From dd1035c3bea09135690426df189d95ee2f5f29a0 Mon Sep 17 00:00:00 2001
From: Kim Klein <v-kikl@microsoft.com>
Date: Thu, 27 May 2021 15:29:19 -0700
Subject: [PATCH] Task ID 33452921

Created an Appendix table that lists other IDs and their descriptions.
---
 .../event-id-explanations.md                  | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index e0c8044cf1..80c6a5ba40 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -81,3 +81,42 @@ In order to enable 3090 allow events as well as 3091 and 3092 events, you must i
 ```powershell
 reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
 ```
+
+## Appendix
+A list of other relevant event IDs and their corresponding description.
+| Event ID | Description |
+|---|----------|
+| 3001 | An unsigned driver was attempted to load on the system. | 
+| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. |
+| 3004 | Code Integrity could not verify the file as the page hash could not be found. |
+| 3010 | The catalog containing the signature for the file under validation is invalid. |
+| 3011 | Code Integrity finished loading the signature catalog. |
+| 3012 | Code Integrity started loading the signature catalog. |
+| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. |
+| 3024 | Windows application control was unable to refresh the boot catalog file. |
+| 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. |
+| 3033 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3034 | The file under validation would not meet the requirements to pass the application control policy if the policy was enforced. The file was allowed since the policy is in audit mode. | 
+| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
+| 3064 | A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. The DLL was allowed since the policy is in audit mode. | 
+| 3065 | [Ignored] A user mode DLL under validation would not meet the requirements to pass the application control policy, if the policy was enforced. | 
+| 3074 | Page hash failure while hypervisor-protected code integrity was enabled. |
+| 3075 | This event monitors the performance of the Code Integrity policy check a file. |
+| 3079 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3080 | The file under validation would not have me the requirements to pass the application control policy, if the policy was in enforced mode. |
+| 3081 | The file under validation did not meet the requirements to pass the application control policy. |
+| 3082 | The non-WHQL driver would have been denied by the policy, if the policy was in enforced mode. | 
+| 3084 | Code Integrity will enforce theWHQL Required policy setting on this session. |
+| 3085 | Code Integrity will not enforce theWHQL Required policy setting on this session. |
+| 3086 | The file under validation does not meet the signing requirements for an IUM (isolated user mode) process. | 
+| 3095 | This Code Integrity policy cannot be refreshed and must be rebooted instead. | 
+| 3097 | The Code Integrity policy cannot be refreshed. | 
+| 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. |
+| 3101 | Code Integrity started refreshing the policy. | 
+| 3102 | Code Integrity finished refreshing the policy. | 
+| 3103 | Code Integrity is ignoring the policy refresh. | 
+| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | 
+| 3105 | Code Integrity is attempting to refresh the policy. | 
+| 3108 | Windows mode change event was successful. |
+| 3110 | Windows mode change event was unsuccessful. |
+| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | 
\ No newline at end of file