organization.
-
-8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
> [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+ > If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in this step.
- ```powershell
- $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
- ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
- ```
+ ```powershell
+ $PolicyPath = $env:userprofile+"\Desktop\"
+ $PolicyName= "Lamna_LightlyManagedClients_Audit"
+ $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
+ $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
+ ```
-9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Copy the example policy to the desktop:
+
+ ```powershell
+ Copy-Item $ExamplePolicy $LamnaPolicy
+ ```
+
+1. Modify the policy to remove unsupported rule:
+
+ > [!NOTE]
+ > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
+
+ ```powershell
+ [xml]$xml = Get-Content $LamnaPolicy
+ $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+ $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+ $node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
+ $node.ParentNode.RemoveChild($node)
+ $xml.Save($LamnaPolicy)
+ ```
+
+1. Give the new policy a unique ID, descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
+
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
+
+ > [!NOTE]
+ > If you do not use Configuration Manager, skip this step.
+
+ ```powershell
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ ```
+
+1. Modify the policy to set additional policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
+
+1. Add rules to allow the Windows and Program Files directories:
+
+ ```powershell
+ $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ ```
+
+1. If appropriate, add more signer or file rules to further customize the policy for your organization.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
+
+ ```powershell
+ [xml]$policyXML = Get-Content $LamnaPolicy
+ $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
+
+1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
@@ -141,44 +162,69 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
-- **Users with administrative access**
- This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+ This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
- Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
- Possible mitigations:
+- **Unsigned policies**
+
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
-- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
- Possible mitigations:
+- **Managed installer**
+
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option)
- Possible mitigations:
+- **Intelligent Security Graph (ISG)**
+
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
+
+ Possible mitigations:
+
- Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
- Possible mitigations:
+- **Supplemental policies**
+
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**
- See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
- Possible mitigations:
+- **FilePath rules**
+
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
+- **Signed files**
+
+ Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+
+ Possible mitigations:
+
+ - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
+
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 601db3b421..cd504ed4ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 11/15/2019
+ms.date: 08/05/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -39,7 +39,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index b39d1f45b2..5dd1e3fd49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -9,7 +9,7 @@ metadata:
# ms.subservice: Application-Control
# ms.topic: landing-page
# author: Kim Klein
-# ms.author: Jordan Geurten
+# ms.author: Jordan Geurten
# manager: Jeffrey Sutherland
# ms.update: 04/30/2021
# linkListType: overview | how-to-guide | tutorial | video
@@ -21,13 +21,15 @@ landingContent:
linkLists:
- linkListType: overview
links:
+ - text: What is Application Control?
+ url: windows-defender-application-control.md
- text: What is Windows Defender Application Control (WDAC)?
url: wdac-and-applocker-overview.md
- text: What is AppLocker?
url: applocker\applocker-overview.md
- text: WDAC and AppLocker feature availability
- url: feature-availability.md
- # Card
+ url: feature-availability.md
+ # Card
- title: Learn about Policy Design
linkLists:
- linkListType: overview
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 0a280940df..80be7ef669 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
ms.date: 09/29/2021
@@ -17,14 +17,14 @@ ms.topic: reference
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
+Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
@@ -62,6 +62,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
+- webclnt.dll/davsvc.dll
- wfc.exe
- windbg.exe
- wmic.exe
@@ -82,23 +83,21 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|---|---|
| `Alex Ionescu` | `@aionescu`|
| `Brock Mammen`| |
-| `Casey Smith` | `@subTee` |
+| `Casey Smith` | `@subTee` |
| `James Forshaw` | `@tiraniddo` |
| `Jimmy Bayne` | `@bohops` |
| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
| `Lee Christensen` | `@tifkin_` |
-| `Matt Graeber` | `@mattifestation` |
-| `Matt Nelson` | `@enigma0x3` |
+| `Matt Graeber` | `@mattifestation` |
+| `Matt Nelson` | `@enigma0x3` |
| `Oddvar Moe` | `@Oddvarmoe` |
| `Philip Tsukerman` | `@PhilipTsukerman` |
| `Vladas Bulavas` | `Kaspersky Lab` |
| `William Easton` | `@Strawgate` |
-
-
-> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!NOTE]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
@@ -114,10 +113,14 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
+
+Expand this section to see the WDAC policy XML
+
```xml
-> [!Note]
+
+Expand this section to see the blocklist WDAC policy XML
+
```xml
+
NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
@@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
+>
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
+> [!NOTE]
+> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
+>
+> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
+> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
+> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
+
## Example of file rule levels in use
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@@ -149,20 +157,20 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
-The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
+The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
-In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
index c731e404ee..bcfc28eb19 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -1,21 +1,15 @@
---
title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
-ms.reviewer: jgeurten
-ms.author: dansimp
-manager: dansimp
+ms.reviewer: vinpa
+ms.author: jogeurte
+manager: aaroncz
ms.date: 10/11/2021
-ms.technology: mde
---
# Understanding WDAC Policy Settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index a552764722..012e954059 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -46,15 +46,33 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and
- **AppLocker**
-## In this section
+## WDAC and Smart App Control
-| Article | Description |
-| --- | --- |
-| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
+
+| Value | Description |
+|-------|-------------|
+| 0 | Off |
+| 1 | Enforce |
+| 2 | Evaluation |
+
+> [!IMPORTANT]
+> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
+
+### Smart App Control Enforced Blocks
+
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+
+- Infdefaultinstall.exe
+- Microsoft.Build.dll
+- Microsoft.Build.Framework.dll
+- Wslhost.dll
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
-- [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file
+- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
+- [AppLocker overview](applocker/applocker-overview.md)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index f031321396..1c50e07a18 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -84,3 +84,38 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
+## System requirements for System Guard
+
+|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with: