Documente Academic
Documente Profesional
Documente Cultură
Privacy
Beginning your General Data Protection Regulation (GDPR) journey for Windows 10
Windows and the GDPR: Information for IT Administrators and Decision Makers
Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals
Windows 10 personal data services configuration
Configure Windows diagnostic data in your organization
Diagnostic Data Viewer
Diagnostic Data Viewer Overview
Diagnostic Data Viewer for PowerShell Overview
Basic level Windows diagnostic data events and fields
Windows 10, version 1903 and Windows 10, version 1909 basic level Windows
diagnostic events and fields
Windows 10, version 1809 basic level Windows diagnostic events and fields
Windows 10, version 1803 basic level Windows diagnostic events and fields
Windows 10, version 1709 basic level Windows diagnostic events and fields
Windows 10, version 1703 basic level Windows diagnostic events and fields
Enhanced level Windows diagnostic data events and fields
Windows 10 diagnostic data events and fields collected through the limit enhanced
diagnostic data policy
Full level categories
Windows 10, version 1709 and newer diagnostic data for the Full level
Windows 10, version 1703 diagnostic data for the Full level
Manage Windows 10 connection endpoints
Manage connections from Windows operating system components to Microsoft
services
Manage connections from Windows operating system components to Microsoft
services using MDM
Connection endpoints for Windows 10, version 1903
Connection endpoints for Windows 10, version 1809
Connection endpoints for Windows 10, version 1803
Connection endpoints for Windows 10, version 1709
Connection endpoints for non-Enterprise editions of Windows 10, version 1903
Connection endpoints for non-Enterprise editions of Windows 10, version 1809
Connection endpoints for non-Enterprise editions of Windows 10, version 1803
Connection endpoints for non-Enterprise editions of Windows 10, version 1709
Beginning your General Data Protection Regulation
(GDPR) journey for Windows 10
12/3/2019 • 26 minutes to read • Edit Online
This article provides info about the GDPR, including what it is, and the products Microsoft provides to help you to
become compliant.
Introduction
On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security,
and compliance.
The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy
rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and
protect personal data while respecting individual choice — no matter where data is sent, processed, or stored.
Microsoft and our customers are now on a journey to achieve the privacy goals of the GDPR. At Microsoft, we
believe privacy is a fundamental right, and we believe that the GDPR is an important step forward for clarifying and
enabling individual privacy rights. But we also recognize that the GDPR will require significant changes by
organizations all over the world.
We have outlined our commitment to the GDPR and how we are supporting our customers within the Get GDPR
compliant with the Microsoft Cloud blog post by our Chief Privacy Officer Brendon Lynch and the Earning your
trust with contractual commitments to the General Data Protection Regulation” blog post by Rich Sauer - Microsoft
Corporate Vice President & Deputy General Counsel.
Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information
about the GDPR, our commitments and how to begin your journey, please visit the GDPR section of the Microsoft
Trust Center.
However, many businesses worldwide have come under increasing threat of targeted attacks, where attackers are
crafting specialized attacks against a specific business, attempting to take control of corporate networks and data.
Blocking all unwanted apps
Application Control is your best defense in a world where there are more than 300,000 new malware samples each
day. As part of Windows 10, Windows Defender Device Guard is a combination of enterprise-related hardware and
software security features that, when configured together, will lock a device down so that it can only run trusted
applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.
With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the
Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate
hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 to isolate
the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs
alongside the kernel in a Windows hypervisor-protected container.
Windows Defender Device Guard protects threats that can expose personal or sensitive data to attack, including:
Exposure to new malware, for which the "signature" is not yet known
Exposure to unsigned code (most malware is unsigned)
Malware that gains access to the kernel and then, from within the kernel, captures sensitive information or
damages the system
DMA-based attacks, for example, attacks launched from a malicious device that read secrets from memory,
making the enterprise more vulnerable to attack; and
Exposure to boot kits or to a physically present attacker at boot time.
Threat protection: Post-breach detection and response
The GDPR includes explicit requirements for breach notification where a personal data breach means, “a breach of
security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored or otherwise processed.”
As noted in the Windows Security Center white paper, Post Breach: Dealing with Advanced Threats, “Unlike pre-
breach, post-breach assumes a breach has already occurred – acting as a flight recorder and Crime Scene
Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate,
and respond to attacks that otherwise will stay undetected and below the radar.”
Insightful security diagnostic data
For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our
platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are
finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
By applying a combination of automated and manual processes, machine learning and human experts, we can
create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to
detect and respond to new incidents across our products.
The scope of Microsoft’s threat intelligence spans, literally, billions of data points: 35 billion messages scanned
monthly, 1 billion customers across enterprise and consumer segments accessing 200+ cloud services, and 14
billion authentications performed daily. All this data is pulled together on your behalf by Microsoft to create the
Intelligent Security Graph that can help you protect your front door dynamically to stay secure, remain productive,
and meet the requirements of the GDPR.
Detecting attacks and forensic investigation
Even the best endpoint defenses may be breached eventually, as cyberattacks become more sophisticated and
targeted.
Windows Defender Advanced Threat Protection (ATP) helps you detect, investigate, and respond to advanced
attacks and data breaches on your networks. GDPR expects you to protect against attacks and breaches through
technical security measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
Among the key benefits of ATP are the following:
Detecting the undetectable - sensors built deep into the operating system kernel, Windows security experts,
and unique optics from over 1 billion machines and signals across all Microsoft services.
Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management
with no deployment.
Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security
events from Windows Defender ATP, Windows Defender Antivirus.
Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and
exploration with Office 365 ATP subscription, to track back and respond to attacks.
Read more at What’s new in the Windows Defender ATP Creators Update preview.
To provide Detection capabilities, Windows 10 improves our OS memory and kernel sensors to enable detection of
attackers who are employing in-memory and kernel-level attacks – shining a light into previously dark spaces
where attackers hid from conventional detection tools. We’ve already successfully leveraged this new technology
against zero-days attacks on Windows.
We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and
machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures
new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed.
Customers can also add customized detection rules or IOCs to augment the detection dictionary.
Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender
Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender
ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot,
providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving
laterally across the network.
Our alert page now includes a new process tree visualization that aggregates multiple detections and related
events into a single view that helps security teams reduce the time to resolve cases by providing the information
required to understand and resolve incidents without leaving the alert page.
Security Operations (SecOps) can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs,
behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across
all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no
longer exist.
When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the
network, kill or quarantine running processes or files, or retrieve an investigation package from a machine to
provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important –
shutting them down is even more so.
Identity Protection
Identify and access management is another area where the GDPR has placed special emphasis by calling for
mechanisms to grant and restrict access to data subject personal data (for example, role-based access, segregation
of duties).
Multi-factor protection
Biometric authentication – using your face, iris, or fingerprint to unlock your devices – is much safer than traditional
passwords. You– uniquely you– plus your device are the keys to your apps, data, and even websites and services –
not a random assortment of letters and numbers that are easily forgotten, hacked, or written down and pinned to a
bulletin board.
Your ability to protect personal and sensitive data, that may be stored or accessed through desktop or laptops will
be further enhanced by adopting advanced authentication capabilities such as Windows Hello for Business and
Windows Hello companion devices. Windows Hello for Business, part of Windows 10, gives users a personal,
secured experience where the device is authenticated based on their presence. Users can log in with a look or a
touch, with no need for a password.
In conjunction with Windows Hello for Business, biometric authentication uses fingerprints or facial recognition and
is more secure, more personal, and more convenient. If an application supports Hello, Windows 10 enables you to
authenticate applications, enterprise content, and even certain online experiences without a password being stored
on your device or in a network server at all. Windows Hello for Business works with the Companion Device
Framework to enhance the user authentication experience. Using the Windows Hello Companion Device
Framework, a companion device can provide a rich experience for Windows Hello even when biometrics are not
available (for example, if the Windows 10 desktop lacks a camera for face authentication or fingerprint reader
device).
There are numerous ways one can use the Windows Hello Companion Device Framework to build a great Windows
unlock experience with a companion device. For example, users can:
Work offline (for example, while traveling on a plane)
Attach their companion device to PC via USB, touch the button on the companion device, and automatically
unlock their PC.
Carry a phone in their pocket that is already paired with their PC over Bluetooth. Upon hitting the spacebar
on their PC, their phone receives a notification. Approve it and the PC simply unlocks.
Tap their companion device to an NFC reader to quickly unlock their PC.
Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a
special gesture (like clapping), the PC unlocks.
Protection against attacks by isolating user credentials
As noted in the Windows 10 Credential Theft Mitigation Guide, “the tools and techniques criminals use to carry out
credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential
theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic
approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing
credentials after compromising a system to expand or persist access, so organizations must contain breaches
rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised
network.”
An important design consideration for Windows 10 was mitigating credential theft — in particular, derived
credentials. Windows Defender Credential Guard provides significantly improved security against derived
credential theft and reuse by implementing a significant architectural change in Windows designed to help
eliminate hardware-based isolation attacks rather than simply trying to defend against them.
When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using
virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are
blocked. Malware running in the operating system with administrative privileges can't extract secrets that are
protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation,
persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows
Defender Device Guard, as described above, and other security strategies and architectures.
Information Protection
The GDPR is focused on information protection regarding data that is considered as personal or sensitive in
relation to a natural person, or data subject. Device protection, protection against threats, and identity protection
are all important elements of a Defense in Depth strategy surrounding a layer of information protection in your
laptop and desktop systems.
As to the protection of data, the GDPR recognizes that in assessing data security risk, consideration should be given
to the risks that are presented such as accidental loss, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed. It also recommends that measures taken to maintain an appropriate
level of security should consider the state-of-the-art and the costs of implementation in relation to the risks among
other factors.
Windows 10 provides built in risk mitigation capabilities for today’s threat landscape. In this section, we will look at
the types of technologies that will help your journey toward GDPR compliance and at the same time provide you
with solid overall data protection as part of a comprehensive information protection strategy.
Disclaimer
This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. We’ve spent a lot
of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of
GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.
As a result, this article is provided for informational purposes only and should not be relied upon as legal advice or
to determine how GDPR might apply to you and your organization. We encourage you to work with a legally-
qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure
compliance.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS
ARTICLE. This article is provided “as-is.” Information and views expressed in this article, including URL and other
Internet website references, may change without notice.
This article does not provide you with any legal rights to any intellectual property in any Microsoft product. You
may copy and use this article for your internal, reference purposes only.
Published September 2017
Version 1.0
© 2017 Microsoft. All rights reserved.
Windows and the GDPR: Information for IT
Administrators and Decision Makers
12/6/2019 • 17 minutes to read • Edit Online
Applies to:
Windows 10, version 1703 and newer
Windows 10 Team Edition, version 1703 for Surface Hub
Windows Server 2016 and newer
Desktop Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an
organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn
what role an IT organization plays for that relationship.
For more information about the GDPR, see:
Microsoft GDPR Overview
Microsoft Trust Center FAQs about the GDPR
Microsoft Service Trust Portal (STP)
Get Started: Support for GDPR Accountability
GDPR fundamentals
Here are some GDPR fundamentals:
On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights,
security, and compliance.
The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers
and employees.
The European law establishes strict global data privacy requirements governing how organizations manage and
protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
A request by an individual to an organization to take an action on their personal data is referred to here as a
data subject request, or DSR.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for
clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by
organizations all over the world with regard to the discovery, management, protection, and reporting of personal
data that is collected, processed, and stored within an organization.
What is personal data under the GDPR?
Article 4 (1) of the GDPR defines personal data as any information relating to an identified or identifiable person.
There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data
includes, but is not limited to:
Name
Email address
Credit card numbers
IP addresses
Social media posts
Location information
Handwriting patterns
Voice input to cloud-based speech services
Controller and processor under the GDPR: Who does what
Definition
The GDPR describes specific requirements for allocating responsibility for controller and processor activities related
to personal data. Thus, every organization that processes personal data must determine whether it is acting as a
controller or processor for a specific scenario.
Controller : GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines the purposes and means of the processing of
personal data.
Processor : According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller.
Controller scenario
For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to
detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that
organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the
organization is the controller of the respective personal data, since the organization controls the purpose and
means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
Processor scenario
In the controller scenario described above, Microsoft is a processor because Microsoft provides data processing
services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and
enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer
and does not have the right to process data beyond their instructions as specified in a written contract, such as the
Microsoft Product Terms and the Microsoft Online Services Terms (OST).
IMPORTANT
Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own
functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further
guidance on how to control the diagnostic data collection level and transmission of these applications and services.
NOTE
Both Desktop Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a
certain license (please see Compare Windows 10 editions).
Desktop Analytics
IMPORTANT
The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. Update
Compliance will continue to be supported. For more information, see Windows Analytics retirement on January 31, 2020.
Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight
and intelligence for you to make more informed decisions about the update readiness of Windows Windows
devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an
enterprise with data aggregated from millions of devices into the Desktop Analytics service.
Windows transmits Windows diagnostic data to Microsoft datacenters, where that data is analyzed and stored.
With Desktop Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve
their processes for upgrading to Windows 10.
As a result, in terms of the GDPR, the organization that has subscribed to Desktop Analytics is acting as the
controller, while Microsoft is the processor for Desktop Analytics.
NOTE
The IT organization must explicitly enable Desktop Analytics for a device after the organization subscribes.
IMPORTANT
Desktop Analytics does not collect Windows Diagnostic data by itself. Instead, Desktop Analytics only uses a subset of
Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is
controlled by the IT department of an organization or the user of a device. See Enable data sharing for Desktop Analytics
NOTE
The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level
configuration for EEA and Switzerland commercial users is “Basic”.
NOTE
For Windows 7, Microsoft recommends using Commercial Data Opt-in setting to facilitate upgrade planning to Windows 10.
NOTE
Additional information can be found at Desktop Analytics and privacy.
Windows Server
Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when
collecting Windows diagnostic data.
More detailed information about Windows Server and the GDPR is available at Beginning your General Data
Protection Regulation (GDPR) journey for Windows Server.
Windows diagnostic data and Windows Server
The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through
management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”.
The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools,
such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using
Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any
device-level settings.
There are two options for deleting Windows diagnostic data from a Windows Server machine:
If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are
the same options available for an IT administrator that end users have with Windows 10, version 1803 and
version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the Delete
button in the Delete diagnostic data section of Star t > Settings > Privacy > Diagnostics & feedback .
Microsoft has provided a PowerShell cmdlet that IT administrators can use to delete Windows diagnostic data
via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet
provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows
Server 2019. For more information, see the PowerShell Gallery.
Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can
contain personal data.
Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control.
For example, for exporting personal data contained in a backup, the organization needs to restore the
appropriate backup sets to facilitate the respective data subject request (DSR).
The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure
Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or
in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to
restore the data in order to exercise the respective DSR.
NOTE
Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement
their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please
contact the app publisher for further guidance on how to control this.
An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to
Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use
MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see
Manage settings with an MDM provider.
Further reading
Optional settings / features that further improve the protection of personal data
Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use
the modern and advanced security features of Windows 10. An IT organization can learn more at Mitigate threats
by using Windows 10 security features and Standards for a highly secure Windows 10 device.
NOTE
Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module
(TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
IMPORTANT
Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security
configuration of a device in the organization and are therefore not recommended.
Applies to:
Windows 10, version 1809 and newer
Windows 10 Team Edition, version 1703 for Surface Hub
Windows Server 2016 and newer
Windows Analytics
For more information about the GDPR, see:
Windows and the GDPR: Information for IT Administrators and Decision Makers
Microsoft GDPR Overview
Microsoft Trust Center FAQs about the GDPR
Microsoft Service Trust Portal (STP)
Get Started: Support for GDPR Accountability
Overview
At Microsoft, we are deeply committed to data privacy across all our products and services. With this guide, we
provide IT and compliance professionals with data privacy considerations for Windows 10.
Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can
contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and
organizations control the collection of personal data, Windows 10 provides comprehensive transparency features,
settings choices, controls and support for data subject requests, all of which are detailed in this guide.
This information allows IT and compliance professionals work together to better manage personal data privacy
considerations and related regulations, such as the General Data Protection Regulation (GDPR).
NOTE
This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version
1809 and later). For the full list of settings that involve data collection, see: Manage connections from Windows operating
system components to Microsoft services.
Inking and typing Microsoft collects inking and Learn more Privacy Statement
diagnostics typing data to improve the
language recognition and
suggestion capabilities of
apps and services running
on Windows.
Speech Use your voice for dictation Learn more Privacy Statement
and to talk to Cortana and
other apps that use
Windows cloud-based
speech recognition.
Microsoft collects voice data
to help improve speech
services.
Find my device Use your device’s location Learn more Privacy Statement
data to help you find your
device if you lose it.
F EAT URE/ SET T IN G DESC RIP T IO N SUP P O RT IN G C O N T EN T P RIVA C Y STAT EM EN T
Tailored Experiences Let Microsoft offer you Learn more Privacy Statement
tailored experiences based
on the diagnostic data you
have chosen (Security, Basic,
Enhanced, or Full). Tailored
experiences mean
personalized tips, ads, and
recommendations to
enhance Microsoft products
and services for your needs.
Activity History/Timeline – If you want timeline and Learn more Privacy statement
Cloud Sync other Windows features to
help you continue what you
were doing, even when you
switch devices, send
Microsoft your activity
history, which includes info
about websites you browse
and how you use apps and
services.
F EAT URE/ SET T IN G DESC RIP T IO N SUP P O RT IN G C O N T EN T P RIVA C Y STAT EM EN T
NOTE
This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, please refer to
Manage connections from Windows operating system components to Microsoft services.
MDM:
Privacy/AllowInputPersonaliz
ation
MDM:
Privacy/LetAppsAccessLocati
on
MDM:
Experience/AllFindMyDevice
DEFA ULT STAT E IF T H E
SET UP EXP ERIEN C E IS STAT E TO STO P / M IN IM IZ E
F EAT URE/ SET T IN G GP / M DM DO C UM EN TAT IO N SUP P RESSED DATA C O L L EC T IO N
Diagnostic Data Group Policy: Desktop SKUs: Security and block endpoints
Computer Configuration Basic (Windows 10, version
> Windows Components 1903 and later)
> Data Collection and
Preview Builds > Allow Server SKUs:
Telemetr y Enhanced
MDM:
System/AllowTelemetry
Inking and typing Group Policy: Off (Windows 10, version Off
diagnostics Computer Configuration 1809 and later)
> Windows Components
> Text Input > Improve
inking and typing
recognition
MDM:
TextInput/AllowLinguisticDat
aCollection
MDM:
Privacy/DisableAdvertisingId
MDM:
Privacy/EnableActivityFeed
MDM:
Experience/AllowCortana
2.3.6 Diagnostic data: Managing end user choice for changing the setting
Windows 10, version 1803 and later, allows users to change their diagnostic data level to a lower setting than what
their IT administrator has set. For instance, if the administrator has set the diagnostic data level to Enhanced or Full,
a user can change the setting to Basic by going into Settings > Privacy > Diagnostic & feedback . The
administrator can disable the user ability to change the setting via Setting > Privacy by setting the Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and
Preview Builds > Configure telemetr y opt-in setting user interface or the MDM policy
ConfigureTelemetryOptInSettingsUx .
2.3.7 Diagnostic data: Managing device-based data delete
Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going
into Settings > Privacy > Diagnostic & feedback and clicking the Delete button. An IT administrator can also
delete diagnostic data for a device using the Clear-WindowsDiagnosticData PowerShell cmdlet script.
An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and
Preview Builds > Disable deleting diagnostic data or the MDM policy DisableDeviceDelete .
Additional Resources
Microsoft Trust Center: GDPR Overview
Microsoft Trust Center: Privacy at Microsoft
Windows IT Pro Docs
Windows 10 personal data services configuration
12/24/2019 • 5 minutes to read • Edit Online
Applies to:
Windows 10, version 1803 and newer
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy
protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section
with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT
organization.
IT Professionals that are interested in applying these settings via group policies can find the configuration for
download here.
Introduction
Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This
information can contain personal data that may be used to provide, support, and improve Windows 10 services.
Many Windows 10 services are controller services. A user can manage data collection settings, for example by
opening Start > Settings > Privacy or by visiting the Microsoft Privacy dashboard. While this relationship between
Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For
example, the IT department has the ability to configure the Windows diagnostic data level across their organization
by using Group Policy, registry, or Mobile Device Management (MDM) settings.
Below is a collection of settings related to the Windows 10 personal data services configuration that IT
Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
NOTE
In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required
by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the
Enhanced level to the smallest set of data required by Windows Analytics. For more information on the Enhanced level, see
Configure Windows diagnostic data in your organization.
Group Policy
Group Policy Computer Configuration\Administrative Templates\Windows
Components\Data Collection and Preview Builds
Recommended 2 - Enhanced
Recommended 2 - Enhanced
NOTE
When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
Registry
Value AllowTelemetry
Type REG_DWORD
Setting "00000002"
Value AllowTelemetry
Type REG_DWORD
Setting "00000002"
MDM
Recommended 2 – Allowed
Recommended Enabled
Registry
Value DisableTelemetryOptInChangeNotification
Type REG_DWORD
Setting "00000000"
MDM
Policy ConfigureTelemetryOptInChangeNotification
Recommended 0 – Enabled
Recommended Enabled
Registry
Value DisableTelemetryOptInSettingsUx
Type REG_DWORD
Setting "00000001"
MDM
Policy ConfigureTelemetryOptInSettingsUx
Recommended 0 – Enabled
Policy Name Deny write access to fixed drives not protected by BitLocker
Recommended Enabled
Registry
Registr y key HKLM\System\CurrentControlSet\Policies\Microsoft\FVE
Value FDVDenyWriteAccess
Type REG_DWORD
Setting "00000001"
MDM
Policy FixedDrivesRequireEncryption
Recommended Enabled
Registry
Value RDVDenyWriteAccess
Type REG_DWORD
Setting "00000001"
Value RDVDenyCrossOrg
Type REG_DWORD
Setting "00000000"
MDM
Policy RemovableDrivesRequireEncryption
Privacy – AdvertisingID
This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps,
is turned off.
Group Policy
Recommended Enabled
Registry
Value DisabledByGroupPolicy
Type REG_DWORD
Setting "00000001"
MDM
Policy DisableAdvertisingId
Recommended 1 – Enabled
Edge
These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
NOTE
Please see this Microsoft blog post for more details on why the “Do Not Track” is no longer the default setting.
Group Policy
Recommended Disabled
Recommended Disabled
Registry
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
MDM
Internet Explorer
These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to
websites.
Group Policy
Recommended Disabled
Recommended Disabled
Registry
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
MDM
Additional resources
FAQs
Windows 10 feedback, diagnostics, and privacy
Microsoft Edge and privacy
Windows Hello and privacy
Wi-Fi Sense
Blogs
Privacy and Windows 10
Privacy Statement
Microsoft Privacy Statement
Windows Privacy on docs.microsoft.com
Manage connections from Windows operating system components to Microsoft services
Manage connections from Windows 10 operating system components to Microsoft services
Understanding Windows diagnostic data
Configure Windows diagnostic data in your organization
Other resources
Privacy at Microsoft
Configure Windows diagnostic data in your
organization
12/11/2019 • 27 minutes to read • Edit Online
Applies to
Windows 10 Enterprise
Windows 10 Mobile
Windows Server
This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic
data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic
data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly
identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure diagnostic data in your organization.
Diagnostic data is a term that means different things to different people and organizations. For this article, we
discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry
component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and
make product improvements.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by
contacting telmhelp@microsoft.com.
W IN DO W S REL EA SE EN DP O IN T
Windows 10, versions 1703 or later, with the 2018-09 Diagnostics data: v10c.vortex-win.data.microsoft.com
cumulative update installed Functional: v20.vortex-win.data.microsoft.com
Windows 10, versions 1803 or later, without the 2018-09 Diagnostics data: v10.events.data.microsoft.com
cumulative update installed Functional: v20.vortex-win.data.microsoft.com
The following table defines additional diagnostics endpoints not covered by services in the links above:
SERVIC E EN DP O IN T
The following table defines the endpoints for other diagnostic data services:
SERVIC E EN DP O IN T
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
SERVIC E EN DP O IN T
weus2watcab02.blob.core.windows.net
The lowest diagnostic data setting level supported through management policies is Security . The lowest
diagnostic data setting supported through the Settings UI is Basic . The default diagnostic data setting for
Windows Server is Enhanced .
Configure the diagnostic data level
You can configure your device's diagnostic data settings using the management tools you’re already using, such
as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry
Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data
on the device.
Use the appropriate value in the table below when you configure the management policy.
L EVEL VA L UE
Security 0
Basic 1
Enhanced 2
Full 3
NOTE
When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
NOTE
Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords,
email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such
events by using technologies to identify and remove sensitive information before linguistic data is sent from the
user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
NOTE
If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows
Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this
information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager functionality is not
affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
Connected User Experiences and Telemetr y component settings . If general diagnostic data has
been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User
Experiences and Telemetry component may download a configuration settings file from Microsoft’s
servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The
data gathered by the client for this request includes OS information, device id (used to identify what
specific device is requesting settings) and device class (for example, whether the device is server or
desktop).
Malicious Software Removal Tool (MSRT) The MSRT infection report contains information, including
device info and IP address.
NOTE
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows
Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article 891716.
Windows Defender/Endpoint Protection . Windows Defender and System Center Endpoint Protection
requires some information to function, including: anti-malware signatures, diagnostic information, User
Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
NOTE
This reporting can be turned off and no information is included if a customer is using third-party antimalware
software, or if Windows Defender is turned off. For more info, see Windows Defender.
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the
enterprise uses alternative solutions such as Windows Server Update Services, Microsoft Endpoint
Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and
MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data
level to Security . This stops data gathering for events that would not be uploaded due to the lack of Internet
connectivity.
No user content, such as user files or communications, is gathered at the Security diagnostic data level, and we
take steps to avoid gathering any information that directly identifies a company or user, such as name, email
address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal
information. For instance, some malware may create entries in a computer’s registry that include information
such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
Basic level
The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This
level also includes the Security level data. This level helps to identify problems that can occur on a specific
hardware or software configuration. For example, it can help determine if crashes are more frequent on devices
with a specific amount of memory or that are running a specific driver version. The Connected User Experiences
and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic
data for other non-Windows applications if they have user consent.
This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows
10, version 1903.
The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
The data gathered at this level includes:
Basic device data . Helps provide an understanding about the types of Windows devices and the
configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
Device attributes, such as camera resolution and display type
Internet Explorer version
Battery attributes, such as capacity and type
Networking attributes, such as number of network adapters, speed of network adapters, mobile
operator network, and IMEI number
Processor and memory attributes, such as number of cores, architecture, speed, memory size, and
firmware
Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating
system
Operating system attributes, such as Windows edition and virtualization state
Storage attributes, such as number of drives, type, and size
Connected User Experiences and Telemetr y component quality metrics . Helps provide an
understanding about how the Connected User Experiences and Telemetry component is functioning,
including % of uploaded events, dropped events, and the last upload time.
Quality-related information . Helps Microsoft develop a basic understanding of how a device and its
operating system are performing. Some examples are the device characteristics of a Connected Standby
device, the number of crashes or hangs, and application state change details, such as how much processor
time and memory were used, and the total uptime for an app.
Compatibility data . Helps provide an understanding about which apps are installed on a device or
virtual machine and identifies potential compatibility problems.
General app data and app data for Internet Explorer add-ons . Includes a list of apps that are
installed on a native or virtualized instance of the OS and whether these apps function correctly
after an upgrade. This app data includes the app name, publisher, version, and basic details about
which files have been blocked from usage.
Internet Explorer add-ons . Includes a list of Internet Explorer add-ons that are installed on a
device and whether these apps will work after an upgrade.
System data . Helps provide an understanding about whether a device meets the minimum
requirements to upgrade to the next version of the operating system. System information includes
the amount of memory, as well as information about the processor and BIOS.
Accessor y device data . Includes a list of accessory devices, such as printers or external storage
devices, that are connected to Windows PCs and whether these devices will function after
upgrading to a new version of the operating system.
Driver data . Includes specific driver usage that’s meant to help figure out whether apps and
devices will function after upgrading to a new version of the operating system. This can help to
determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
Microsoft Store . Provides information about how the Microsoft Store performs, including app
downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and
resumes, and obtaining licenses.
Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also
includes data from both the Basic and Security levels. This level helps to improve the user experience with the
operating system and apps. Data from this level can be abstracted into patterns and trends that can help
Microsoft determine future improvements.
This level is needed to quickly identify and address Windows and Windows Server quality issues.
The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
The data gathered at this level includes:
Operating system events . Helps to gain insights into different areas of the operating system, including
networking, Hyper-V, Cortana, storage, file system, and other components.
Operating system app events . A set of events resulting from Microsoft applications and management
tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including
Server Manager, Photos, Mail, and Microsoft Edge.
Device-specific events . Contains data about events that are specific to certain devices, such as Surface
Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-
related events.
Some crash dump types . All crash dump types, except for heap dumps and full dumps.
If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires
gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the
Enhanced diagnostic data level will only gather data about the events associated with the specific issue.
Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process
described below. This level also includes data from the Basic, Enhanced, and Security levels.
Additionally, at this level, devices opted in to the Windows Insider Program will send events, such as reliability
and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These
events help us make decisions on which builds are flighted. All devices in the Windows Insider Program are
automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing,
additional data becomes necessary. This data can include any user content that might have triggered the problem
and is gathered from a small sample of devices that have both opted into the Full diagnostic data level and have
exhibited the problem.
However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject
matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved,
Microsoft engineers can use the following capabilities to get the information:
Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe,
powercfg.exe, and dxdiag.exe.
Ability to get registry keys.
All crash dump types, including heap dumps and full dumps.
NOTE
Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory
from a documents, a web page, etc.
Desktop Analytics reports are powered by diagnostic data not included in the Basic level, such as crash reports
and certain operating system events.
In Windows 10, version 1709, we introduced the Limit Enhanced diagnostic data to the minimum
required by Windows Analytics feature. When enabled, this feature lets you send only the following subset of
Enhanced level diagnostic data.
Operating system events. Limited to a small set required for analytics reports and documented in the
Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy
topic.
Some crash dump types. Triage dumps for user mode and mini dumps for kernel mode.
NOTE
Triage dumps are a type of minidumps that go through a process of user-sensitive information scrubbing. Some user-
sensitive information may be missed in the process, and will therefore be sent with the dump.
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will
not include Office related diagnostic data.
Enable limiting enhanced diagnostic data to the minimum required by Desktop Analytics
1. Set the diagnostic data level to Enhanced , using either Group Policy or MDM.
a. Using Group Policy, set the Computer Configuration/Administrative Templates/Windows
Components/Data Collection and Preview Builds/Allow telemetr y setting to 2 .
-OR-
b. Using MDM, use the Policy CSP to set the System/AllowTelemetr y value to 2 .
-AND-
2. Enable the LimitEnhancedDiagnosticDataWindowsAnalytics setting, using either Group Policy or
MDM.
a. Using Group Policy, set the Computer Configuration/Administrative Templates/Windows
Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the
minimum required by Windows Analytics setting to Enabled .
-OR-
b. Using MDM, use the Policy CSP to set the
System/LimitEnhancedDiagnosticDataWindowsAnalytics value to 1 .
Additional resources
FAQs
Cortana, Search, and privacy
Windows 10 feedback, diagnostics, and privacy
Windows 10 camera and privacy
Windows 10 location service and privacy
Microsoft Edge and privacy
Windows 10 speech, inking, typing, and privacy
Windows Hello and privacy
Wi-Fi Sense
Windows Update Delivery Optimization
Blogs
Privacy and Windows 10
Privacy Statement
Microsoft Privacy Statement
TechNet
Manage connections from Windows operating system components to Microsoft services
Web Pages
Privacy at Microsoft
Diagnostic Data Viewer Overview
1/30/2020 • 7 minutes to read • Edit Online
Applies to
Windows 10, version 1803 and newer
Introduction
The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is
sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
IMPORTANT
It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the
case, see Diagnostic Data Viewer for PowerShell.
-OR-
IMPORTANT
Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend
that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data
viewing, see the Turn off data viewing section in this article.
IMPORTANT
Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued
and will be uploaded at a later time.
Search your diagnostic events. The Search box at the top of the screen lets you search amongst all of
the diagnostic event details. The returned search results include any diagnostic event that contains the
matching text.
Selecting an event opens the detailed JSON view, with the matching text highlighted.
Filter your diagnostic event categories. The app's Menu button opens the detailed menu. In here,
you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting
a check box lets you filter between the diagnostic event categories.
Help to make your Windows experience better. Microsoft only needs diagnostic data from a small
amount of devices to make big improvements to the Windows operating system and ultimately, your
experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the
associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, you’ll see this icon ( ) if your device is part of the group. In addition, if any
of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll
see this icon ( ).
Provide diagnostic event feedback . The Feedback icon in the upper right corner of the window opens
the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic
events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub.
You can add your comments to the box labeled, Give us more detail (optional) .
IMPORTANT
All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your
feedback comments.
View a summar y of the data you've shared with us over time. Available for users on build 19H1+,
'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared
with Microsoft.
Through this feature, you can checkout how much data you send on average each day, the breakdown of
your data by category, the top components and services that have sent data, and more.
IMPORTANT
This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended
analyses, please modify the storage capacity of Diagnostic Data Viewer.
IMPORTANT
Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a
reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with
performance impacts to your machine.
To view your Windows Error Repor ting diagnostic data using the Control Panel
Go to Star t , select Control Panel > All Control Panel Items > Security and Maintenance > Problem
Repor ts .
-OR-
Go to Star t and search for Problem Reports. The Review problem repor ts tool opens, showing you your
Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
Applies to
Windows 10, version 1803 and newer
Windows Server, version 1803
Windows Server 2019
Introduction
The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your
device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
Requirements
You must have administrative privilege on the device in order to use this PowerShell module. This module requires
OS version 1803 and higher.
IMPORTANT
It is recommended to visit the documentation on Getting Started with PowerShell Gallery. This page provides more specific
details on installing a PowerShell module.
To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within
an elevated PowerShell session:
PS C:\> Enable-DiagnosticDataViewing
Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to
Microsoft from this point on.
IMPORTANT
Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you
turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the
Turn off data viewing section in this article.
PS C:\> Get-DiagnosticData
If the number of events is large, and you'd like to stop the command, enter Ctrl+C .
IMPORTANT
The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before
your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try
again.
PS C:\> Get-DiagnosticDataTypes
Filter events by when they were sent. You can view events within specified time ranges by specifying a
start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6
hours ago, run the following command. Note that data is shown in order of oldest first.
Expor t the results of each command. You can export the results of each command to a separate file
such as a csv by using pipe | . For example,
PS C:\> Disable-DiagnosticDataViewing
IMPORTANT
Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your
machine.
IMPORTANT
If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it
back on in order to reclaim disk space.
You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum
data history size to 2048MB (2GB), you can run the following command.
You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data
history time to 24 hours, you can run the following command.
IMPORTANT
You may need to restart your machine for the new settings to take effect.
IMPORTANT
If you have the Diagnostic Data Viewer store app installed on the same device, modifications to the size of your data history
through the PowerShell module will also be reflected in the app.
When resetting the size of your data history to a lower value, be sure to turn off data viewing and turn it back on in
order to reclaim disk space.
Related Links
Module in PowerShell Gallery
Documentation for Diagnostic Data Viewer for PowerShell
Windows 10, version 1903 and Windows 10, version
1909 basic level Windows diagnostic events and fields
12/26/2019 • 313 minutes to read • Edit Online
Applies to
Windows 10, version 1909
Windows 10, version 1903
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration
including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the
level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration.
For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or
that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1809 basic diagnostic events and fields
Windows 10, version 1803 basic diagnostic events and fields
Windows 10, version 1709 basic diagnostic events and fields
Windows 10, version 1703 basic diagnostic events and fields
Manage connections from Windows operating system components to Microsoft services
Configure Windows diagnostic data in your organization
AppLocker events
Microsoft.Windows.Security.AppLockerCSP.AddParams
This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider
(CSP) to help keep Windows secure.
The following fields are available:
child The child URI of the node to add.
uri URI of the node relative to %SYSTEM32%/AppLocker.
Microsoft.Windows.Security.AppLockerCSP.AddStart
This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.AddStop
This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure.
The following fields are available:
hr The HRESULT returned by Add function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Commit
This event returns information about the Commit operation in the AppLocker Configuration Service Provider (CSP)
to help keep Windows secure..
The following fields are available:
oldId The unique identifier for the most recent previous CSP transaction.
txId The unique identifier for the current CSP transaction.
Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to
help keep Windows secure.
The following fields are available:
oldId Previous id for the CSP transaction.
txId Current id for the CSP transaction.
Microsoft.Windows.Security.AppLockerCSP.ClearParams
This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider
(CSP) to help keep Windows secure.
The following fields are available:
uri The URI relative to the %SYSTEM32%\AppLocker folder.
Microsoft.Windows.Security.AppLockerCSP.ClearStart
This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.ClearStop
This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure.
The following fields are available:
hr HRESULT reported at the end of the 'Clear' function.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker
Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
NodeId NodeId passed to CreateNodeInstance.
nodeOps NodeOperations parameter passed to CreateNodeInstance.
uri URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
The following fields are available:
hr HRESULT returned by the CreateNodeInstance function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
The following fields are available:
child The child URI of the node to delete.
uri URI relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
to help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
to help keep Windows secure.
The following fields are available:
hr HRESULT returned by the DeleteChild function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-
in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present.
The following fields are available:
uri URI relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
This event provides the parameters passed to the Get Child Node Names operation of the AppLocker
Configuration Service Provider (CSP) to help keep Windows secure.
The following fields are available:
uri URI relative to %SYSTEM32%/AppLocker for MDM node.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
The following fields are available:
child[0] If function succeeded, the first child's name, else "NA".
count If function succeeded, the number of child node names returned by the function, else 0.
hr HRESULT returned by the GetChildNodeNames function of AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.GetLatestId
This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider
(CSP) to help keep Windows secure.
The following fields are available:
dirId The latest directory identifier found by GetLatestId.
id The id returned by GetLatestId if id > 0 - otherwise the dirId parameter.
Microsoft.Windows.Security.AppLockerCSP.HResultException
This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration
Service Provider (CSP).
The following fields are available:
file File in the OS code base in which the exception occurs.
function Function in the OS code base in which the exception occurs.
hr HRESULT that is reported.
line Line in the file in the OS code base in which the exception occurs.
Microsoft.Windows.Security.AppLockerCSP.SetValueParams
This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration
Service Provider (CSP) to help keep Windows secure.
The following fields are available:
dataLength Length of the value to set.
uri The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.SetValueStart
This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to
help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.SetValueStop
End of the "SetValue" operation for the AppLockerCSP node.
The following fields are available:
hr HRESULT returned by the SetValue function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that
needs to be fixed.
The following fields are available:
uri URI for node relative to %SYSTEM32%/AppLocker.
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to
ensure that the records present on the server match what is present on the client.
The following fields are available:
DatasourceApplicationFile_19H1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_19H1Setup The count of the number of this particular object type present on
this device.
DatasourceApplicationFile_20H1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_20H1Setup The count of the number of this particular object type present on
this device.
DatasourceApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS2 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS3 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS4 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS5 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_TH1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_TH2 The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_19H1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_20H1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_20H1Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS1 The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on
this device.
DatasourceDevicePnp_RS2 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS3 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS4 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS5 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_TH1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_TH2 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_19H1 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_19H1Setup The count of the number of this particular object type present on
this device.
DatasourceDriverPackage_20H1 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_20H1Setup The count of the number of this particular object type present on
this device.
DatasourceDriverPackage_RS1 The total DataSourceDriverPackage objects targeting Windows 10 version
1607 on this device.
DatasourceDriverPackage_RS2 The total DataSourceDriverPackage objects targeting Windows 10, version
1703 on this device.
DatasourceDriverPackage_RS3 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_RS4 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_RS5 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_TH1 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_TH2 The count of the number of this particular object type present on this device.
DataSourceMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_19H1Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_20H1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_20H1Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_RS1 The total DataSourceMatchingInfoBlock objects targeting Windows 10
version 1607 on this device.
DataSourceMatchingInfoBlock_RS2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS3 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_TH2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_19H1 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_19H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPassive_20H1 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_20H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPassive_RS1 The total DataSourceMatchingInfoPassive objects targeting Windows
10 version 1607 on this device.
DataSourceMatchingInfoPassive_RS2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS3 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_TH2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPoltUpgrade_20H1 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_20H1 The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_20H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_RS1 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1607 on this device.
DataSourceMatchingInfoPostUpgrade_RS2 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1703 on this device.
DataSourceMatchingInfoPostUpgrade_RS3 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1709 on this device.
DataSourceMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_TH2 The count of the number of this particular object type present
on this device.
DatasourceSystemBios_19ASetup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_19H1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_19H1Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_20H1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS1 The total DatasourceSystemBios objects targeting Windows 10 version 1607
present on this device.
DatasourceSystemBios_RS2 The total DatasourceSystemBios objects targeting Windows 10 version 1703
present on this device.
DatasourceSystemBios_RS3 The total DatasourceSystemBios objects targeting Windows 10 version 1709
present on this device.
DatasourceSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS4 The count of the number of this particular object type present on this device.
DatasourceSystemBios_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS5 The count of the number of this particular object type present on this device.
DatasourceSystemBios_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_TH1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_TH2 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19H1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19H1Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_20H1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_20H1Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_RS1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS2 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS3 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS4 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS5 The count of the number of this particular object type present on this device.
DecisionApplicationFile_TH1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_TH2 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
DecisionDevicePnp_20H1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_20H1Setup The count of the number of this particular object type present on this
device.
DecisionDevicePnp_RS1 The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this
device.
DecisionDevicePnp_RS2 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS3 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS3Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS4 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS4Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS5 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS5Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_TH1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_TH2 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19H1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19H1Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_20H1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_20H1Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS1 The total DecisionDriverPackage objects targeting Windows 10 version 1607
on this device.
DecisionDriverPackage_RS2 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS3 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS4 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS4Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS5 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS5Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_TH1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_TH2 The count of the number of this particular object type present on this device.
DecisionMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_19H1Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_20H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_20H1Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_RS1 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1607 present on this device.
DecisionMatchingInfoBlock_RS2 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1703 present on this device.
DecisionMatchingInfoBlock_RS3 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1709 present on this device.
DecisionMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_TH2 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_19H1Setup The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPassive_20H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_20H1Setup The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPassive_RS1 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1607 on this device.
DecisionMatchingInfoPassive_RS2 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1703 on this device.
DecisionMatchingInfoPassive_RS3 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1803 on this device.
DecisionMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_TH2 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPoltUpgrade_20H1 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_20H1 The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPostUpgrade_20H1Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_RS1 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1607 on this device.
DecisionMatchingInfoPostUpgrade_RS2 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1703 on this device.
DecisionMatchingInfoPostUpgrade_RS3 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1709 on this device.
DecisionMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_TH2 The count of the number of this particular object type present on
this device.
DecisionMediaCenter_19H1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_19H1Setup The total DecisionMediaCenter objects targeting the next release of
Windows on this device.
DecisionMediaCenter_20H1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_20H1Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS1 The total DecisionMediaCenter objects targeting Windows 10 version 1607
present on this device.
DecisionMediaCenter_RS2 The total DecisionMediaCenter objects targeting Windows 10 version 1703
present on this device.
DecisionMediaCenter_RS3 The total DecisionMediaCenter objects targeting Windows 10 version 1709
present on this device.
DecisionMediaCenter_RS4 The count of the number of this particular object type present on this device.
DecisionMediaCenter_RS5 The count of the number of this particular object type present on this device.
DecisionMediaCenter_TH1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_TH2 The count of the number of this particular object type present on this device.
DecisionSystemBios_19ASetup The count of the number of this particular object type present on this
device.
DecisionSystemBios_19H1 The count of the number of this particular object type present on this device.
DecisionSystemBios_19H1Setup The total DecisionSystemBios objects targeting the next release of
Windows on this device.
DecisionSystemBios_20H1 The count of the number of this particular object type present on this device.
DecisionSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS1 The total DecisionSystemBios objects targeting Windows 10 version 1607 on this
device.
DecisionSystemBios_RS2 The total DecisionSystemBios objects targeting Windows 10 version 1703 on this
device.
DecisionSystemBios_RS3 The total DecisionSystemBios objects targeting Windows 10 version 1709 on this
device.
DecisionSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS4 The total DecisionSystemBios objects targeting Windows 10 version, 1803 present
on this device.
DecisionSystemBios_RS4Setup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_RS5 The total DecisionSystemBios objects targeting the next release of Windows on
this device.
DecisionSystemBios_RS5Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_TH1 The count of the number of this particular object type present on this device.
DecisionSystemBios_TH2 The count of the number of this particular object type present on this device.
DecisionSystemProcessor_RS2 The count of the number of this particular object type present on this device.
DecisionTest_20H1Setup The count of the number of this particular object type present on this device.
DecisionTest_RS1 An ID for the system, calculated by hashing hardware identifiers.
Inventor yApplicationFile The count of the number of this particular object type present on this device.
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Inventor yLanguagePack The count of the number of this particular object type present on this device.
Inventor yMediaCenter The count of the number of this particular object type present on this device.
Inventor ySystemBios The count of the number of this particular object type present on this device.
Inventor ySystemMachine The count of the number of this particular object type present on this device.
Inventor ySystemProcessor The count of the number of this particular object type present on this device.
Inventor yTest The count of the number of this particular object type present on this device.
Inventor yUplevelDriverPackage The count of the number of this particular object type present on this
device.
PCFP The count of the number of this particular object type present on this device.
SystemMemor y The count of the number of this particular object type present on this device.
SystemProcessorCompareExchange The count of the number of this particular object type present on this
device.
SystemProcessorLahfSahf The count of the number of this particular object type present on this device.
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The total number of objects of this type present on this device.
SystemTouch The count of the number of this particular object type present on this device.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of the number of this particular object type present on this
device.
SystemWlan The total number of objects of this type present on this device.
Wmdrm_19H1 The count of the number of this particular object type present on this device.
Wmdrm_19H1Setup The total Wmdrm objects targeting the next release of Windows on this device.
Wmdrm_20H1 The count of the number of this particular object type present on this device.
Wmdrm_20H1Setup The total Wmdrm objects targeting the next release of Windows on this device.
Wmdrm_RS1 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS2 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS3 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS4 The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
Wmdrm_RS5 The count of the number of this particular object type present on this device.
Wmdrm_TH1 The count of the number of this particular object type present on this device.
Wmdrm_TH2 The count of the number of this particular object type present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an anti-virus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an anti-virus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
CosDeviceRating An enumeration that indicates if there is a driver on the target operating system.
CosDeviceSolution An enumeration that indicates how a driver on the target operating system is available.
CosDeviceSolutionUrl Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
CosPopulatedFromId The expected uplevel driver matching ID based on driver coverage data.
IsBootCritical Indicates whether the device boot is critical.
UplevelInboxDriver Indicates whether there is a driver uplevel for this device.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
DisplayGenericMessageGated Indicates whether a generic message be shown for this file.
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
AssociatedDriverWillNotMigrate Will the driver associated with this plug-and-play device migrate?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this PNP
device.
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for this driver
package.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverIsTroubleshooterBlocked Indicates whether the driver package is blocked because of a troubleshooter
block.
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown due to
matching info blocks.
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least once
and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device blocked from upgrade due to a BIOS block?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for the bios.
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionTestRemove
This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.DecisionTestStartSync
This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
The following fields are available:
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either have
a block in the compatibility database or be part of an antivirus program.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
AvDisplayName If the app is an antivirus app, this is its display name.
AvProductState Indicates whether the antivirus program is turned on and the signatures are up to date.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
HasUpgradeExe Indicates whether the antivirus app has an upgrade.exe file.
IsAv Indicates whether the file an antivirus reporting EXE.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BiosDate The release date of the BIOS in UTC format.
BiosName The name field from Win32_BIOS.
Manufacturer The manufacturer field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemProcessorEndSync
This event indicates that a full set of InventorySystemProcessorAdd events has been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemProcessorStartSync
This event indicates that a new set of InventorySystemProcessorAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryTestRemove
This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryTestStartSync
This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
The following fields are available:
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The version of the Appraiser file generating the events.
CensusId A unique hardware identifier.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
PCFP An ID for the system calculated by hashing hardware identifiers.
Subcontext Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a
semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
The following fields are available:
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser diagnostic data run.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
InboxDataVersion The original version of the data files before retrieving any newer version.
IndicatorsWritten Indicates if all relevant UEX indicators were successfully written or updated.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PCFP An ID for the system calculated by hashing hardware identifiers.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
ScheduledUploadDay The day scheduled for the upload.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
Time The client time of the event.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows up
to date. This data does not indicate the details of the media using the digital rights management, only whether any
such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able
to be removed once all mitigations are in place.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Census events
Census.App
This event sends version data about the Apps running on this device, to help keep Windows up to date.
The following fields are available:
AppraiserEnterpriseErrorCode The error code of the last Appraiser enterprise run.
AppraiserErrorCode The error code of the last Appraiser run.
AppraiserRunEndTimeStamp The end time of the last Appraiser run.
AppraiserRunIsInProgressOrCrashed Flag that indicates if the Appraiser run is in progress or has crashed.
AppraiserRunStar tTimeStamp The start time of the last Appraiser run.
AppraiserTaskEnabled Whether the Appraiser task is enabled.
AppraiserTaskExitCode The Appraiser task exist code.
AppraiserTaskLastRun The last runtime for the Appraiser task.
CensusVersion The version of Census that generated the current data for this device.
IEVersion The version of Internet Explorer that is running on the device.
Census.Azure
This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines
with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure
fleet”) return empty data sets.
The following fields are available:
CloudCoreBuildEx The Azure CloudCore build number.
CloudCoreSuppor tBuildEx The Azure CloudCore support build number.
NodeID The node identifier on the device that indicates whether the device is part of the Azure fleet.
Census.Battery
This event sends type and capacity data about the battery on the device, as well as the number of connected
standby devices in use, type to help keep Windows up to date.
The following fields are available:
InternalBatter yCapablities Represents information about what the battery is capable of doing.
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or relative).
Compare this value to DesignedCapacity to estimate the battery's wear.
InternalBatter yCapacityDesign Represents the theoretical capacity of the battery when new, in mWh.
InternalBatter yNumberOfCharges Provides the number of battery charges. This is used when creating new
products and validating that existing products meets targeted functionality performance.
IsAlwaysOnAlwaysConnectedCapable Represents whether the battery enables the device to be
AlwaysOnAlwaysConnected . Boolean value.
Census.Camera
This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
The following fields are available:
FrontFacingCameraResolution Represents the resolution of the front facing camera in megapixels. If a front
facing camera does not exist, then the value is 0.
RearFacingCameraResolution Represents the resolution of the rear facing camera in megapixels. If a rear
facing camera does not exist, then the value is 0.
Census.Enterprise
This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of
the use and integration of devices in an enterprise, cloud, and server environment.
The following fields are available:
AADDeviceId Azure Active Directory device ID.
AzureOSIDPresent Represents the field used to identify an Azure machine.
AzureVMType Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
CDJType Represents the type of cloud domain joined for the machine.
CommercialId Represents the GUID for the commercial entity which the device is a member of. Will be used
to reflect insights back to customers.
ContainerType The type of container, such as process or virtual machine hosted.
EnrollmentType Defines the type of MDM enrollment on the device.
HashedDomain The hashed representation of the user domain used for login.
IsCloudDomainJoined Is this device joined to an Azure Active Directory (AAD) tenant? true/false
IsDERequirementMet Represents if the device can do device encryption.
IsDeviceProtected Represents if Device protected by BitLocker/Device Encryption
IsDomainJoined Indicates whether a machine is joined to a domain.
IsEDPEnabled Represents if Enterprise data protected on the device.
IsMDMEnrolled Whether the device has been MDM Enrolled or not.
MPNId Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
SCCMClientId This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based
systems with systems in an Enterprise SCCM environment.
Ser verFeatures Represents the features installed on a Windows Server. This can be used by developers and
administrators who need to automate the process of determining the features installed on a set of server
computers.
SystemCenterID The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
Census.Firmware
This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
The following fields are available:
FirmwareManufacturer Represents the manufacturer of the device's firmware (BIOS).
FirmwareReleaseDate Represents the date the current firmware was released.
FirmwareType Represents the firmware type. The various types can be unknown, BIOS, UEFI.
FirmwareVersion Represents the version of the current firmware.
Census.Flighting
This event sends Windows Insider data from customers participating in improvement testing and feedback
programs, to help keep Windows up to date.
The following fields are available:
DeviceSampleRate The telemetry sample rate assigned to the device.
DriverTargetRing Indicates if the device is participating in receiving pre-release drivers and firmware
contrent.
EnablePreviewBuilds Used to enable Windows Insider builds on a device.
FlightIds A list of the different Windows Insider builds on this device.
FlightingBranchName The name of the Windows Insider branch currently used by the device.
IsFlightsDisabled Represents if the device is participating in the Windows Insider program.
MSA_Accounts Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds)
on this device.
SSRK Retrieves the mobile targeting settings.
Census.Hardware
This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level
setting, and TPM support, to help keep Windows up to date.
The following fields are available:
ActiveMicCount The number of active microphones attached to the device.
ChassisType Represents the type of device chassis, such as desktop or low profile desktop. The possible values
can range between 1 - 36.
ComputerHardwareID Identifies a device class that is represented by a hash of different SMBIOS fields.
D3DMaxFeatureLevel Supported Direct3D version.
DeviceColor Indicates a color of the device.
DeviceForm Indicates the form as per the device classification.
DeviceName The device name that is set by the user.
DigitizerSuppor t Is a digitizer supported?
DUID The device unique ID.
Gyroscope Indicates whether the device has a gyroscope (a mechanical component that measures and
maintains orientation).
Inventor yId The device ID used for compatibility testing.
Magnetometer Indicates whether the device has a magnetometer (a mechanical component that works like a
compass).
NFCProximity Indicates whether the device supports NFC (a set of communication protocols that helps
establish communication when applicable devices are brought close together.)
OEMDigitalMarkerFileName The name of the file placed in the \Windows\system32\drivers directory that
specifies the OEM and model name of the device.
OEMManufacturerName The device manufacturer name. The OEMName for an inactive device is not
reprocessed even if the clean OEM name is changed at a later date.
OEMModelBaseBoard The baseboard model used by the OEM.
OEMModelBaseBoardVersion Differentiates between developer and retail devices.
OEMModelName The device model name.
OEMModelNumber The device model number.
OEMModelSKU The device edition that is defined by the manufacturer.
OEMModelSystemFamily The system family set on the device by an OEM.
OEMModelSystemVersion The system model version set on the device by the OEM.
OEMOptionalIdentifier A Microsoft assigned value that represents a specific OEM subsidiary.
OEMSerialNumber The serial number of the device that is set by the manufacturer.
PhoneManufacturer The friendly name of the phone manufacturer.
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic form
factor of the device.
SoCName The firmware manufacturer of the device.
StudyID Used to identify retail and non-retail device.
Telemetr yLevel The telemetry level the user has opted into, such as Basic or Enhanced.
Telemetr yLevelLimitEnhanced The telemetry level for Windows Analytics-based solutions.
Telemetr ySettingAuthority Determines who set the telemetry level, such as GP, MDM, or the user.
TPMManufacturerId The ID of the TPM manufacturer.
TPMManufacturerVersion The version of the TPM manufacturer.
TPMVersion The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
VoiceSuppor ted Does the device have a cellular radio capable of making voice calls?
Census.Memory
This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to
date.
The following fields are available:
TotalPhysicalRAM Represents the physical memory (in MB).
TotalVisibleMemor y Represents the memory that is not reserved by the system.
Census.Network
This event sends data about the mobile and cellular network used by the device (mobile service provider, network,
device ID, and service cost factors), to help keep Windows up to date.
The following fields are available:
IMEI0 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
IMEI1 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
MCC0 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MCC1 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MEID Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to
CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA
phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose
or identify the user.
MNC0 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MNC1 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MobileOperatorBilling Represents the telephone company that provides services for mobile phone users.
MobileOperatorCommercialized Represents which reseller and geography the phone is commercialized for.
This is the set of values on the phone for who and where it was intended to be used. For example, the
commercialized mobile operator code AT&T in the US would be ATT-US.
MobileOperatorNetwork0 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
MobileOperatorNetwork1 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
NetworkAdapterGUID The GUID of the primary network adapter.
NetworkCost Represents the network cost associated with a connection.
SPN0 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
SPN1 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
Census.OS
This event sends data about the operating system such as the version, locale, update service configuration, when
and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
The following fields are available:
ActivationChannel Retrieves the retail license key or Volume license key for a machine.
AssignedAccessStatus Kiosk configuration mode.
CompactOS Indicates if the Compact OS feature from Win10 is enabled.
DeveloperUnlockStatus Represents if a device has been developer unlocked by the user or Group Policy.
DeviceTimeZone The time zone that is set on the device. Example: Pacific Standard Time
GenuineState Retrieves the ID Value specifying the OS Genuine check.
InstallationType Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
InstallLanguage The first language installed on the user machine.
IsDeviceRetailDemo Retrieves if the device is running in demo mode.
IsEduData Returns Boolean if the education data policy is enabled.
IsPor tableOperatingSystem Retrieves whether OS is running Windows-To-Go
IsSecureBootEnabled Retrieves whether Boot chain is signed under UEFI.
LanguagePacks The list of language packages installed on the device.
LicenseStateReason Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an
error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by
the MS store.
OA3xOriginalProductKey Retrieves the License key stamped by the OEM to the machine.
OSEdition Retrieves the version of the current OS.
OSInstallType Retrieves a numeric description of what install was used on the device i.e. clean, upgrade,
refresh, reset, etc
OSOOBEDateTime Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
OSSKU Retrieves the Friendly Name of OS Edition.
OSSubscriptionStatus Represents the existing status for enterprise subscription feature for PRO machines.
OSSubscriptionTypeId Returns boolean for enterprise subscription feature for selected PRO machines.
OSTimeZoneBiasInMins Retrieves the time zone set on machine.
OSUILocale Retrieves the locale of the UI that is currently used by the OS.
ProductActivationResult Returns Boolean if the OS Activation was successful.
ProductActivationTime Returns the OS Activation time for tracking piracy issues.
ProductKeyID2 Retrieves the License key if the machine is updated with a new license key.
RACw7Id Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor
and analyze system usage and reliability.
Ser viceMachineIP Retrieves the IP address of the KMS host used for anti-piracy.
Ser viceMachinePor t Retrieves the port of the KMS host used for anti-piracy.
Ser viceProductKeyID Retrieves the License key of the KMS
SharedPCMode Returns Boolean for education devices used as shared cart
Signature Retrieves if it is a signature machine sold by Microsoft store.
SLICStatus Whether a SLIC table exists on the device.
SLICVersion Returns OS type/version from SLIC table.
Census.PrivacySettings
This event provides information about the device level privacy settings and whether device-level access was
granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for
the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits
represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective
consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1
= an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The
consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not
requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a
gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID
policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was
not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
The following fields are available:
Activity Current state of the activity history setting.
ActivityHistor yCloudSync Current state of the activity history cloud sync setting.
ActivityHistor yCollection Current state of the activity history collection setting.
Adver tisingId Current state of the advertising ID setting.
AppDiagnostics Current state of the app diagnostics setting.
Appointments Current state of the calendar setting.
Bluetooth Current state of the Bluetooth capability setting.
BluetoothSync Current state of the Bluetooth sync capability setting.
BroadFileSystemAccess Current state of the broad file system access setting.
CellularData Current state of the cellular data capability setting.
Chat Current state of the chat setting.
Contacts Current state of the contacts setting.
DocumentsLibrar y Current state of the documents library setting.
Email Current state of the email setting.
FindMyDevice Current state of the "find my device" setting.
GazeInput Current state of the gaze input setting.
HumanInterfaceDevice Current state of the human interface device setting.
InkTypeImprovement Current state of the improve inking and typing setting.
Location Current state of the location setting.
LocationHistor y Current state of the location history setting.
LocationHistor yCloudSync Current state of the location history cloud sync setting.
LocationHistor yOnTimeline Current state of the location history on timeline setting.
Microphone Current state of the microphone setting.
PhoneCall Current state of the phone call setting.
PhoneCallHistor y Current state of the call history setting.
PicturesLibrar y Current state of the pictures library setting.
Radios Current state of the radios setting.
SensorsCustom Current state of the custom sensor setting.
SerialCommunication Current state of the serial communication setting.
Sms Current state of the text messaging setting.
SpeechPersonalization Current state of the speech services setting.
USB Current state of the USB setting.
UserAccountInformation Current state of the account information setting.
UserDataTasks Current state of the tasks setting.
UserNotificationListener Current state of the notifications setting.
VideosLibrar y Current state of the videos library setting.
Webcam Current state of the camera setting.
WiFiDirect Current state of the Wi-Fi direct setting.
Census.Processor
This event sends data about the processor to help keep Windows up to date.
The following fields are available:
KvaShadow This is the micro code information of the processor.
MMSettingOverride Microcode setting of the processor.
MMSettingOverrideMask Microcode setting override of the processor.
PreviousUpdateRevision Previous microcode revision
ProcessorArchitecture Retrieves the processor architecture of the installed operating system.
ProcessorClockSpeed Clock speed of the processor in MHz.
ProcessorCores Number of logical cores in the processor.
ProcessorIdentifier Processor Identifier of a manufacturer.
ProcessorManufacturer Name of the processor manufacturer.
ProcessorModel Name of the processor model.
ProcessorPhysicalCores Number of physical cores in the processor.
ProcessorUpdateRevision The microcode revision.
ProcessorUpdateStatus Enum value that represents the processor microcode load status
SocketCount Count of CPU sockets.
SpeculationControl If the system has enabled protections needed to validate the speculation control
vulnerability.
Census.Security
This event provides information on about security settings used to help keep Windows up to date and secure.
The following fields are available:
AvailableSecurityProper ties This field helps to enumerate and report state on the relevant security
properties for Device Guard.
CGRunning Credential Guard isolates and hardens key system and user secrets against compromise, helping
to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already
running via a local or network based vector. This field tells if Credential Guard is running.
DGState This field summarizes the Device Guard state.
HVCIRunning Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes
and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all
software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
IsSawGuest Indicates whether the device is running as a Secure Admin Workstation Guest.
IsSawHost Indicates whether the device is running as a Secure Admin Workstation Host.
RequiredSecurityProper ties Describes the required security properties to enable virtualization-based
security.
SecureBootCapable Systems that support Secure Boot can have the feature turned off via BIOS. This field tells
if the system is capable of running Secure Boot, regardless of the BIOS setting.
SModeState The Windows S mode trail state.
VBSState Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of
the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to
isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled,
Enabled, or Running.
Census.Speech
This event is used to gather basic speech settings on the device.
The following fields are available:
AboveLockEnabled Cortana setting that represents if Cortana can be invoked when the device is locked.
GPAllowInputPersonalization Indicates if a Group Policy setting has enabled speech functionalities.
HolographicSpeechInputDisabled Holographic setting that represents if the attached HMD devices have
speech functionality disabled by the user.
HolographicSpeechInputDisabledRemote Indicates if a remote policy has disabled speech functionalities
for the HMD devices.
KeyVer Version information for the census speech event.
KWSEnabled Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
MDMAllowInputPersonalization Indicates if an MDM policy has enabled speech functionalities.
RemotelyManaged Indicates if the device is being controlled by a remote administrator (MDM or Group
Policy) in the context of speech functionalities.
SpeakerIdEnabled Cortana setting that represents if keyword detection has been trained to try to respond to
a single user's voice.
SpeechSer vicesEnabled Windows setting that represents whether a user is opted-in for speech services on
the device.
SpeechSer vicesValueSource Indicates the deciding factor for the effective online speech recognition privacy
policy settings: remote admin, local admin, or user preference.
Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to
date.
The following fields are available:
Primar yDiskTotalCapacity Retrieves the amount of disk space on the primary disk of the device in MB.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to
which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
StorageReser vePassedPolicy Indicates whether the Storage Reserve policy, which ensures that updates have
enough disk space and customers are on the latest OS, is enabled on this device.
SystemVolumeTotalCapacity Retrieves the size of the partition that the System volume is installed on in MB.
Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular
extensions and protocols, to help keep Windows up to date.
The following fields are available:
CalendarType The calendar identifiers that are used to specify different calendars.
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg,
.jpeg, .png, .mp3, .mp4, .mov, .pdf.
DefaultBrowserProgId The ProgramId of the current user's default browser.
LocaleName Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
LongDateFormat The long date format the user has selected.
Shor tDateFormat The short date format the user has selected.
Census.UserDisplay
This event sends data about the logical/physical display size, resolution and number of internal/external displays,
and VRAM on the system, to help keep Windows up to date.
The following fields are available:
InternalPrimar yDisplayLogicalDPIX Retrieves the logical DPI in the x-direction of the internal display.
InternalPrimar yDisplayLogicalDPIY Retrieves the logical DPI in the y-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIX Retrieves the physical DPI in the x-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIY Retrieves the physical DPI in the y-direction of the internal display.
InternalPrimar yDisplayResolutionHorizontal Retrieves the number of pixels in the horizontal direction of
the internal display.
InternalPrimar yDisplayResolutionVer tical Retrieves the number of pixels in the vertical direction of the
internal display.
InternalPrimar yDisplaySizePhysicalH Retrieves the physical horizontal length of the display in mm. Used
for calculating the diagonal length in inches .
InternalPrimar yDisplaySizePhysicalY Retrieves the physical vertical length of the display in mm. Used for
calculating the diagonal length in inches
NumberofExternalDisplays Retrieves the number of external displays connected to the machine
NumberofInternalDisplays Retrieves the number of internal displays in a machine.
VRAMDedicated Retrieves the video RAM in MB.
VRAMDedicatedSystem Retrieves the amount of memory on the dedicated video card.
VRAMSharedSystem Retrieves the amount of RAM memory that the video card can use.
Census.UserNLS
This event sends data about the default app language, input, and display language preferences set by the user, to
help keep Windows up to date.
The following fields are available:
DefaultAppLanguage The current user Default App Language.
DisplayLanguage The current user preferred Windows Display Language.
HomeLocation The current user location, which is populated using GetUserGeoId() function.
KeyboardInputLanguages The Keyboard input languages installed on the device.
SpeechInputLanguages The Speech Input languages installed on the device.
Census.UserPrivacySettings
This event provides information about the current users privacy settings and whether device-level access was
granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for
the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits
represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective
consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent
authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide
setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy
setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in
code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
The following fields are available:
Activity Current state of the activity history setting.
ActivityHistor yCloudSync Current state of the activity history cloud sync setting.
ActivityHistor yCollection Current state of the activity history collection setting.
Adver tisingId Current state of the advertising ID setting.
AppDiagnostics Current state of the app diagnostics setting.
Appointments Current state of the calendar setting.
Bluetooth Current state of the Bluetooth capability setting.
BluetoothSync Current state of the Bluetooth sync capability setting.
BroadFileSystemAccess Current state of the broad file system access setting.
CellularData Current state of the cellular data capability setting.
Chat Current state of the chat setting.
Contacts Current state of the contacts setting.
DocumentsLibrar y Current state of the documents library setting.
Email Current state of the email setting.
GazeInput Current state of the gaze input setting.
HumanInterfaceDevice Current state of the human interface device setting.
InkTypeImprovement Current state of the improve inking and typing setting.
InkTypePersonalization Current state of the inking and typing personalization setting.
Location Current state of the location setting.
LocationHistor y Current state of the location history setting.
LocationHistor yCloudSync Current state of the location history cloud sync setting.
LocationHistor yOnTimeline Current state of the location history on timeline setting.
Microphone Current state of the microphone setting.
PhoneCall Current state of the phone call setting.
PhoneCallHistor y Current state of the call history setting.
PicturesLibrar y Current state of the pictures library setting.
Radios Current state of the radios setting.
SensorsCustom Current state of the custom sensor setting.
SerialCommunication Current state of the serial communication setting.
Sms Current state of the text messaging setting.
SpeechPersonalization Current state of the speech services setting.
USB Current state of the USB setting.
UserAccountInformation Current state of the account information setting.
UserDataTasks Current state of the tasks setting.
UserNotificationListener Current state of the notifications setting.
VideosLibrar y Current state of the videos library setting.
Webcam Current state of the camera setting.
WiFiDirect Current state of the Wi-Fi direct setting.
Census.VM
This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to
help keep Windows up to date.
The following fields are available:
CloudSer vice Indicates which cloud service, if any, that this virtual machine is running within.
HyperVisor Retrieves whether the current OS is running on top of a Hypervisor.
IOMMUPresent Represents if an input/output memory management unit (IOMMU) is present.
IsVDI Is the device using Virtual Desktop Infrastructure?
IsVir tualDevice Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should
not be relied upon for non-Hv#1 Hypervisors.
SL ATSuppor ted Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
Vir tualizationFirmwareEnabled Represents whether virtualization is enabled in the firmware.
VMId A string that uniquely identifies a virtual machine.
Census.WU
This event sends data about the Windows update server and other App store policies, to help keep Windows up to
date.
The following fields are available:
AppraiserGatedStatus Indicates whether a device has been gated for upgrading.
AppStoreAutoUpdate Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
AppStoreAutoUpdateMDM Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 -
Not configured. Default: [2] Not configured
AppStoreAutoUpdatePolicy Retrieves the Microsoft Store App Auto Update group policy setting
DelayUpgrade Retrieves the Windows upgrade flag for delaying upgrades.
OSAssessmentFeatureOutOfDate How many days has it been since a the last feature update was released
but the device did not install it?
OSAssessmentForFeatureUpdate Is the device is on the latest feature update?
OSAssessmentForQualityUpdate Is the device on the latest quality update?
OSAssessmentForSecurityUpdate Is the device on the latest security update?
OSAssessmentQualityOutOfDate How many days has it been since a the last quality update was released
but the device did not install it?
OSAssessmentReleaseInfoTime The freshness of release information used to perform an assessment.
OSRollbackCount The number of times feature updates have rolled back on the device.
OSRolledBack A flag that represents when a feature update has rolled back during setup.
OSUninstalled A flag that represents when a feature update is uninstalled on a device .
OSWUAutoUpdateOptions Retrieves the auto update settings on the device.
OSWUAutoUpdateOptionsSource The source of auto update setting that appears in the
OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and
Default.
UninstallActive A flag that represents when a device has uninstalled a previous upgrade recently.
UpdateSer viceURLConfigured Retrieves if the device is managed by Windows Server Update Services
(WSUS).
WUDeferUpdatePeriod Retrieves if deferral is set for Updates.
WUDeferUpgradePeriod Retrieves if deferral is set for Upgrades.
WUDODownloadMode Retrieves whether DO is turned on and how to acquire/distribute updates Delivery
Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same
network.
WUMachineId Retrieves the Windows Update (WU) Machine Identifier.
WUPauseState Retrieves WU setting to determine if updates are paused.
WUSer ver Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers
(by default).
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
The following fields are available:
AdapterTypeValue The numeric value indicating the type of Graphics adapter.
aiSeqId The event sequence ID.
bootId The system boot ID.
BrightnessVersionViaDDI The version of the Display Brightness Interface.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
Display1UMDFilePath File path to the location of the Display User Mode Driver in the Driver Store.
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
DriverWorkarounds Numeric value indicating the driver workarounds enabled for this device.
DX10UMDFilePath The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
DX11UMDFilePath The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
DX12UMDFilePath The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
DX9UMDFilePath The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHwSchEnabled Boolean value indicating whether hardware scheduling is enabled.
IsHwSchSuppor ted Indicates whether the adapter supports hardware scheduling.
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRemovable TRUE if the adapter supports being disabled or removed.
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
KMDFilePath The file path to the location of the Display Kernel Mode Driver in the Driver Store.
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Holographic events
Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded
This event indicates Windows Mixed Reality device state. This event is also used to count WMR device.
The following fields are available:
ClassGuid Windows Mixed Reality device class GUID.
DeviceInterfaceId Windows Mixed Reality device interface ID.
DeviceName Windows Mixed Reality device name.
DriverVersion Windows Mixed Reality device driver version.
FirmwareVersion Windows Mixed Reality firmware version.
Manufacturer Windows Mixed Reality device manufacturer.
ModelName Windows Mixed Reality device model name.
SerialNumber Windows Mixed Reality device serial number.
Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated
This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device.
The following fields are available:
HmdState Windows Mixed Reality Headset HMD state.
NewHoloShellState Windows Mixed Reality HoloShell state.
PriorHoloShellState Windows Mixed Reality state prior to entering to HoloShell.
SimulationEnabled Windows Mixed Reality Simulation state.
Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device.
The following fields are available:
IsDemoMode Windows Mixed Reality Portal app state of demo mode.
IsDeviceSetupComplete Windows Mixed Reality Portal app state of device setup completion.
PackageVersion Windows Mixed Reality Portal app package version.
PreviousExecutionState Windows Mixed Reality Portal app prior execution state.
wilActivity Windows Mixed Reality Portal app wilActivity ID. See wilActivity.
Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device.
TraceLoggingOasisUsbHostApiProvider.DeviceInformation
This event provides Windows Mixed Reality device information. This event is also used to count WMR device and
device type.
The following fields are available:
BootloaderMajorVer Windows Mixed Reality device boot loader major version.
BootloaderMinorVer Windows Mixed Reality device boot loader minor version.
BootloaderRevisionNumber Windows Mixed Reality device boot loader revision number.
BTHFWMajorVer Windows Mixed Reality device BTHFW major version. This event also used to count WMR
device.
BTHFWMinorVer Windows Mixed Reality device BTHFW minor version. This event also used to count WMR
device.
BTHFWRevisionNumber Windows Mixed Reality device BTHFW revision number.
CalibrationBlobSize Windows Mixed Reality device calibration blob size.
CalibrationFwMajorVer Windows Mixed Reality device calibration firmware major version.
CalibrationFwMinorVer Windows Mixed Reality device calibration firmware minor version.
CalibrationFwRevNum Windows Mixed Reality device calibration firmware revision number.
DeviceInfoFlags Windows Mixed Reality device info flags.
DeviceName Windows Mixed Reality device Name. This event is also used to count WMR device.
DeviceReleaseNumber Windows Mixed Reality device release number.
FirmwareMajorVer Windows Mixed Reality device firmware major version.
FirmwareMinorVer Windows Mixed Reality device firmware minor version.
FirmwareRevisionNumber Windows Mixed Reality device calibration firmware revision number.
FpgaFwMajorVer Windows Mixed Reality device FPGA firmware major version.
FpgaFwMinorVer Windows Mixed Reality device FPGA firmware minor version.
FpgaFwRevisionNumber Windows Mixed Reality device FPGA firmware revision number.
FriendlyName Windows Mixed Reality device friendly name.
HashedSerialNumber Windows Mixed Reality device hashed serial number.
HeaderSize Windows Mixed Reality device header size.
HeaderVersion Windows Mixed Reality device header version.
LicenseKey Windows Mixed Reality device header license key.
Make Windows Mixed Reality device make.
ManufacturingDate Windows Mixed Reality device manufacturing date.
Model Windows Mixed Reality device model.
PresenceSensorHidVendorPage Windows Mixed Reality device presence sensor HID vendor page.
PresenceSensorHidVendorUsage Windows Mixed Reality device presence sensor HID vendor usage.
PresenceSensorUsbVid Windows Mixed Reality device presence sensor USB VId.
ProductBoardRevision Windows Mixed Reality device product board revision number.
SerialNumber Windows Mixed Reality device serial number.
Inventory events
Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
This event captures basic checksum data about the device inventory items stored in the cache for use in
validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change
over time, but they will always represent a count of a given object.
The following fields are available:
Device A count of device objects in cache.
DeviceCensus A count of device census objects in cache.
DriverPackageExtended A count of driverpackageextended objects in cache.
File A count of file objects in cache.
FileSigningInfo A count of file signing objects in cache.
Generic A count of generic objects in cache.
HwItem A count of hwitem objects in cache.
Inventor yApplication A count of application objects in cache.
Inventor yApplicationAppV A count of application AppV objects in cache.
Inventor yApplicationDriver A count of application driver objects in cache
Inventor yApplicationFile A count of application file objects in cache.
Inventor yApplicationFramework A count of application framework objects in cache
Inventor yApplicationShor tcut A count of application shortcut objects in cache
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDeviceInterface A count of Plug and Play device interface objects in cache.
Inventor yDeviceMediaClass A count of device media objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDeviceUsbHubClass A count of device usb objects in cache
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Inventor yMiscellaneousOfficeAddIn A count of office add-in objects in cache
Inventor yMiscellaneousOfficeAddInUsage A count of office add-in usage objects in cache.
Inventor yMiscellaneousOfficeIdentifiers A count of office identifier objects in cache
Inventor yMiscellaneousOfficeIESettings A count of office ie settings objects in cache
Inventor yMiscellaneousOfficeInsights A count of office insights objects in cache
Inventor yMiscellaneousOfficeProducts A count of office products objects in cache
Inventor yMiscellaneousOfficeSettings A count of office settings objects in cache
Inventor yMiscellaneousOfficeVBA A count of office vba objects in cache
Inventor yMiscellaneousOfficeVBARuleViolations A count of office vba rule violations objects in cache
Inventor yMiscellaneousUUPInfo A count of uup info objects in cache
Inventor yVersion The version of the inventory file generating the events.
Metadata A count of metadata objects in cache.
Orphan A count of orphan file objects in cache.
Programs A count of program objects in cache.
Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
This event sends inventory component versions for the Device Inventory data.
The following fields are available:
aeinv The version of the App inventory component.
devinv The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
This event enumerates the signatures of files, either driver packages or application executables. For driver
packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages,
saving time for the client and space on the server. For applications, this data is collected for up to 10 random
executables on a system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
CatalogSigners Signers from catalog. Each signer starts with Chain.
DigestAlgorithm The pseudonymizing (hashing) algorithm used when the file or package was signed.
DriverPackageStrongName Optional. Available only if FileSigningInfo is collected on a driver package.
EmbeddedSigners Embedded signers. Each signer starts with Chain.
FileName The file name of the file whose signatures are listed.
FileType Either exe or sys, depending on if a driver package or application executable.
Inventor yVersion The version of the inventory file generating the events.
Thumbprint Comma separated hash of the leaf node of each signer. Semicolon is used to separate
CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
HiddenArp Indicates whether a program hides itself from showing up in ARP.
InstallDate The date the application was installed (a best guess based on folder creation date heuristics).
InstallDateArpLastModified The date of the registry ARP key for a given application. Hints at install date but
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array.
InstallDateMsi The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
Inventor yVersion The version of the inventory file generating the events.
Language The language code of the program.
MsiPackageCode A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an
MsiPackage.
MsiProductCode A GUID that describe the MSI Product.
Name The name of the application.
OSVersionAtInstallTime The four octets from the OS version at the time of the application's install.
PackageFullName The package full name for a Store application.
ProgramInstanceId A hash of the file IDs in an app.
Publisher The Publisher of the application. Location pulled from depends on the 'Source' field.
RootDirPath The path to the root directory where the program was installed.
Source How the program was installed (for example, ARP, MSI, Appx).
StoreAppType A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
Type One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app,
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is
a service. Application and BOE are the ones most likely seen.
Version The version number of the program.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component
ProgramIds The unique program identifier the driver is associated with
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd
events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationFileAdd
This event provides file-level information about the applications that exist on the system. This event is used to
understand the applications on a device to determine if those applications will experience compatibility issues
when upgrading Windows.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Binar yType The architecture of the binary (executable) file.
BinFileVersion Version information for the binary (executable) file.
BinProductVersion The product version provided by the binary (executable) file.
BoeProgramId The “bag of evidence” program identifier.
CompanyName The company name included in the binary (executable) file.
FileId A pseudonymized (hashed) unique identifier derived from the file itself.
FileVersion The version of the file.
Inventor yVersion The version of the inventory component.
Language The language declared in the binary (executable) file.
LinkDate The compiler link date.
LowerCaseLongPath The file path in “long” format.
Name The file name.
ProductName The product name declared in the binary (executable) file.
ProductVersion The product version declared in the binary (executable) file.
ProgramId The program identifier associated with the binary (executable) file.
Size The size of the binary (executable) file.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
FileId A hash that uniquely identifies a file.
Frameworks The list of frameworks this file depends on.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
This event indicates that a new set of InventoryApplicationAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and
Play device) to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Categories A comma separated list of functional categories in which the container belongs.
Discover yMethod The discovery method for the device container.
FriendlyName The name of the device container.
Inventor yVersion The version of the inventory file generating the events.
IsActive Is the device connected, or has it been seen in the last 14 days?
IsConnected For a physically attached device, this value is the same as IsPresent. For wireless a device, this
value represents a communication link.
IsMachineContainer Is the container the root device itself?
IsNetworked Is this a networked device?
IsPaired Does the device container require pairing?
Manufacturer The manufacturer name for the device container.
ModelId A unique model ID.
ModelName The model name.
ModelNumber The model number for the device container.
Primar yCategor y The primary category for the device container.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
This event indicates that the InventoryDeviceContainer object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Accelerometer3D Indicates if an Accelerator3D sensor is found.
ActivityDetection Indicates if an Activity Detection sensor is found.
AmbientLight Indicates if an Ambient Light sensor is found.
Barometer Indicates if a Barometer sensor is found.
Custom Indicates if a Custom sensor is found.
EnergyMeter Indicates if an Energy sensor is found.
FloorElevation Indicates if a Floor Elevation sensor is found.
GeomagneticOrientation Indicates if a Geo Magnetic Orientation sensor is found.
GravityVector Indicates if a Gravity Detector sensor is found.
Gyrometer3D Indicates if a Gyrometer3D sensor is found.
Humidity Indicates if a Humidity sensor is found.
Inventor yVersion The version of the inventory file generating the events.
LinearAccelerometer Indicates if a Linear Accelerometer sensor is found.
Magnetometer3D Indicates if a Magnetometer3D sensor is found.
Orientation Indicates if an Orientation sensor is found.
Pedometer Indicates if a Pedometer sensor is found.
Proximity Indicates if a Proximity sensor is found.
RelativeOrientation Indicates if a Relative Orientation sensor is found.
SimpleDeviceOrientation Indicates if a Simple Device Orientation sensor is found.
Temperature Indicates if a Temperature sensor is found.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to
help keep Windows up to date while reducing overall size of data payload.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Audio.CaptureDriver The capture driver endpoint for the audio device.
Audio.RenderDriver The render driver for the audio device.
Audio_CaptureDriver The Audio device capture driver endpoint.
Audio_RenderDriver The Audio device render driver endpoint.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date.
This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BusRepor tedDescription The description of the device reported by the bux.
Class The device setup class of the driver loaded for the device.
ClassGuid The device class GUID from the driver package
COMPID The device setup class guid of the driver loaded for the device.
ContainerId The list of compat ids for the device.
Description System-supplied GUID that uniquely groups the functional devices associated with a single-
function or multifunction device installed in the computer.
DeviceDriverFlightId The test build (Flight) identifier of the device driver.
DeviceExtDriversFlightIds The test build (Flight) identifier for all extended device drivers.
DeviceInterfaceClasses The device interfaces that this device implements.
DeviceState The device description.
DriverId DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for
container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004
(currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010
(currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040.
DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100.
DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96
(0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
DriverName A unique identifier for the driver installed.
DriverPackageStrongName The immediate parent directory name in the Directory field of
InventoryDriverPackage
DriverVerDate Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
DriverVerVersion The immediate parent directory name in the Directory field of InventoryDriverPackage.
Enumerator The date of the driver loaded for the device.
ExtendedInfs The extended INF file names.
FirstInstallDate The first time this device was installed on the machine.
HWID The version of the driver loaded for the device.
Inf The bus that enumerated the device.
InstallDate The date of the most recent installation of the device on the machine.
InstallState The device installation state. One of these values:
https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
Inventor yVersion List of hardware ids for the device.
LowerClassFilters Lower filter class drivers IDs installed for the device
LowerFilters Lower filter drivers IDs installed for the device
Manufacturer INF file name (the name could be renamed by OS, such as oemXX.inf)
MatchingID Device installation state.
Model The version of the inventory binary generating the events.
ParentId Lower filter class drivers IDs installed for the device.
ProblemCode Lower filter drivers IDs installed for the device.
Provider The device manufacturer.
Ser vice The device service name
STACKID Represents the hardware ID or compatible ID that Windows uses to install a device instance.
UpperClassFilters Upper filter drivers IDs installed for the device
UpperFilters The device model.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
This event indicates that the InventoryDevicePnpRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
TotalUserConnectablePor ts Total number of connectable USB ports.
TotalUserConnectableTypeCPor ts Total number of connectable USB Type C ports.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
DriverCheckSum The checksum of the driver file.
DriverCompany The company name that developed the driver.
DriverInBox Is the driver included with the operating system?
DriverIsKernelMode Is it a kernel mode driver?
DriverName The file name of the driver.
DriverPackageStrongName The strong name of the driver package
DriverSigned The strong name of the driver package
DriverTimeStamp The low 32 bits of the time stamp of the driver file.
DriverType A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define
DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define
DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define
DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8.
define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE
0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64
0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define
DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15.
define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED
0x800000.
DriverVersion The version of the driver file.
ImageSize The size of the driver file.
Inf The name of the INF file.
Inventor yVersion The version of the inventory file generating the events.
Product The product name that is included in the driver file.
ProductVersion The product version that is included in the driver file.
Ser vice The name of the service that is installed for the device.
WdfVersion The Windows Driver Framework version.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
This event indicates that the InventoryDriverBinary object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Class The class name for the device driver.
ClassGuid The class GUID for the device driver.
Date The driver package date.
Director y The path to the driver package.
DriverInBox Is the driver included with the operating system?
Inf The INF name of the driver package.
Inventor yVersion The version of the inventory file generating the events.
Provider The provider for the driver package.
SubmissionId The HLK submission ID for the driver package.
Version The version of the driver package.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
This event indicates that the InventoryDriverPackageRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the
beginning of the event download, and that tracing should begin.
The following fields are available:
key The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end
of the event download, and that tracing should end.
The following fields are available:
key The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
Provides data on the installed Office Add-ins.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AddinCLSID The class identifier key for the Microsoft Office add-in.
AddInId The identifier for the Microsoft Office add-in.
AddinType The type of the Microsoft Office add-in.
BinFileTimestamp The timestamp of the Office add-in.
BinFileVersion The version of the Microsoft Office add-in.
Description Description of the Microsoft Office add-in.
FileId The file identifier of the Microsoft Office add-in.
FileSize The file size of the Microsoft Office add-in.
FriendlyName The friendly name for the Microsoft Office add-in.
FullPath The full path to the Microsoft Office add-in.
Inventor yVersion The version of the inventory binary generating the events.
LoadBehavior Integer that describes the load behavior.
LoadTime Load time for the Office add-in.
OfficeApplication The Microsoft Office application associated with the add-in.
OfficeArchitecture The architecture of the add-in.
OfficeVersion The Microsoft Office version for this add-in.
OutlookCrashingAddin Indicates whether crashes have been found for this add-in.
ProductCompany The name of the company associated with the Office add-in.
ProductName The product name associated with the Microsoft Office add-in.
ProductVersion The version associated with the Office add-in.
ProgramId The unique program identifier of the Microsoft Office add-in.
Provider Name of the provider for this add-in.
Usage Data about usage for the add-in.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
Provides data on the Office identifiers.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OAudienceData Sub-identifier for Microsoft Office release management, identifying the pilot group for a
device
OAudienceId Microsoft Office identifier for Microsoft Office release management, identifying the pilot group
for a device
OMID Identifier for the Office SQM Machine
OPlatform Whether the installed Microsoft Office product is 32-bit or 64-bit
OTenantId Unique GUID representing the Microsoft O365 Tenant
OVersion Installed version of Microsoft Office. For example, 16.0.8602.1000
OWowMID Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft
Office on 64-bit Windows)
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
Provides data on Office-related Internet Explorer features.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OIeFeatureAddon Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on
management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the
user or by administrative group policy will also be disabled in applications that enable this feature.
OIeMachineLockdown Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on
content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
OIeMimeHandling Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely.
Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeMimeSniffing Flag indicating which Microsoft Office products have this setting enabled. Determines a
file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to
render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each
security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
OIeNoAxInstall Flag indicating which Microsoft Office products have this setting enabled. When a webpage
attempts to load or install an ActiveX control that isn't already installed, the
FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an
ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
OIeNoDownload Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that
display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click
or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeObjectCaching Flag indicating which Microsoft Office products have this setting enabled. When enabled,
the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls
cached from different domains or security contexts
OIePasswordDisable Flag indicating which Microsoft Office products have this setting enabled. After
Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows
usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other
protocols, such as FTP, still allow usernames and passwords
OIeSafeBind Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to
create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if
COMPAT_EVIL_DONT_LOAD is in the registry for the control
OIeSecurityBand Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled,
the Information bar appears when file download or code installation is restricted
OIeUncSaveCheck Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from
network locations that have been shared by using the Universal Naming Convention (UNC)
OIeValidateUrl Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a
badly formed URL
OIeWebOcPopup Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to
receive the default Internet Explorer pop-up window management behavior
OIeWinRestrict Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup
windows
OIeZoneElevate Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security
zone unless the navigation is generated by the user
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
This event provides insight data on the installed Office products
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OfficeApplication The name of the Office application.
OfficeArchitecture The bitness of the Office application.
OfficeVersion The version of the Office application.
Value The insights collected about this entity.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
This diagnostic event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OC2rApps A GUID the describes the Office Click-To-Run apps
OC2rSkus Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example,
Office 2016 ProPlus
OMsiApps Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft
Word
OProductCodes A GUID that describes the Office MSI products
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
This event describes various Office settings
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BrowserFlags Browser flags for Office-related products.
ExchangeProviderFlags Provider policies for Office Exchange.
Inventor yVersion The version of the inventory binary generating the events.
SharedComputerLicensing Office shared computer licensing policies.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
Indicates a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
This event provides a summary rollup count of conditions encountered while performing a local scan of Office
files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus,
and between 32 and 64-bit versions
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Design Count of files with design issues found.
Design_x64 Count of files with 64 bit design issues found.
DuplicateVBA Count of files with duplicate VBA code.
HasVBA Count of files with VBA code.
Inaccessible Count of files that were inaccessible for scanning.
Inventor yVersion The version of the inventory binary generating the events.
Issues Count of files with issues detected.
Issues_x64 Count of files with 64-bit issues detected.
IssuesNone Count of files with no issues detected.
IssuesNone_x64 Count of files with no 64-bit issues detected.
Locked Count of files that were locked, preventing scanning.
NoVBA Count of files with no VBA inside.
Protected Count of files that were password protected, preventing scanning.
RemLimited Count of files that require limited remediation changes.
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues.
RemSignificant Count of files that require significant remediation changes.
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues.
Score Overall compatibility score calculated for scanned content.
Score_x64 Overall 64-bit compatibility score calculated for scanned content.
Total Total number of files scanned.
Validation Count of files that require additional manual validation.
Validation_x64 Count of files that require additional manual validation for 64-bit issues.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving
an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated
with the validation rule
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Count Count of total Microsoft Office VBA rule violations
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Identifier UUP identifier
LastActivatedVersion Last activated version
PreviousVersion Previous version
Source UUP source
Version UUP version
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
The following fields are available:
CensusId A unique hardware identifier.
ChecksumDictionar y A count of each operating system indicator.
PCFP Equivalent to the InventoryId field that is found in other core events.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
These events represent the basic metadata about the OS indicators installed on the system which are used for
keeping the device up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
IndicatorValue The indicator value.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent. This data
helps ensure the device is up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been
removed.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
IoT events
Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted
This event identifies Windows Internet of Things (IoT) devices which are running the CE PAL subsystem by sending
data during CE PAL startup.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
The following fields are available:
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
OS information collected during Boot, used to evaluate the success of the upgrade process.
The following fields are available:
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MaxAbove4GbFreeRange This field describes the largest memory range available above 4Gb.
MaxBelow4GbFreeRange This field describes the largest memory range available below 4Gb.
MeasuredLaunchCapable Indicates the system is capable of booting with Dynamic Root of Trust for
Measurement (DRTM) support.
MeasuredLaunchPrepared This field tells us if the OS launch was initiated using Measured/Secure Boot over
DRTM (Dynamic Root of Trust for Measurement).
MeasuredLaunchResume This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when
resuming from hibernation.
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
TcbLaunch Indicates whether the Trusted Computing Base was used during the boot flow.
UserInputTime The amount of time the loader application spent waiting for user input.
Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
This critical device configuration event provides information about drivers for a driver installation that took place
within the kernel.
The following fields are available:
ClassGuid The unique ID for the device class.
DeviceInstanceId The unique ID for the device on the system.
DriverDate The date of the driver.
DriverFlightIds The IDs for the driver flights.
DriverInfName Driver INF file name.
DriverProvider The driver manufacturer or provider.
DriverSubmissionId The driver submission ID assigned by the hardware developer center.
DriverVersion The driver version number.
ExtensionDrivers The list of extension driver INF files, extension IDs, and associated flight IDs.
FirstHardwareId The ID in the hardware ID list that provides the most specific device description.
InboxDriver Indicates whether the driver package is included with Windows.
InstallDate Date the driver was installed.
LastCompatibleId The ID in the hardware ID list that provides the least specific device description.
Legacy Indicates whether the driver is a legacy driver.
NeedReboot Indicates whether the driver requires a reboot.
SetupMode Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
StatusCode The NTSTATUS of device configuration operation.
Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
This event is sent when a problem code is cleared from a device.
The following fields are available:
Count The total number of events.
DeviceInstanceId The unique identifier of the device on the system.
LastProblem The previous problem that was cleared.
LastProblemStatus The previous NTSTATUS value that was cleared.
Ser viceName The name of the driver or service attached to the device.
Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
This event is sent when a new problem code is assigned to a device.
The following fields are available:
Count The total number of events.
DeviceInstanceId The unique identifier of the device in the system.
LastProblem The previous problem code that was set on the device.
LastProblemStatus The previous NTSTATUS value that was set on the device.
Problem The new problem code that was set on the device.
ProblemStatus The new NTSTATUS value that was set on the device.
Ser viceName The driver or service name that is attached to the device.
Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown
This event sends Product and Service Performance data on which area of the device exceeded safe temperature
limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are
expected to.
The following fields are available:
temperature Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that
exceeded the limit.
thermalZone Contains an identifier that specifies which area it was that exceeded temperature limits.
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
This event returns data to track the count of the migration objects across various phases during feature update.
The following fields are available:
currentSid Indicates the user SID for which the migration is being performed.
knownFoldersUsr[i] Predefined folder path locations.
migDiagSession->CString The phase of the upgrade where migration occurs. (E.g.: Validate tracked content)
objectCount The count for the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
The following fields are available:
knownFoldersSys[i] The predefined folder path locations.
migDiagSession->CString Identifies the phase of the upgrade where migration happens.
objectCount The count of the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
This event returns data to track the count of the migration objects across various phases during feature update.
The following fields are available:
currentSid Indicates the user SID for which the migration is being performed.
knownFoldersUsr[i] Predefined folder path locations.
migDiagSession->CString The phase of the upgrade where the migration occurs. (For example, Validate
tracked content.)
objectCount The number of objects that are being transferred.
Miracast events
Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along
with some statistics about the session
The following fields are available:
AudioChannelCount The number of audio channels.
AudioSampleRate The sample rate of audio in terms of samples per second.
AudioSubtype The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
AverageBitrate The average video bitrate used during the Miracast session, in bits per second.
AverageDataRate The average available bandwidth reported by the WiFi driver during the Miracast session,
in bits per second.
AveragePacketSendTimeInMs The average time required for the network to send a sample, in milliseconds.
ConnectorType The type of connector used during the Miracast session.
EncodeAverageTimeMS The average time to encode a frame of video, in milliseconds.
EncodeCount The count of total frames encoded in the session.
EncodeMaxTimeMS The maximum time to encode a frame, in milliseconds.
EncodeMinTimeMS The minimum time to encode a frame, in milliseconds.
EncoderCreationTimeInMs The time required to create the video encoder, in milliseconds.
ErrorSource Identifies the component that encountered an error that caused a disconnect, if applicable.
FirstFrameTime The time (tick count) when the first frame is sent.
FirstLatencyMode The first latency mode.
FrameAverageTimeMS Average time to process an entire frame, in milliseconds.
FrameCount The total number of frames processed.
FrameMaxTimeMS The maximum time required to process an entire frame, in milliseconds.
FrameMinTimeMS The minimum time required to process an entire frame, in milliseconds.
Glitches The number of frames that failed to be delivered on time.
HardwareCursorEnabled Indicates if hardware cursor was enabled when the connection ended.
HDCPState The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
HighestBitrate The highest video bitrate used during the Miracast session, in bits per second.
HighestDataRate The highest available bandwidth reported by the WiFi driver, in bits per second.
LastLatencyMode The last reported latency mode.
LogTimeReference The reference time, in tick counts.
LowestBitrate The lowest video bitrate used during the Miracast session, in bits per second.
LowestDataRate The lowest video bitrate used during the Miracast session, in bits per second.
MediaErrorCode The error code reported by the media session, if applicable.
MiracastEntr y The time (tick count) when the Miracast driver was first loaded.
MiracastM1 The time (tick count) when the M1 request was sent.
MiracastM2 The time (tick count) when the M2 request was sent.
MiracastM3 The time (tick count) when the M3 request was sent.
MiracastM4 The time (tick count) when the M4 request was sent.
MiracastM5 The time (tick count) when the M5 request was sent.
MiracastM6 The time (tick count) when the M6 request was sent.
MiracastM7 The time (tick count) when the M7 request was sent.
MiracastSessionState The state of the Miracast session when the connection ended.
MiracastStreaming The time (tick count) when the Miracast session first started processing frames.
ProfileCount The count of profiles generated from the receiver M4 response.
ProfileCountAfterFiltering The count of profiles after filtering based on available bandwidth and encoder
capabilities.
RefreshRate The refresh rate set on the remote display.
RotationSuppor ted Indicates if the Miracast receiver supports display rotation.
RTSPSessionId The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for
the same session.
SessionGuid The unique identifier of to correlate various Miracast events from a session.
SinkHadEdid Indicates if the Miracast receiver reported an EDID.
Suppor tMicrosoftColorSpaceConversion Indicates whether the Microsoft color space conversion for extra
color fidelity is supported by the receiver.
Suppor tsMicrosoftDiagnostics Indicates whether the Miracast receiver supports the Microsoft Diagnostics
Miracast extension.
Suppor tsMicrosoftFormatChange Indicates whether the Miracast receiver supports the Microsoft Format
Change Miracast extension.
Suppor tsMicrosoftLatencyManagement Indicates whether the Miracast receiver supports the Microsoft
Latency Management Miracast extension.
Suppor tsMicrosoftRTCP Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast
extension.
Suppor tsMicrosoftVideoFormats Indicates whether the Miracast receiver supports Microsoft video format
for 3:2 resolution.
Suppor tsWiDi Indicates whether Miracast receiver supports Intel WiDi extensions.
TeardownErrorCode The error code reason for teardown provided by the receiver, if applicable.
TeardownErrorReason The text string reason for teardown provided by the receiver, if applicable.
UIBCEndState Indicates whether UIBC was enabled when the connection ended.
UIBCEverEnabled Indicates whether UIBC was ever enabled.
UIBCStatus The result code reported by the UIBC setup process.
VideoBitrate The starting bitrate for the video encoder.
VideoCodecLevel The encoding level used for encoding, specific to the video subtype.
VideoHeight The height of encoded video frames.
VideoSubtype The unique subtype identifier of the video codec (encoding method) used for video encoding.
VideoWidth The width of encoded video frames.
WFD2Suppor ted Indicates if the Miracast receiver supports WFD2 protocol.
OneDrive events
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
The following fields are available:
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Sediment events
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
The following fields are available:
Data Data relevant to the state, such as what percent of disk space the directory takes up.
Id Identifies the trial being run, such as a disk related trial.
ReleaseVer The version of the component.
State The state of the reporting data from the trial, such as the top-level directory analysis.
Time The time the event was fired.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
The following fields are available:
NewPhase The phase of progress made.
ReleaseVer The version information for the component in which the change occurred.
Time The system time at which the phase chance occurred.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
The following fields are available:
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
UEFI events
Microsoft.Windows.UEFI.ESRT
This event sends basic data during boot about the firmware loaded or recently installed on the machine. This helps
to keep Windows up to date.
The following fields are available:
DriverFirmwareFilename The firmware file name reported by the device hardware key.
DriverFirmwarePolicy The optional version update policy value.
DriverFirmwareStatus The firmware status reported by the device hardware key.
DriverFirmwareVersion The firmware version reported by the device hardware key.
FirmwareId The UEFI (Unified Extensible Firmware Interface) identifier.
FirmwareLastAttemptStatus The reported status of the most recent firmware installation attempt, as
reported by the EFI System Resource Table (ESRT).
FirmwareLastAttemptVersion The version of the most recent attempted firmware installation, as reported
by the EFI System Resource Table (ESRT).
FirmwareType The UEFI (Unified Extensible Firmware Interface) type.
FirmwareVersion The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System
Resource Table (ESRT).
InitiateUpdate Indicates whether the system is ready to initiate an update.
LastAttemptDate The date of the most recent attempted firmware installation.
LastAttemptStatus The result of the most recent attempted firmware installation.
LastAttemptVersion The version of the most recent attempted firmware installation.
LowestSuppor tedFirmwareVersion The oldest (lowest) version of firmware supported.
MaxRetr yCount The maximum number of retries, defined by the firmware class key.
Retr yCount The number of attempted installations (retries), reported by the driver software key.
Status The status returned to the PnP (Plug-and-Play) manager.
UpdateAttempted Indicates if installation of the current update has been attempted before.
Update events
Update360Telemetry.Revert
This event sends data relating to the Revert phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the Revert phase.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RebootRequired Indicates reboot is required.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
Rever tResult The result code returned for the Revert operation.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
The following fields are available:
ContainsSafeOSDUPackage Boolean indicating whether Safe DU packages are part of the payload.
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadComplete Indicates if the download is complete.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique ID for each flight.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCategoriesSkipped Indicates package categories that were skipped, if applicable.
PackageCountOptional Number of optional packages requested.
PackageCountRequired Number of required packages requested.
PackageCountTotal Total number of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageCountTotalPSFX The total number of PSFX packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
PackageSizePSFX The size of PSFX packages, in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
SandboxTaggedForReser ves The sandbox for reserves.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
CanonicalRequestedOnError Indicates if an error caused a reversion to a different type of compressed
update (TRUE or FALSE).
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Correlation vector value generated from the latest USO scan.
RelatedCV Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMerge
The UpdateAgentMerge event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current merge phase.
FlightId Unique ID for each flight.
MergeId The unique ID to join two update sessions being merged.
ObjectId Unique value for each Update Agent mode.
RelatedCV Related correlation vector value.
Result Outcome of the merge phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
The following fields are available:
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
ObjectId Unique value for each Update Agent mode.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
Failed The count of mitigations that failed.
FlightId Unique identifier for each flight.
MitigationScenario The update scenario in which the mitigations were attempted.
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing all mitigations (in 100-nanosecond increments).
Total Total number of mitigations that were available.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates the mode that has started.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
Count The count of applicable OneSettings for the device.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Values The values sent back to the device, if applicable.
Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified
Update Platform (UUP) update scenario.
The following fields are available:
ErrorCode The error code returned for the current post reboot phase.
FlightId The specific ID of the Windows Insider build the device is getting.
ObjectId Unique value for each Update Agent mode.
PostRebootResult Indicates the Hresult.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentReboot
This event sends information indicating that a request has been sent to suspend an update.
The following fields are available:
ErrorCode The error code returned for the current reboot.
FlightId Unique ID for the flight (test instance version).
IsSuspendable Indicates whether the update has the ability to be suspended and resumed at the time of
reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is
running, this field is TRUE, if not its FALSE.
ObjectId The unique value for each Update Agent mode.
Reason Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the
result is 0.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
UpdateState Indicates the state of the machine when Suspend is called. For example, Install, Download,
Commit.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
The following fields are available:
ContainsExpressPackage Indicates whether the download package is express.
FlightId Unique ID for each flight.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode.
RelatedCV Correlation vector value generated from the latest USO scan.
SandboxSize Size of the sandbox.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
SetupMode Mode of setup to be launched.
UpdateId Unique ID for each Update.
UserSession Indicates whether install was invoked by user actions.
Update notification events
Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
The following fields are available:
CampaignConfigVersion Configuration version for the current campaign.
CampaignID Currently campaign that is running on Update Notification Pipeline (UNP).
ConfigCatalogVersion Current catalog version of UNP.
ContentVersion Content version for the current campaign on UNP.
CV Correlation vector.
DetectorVersion Most recently run detector version for the current campaign on UNP.
GlobalEventCounter Client-side counter that indicates the event ordering sent by the user.
PackageVersion Current UNP package version.
Upgrade events
FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to
help keep Windows up to date and secure.
The following fields are available:
DownloadSize Download size of payload.
ElapsedTime Time taken to download payload.
MediaFallbackUsed Used to determine if we used Media CompDBs to figure out package requirements for
the upgrade.
ResultCode Result returned by the Facilitator DCAT call.
Scenario Dynamic update scenario (Image DU, or Setup DU).
Type Type of package that was downloaded.
UpdateId The ID of the update that was downloaded.
FacilitatorTelemetry.DUDownload
This event returns data about the download of supplemental packages critical to upgrading a device to the next
version of Windows.
The following fields are available:
PackageCategoriesFailed Lists the categories of packages that failed to download.
PackageCategoriesSkipped Lists the categories of package downloads that were skipped.
FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
The following fields are available:
DCATUrl The Delivery Catalog (DCAT) URL we send the request to.
DownloadRequestAttributes The attributes we send to DCAT.
ResultCode The result returned from the initiation of Facilitator with the URL/attributes.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
Url The Delivery Catalog (DCAT) URL we send the request to.
Version Version of Facilitator.
Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep
Windows up to date and secure.
The following fields are available:
ClientId If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the downlevel OS.
HostOsSkuName The operating system edition which is running Setup360 instance (downlevel OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is
the GUID for the install.wim.
Setup360Extended More detailed information about phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
Setup360Result The result of Setup360 (HRESULT used to diagnose errors).
Setup360Scenario The Setup360 flow type (for example, Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId An ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
Setup360Telemetry.Finalize
This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep
Windows up-to-date and secure.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended More detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.OsUninstall
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.
Specifically, it indicates the outcome of an OS uninstall.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase or action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PostRebootInstall
This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help
keep Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup,
the default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Extension of result - more granular information about phase/action when the potential
failure happened
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
Setup360Result The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
Setup360Telemetry.PreDownloadQuiet
This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous operating system).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
Setup360Telemetry.PreDownloadUX
This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS,
to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion
of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default
value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous operating system.
HostOsSkuName The OS edition which is running the Setup360 instance (previous operating system).
InstanceId Unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PreInstallQuiet
This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep
Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario Setup360 flow type (Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.PreInstallUX
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help
keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type, Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.Setup360
This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
The following fields are available:
ClientId Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
FieldName Retrieves the data point.
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Repor tId Retrieves the report ID.
ScenarioId Retrieves the deployment scenario.
Value Retrieves the value associated with the corresponding FieldName.
Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system
upgrade, to help keep Windows up-to-date.
The following fields are available:
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Operation Facilitator’s last known operation (scan, download, etc.).
Repor tId ID for tying together events stream side.
ResultCode Result returned for the entire setup operation.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
ScenarioId Identifies the update scenario.
TargetBranch Branch of the target OS.
TargetBuild Build of the target OS.
Setup360Telemetry.Setup360MitigationResult
This event sends data indicating the result of each setup mitigation.
The following fields are available:
Applicable TRUE if the mitigation is applicable for the current update.
ClientId In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is
Media360, but can be overwritten by the caller to a unique value.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightData The unique identifier for each flight (test release).
Index The mitigation index of this particular mitigation.
InstanceId The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly (descriptive) name of the mitigation.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly (descriptive) name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
Repor tId In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the
GUID for the INSTALL.WIM.
Result HResult of this operation.
ScenarioId Setup360 flow type.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
Setup360Telemetry.Setup360MitigationSummary
This event sends a summary of all the setup mitigations available for this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
ClientId The Windows Update client ID passed to Setup.
Failed The count of mitigations that failed.
FlightData The unique identifier for each flight (test release).
InstanceId The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
MitigationScenario The update scenario in which the mitigations were attempted.
Repor tId In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the
GUID for the INSTALL.WIM.
Result HResult of this operation.
ScenarioId Setup360 flow type.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
Total The total number of mitigations that were available.
Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
ClientId The Windows Update client ID passed to Setup.
Count The count of applicable OneSettings for the device.
FlightData The ID for the flight (test instance version).
InstanceId The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
Repor tId The Update ID passed to Setup.
Result The HResult of the event error.
ScenarioId The update scenario ID.
Values Values sent back to the device, if applicable.
Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used used to diagnose
errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
The following fields are available:
ActivationUri Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
AppId The Xbox LIVE Title ID.
AppUserModelId The AUMID (Application User Model ID) of the app to activate.
Result The HResult error.
UserId The Xbox LIVE User ID (XUID).
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
AppActionId The ID of the application action.
AppCurrentVisibilityState The ID of the current application visibility state.
AppId The Xbox LIVE Title ID of the app.
AppPackageFullName The full name of the application package.
AppPreviousVisibilityState The ID of the previous application visibility state.
AppSessionId The application session ID.
AppType The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
BCACode The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
DurationMs The amount of time (in milliseconds) since the last application state transition.
IsTrialLicense This boolean value is TRUE if the application is on a trial license.
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline,
4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of
the license.
ProductGuid The Xbox product GUID (Globally-Unique ID) of the application.
UserId The XUID (Xbox User ID) of the current user.
Windows 10, version 1809 basic level Windows
diagnostic events and fields
1/31/2020 • 331 minutes to read • Edit Online
Applies to
Windows 10, version 1809
The Basic level gathers a limited set of information that is critical for understanding the device and its
configuration including: basic device information, quality-related information, app compatibility, and Microsoft
Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration.
For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or
that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields
Windows 10, version 1803 basic diagnostic events and fields
Windows 10, version 1709 basic diagnostic events and fields
Windows 10, version 1703 basic diagnostic events and fields
Manage connections from Windows operating system components to Microsoft services
Configure Windows diagnostic data in your organization
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to
ensure that the records present on the server match what is present on the client.
The following fields are available:
DatasourceApplicationFile_19ASetup The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_19H1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_19H1Setup The count of the number of this particular object type present on
this device.
DatasourceApplicationFile_20H1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_20H1Setup The count of the number of this particular object type present on
this device.
DatasourceApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS2 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS3 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS4 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS5 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_TH1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_TH2 The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_19ASetup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_19H1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_20H1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_20H1Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS1 The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on
this device.
DatasourceDevicePnp_RS2 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS3 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS4 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS5 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_TH1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_TH2 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_19ASetup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_19H1 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_19H1Setup The count of the number of this particular object type present on
this device.
DatasourceDriverPackage_20H1 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_20H1Setup The count of the number of this particular object type present on
this device.
DatasourceDriverPackage_RS1 The total DataSourceDriverPackage objects targeting Windows 10 version
1607 on this device.
DatasourceDriverPackage_RS2 The total DataSourceDriverPackage objects targeting Windows 10, version
1703 on this device.
DatasourceDriverPackage_RS3 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_RS4 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_RS5 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_TH1 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_TH2 The count of the number of this particular object type present on this device.
DataSourceMatchingInfoBlock_19ASetup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_19H1Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_20H1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_20H1Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_RS1 The total DataSourceMatchingInfoBlock objects targeting Windows 10
version 1607 on this device.
DataSourceMatchingInfoBlock_RS2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS3 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS3Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS4Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS5Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_TH2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_19ASetup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPassive_19H1 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_19H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPassive_20H1 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_20H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPassive_RS1 The total DataSourceMatchingInfoPassive objects targeting Windows
10 version 1607 on this device.
DataSourceMatchingInfoPassive_RS2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS3 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS3Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS4Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPassive_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS5Setup The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_TH2 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPostUpgrade_19ASetup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_20H1 The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_20H1Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_RS1 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1607 on this device.
DataSourceMatchingInfoPostUpgrade_RS2 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1703 on this device.
DataSourceMatchingInfoPostUpgrade_RS3 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1709 on this device.
DataSourceMatchingInfoPostUpgrade_RS3Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_RS4Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_RS5Setup The count of the number of this particular object type
present on this device.
DataSourceMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_TH2 The count of the number of this particular object type present
on this device.
DatasourceSystemBios_19ASetup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_19H1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_19H1Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_20H1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS1 The total DatasourceSystemBios objects targeting Windows 10 version 1607
present on this device.
DatasourceSystemBios_RS2 The total DatasourceSystemBios objects targeting Windows 10 version 1703
present on this device.
DatasourceSystemBios_RS3 The total DatasourceSystemBios objects targeting Windows 10 version 1709
present on this device.
DatasourceSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS4 The count of the number of this particular object type present on this device.
DatasourceSystemBios_RS4Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS5 The count of the number of this particular object type present on this device.
DatasourceSystemBios_RS5Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_TH1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_TH2 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19ASetup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_19H1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19H1Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_20H1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_20H1Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_RS1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS2 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS3 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS3Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_RS4 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS4Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_RS5 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS5Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_TH1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_TH2 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19ASetup The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
DecisionDevicePnp_20H1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_20H1Setup The count of the number of this particular object type present on this
device.
DecisionDevicePnp_RS1 The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this
device.
DecisionDevicePnp_RS2 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS3 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS3Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS4 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS4Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS5 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS5Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_TH1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_TH2 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19ASetup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_19H1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19H1Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_20H1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_20H1Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS1 The total DecisionDriverPackage objects targeting Windows 10 version 1607
on this device.
DecisionDriverPackage_RS2 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS3 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS4 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS4Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_RS5 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS5Setup The count of the number of this particular object type present on this
device.
DecisionDriverPackage_TH1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_TH2 The count of the number of this particular object type present on this device.
DecisionMatchingInfoBlock_19ASetup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_19H1Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_20H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_20H1Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_RS1 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1607 present on this device.
DecisionMatchingInfoBlock_RS2 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1703 present on this device.
DecisionMatchingInfoBlock_RS3 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1709 present on this device.
DecisionMatchingInfoBlock_RS3Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_RS4 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1803 present on this device.
DecisionMatchingInfoBlock_RS4Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_RS5Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_TH2 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_19ASetup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPassive_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_19H1Setup The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPassive_20H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_20H1Setup The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPassive_RS1 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1607 on this device.
DecisionMatchingInfoPassive_RS2 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1703 on this device.
DecisionMatchingInfoPassive_RS3 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1803 on this device.
DecisionMatchingInfoPassive_RS3Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_RS4Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPassive_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_RS5Setup The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_TH2 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPostUpgrade_19ASetup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_20H1 The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPostUpgrade_20H1Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_RS1 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1607 on this device.
DecisionMatchingInfoPostUpgrade_RS2 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1703 on this device.
DecisionMatchingInfoPostUpgrade_RS3 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1709 on this device.
DecisionMatchingInfoPostUpgrade_RS3Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_RS4Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_RS5Setup The count of the number of this particular object type
present on this device.
DecisionMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_TH2 The count of the number of this particular object type present on
this device.
DecisionMediaCenter_19ASetup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_19H1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_19H1Setup The total DecisionMediaCenter objects targeting the next release of
Windows on this device.
DecisionMediaCenter_20H1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_20H1Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS1 The total DecisionMediaCenter objects targeting Windows 10 version 1607
present on this device.
DecisionMediaCenter_RS2 The total DecisionMediaCenter objects targeting Windows 10 version 1703
present on this device.
DecisionMediaCenter_RS3 The total DecisionMediaCenter objects targeting Windows 10 version 1709
present on this device.
DecisionMediaCenter_RS3Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS4 The total DecisionMediaCenter objects targeting Windows 10 version 1803
present on this device.
DecisionMediaCenter_RS4Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS5 The count of the number of this particular object type present on this device.
DecisionMediaCenter_RS5Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_TH1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_TH2 The count of the number of this particular object type present on this device.
DecisionSystemBios_19ASetup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_19H1 The count of the number of this particular object type present on this device.
DecisionSystemBios_19H1Setup The total DecisionSystemBios objects targeting the next release of
Windows on this device.
DecisionSystemBios_20H1 The count of the number of this particular object type present on this device.
DecisionSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS1 The total DecisionSystemBios objects targeting Windows 10 version 1607 on this
device.
DecisionSystemBios_RS2 The total DecisionSystemBios objects targeting Windows 10 version 1703 on this
device.
DecisionSystemBios_RS3 The total DecisionSystemBios objects targeting Windows 10 version 1709 on this
device.
DecisionSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS4 The total DecisionSystemBios objects targeting Windows 10 version, 1803 present
on this device.
DecisionSystemBios_RS4Setup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_RS5 The total DecisionSystemBios objects targeting the next release of Windows on
this device.
DecisionSystemBios_RS5Setup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_TH1 The count of the number of this particular object type present on this device.
DecisionSystemBios_TH2 The count of the number of this particular object type present on this device.
DecisionSystemProcessor_RS2 The count of the number of this particular object type present on this
device.
DecisionTest_20H1Setup The count of the number of this particular object type present on this device.
DecisionTest_RS1 An ID for the system, calculated by hashing hardware identifiers.
Inventor yApplicationFile The count of the number of this particular object type present on this device.
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Inventor yLanguagePack The count of the number of this particular object type present on this device.
Inventor yMediaCenter The count of the number of this particular object type present on this device.
Inventor ySystemBios The count of the number of this particular object type present on this device.
Inventor ySystemMachine The count of the number of this particular object type present on this device.
Inventor ySystemProcessor The count of the number of this particular object type present on this device.
Inventor yTest The count of the number of this particular object type present on this device.
Inventor yUplevelDriverPackage The count of the number of this particular object type present on this
device.
PCFP The count of the number of this particular object type present on this device.
SystemMemor y The count of the number of this particular object type present on this device.
SystemProcessorCompareExchange The count of the number of this particular object type present on this
device.
SystemProcessorLahfSahf The count of the number of this particular object type present on this device.
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The total number of objects of this type present on this device.
SystemTouch The count of the number of this particular object type present on this device.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of the number of this particular object type present on this
device.
SystemWlan The total number of objects of this type present on this device.
Wmdrm_19ASetup The count of the number of this particular object type present on this device.
Wmdrm_19H1 The count of the number of this particular object type present on this device.
Wmdrm_19H1Setup The total Wmdrm objects targeting the next release of Windows on this device.
Wmdrm_20H1 The count of the number of this particular object type present on this device.
Wmdrm_20H1Setup The count of the number of this particular object type present on this device.
Wmdrm_RS1 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS2 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS3 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS3Setup The count of the number of this particular object type present on this device.
Wmdrm_RS4 The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
Wmdrm_RS4Setup The count of the number of this particular object type present on this device.
Wmdrm_RS5 The count of the number of this particular object type present on this device.
Wmdrm_RS5Setup The count of the number of this particular object type present on this device.
Wmdrm_TH1 The count of the number of this particular object type present on this device.
Wmdrm_TH2 The count of the number of this particular object type present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an anti-virus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an anti-virus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
CosDeviceRating An enumeration that indicates if there is a driver on the target operating system.
CosDeviceSolution An enumeration that indicates how a driver on the target operating system is available.
CosDeviceSolutionUrl Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
CosPopulatedFromId The expected uplevel driver matching ID based on driver coverage data.
IsBootCritical Indicates whether the device boot is critical.
UplevelInboxDriver Indicates whether there is a driver uplevel for this device.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
ResolveAttempted This will always be an empty string when sending diagnostic data.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
This event indicates that the DatasourceSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
DisplayGenericMessageGated Indicates whether a generic message be shown for this file.
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
AssociatedDriverWillNotMigrate Will the driver associated with this plug-and-play device migrate?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this PNP
device.
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for this driver
package.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverIsTroubleshooterBlocked Indicates whether the driver package is blocked because of a troubleshooter
block.
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
This event indicates that the DecisionMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown due to
matching info blocks.
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least
once and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
This event indicates that the DecisionMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device blocked from upgrade due to a BIOS block?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for the bios.
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
This event indicates that the DecisionSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
The following fields are available:
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either
have a block in the compatibility database or be part of an antivirus program.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
AvDisplayName If the app is an antivirus app, this is its display name.
AvProductState Indicates whether the antivirus program is turned on and the signatures are up to date.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
HasUpgradeExe Indicates whether the antivirus app has an upgrade.exe file.
IsAv Indicates whether the file an antivirus reporting EXE.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
biosDate The release date of the BIOS in UTC format.
BiosDate The release date of the BIOS in UTC format.
biosName The name field from Win32_BIOS.
BiosName The name field from Win32_BIOS.
manufacturer The manufacturer field from Win32_ComputerSystem.
Manufacturer The manufacturer field from Win32_ComputerSystem.
model The model field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
This event indicates that the InventorySystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
The following fields are available:
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The version of the Appraiser file generating the events.
CensusId A unique hardware identifier.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
PCFP An ID for the system calculated by hashing hardware identifiers.
Subcontext Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a
semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryRemove
This event that the SystemMemory object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
This event indicates that the SystemProcessorCompareExchange object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
This event indicates that the SystemProcessorLahfSahf object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
This event indicates that the SystemProcessorNx object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
This event indicates that the SystemProcessorPrefetchW object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
This event indicates that the SystemProcessorSse2 object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchRemove
This event indicates that the SystemTouch object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimRemove
This event indicates that the SystemWim object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
The following fields are available:
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser diagnostic data run.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
InboxDataVersion The original version of the data files before retrieving any newer version.
IndicatorsWritten Indicates if all relevant UEX indicators were successfully written or updated.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PCFP An ID for the system calculated by hashing hardware identifiers.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
ScheduledUploadDay The day scheduled for the upload.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
Time The client time of the event.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
WhyRunSkipped Indicates the reason or reasons that an appraiser run was skipped.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows up
to date. This data does not indicate the details of the media using the digital rights management, only whether any
such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able
to be removed once all mitigations are in place.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmRemove
This event indicates that the Wmdrm object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Compatibility events
Microsoft.Windows.Compatibility.Apphelp.SdbFix
Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
The following fields are available:
AppName Name of the application impacted by SDB.
FixID SDB GUID.
Flags List of flags applied.
ImageName Name of file.
Deployment extensions
DeploymentTelemetry.Deployment_End
This event indicates that a Deployment 360 API has completed.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
ErrorCode Error code of action.
FlightId The specific ID of the Windows Insider build the device is getting.
Mode Phase in upgrade.
RelatedCV The correction vector (CV) of any other related events
Result End result of the action.
DeploymentTelemetry.Deployment_SetupBoxLaunch
This event indicates that the Deployment 360 APIs have launched Setup Box.
The following fields are available:
ClientId The client ID of the user utilizing the D360 API.
FlightId The specific ID of the Windows Insider build the device is getting.
Quiet Whether Setup will run in quiet mode or full mode.
RelatedCV The correlation vector (CV) of any other related events.
SetupMode The current setup phase.
DeploymentTelemetry.Deployment_SetupBoxResult
This event indicates that the Deployment 360 APIs have received a return from Setup Box.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
ErrorCode Error code of the action.
FlightId The specific ID of the Windows Insider build the device is getting.
Quiet Indicates whether Setup will run in quiet mode or full mode.
RelatedCV The correlation vector (CV) of any other related events.
SetupMode The current Setup phase.
DeploymentTelemetry.Deployment_Start
This event indicates that a Deployment 360 API has been called.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
FlightId The specific ID of the Windows Insider build the device is getting.
Mode The current phase of the upgrade.
RelatedCV The correlation vector (CV) of any other related events.
DISM events
Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last
successful boot.
The following fields are available:
dismInstalledLCUPackageName The name of the latest installed package.
Microsoft.Windows.StartRepairCore.DISMPendingInstall
The DISM Pending Install event sends information to report pending package installation found.
The following fields are available:
dismPendingInstallPackageName The name of the pending package.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given
plug-in.
The following fields are available:
errorCode The result code returned by the event.
flightIds The Flight IDs (identifier of the beta release) of found driver updates.
foundDriverUpdateCount The number of found driver updates.
sr tRootCauseDiag The scenario name for a diagnosis event.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-
in.
The following fields are available:
sr tRootCauseDiag The scenario name for a diagnosis event.
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
The following fields are available:
AdapterTypeValue The numeric value indicating the type of Graphics adapter.
aiSeqId The event sequence ID.
bootId The system boot ID.
BrightnessVersionViaDDI The version of the Display Brightness Interface.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DDIInterfaceVersion The device driver interface version.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
DriverWorkarounds Bitfield data for specific driver workarounds enabled for this device.
DriverWorkarounds.Length The length of the DriverWorkarounds bitfield.
DX10UMDFilePath The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
DX11UMDFilePath The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
DX12UMDFilePath The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
DX9UMDFilePath The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceFuncPointersProvided1 The number of device driver interface function pointers provided.
InterfaceFuncPointersProvided2 The number of device driver interface function pointers provided.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHwSchEnabled Indicates whether Hardware Scheduling is enabled.
IsHwSchSuppor ted Indicates whether the adapter supports hardware scheduling.
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRemovable TRUE if the adapter supports being disabled or removed.
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
KMDFilePath The file path to the location of the Display Kernel Mode Driver in the Driver Store.
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
MsHybridDiscrete Indicates whether the adapter is a discrete adapter in a hybrid configuration.
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Failover Clustering events
Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
This event returns information about how many resources and of what type are in the server cluster. This data is
collected to keep Windows Server safe, secure, and up to date. The data includes information about whether
hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by
attributing issues (like fatal errors) to workloads and system configurations.
The following fields are available:
autoAssignSite The cluster parameter: auto site.
autoBalancerLevel The cluster parameter: auto balancer level.
autoBalancerMode The cluster parameter: auto balancer mode.
blockCacheSize The configured size of the block cache.
ClusterAdConfiguration The ad configuration of the cluster.
clusterAdType The cluster parameter: mgmt_point_type.
clusterDumpPolicy The cluster configured dump policy.
clusterFunctionalLevel The current cluster functional level.
clusterGuid The unique identifier for the cluster.
clusterWitnessType The witness type the cluster is configured for.
countNodesInSite The number of nodes in the cluster.
crossSiteDelay The cluster parameter: CrossSiteDelay.
crossSiteThreshold The cluster parameter: CrossSiteThreshold.
crossSubnetDelay The cluster parameter: CrossSubnetDelay.
crossSubnetThreshold The cluster parameter: CrossSubnetThreshold.
csvCompatibleFilters The cluster parameter: ClusterCsvCompatibleFilters.
csvIncompatibleFilters The cluster parameter: ClusterCsvIncompatibleFilters.
csvResourceCount The number of resources in the cluster.
currentNodeSite The name configured for the current site for the cluster.
dasModeBusType The direct storage bus type of the storage spaces.
downLevelNodeCount The number of nodes in the cluster that are running down-level.
drainOnShutdown Specifies whether a node should be drained when it is shut down.
dynamicQuorumEnabled Specifies whether dynamic Quorum has been enabled.
enforcedAntiAffinity The cluster parameter: enforced anti affinity.
genAppNames The win32 service name of a clustered service.
genSvcNames The command line of a clustered genapp.
hangRecover yAction The cluster parameter: hang recovery action.
hangTimeOut Specifies the “hang time out” parameter for the cluster.
isCalabria Specifies whether storage spaces direct is enabled.
isMixedMode Identifies if the cluster is running with different version of OS for nodes.
isRunningDownLevel Identifies if the current node is running down-level.
logLevel Specifies the granularity that is logged in the cluster log.
logSize Specifies the size of the cluster log.
lowerQuorumPriorityNodeId The cluster parameter: lower quorum priority node ID.
minNeverPreempt The cluster parameter: minimum never preempt.
minPreemptor The cluster parameter: minimum preemptor priority.
netftIpsecEnabled The parameter: netftIpsecEnabled.
NodeCount The number of nodes in the cluster.
nodeId The current node number in the cluster.
nodeResourceCounts Specifies the number of node resources.
nodeResourceOnlineCounts Specifies the number of node resources that are online.
numberOfSites The number of different sites.
numNodesInNoSite The number of nodes not belonging to a site.
plumbAllCrossSubnetRoutes The cluster parameter: plumb all cross subnet routes.
preferredSite The preferred site location.
privateCloudWitness Specifies whether a private cloud witness exists for this cluster.
quarantineDuration The quarantine duration.
quarantineThreshold The quarantine threshold.
quorumArbitrationTimeout In the event of an arbitration event, this specifies the quorum timeout period.
resiliencyLevel Specifies the level of resiliency.
resourceCounts Specifies the number of resources.
resourceTypeCounts Specifies the number of resource types in the cluster.
resourceTypes Data representative of each resource type.
resourceTypesPath Data representative of the DLL path for each resource type.
sameSubnetDelay The cluster parameter: same subnet delay.
sameSubnetThreshold The cluster parameter: same subnet threshold.
secondsInMixedMode The amount of time (in seconds) that the cluster has been in mixed mode (nodes with
different operating system versions in the same cluster).
securityLevel The cluster parameter: security level.
securityLevelForStorage The cluster parameter: security level for storage.
sharedVolumeBlockCacheSize Specifies the block cache size for shared for shared volumes.
shutdownTimeoutMinutes Specifies the amount of time it takes to time out when shutting down.
upNodeCount Specifies the number of nodes that are up (online).
useClientAccessNetworksForCsv The cluster parameter: use client access networks for CSV.
vmIsolationTime The cluster parameter: VM isolation time.
witnessDatabaseWriteTimeout Specifies the timeout period for writing to the quorum witness database.
Inventory events
Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
This event captures basic checksum data about the device inventory items stored in the cache for use in
validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change
over time, but they will always represent a count of a given object.
The following fields are available:
Device A count of device objects in cache.
DeviceCensus A count of device census objects in cache.
DriverPackageExtended A count of driverpackageextended objects in cache.
File A count of file objects in cache.
FileSigningInfo A count of file signing objects in cache.
Generic A count of generic objects in cache.
HwItem A count of hwitem objects in cache.
Inventor yApplication A count of application objects in cache.
Inventor yApplicationAppV A count of application AppV objects in cache.
Inventor yApplicationDriver A count of application driver objects in cache
Inventor yApplicationFile A count of application file objects in cache.
Inventor yApplicationFramework A count of application framework objects in cache
Inventor yApplicationShor tcut A count of application shortcut objects in cache
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDeviceInterface A count of Plug and Play device interface objects in cache.
Inventor yDeviceMediaClass A count of device media objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDeviceUsbHubClass A count of device usb objects in cache
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Inventor yMiscellaneousOfficeAddIn A count of office add-in objects in cache
Inventor yMiscellaneousOfficeAddInUsage A count of office add-in usage objects in cache.
Inventor yMiscellaneousOfficeIdentifiers A count of office identifier objects in cache
Inventor yMiscellaneousOfficeIESettings A count of office ie settings objects in cache
Inventor yMiscellaneousOfficeInsights A count of office insights objects in cache
Inventor yMiscellaneousOfficeProducts A count of office products objects in cache
Inventor yMiscellaneousOfficeSettings A count of office settings objects in cache
Inventor yMiscellaneousOfficeVBA A count of office vba objects in cache
Inventor yMiscellaneousOfficeVBARuleViolations A count of office vba rule violations objects in cache
Inventor yMiscellaneousUUPInfo A count of uup info objects in cache
Metadata A count of metadata objects in cache.
Orphan A count of orphan file objects in cache.
Programs A count of program objects in cache.
Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo
Diagnostic data about the inventory cache.
The following fields are available:
CacheFileSize Size of the cache.
Inventor yVersion Inventory version of the cache.
TempCacheCount Number of temp caches created.
TempCacheDeletedCount Number of temp caches deleted.
Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
This event sends inventory component versions for the Device Inventory data.
The following fields are available:
aeinv The version of the App inventory component.
devinv The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
HiddenArp Indicates whether a program hides itself from showing up in ARP.
InstallDate The date the application was installed (a best guess based on folder creation date heuristics).
InstallDateArpLastModified The date of the registry ARP key for a given application. Hints at install date but
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array.
InstallDateMsi The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
Inventor yVersion The version of the inventory file generating the events.
Language The language code of the program.
MsiPackageCode A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an
MsiPackage.
MsiProductCode A GUID that describe the MSI Product.
Name The name of the application.
OSVersionAtInstallTime The four octets from the OS version at the time of the application's install.
PackageFullName The package full name for a Store application.
ProgramInstanceId A hash of the file IDs in an app.
Publisher The Publisher of the application. Location pulled from depends on the 'Source' field.
RootDirPath The path to the root directory where the program was installed.
Source How the program was installed (for example, ARP, MSI, Appx).
StoreAppType A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
Type One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app,
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is
a service. Application and BOE are the ones most likely seen.
Version The version number of the program.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component.
ProgramIds The unique program identifier the driver is associated with.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd
events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
FileId A hash that uniquely identifies a file.
Frameworks The list of frameworks this file depends on.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
This event indicates that a new set of InventoryApplicationAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and
Play device) to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Categories A comma separated list of functional categories in which the container belongs.
Discover yMethod The discovery method for the device container.
FriendlyName The name of the device container.
Inventor yVersion The version of the inventory file generating the events.
IsActive Is the device connected, or has it been seen in the last 14 days?
IsConnected For a physically attached device, this value is the same as IsPresent. For wireless a device, this
value represents a communication link.
IsMachineContainer Is the container the root device itself?
IsNetworked Is this a networked device?
IsPaired Does the device container require pairing?
Manufacturer The manufacturer name for the device container.
ModelId A unique model ID.
ModelName The model name.
ModelNumber The model number for the device container.
Primar yCategor y The primary category for the device container.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
This event indicates that the InventoryDeviceContainer object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Accelerometer3D Indicates if an Accelerator3D sensor is found.
ActivityDetection Indicates if an Activity Detection sensor is found.
AmbientLight Indicates if an Ambient Light sensor is found.
Barometer Indicates if a Barometer sensor is found.
Custom Indicates if a Custom sensor is found.
EnergyMeter Indicates if an Energy sensor is found.
FloorElevation Indicates if a Floor Elevation sensor is found.
GeomagneticOrientation Indicates if a Geo Magnetic Orientation sensor is found.
GravityVector Indicates if a Gravity Detector sensor is found.
Gyrometer3D Indicates if a Gyrometer3D sensor is found.
Humidity Indicates if a Humidity sensor is found.
Inventor yVersion The version of the inventory file generating the events.
LinearAccelerometer Indicates if a Linear Accelerometer sensor is found.
Magnetometer3D Indicates if a Magnetometer3D sensor is found.
Orientation Indicates if an Orientation sensor is found.
Pedometer Indicates if a Pedometer sensor is found.
Proximity Indicates if a Proximity sensor is found.
RelativeOrientation Indicates if a Relative Orientation sensor is found.
SimpleDeviceOrientation Indicates if a Simple Device Orientation sensor is found.
Temperature Indicates if a Temperature sensor is found.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to
help keep Windows up to date while reducing overall size of data payload.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
audio.captureDriver Audio device capture driver. Example:
hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01
audio.renderDriver Audio device render driver. Example:
hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01
Audio_CaptureDriver The Audio device capture driver endpoint.
Audio_RenderDriver The Audio device render driver endpoint.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date.
This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BusRepor tedDescription The description of the device reported by the bux.
Class The device setup class of the driver loaded for the device.
ClassGuid The device class unique identifier of the driver package loaded on the device.
COMPID The list of “Compatible IDs” for this device.
ContainerId The system-supplied unique identifier that specifies which group(s) the device(s) installed on the
parent (main) device belong to.
Description The description of the device.
DeviceDriverFlightId The test build (Flight) identifier of the device driver.
DeviceExtDriversFlightIds The test build (Flight) identifier for all extended device drivers.
DeviceInterfaceClasses The device interfaces that this device implements.
DeviceState Identifies the current state of the parent (main) device.
DriverId The unique identifier for the installed driver.
DriverName The name of the driver image file.
DriverPackageStrongName The immediate parent directory name in the Directory field of
InventoryDriverPackage.
DriverVerDate The date associated with the driver installed on the device.
DriverVerVersion The version number of the driver installed on the device.
Enumerator Identifies the bus that enumerated the device.
ExtendedInfs The extended INF file names.
FirstInstallDate The first time this device was installed on the machine.
HWID A list of hardware IDs for the device.
Inf The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
InstallDate The date of the most recent installation of the device on the machine.
InstallState The device installation state. One of these values:
https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
Inventor yVersion The version number of the inventory process generating the events.
LowerClassFilters The identifiers of the Lower Class filters installed for the device.
LowerFilters The identifiers of the Lower filters installed for the device.
Manufacturer The manufacturer of the device.
MatchingID The Hardware ID or Compatible ID that Windows uses to install a device instance.
Model Identifies the model of the device.
ParentId The Device Instance ID of the parent of the device.
ProblemCode The error code currently returned by the device, if applicable.
Provider Identifies the device provider.
Ser vice The name of the device service.
STACKID The list of hardware IDs for the stack.
UpperClassFilters The identifiers of the Upper Class filters installed for the device.
UpperFilters The identifiers of the Upper filters installed for the device.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
This event indicates that the InventoryDevicePnpRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
TotalUserConnectablePor ts Total number of connectable USB ports.
TotalUserConnectableTypeCPor ts Total number of connectable USB Type C ports.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
DriverCheckSum The checksum of the driver file.
DriverCompany The company name that developed the driver.
DriverInBox Is the driver included with the operating system?
DriverIsKernelMode Is it a kernel mode driver?
DriverName The file name of the driver.
DriverPackageStrongName The strong name of the driver package
DriverSigned The strong name of the driver package
DriverTimeStamp The low 32 bits of the time stamp of the driver file.
DriverType A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define
DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define
DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define
DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8.
define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE
0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64
0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define
DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15.
define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED
0x800000.
DriverVersion The version of the driver file.
ImageSize The size of the driver file.
Inf The name of the INF file.
Inventor yVersion The version of the inventory file generating the events.
Product The product name that is included in the driver file.
ProductVersion The product version that is included in the driver file.
Ser vice The name of the service that is installed for the device.
WdfVersion The Windows Driver Framework version.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
This event indicates that the InventoryDriverBinary object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Class The class name for the device driver.
ClassGuid The class GUID for the device driver.
Date The driver package date.
Director y The path to the driver package.
DriverInBox Is the driver included with the operating system?
Inf The INF name of the driver package.
Inventor yVersion The version of the inventory file generating the events.
Provider The provider for the driver package.
SubmissionId The HLK submission ID for the driver package.
Version The version of the driver package.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
This event indicates that the InventoryDriverPackageRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the
beginning of the event download, and that tracing should begin.
The following fields are available:
key The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end
of the event download, and that tracing should end.
The following fields are available:
key The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
This event indicates the beginning of a series of AppHealthStaticAdd events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
Provides data on the installed Office Add-ins.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AddinCLSID The class identifier key for the Microsoft Office add-in.
AddInCLSID The class identifier key for the Microsoft Office add-in.
AddInId The identifier for the Microsoft Office add-in.
AddinType The type of the Microsoft Office add-in.
BinFileTimestamp The timestamp of the Office add-in.
BinFileVersion The version of the Microsoft Office add-in.
Description Description of the Microsoft Office add-in.
FileId The file identifier of the Microsoft Office add-in.
FileSize The file size of the Microsoft Office add-in.
FriendlyName The friendly name for the Microsoft Office add-in.
FullPath The full path to the Microsoft Office add-in.
Inventor yVersion The version of the inventory binary generating the events.
LoadBehavior Integer that describes the load behavior.
LoadTime Load time for the Office add-in.
OfficeApplication The Microsoft Office application associated with the add-in.
OfficeArchitecture The architecture of the add-in.
OfficeVersion The Microsoft Office version for this add-in.
OutlookCrashingAddin Indicates whether crashes have been found for this add-in.
ProductCompany The name of the company associated with the Office add-in.
ProductName The product name associated with the Microsoft Office add-in.
ProductVersion The version associated with the Office add-in.
ProgramId The unique program identifier of the Microsoft Office add-in.
Provider Name of the provider for this add-in.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
Provides data on the Office identifiers.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OAudienceData Sub-identifier for Microsoft Office release management, identifying the pilot group for a
device
OAudienceId Microsoft Office identifier for Microsoft Office release management, identifying the pilot group
for a device
OMID Identifier for the Office SQM Machine
OPlatform Whether the installed Microsoft Office product is 32-bit or 64-bit
OTenantId Unique GUID representing the Microsoft O365 Tenant
OVersion Installed version of Microsoft Office. For example, 16.0.8602.1000
OWowMID Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft
Office on 64-bit Windows)
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
Provides data on Office-related Internet Explorer features.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OIeFeatureAddon Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on
management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the
user or by administrative group policy will also be disabled in applications that enable this feature.
OIeMachineLockdown Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on
content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
OIeMimeHandling Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely.
Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeMimeSniffing Flag indicating which Microsoft Office products have this setting enabled. Determines a
file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to
render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each
security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
OIeNoAxInstall Flag indicating which Microsoft Office products have this setting enabled. When a webpage
attempts to load or install an ActiveX control that isn't already installed, the
FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an
ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
OIeNoDownload Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that
display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click
or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeObjectCaching Flag indicating which Microsoft Office products have this setting enabled. When enabled,
the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls
cached from different domains or security contexts
OIePasswordDisable Flag indicating which Microsoft Office products have this setting enabled. After
Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows
usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other
protocols, such as FTP, still allow usernames and passwords
OIeSafeBind Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to
create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if
COMPAT_EVIL_DONT_LOAD is in the registry for the control
OIeSecurityBand Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled,
the Information bar appears when file download or code installation is restricted
OIeUncSaveCheck Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from
network locations that have been shared by using the Universal Naming Convention (UNC)
OIeValidateUrl Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a
badly formed URL
OIeWebOcPopup Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to
receive the default Internet Explorer pop-up window management behavior
OIeWinRestrict Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup
windows
OIeZoneElevate Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security
zone unless the navigation is generated by the user
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
This event provides insight data on the installed Office products
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OfficeApplication The name of the Office application.
OfficeArchitecture The bitness of the Office application.
OfficeVersion The version of the Office application.
Value The insights collected about this entity.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
This diagnostic event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OC2rApps A GUID the describes the Office Click-To-Run apps
OC2rSkus Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example,
Office 2016 ProPlus
OMsiApps Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft
Word
OProductCodes A GUID that describes the Office MSI products
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
This event describes various Office settings
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BrowserFlags Browser flags for Office-related products.
ExchangeProviderFlags Provider policies for Office Exchange.
Inventor yVersion The version of the inventory binary generating the events.
SharedComputerLicensing Office shared computer licensing policies.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
Indicates a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
This event provides a summary rollup count of conditions encountered while performing a local scan of Office
files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus,
and between 32 and 64-bit versions
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Design Count of files with design issues found.
Design_x64 Count of files with 64 bit design issues found.
DuplicateVBA Count of files with duplicate VBA code.
HasVBA Count of files with VBA code.
Inaccessible Count of files that were inaccessible for scanning.
Inventor yVersion The version of the inventory binary generating the events.
Issues Count of files with issues detected.
Issues_x64 Count of files with 64-bit issues detected.
IssuesNone Count of files with no issues detected.
IssuesNone_x64 Count of files with no 64-bit issues detected.
Locked Count of files that were locked, preventing scanning.
NoVBA Count of files with no VBA inside.
Protected Count of files that were password protected, preventing scanning.
RemLimited Count of files that require limited remediation changes.
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues.
RemSignificant Count of files that require significant remediation changes.
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues.
Score Overall compatibility score calculated for scanned content.
Score_x64 Overall 64-bit compatibility score calculated for scanned content.
Total Total number of files scanned.
Validation Count of files that require additional manual validation.
Validation_x64 Count of files that require additional manual validation for 64-bit issues.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving
an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated
with the validation rule
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Count Count of total Microsoft Office VBA rule violations
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Identifier UUP identifier
LastActivatedVersion Last activated version
PreviousVersion Previous version
Source UUP source
Version UUP version
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
The following fields are available:
CensusId A unique hardware identifier.
ChecksumDictionar y A count of each operating system indicator.
PCFP Equivalent to the InventoryId field that is found in other core events.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
These events represent the basic metadata about the OS indicators installed on the system which are used for
keeping the device up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
IndicatorValue The indicator value.
Value Describes an operating system indicator that may be relevant for the device upgrade.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been
removed.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
The following fields are available:
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
OS information collected during Boot, used to evaluate the success of the upgrade process.
The following fields are available:
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MaxAbove4GbFreeRange This field describes the largest memory range available above 4Gb.
MaxBelow4GbFreeRange This field describes the largest memory range available below 4Gb.
MeasuredLaunchPrepared This field tells us if the OS launch was initiated using Measured/Secure Boot over
DRTM (Dynamic Root of Trust for Measurement).
MeasuredLaunchResume This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used
when resuming from hibernation.
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
SecureLaunchPrepared This field indicates if DRTM was prepared during boot.
TcbLaunch Indicates whether the Trusted Computing Base was used during the boot flow.
UserInputTime The amount of time the loader application spent waiting for user input.
Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
This critical device configuration event provides information about drivers for a driver installation that took place
within the kernel.
The following fields are available:
ClassGuid The unique ID for the device class.
DeviceInstanceId The unique ID for the device on the system.
DriverDate The date of the driver.
DriverFlightIds The IDs for the driver flights.
DriverInfName Driver INF file name.
DriverProvider The driver manufacturer or provider.
DriverSubmissionId The driver submission ID assigned by the hardware developer center.
DriverVersion The driver version number.
ExtensionDrivers The list of extension driver INF files, extension IDs, and associated flight IDs.
FirstHardwareId The ID in the hardware ID list that provides the most specific device description.
InboxDriver Indicates whether the driver package is included with Windows.
InstallDate Date the driver was installed.
LastCompatibleId The ID in the hardware ID list that provides the least specific device description.
Legacy Indicates whether the driver is a legacy driver.
NeedReboot Indicates whether the driver requires a reboot.
SetupMode Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
StatusCode The NTSTATUS of device configuration operation.
Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
This event is sent when a problem code is cleared from a device.
The following fields are available:
Count The total number of events.
DeviceInstanceId The unique identifier of the device on the system.
LastProblem The previous problem that was cleared.
LastProblemStatus The previous NTSTATUS value that was cleared.
Problem The new problem code set on the device node.
ProblemStatus The new NT_STATUS set on the device node.
Ser viceName The name of the driver or service attached to the device.
Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
This event is sent when a new problem code is assigned to a device.
The following fields are available:
Count The total number of events.
DeviceInstanceId The unique identifier of the device in the system.
LastProblem The previous problem code that was set on the device.
LastProblemStatus The previous NTSTATUS value that was set on the device.
Problem The new problem code that was set on the device.
ProblemStatus The new NTSTATUS value that was set on the device.
Ser viceName The driver or service name that is attached to the device.
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
This event returns data to track the count of the migration objects across various phases during feature update.
The following fields are available:
currentSid Indicates the user SID for which the migration is being performed.
knownFoldersUsr[i] Predefined folder path locations.
migDiagSession->CString The phase of the upgrade where migration occurs. (E.g.: Validate tracked content)
objectCount The count for the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
The following fields are available:
knownFoldersSys[i] The predefined folder path locations.
migDiagSession->CString Identifies the phase of the upgrade where migration happens.
objectCount The count of the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
This event returns data to track the count of the migration objects across various phases during feature update.
The following fields are available:
currentSid Indicates the user SID for which the migration is being performed.
knownFoldersUsr[i] Predefined folder path locations.
migDiagSession->CString The phase of the upgrade where the migration occurs. (For example, Validate
tracked content.)
objectCount The number of objects that are being transferred.
Miracast events
Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along
with some statistics about the session
The following fields are available:
AudioChannelCount The number of audio channels.
AudioSampleRate The sample rate of audio in terms of samples per second.
AudioSubtype The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
AverageBitrate The average video bitrate used during the Miracast session, in bits per second.
AverageDataRate The average available bandwidth reported by the WiFi driver during the Miracast session,
in bits per second.
AveragePacketSendTimeInMs The average time required for the network to send a sample, in milliseconds.
ConnectorType The type of connector used during the Miracast session.
EncodeAverageTimeMS The average time to encode a frame of video, in milliseconds.
EncodeCount The count of total frames encoded in the session.
EncodeMaxTimeMS The maximum time to encode a frame, in milliseconds.
EncodeMinTimeMS The minimum time to encode a frame, in milliseconds.
EncoderCreationTimeInMs The time required to create the video encoder, in milliseconds.
ErrorSource Identifies the component that encountered an error that caused a disconnect, if applicable.
FirstFrameTime The time (tick count) when the first frame is sent.
FirstLatencyMode The first latency mode.
FrameAverageTimeMS Average time to process an entire frame, in milliseconds.
FrameCount The total number of frames processed.
FrameMaxTimeMS The maximum time required to process an entire frame, in milliseconds.
FrameMinTimeMS The minimum time required to process an entire frame, in milliseconds.
Glitches The number of frames that failed to be delivered on time.
HardwareCursorEnabled Indicates if hardware cursor was enabled when the connection ended.
HDCPState The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
HighestBitrate The highest video bitrate used during the Miracast session, in bits per second.
HighestDataRate The highest available bandwidth reported by the WiFi driver, in bits per second.
LastLatencyMode The last reported latency mode.
LogTimeReference The reference time, in tick counts.
LowestBitrate The lowest video bitrate used during the Miracast session, in bits per second.
LowestDataRate The lowest video bitrate used during the Miracast session, in bits per second.
MediaErrorCode The error code reported by the media session, if applicable.
MiracastEntr y The time (tick count) when the Miracast driver was first loaded.
MiracastM1 The time (tick count) when the M1 request was sent.
MiracastM2 The time (tick count) when the M2 request was sent.
MiracastM3 The time (tick count) when the M3 request was sent.
MiracastM4 The time (tick count) when the M4 request was sent.
MiracastM5 The time (tick count) when the M5 request was sent.
MiracastM6 The time (tick count) when the M6 request was sent.
MiracastM7 The time (tick count) when the M7 request was sent.
MiracastSessionState The state of the Miracast session when the connection ended.
MiracastStreaming The time (tick count) when the Miracast session first started processing frames.
ProfileCount The count of profiles generated from the receiver M4 response.
ProfileCountAfterFiltering The count of profiles after filtering based on available bandwidth and encoder
capabilities.
RefreshRate The refresh rate set on the remote display.
RotationSuppor ted Indicates if the Miracast receiver supports display rotation.
RTSPSessionId The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for
the same session.
SessionGuid The unique identifier of to correlate various Miracast events from a session.
SinkHadEdid Indicates if the Miracast receiver reported an EDID.
Suppor tMicrosoftColorSpaceConversion Indicates whether the Microsoft color space conversion for extra
color fidelity is supported by the receiver.
Suppor tsMicrosoftDiagnostics Indicates whether the Miracast receiver supports the Microsoft Diagnostics
Miracast extension.
Suppor tsMicrosoftFormatChange Indicates whether the Miracast receiver supports the Microsoft Format
Change Miracast extension.
Suppor tsMicrosoftLatencyManagement Indicates whether the Miracast receiver supports the Microsoft
Latency Management Miracast extension.
Suppor tsMicrosoftRTCP Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast
extension.
Suppor tsMicrosoftVideoFormats Indicates whether the Miracast receiver supports Microsoft video format
for 3:2 resolution.
Suppor tsWiDi Indicates whether Miracast receiver supports Intel WiDi extensions.
TeardownErrorCode The error code reason for teardown provided by the receiver, if applicable.
TeardownErrorReason The text string reason for teardown provided by the receiver, if applicable.
UIBCEndState Indicates whether UIBC was enabled when the connection ended.
UIBCEverEnabled Indicates whether UIBC was ever enabled.
UIBCStatus The result code reported by the UIBC setup process.
VideoBitrate The starting bitrate for the video encoder.
VideoCodecLevel The encoding level used for encoding, specific to the video subtype.
VideoHeight The height of encoded video frames.
VideoSubtype The unique subtype identifier of the video codec (encoding method) used for video encoding.
VideoWidth The width of encoded video frames.
WFD2Suppor ted Indicates if the Miracast receiver supports WFD2 protocol.
OneDrive events
Microsoft.OneDrive.Sync.Setup.APIOperation
This event includes basic data about install and uninstall OneDrive API operations.
The following fields are available:
APIName The name of the API.
Duration How long the operation took.
IsSuccess Was the operation successful?
ResultCode The result code.
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.EndExperience
This event includes a success or failure summary of the installation.
The following fields are available:
APIName The name of the API.
HResult HResult of the operation
IsSuccess Whether the operation is successful or not
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
The following fields are available:
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
This event is related to registering or unregistering the OneDrive update task.
The following fields are available:
APIName The name of the API.
IsSuccess Was the operation successful?
RegisterNewTaskResult The HResult of the RegisterNewTask operation.
ScenarioName The name of the scenario.
UnregisterOldTaskResult The HResult of the UnregisterOldTask operation.
Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
The following fields are available:
ComponentName The name of the dependent component.
isInstalled Is the dependent component installed?
Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
The following fields are available:
32bit The status of the OneDrive overlay icon on a 32-bit operating system.
64bit The status of the OneDrive overlay icon on a 64-bit operating system.
Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
This event sends information describing the result of the update.
The following fields are available:
hr The HResult of the operation.
IsLoggingEnabled Indicates whether logging is enabled for the updater.
UpdaterVersion The version of the updater.
Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
This event determines the status when downloading the OneDrive update configuration file.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
This event determines the error code that was returned when verifying Internet connectivity.
The following fields are available:
failedCheck The error code returned by the operation.
winInetError The HResult of the operation.
Remediation events
Microsoft.Windows.Remediation.Applicable
This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to
keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended
period. The remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
AllowAutoUpdateExists Indicates whether the Automatic Update feature is turned on.
AllowAutoUpdateProviderSetExists Indicates whether the Allow Automatic Update provider exists.
AppraiserBinariesValidResult Indicates whether the plug-in was appraised as valid.
AppraiserRegistr yValidResult Indicates whether the registry entry checks out as valid.
AppraiserTaskRepairDisabled Task repair performed by the Appraiser plug-in is disabled.
AppraiserTaskValid Indicates that the Appraiser task is valid.
AUOptionsExists Indicates whether the Automatic Update options exist.
CTACTargetingAttributesInvalid Indicates whether the Common Targeting Attribute Client (CTAC) attributes
are valid. CTAC is a Windows Runtime client library.
CTACVersion The Common Targeting Attribute Client (CTAT) version on the device. CTAT is a Windows
Runtime client library.
CV Correlation vector
DataStoreSizeInBytes Size of the data store, in bytes.
DateTimeDifference The difference between local and reference clock times.
DateTimeSyncEnabled Indicates whether the Datetime Sync plug-in is enabled.
daysSinceInstallThreshold The maximum number of days since the operating system was installed before
the device is checked to see if remediation is needed.
daysSinceInstallValue Number of days since the operating system was installed.
DaysSinceLastSIH The number of days since the most recent SIH executed.
DaysToNextSIH The number of days until the next scheduled SIH execution.
DetectConditionEnabled Indicates whether a condition that the remediation tool can repair was detected.
DetectedCondition Indicates whether detected condition is true and the perform action will be run.
DetectionFailedReason Indicates why a given remediation failed to fix a problem that was detected.
DiskFreeSpaceBeforeSedimentPackInMB Number of megabytes of disk space available on the device
before running the Sediment Pack.
DiskSpaceBefore The amount of free disk space available before a remediation was run.
EditionIdFixCorrupted Indicates whether the Edition ID is corrupted.
EscalationTimerResetFixResult The result of fixing the escalation timer.
EvalAndRepor tAppraiserRegEntries Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
FixedEditionId Indicates whether we fixed the edition ID.
FlightRebootTime The amount of time before the system is rebooted.
ForcedRebootToleranceDays The maximum number of days before a system reboot is forced on the devie.
FreeSpaceRequirement The amount of free space required.
GlobalEventCounter Client side counter that indicates ordering of events sent by the remediation system.
HResult The HRESULT for detection or perform action phases of the plugin.
installDateValue The date of the installation.
IsAppraiserLatestResult The HRESULT from the appraiser task.
IsConfigurationCorrected Indicates whether the configuration of SIH task was successfully corrected.
IsEscalationTimerResetFixNeeded Determines whether a fix is applicable.
IsForcedModeEnabled Indicates whether forced reboot mode is enabled.
IsHomeSku Indicates whether the device is running the Windows 10 Home edition.
IsRebootForcedMode Indicates whether the forced reboot mode is turned on.
IsSer viceHardeningEnabled Indicates whether the Windows Service Hardening feature was turned on for
the device.
IsSer viceHardeningNeeded Indicates whether Windows Service Hardening was needed for the device
(multiple instances of service tampering were detected.)
isThreshold Indicates whether the value meets our threshold.
IsUsoRebootPending Indicates whether a system reboot is pending.
IsUsoRebootPendingInUpdateStore Indicates whether a reboot is pending.
IsUsoRebootTaskEnabled Indicates whether the Update Service Orchestrator (USO) reboot task is enabled
IsUsoRebootTaskExists Indicates whether the Update Service Orchestrator (USO) reboot task exists.
IsUsoRebootTaskValid Indicates whether the Update Service Orchestrator (USO) reboot task is valid.
LastHresult The HRESULT for detection or perform action phases of the plugin.
LastRebootTaskRunResult Indicates the result of the last reboot task.
LastRebootTaskRunTime The length of time the last reboot task took to run.
LastRun The date of the most recent SIH run.
LPCountBefore The number of language packs on the device before remediation started.
NextCheck Indicates when remediation will next be attempted.
NextRebootTaskRunTime Indicates when the next system reboot task will run.
NextRun Date of the next scheduled SIH run.
NoAutoUpdateExists Indicates whether the Automatic Updates feature is turned off.
NumberOfDaysStuckInReboot The number of days tht the device has been unable to successfully reboot.
OriginalEditionId The Windows edition ID before remediation started.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
ProductType The product type of Windows 10.
QualityUpdateSedimentFunnelState Provides information about whether Windows Quality Updates are
missing on the device.
QualityUpdateSedimentJsonSchemaVersion The schema version of the Quality Update Sediment
Remediation.
QualityUpdateSedimentLastRunSeconds The number of seconds since the Quality Updates were run.
QualityUpdateSedimentLocalStar tTime Provides information about when Quality Updates were run.
QualityUpdateSedimentLocaltTime The local time of the device running the Quality Update Sediment
Remediation.
QualityUpdateSedimentTargetedPlugins Provides the list of remediation plug-ins that are applicable to
enable Quality Updates on the device.
QualityUpdateSedimentTargetedTriggers Provides information about remediations that are applicable to
enable Quality Updates on the device.
RegkeysExist Indicates whether specified registry keys exist.
Reload True if SIH reload is required.
RemediationAutoUACleanupNeeded Automatic Update Assistant cleanup is required.
RemediationAutoUAIsInstalled Indicates whether the Automatic Update Assistant tool is installed.
RemediationAutoUATaskDisabled Indicates whether the Automatic Update Assistant tool task is disabled.
RemediationAutoUATaskNotExists Indicates whether an Automatic Update Assistant tool task does not exist.
RemediationAutoUATasksStalled Indicates whether an Automatic Update Assistant tool task is stalled.
RemediationCorruptionRepairBuildNumber The build number to use to repair corruption.
RemediationCorruptionRepairCorruptionsDetected Indicates whether corruption was detected.
RemediationCorruptionRepairDetected Indicates whether an attempt was made to repair the corruption.
RemediationDeliverToastBuildNumber Indicates a build number that should be applicable to this device.
RemediationDeliverToastDetected Indicates that a plug-in has been detected.
RemediationDeliverToastDeviceExcludedNation Indicates the geographic identity (GEO ID) that is not
applicable for a given plug-in.
RemediationDeliverToastDeviceFreeSpaceInMB Indicates the amount of free space, in megabytes.
RemediationDeliverToastDeviceHomeSku Indicates whether the plug-in is applicable for the Windows 10
Home edition.
RemediationDeliverToastDeviceIncludedNation Indicates the geographic identifier (GEO ID) that is
applicable for a given plug-in.
RemediationDeliverToastDeviceProSku Indicates whether the plug-in is applicable for the Windows 10
Professional edition.
RemediationDeliverToastDeviceSystemDiskSizeInMB Indicates the size of a system disk, in megabytes.
RemediationDeliverToastGeoId Indicates the geographic identifier (GEO ID) that is applicable for a given
plug-in.
RemediationDeviceSkuId The Windows 10 edition ID that maps to the version of Windows 10 on the device.
RemediationGetCurrentFolderExist Indicates whether the GetCurrent folder exists.
RemediationNoisyHammerAcLineStatus Indicates the AC Line Status of the device.
RemediationNoisyHammerAutoStar tCount The number of times hammer auto-started.
RemediationNoisyHammerCalendarTaskEnabled Event that indicates Update Assistant Calendar Task is
enabled.
RemediationNoisyHammerCalendarTaskExists Event that indicates an Update Assistant Calendar Task
exists.
RemediationNoisyHammerCalendarTaskTriggerEnabledCount Event that indicates calendar triggers are
enabled in the task.
RemediationNoisyHammerDaysSinceLastTaskRunTime The number of days since the most recent Noisy
Hammer task ran.
RemediationNoisyHammerGetCurrentSize Size in MB of the $GetCurrent folder.
RemediationNoisyHammerIsInstalled TRUE if the noisy hammer is installed.
RemediationNoisyHammerLastTaskRunResult The result of the last hammer task run.
RemediationNoisyHammerMeteredNetwork TRUE if the machine is on a metered network.
RemediationNoisyHammerTaskEnabled Indicates whether the Update Assistant Task (Noisy Hammer) is
enabled.
RemediationNoisyHammerTaskExists Indicates whether the Update Assistant Task (Noisy Hammer) exists.
RemediationNoisyHammerTasksStalled Indicates whether a task (Noisy Hammer) is stalled.
RemediationNoisyHammerTaskTriggerEnabledCount Indicates whether counting is enabled for the
Update Assistant (Noisy Hammer) task trigger.
RemediationNoisyHammerUAExitCode The exit code of the Update Assistant (Noisy Hammer) task.
RemediationNoisyHammerUAExitState The code for the exit state of the Update Assistant (Noisy Hammer)
task.
RemediationNoisyHammerUserLoggedIn TRUE if there is a user logged in.
RemediationNoisyHammerUserLoggedInAdmin TRUE if there is the user currently logged in is an Admin.
RemediationNotifyUserFixIssuesBoxStatusKey Status of the remediation plug-in.
RemediationNotifyUserFixIssuesBuildNumber The build number of the remediation plug-in.
RemediationNotifyUserFixIssuesDetected Indicates whether the remediation is necessary.
RemediationNotifyUserFixIssuesDiskSpace Indicates whether the remediation is necessary due to low disk
space.
RemediationNotifyUserFixIssuesFeatureUpdateBlocked Indicates whether the remediation is necessary
due to Feature Updates being blocked.
RemediationNotifyUserFixIssuesFeatureUpdateInProgress Indicates whether the remediation is
necessary due to Feature Updates in progress.
RemediationNotifyUserFixIssuesIsUserAdmin Indicates whether the remediation requires that an
Administrator is logged in.
RemediationNotifyUserFixIssuesIsUserLoggedIn Indicates whether the remediation can take place when a
non-Administrator is logged in.
RemediationProgramDataFolderSizeInMB The size (in megabytes) of the Program Data folder on the
device.
RemediationProgramFilesFolderSizeInMB The size (in megabytes) of the Program Files folder on the
device.
RemediationShellDeviceApplicabilityFailedReason The reason the Remediation is not applicable to the
device (expressed as a bitmap).
RemediationShellDeviceEducationSku Indicates whether the Windows 10 Education edition is detected on
the device.
RemediationShellDeviceEnterpriseSku Indicates whether the Windows 10 Enterprise edition is detected on
the device.
RemediationShellDeviceFeatureUpdatesPaused Indicates whether Feature Updates are paused on the
device.
RemediationShellDeviceHomeSku Indicates whether the Windows 10 Home edition is detected on the
device.
RemediationShellDeviceIsAllowedSku Indicates whether the Windows 10 edition is applicable to the
device.
RemediationShellDeviceManaged TRUE if the device is WSUS managed or Windows Updated disabled.
RemediationShellDeviceNewOS TRUE if the device has a recently installed OS.
RemediationShellDeviceProSku Indicates whether a Windows 10 Professional edition is detected.
RemediationShellDeviceQualityUpdatesPaused Indicates whether Quality Updates are paused on the
device.
RemediationShellDeviceSccm TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
RemediationShellDeviceSedimentMutexInUse Indicates whether the Sediment Pack mutual exclusion
object (mutex) is in use.
RemediationShellDeviceSetupMutexInUse Indicates whether device setup is in progress.
RemediationShellDeviceWuRegistr yBlocked Indicates whether the Windows Update is blocked on the
device via the registry.
RemediationShellDeviceZeroExhaust TRUE if the device has opted out of Windows Updates completely.
RemediationShellHasExpired Indicates whether the remediation iterations have ended.
RemediationShellHasUpgraded Indicates whether the device upgraded.
RemediationShellIsDeviceApplicable Indicates whether the remediation is applicable to the device.
RemediationTargetMachine Indicates whether the device is a target of the specified fix.
RemediationTaskHealthAutochkProxy True/False based on the health of the AutochkProxy task.
RemediationTaskHealthChkdskProactiveScan True/False based on the health of the Check Disk task.
RemediationTaskHealthDiskCleanup_SilentCleanup True/False based on the health of the Disk Cleanup
task.
RemediationTaskHealthMaintenance_WinSAT True/False based on the health of the Health Maintenance
task.
RemediationTaskHealthSer vicing_ComponentCleanupTask True/False based on the health of the Health
Servicing Component task.
RemediationTaskHealthUSO_ScheduleScanTask True/False based on the health of the USO (Update
Session Orchestrator) Schedule task.
RemediationTaskHealthWindowsUpdate_ScheduledStar tTask True/False based on the health of the
Windows Update Scheduled Start task.
RemediationTaskHealthWindowsUpdate_SihbootTask True/False based on the health of the Sihboot task.
RemediationUHSer viceDisabledBitMap A bitmap indicating which services were disabled.
RemediationUHSer viceNotExistBitMap A bitmap indicating which services were deleted.
RemediationUsersFolderSizeInMB The size (in megabytes) of the Users folder on the device.
RemediationWindows10UpgradeFolderExist Indicates whether the Windows 10 Upgrade folder exists.
RemediationWindows10UpgradeFolderSizeInMB The size (in megabytes) of the Windows 10 Upgrade
folder on the device.
RemediationWindowsAppsFolderSizeInMB The size (in megabytes) of the Windows Applications folder on
the device.
RemediationWindowsBtFolderSizeInMB The size (in megabytes) of the Windows BT folder on the device.
RemediationWindowsFolderSizeInMB The size (in megabytes) of the Windows folder on the device.
RemediationWindowsSer viceProfilesFolderSizeInMB The size (in megabytes) of the Windows service
profile on the device.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
RunTask TRUE if SIH task should be run by the plug-in.
StorageSenseDiskCompresserEstimateInMB The estimated amount of free space that can be cleaned up
by running Storage Sense.
StorageSenseHelloFaceRecognitionFodCleanupEstimateInByte The estimated amount of space that can
be cleaned up by running Storage Sense and removing Windows Hello facial recognition.
StorageSenseRestorePointCleanupEstimateInMB The estimated amount of free space (in megabytes) that
can be cleaned up by running Storage Sense.
StorageSenseUserDownloadFolderCleanupEstimateInByte The estimated amount of space that can be
cleaned up by running Storage Sense to clean up the User Download folder.
TimeSer viceNTPSer ver The URL for the NTP time server used by device.
TimeSer viceStar tType The startup type for the NTP time service.
TimeSer viceSyncDomainJoined True if device domain joined and hence uses DC for clock.
TimeSer viceSyncType Type of sync behavior for Date & Time service on device.
uninstallActiveValue Indicates whether an uninstall is in progress.
UpdateApplicabilityFixerTriggerBitMap A bitmap containing the reason(s) why the Update Applicability
Fixer Plugin was executed.
UpdateRebootTime The amount of time it took to reboot to install the updates.
usoScanHoursSinceLastScan The number of hours since the last scan by the Update Service Orchestrator
(USO).
usoScanPastThreshold Indicates whether the Update Service Orchestrator (USO) scan is overdue.
WindowsHiberFilSysSizeInMegabytes The size of the Windows Hibernation file, in megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, in megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, in megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the Software Distribution folder, in
megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, in megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, in megabytes.
Microsoft.Windows.Remediation.Completed
This event is sent when Windows Update sediment remediations have completed on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
ActionName Name of the action to be completed by the plug-in.
AppraiserTaskMissing TRUE if the Appraiser task is missing.
branchReadinessLevel Branch readiness level policy.
cloudControlState Value indicating whether the shell is enabled on the cloud control settings.
CV The Correlation Vector.
DateTimeDifference The difference between the local and reference clocks.
DiskFreeSpaceAfterSedimentPackInMB The amount of free disk space (in megabytes) after executing the
Sediment Pack.
DiskFreeSpaceBeforeSedimentPackInMB The amount of free disk space (in megabytes) before executing
the Sediment Pack.
DiskMbFreeAfterCleanup The amount of free hard disk space after cleanup, measured in Megabytes.
DiskMbFreeBeforeCleanup The amount of free hard disk space before cleanup, measured in Megabytes.
DiskSpaceCleanedByComponentCleanup The amount of disk space (in megabytes) in the component store
that was cleaned up by the plug-in.
DiskSpaceCleanedByNGenRemoval The amount of diskspace (megabytes) in the Native Image Generator
(NGEN) cache that was cleaned up by the plug-in.
DiskSpaceCleanedByRestorePointRemoval The amount of disk space (megabytes) in restore points that
was cleaned up by the plug-in.
ForcedAppraiserTaskTriggered TRUE if Appraiser task ran from the plug-in.
GlobalEventCounter Client-side counter that indicates ordering of events sent by the active user.
HandlerCleanupFreeDiskInMegabytes The amount of hard disk space cleaned by the storage sense
handlers, measured in megabytes.
hasRolledBack Indicates whether the client machine has rolled back.
hasUninstalled Indicates whether the client machine has uninstalled a later version of the OS.
hResult The result of the event execution.
HResult The result of the event execution.
installDate The value of installDate registry key. Indicates the install date.
isNetworkMetered Indicates whether the client machine has uninstalled a later version of the OS.
LatestState The final state of the plug-in component.
MicrosoftCompatibilityAppraiser The name of the component targeted by the Appraiser plug-in.
PackageVersion The package version for the current Remediation.
PluginName The name of the plug-in specified for each generic plug-in event.
QualityUpdateSedimentExecutedPlugins The number of plug-ins executed by the Windows Quality Update
remediation.
QualityUpdateSedimentFunnelState The state of the Windows Quality Update remediation funnel for the
device.
QualityUpdateSedimentJsonSchemaVersion The schema version of the Quality Update Sediment
Remediation.
QualityUpdateSedimentLocalEndTime The local time on the device when the Windows Quality Update
remediation executed.
QualityUpdateSedimentLocaltTime The local time of the device running the Quality Update Sediment
Remediation.
QualityUpdateSedimentMatchedTriggers The list of triggers that were matched by the Windows Quality
Update remediation.
QualityUpdateSedimentModelExecutionSeconds The number of seconds needed to execute the Windows
Quality Update remediation.
recoveredFromTargetOS Indicates whether the device recovered from the target operating system (OS).
RemediationAutoUASpaceSaved Amount of disk space saved in MB after cleaning up AutoUA folders.
RemediationBatter yPowerBatter yLevel Indicates the battery level at which it is acceptable to continue
operation.
RemediationBatter yPowerExitDueToLowBatter y True when we exit due to low battery power.
RemediationBatter yPowerOnBatter y True if we allow execution on battery.
RemediationCbsTempDiskSpaceCleanedInMB The amount of space (in megabytes) that the plug-in
cleaned up in the CbsTemp folder.
RemediationCbsTempEstimateInMB The amount of space (megabytes) in the CbsTemp folder that is
available for cleanup by the plug-in.
RemediationComponentCleanupEstimateInMB The amount of space (megabytes) in the WinSxS
(Windows Side-by-Side) folder that is available for cleanup by the plug-in.
RemediationConfigurationTroubleshooterIpconfigFix TRUE if IPConfig Fix completed successfully.
RemediationConfigurationTroubleshooterNetShFix TRUE if network card cache reset ran successfully.
RemediationCorruptionIsManifestFix Boolean indicating if the manifest was repaired.
RemediationCorruptionRepairCorruptionsDetected Number of corruptions detected on the device.
RemediationCorruptionRepairCorruptionsFixed Number of detected corruptions that were fixed on the
device.
RemediationCorruptionRepairDownloadCompleted Boolean indicating if the download of manifest cab
was completed.
RemediationCorruptionRepairDownloadRequired Boolean indicating if the download of manifest cab is
required for repair.
RemediationCorruptionRepairMeteredNetwork Boolean indicating if the device is on a metered network.
RemediationCorruptionRepairPerformActionSuccessful Indicates whether corruption repair was
successful on the device.
RemediationDiskCleanupSearchFileSizeInMB The size of the Cleanup Search index file, measured in
megabytes.
RemediationDiskSpaceSavedByCompressionInMB The amount of disk space (megabytes) that was
compressed by the plug-in.
RemediationDiskSpaceSavedByUserProfileCompressionInMB The amount of User disk space (in
megabytes) that was compressed by the plug-in.
remediationExecution Remediation shell is in "applying remediation" state.
RemediationHandlerCleanupEstimateInMB The estimated amount of disk space (in megabytes) to be
cleaned up by running Storage Sense.
RemediationHibernationMigrated TRUE if hibernation was migrated.
RemediationHibernationMigrationSucceeded TRUE if hibernation migration succeeded.
RemediationNGenDiskSpaceRestored The amount of disk space (in megabytes) that was restored after re-
running the Native Image Generator (NGEN).
RemediationNGenEstimateInMB The amount of disk space (in megabytes) estimated to be in the Native
Image Generator (NGEN) cache by the plug-in.
RemediationNGenMigrationSucceeded Indicates whether the Native Image Generator (NGEN) migration
succeeded.
RemediationRestorePointEstimateInMB The amount of disk space (in megabytes) estimated to be used by
storage points found by the plug-in.
RemediationSearchFileSizeEstimateInMB The amount of disk space (megabytes) estimated to be used by
the Cleanup Search index file found by the plug-in.
RemediationShellHasUpgraded TRUE if the device upgraded.
RemediationShellMinimumTimeBetweenShellRuns Indicates the time between shell runs exceeded the
minimum required to execute plugins.
RemediationShellRunFromSer vice TRUE if the shell driver was run from the service.
RemediationShellSessionIdentifier Unique identifier tracking a shell session.
RemediationShellSessionTimeInSeconds Indicates the time the shell session took in seconds.
RemediationShellTaskDeleted Indicates that the shell task has been deleted so no additional sediment pack
runs occur for this installation.
RemediationSoftwareDistributionCleanedInMB The amount of disk space (megabytes) in the Software
Distribution folder that was cleaned up by the plug-in.
RemediationSoftwareDistributionEstimateInMB The amount of disk space (megabytes) in the Software
Distribution folder that is available for clean up by the plug-in.
RemediationTotalDiskSpaceCleanedInMB The total disk space (in megabytes) that was cleaned up by the
plug-in.
RemediationUpdateSer viceHealthRemediationResult The result of the Update Service Health plug-in.
RemediationUpdateTaskHealthRemediationResult The result of the Update Task Health plug-in.
RemediationUpdateTaskHealthTaskList A list of tasks fixed by the Update Task Health plug-in.
RemediationUserFolderCompressionEstimateInMB The amount of disk space (in megabytes) estimated
to be compressible in User folders by the plug-in.
RemediationUserProfileCompressionEstimateInMB The amount of disk space (megabytes) estimated to
be compressible in User Profile folders by the plug-in.
RemediationUSORebootRequred Indicates whether a reboot is determined to be required by calling the
Update Service Orchestrator (USO).
RemediationWindowsCompactedEstimateInMB The amount of disk space (megabytes) estimated to be
available by compacting the operating system using the plug-in.
RemediationWindowsLogSpaceEstimateInMB The amount of disk space (in megabytes) available in
Windows logs that can be cleaned by the plug-in.
RemediationWindowsLogSpaceFreed The amount of disk space freed by deleting the Windows log files,
measured in Megabytes.
RemediationWindowsOldSpaceEstimateInMB The amount of disk space (megabytes) in the Windows.OLD
folder that can be cleaned up by the plug-in.
RemediationWindowsSpaceCompactedInMB The amount of disk space (megabytes) that can be cleaned
up by the plug-in.
RemediationWindowsStoreSpaceCleanedInMB The amount of disk space (megabytes) from the Windows
Store cache that was cleaned up by the plug-in.
RemediationWindowsStoreSpaceEstimateInMB The amount of disk space (megabytes) in the Windows
store cache that is estimated to be cleanable by the plug-in.
Result The HRESULT for Detection or Perform Action phases of the plug-in.
RunCount The number of times the plugin has executed.
RunResult The HRESULT for Detection or Perform Action phases of the plug-in.
Ser viceHardeningExitCode The exit code returned by Windows Service Repair.
Ser viceHealthEnabledBitMap List of services updated by the plugin.
Ser viceHealthInstalledBitMap List of services installed by the plugin.
StorageSenseDiskCompresserTotalInMB The total number of megabytes that Storage Sense cleaned up in
the User Download folder.
StorageSenseHelloFaceRecognitionFodCleanupTotalInByte The amount of space that Storage Sense was
able to clean up in the User Download folder by removing Windows Hello facial recognition.
StorageSenseRestorePointCleanupTotalInMB The total number of megabytes that Storage Sense cleaned
up in the User Download folder.
StorageSenseUserDownloadFolderCleanupTotalInByte The total number of bytes that Storage Sense
cleaned up in the User Download folder.
systemDriveFreeDiskSpace Indicates the free disk space on system drive, in megabytes.
systemUptimeInHours Indicates the amount of time the system in hours has been on since the last boot.
uninstallActive TRUE if previous uninstall has occurred for current OS
UpdateApplicabilityFixedBitMap Bitmap indicating which fixes were applied by the plugin.
usoScanDaysSinceLastScan The number of days since the last USO (Update Session Orchestrator) scan.
usoScanInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple
simultaneous scans.
usoScanIsAllowAutoUpdateKeyPresent TRUE if the AllowAutoUpdate registry key is set.
usoScanIsAllowAutoUpdateProviderSetKeyPresent TRUE if AllowAutoUpdateProviderSet registry key is
set.
usoScanIsAuOptionsPresent TRUE if Auto Update Options registry key is set.
usoScanIsFeatureUpdateInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to
prevent multiple simultaneous scans.
usoScanIsNetworkMetered TRUE if the device is currently connected to a metered network.
usoScanIsNoAutoUpdateKeyPresent TRUE if no Auto Update registry key is set/present.
usoScanIsUserLoggedOn TRUE if the user is logged on.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold
(late).
usoScanType The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
windows10UpgraderBlockWuUpdates Event to report the value of Windows 10 Upgrader
BlockWuUpdates Key.
windowsEditionId Event to report the value of Windows Edition ID.
WindowsOldSpaceCleanedInMB The amount of disk space freed by removing the Windows.OLD folder,
measured in Megabytes.
windowsUpgradeRecoveredFromRs4 Event to report the value of the Windows Upgrade Recovered key.
Microsoft.Windows.Remediation.Started
This event is sent when Windows Update sediment remediations have started on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
QualityUpdateSedimentFunnelState Provides information about whether quality updates are missing on
the device.
QualityUpdateSedimentFunnelType Indicates whether the Remediation is for Quality Updates or Feature
Updates.
QualityUpdateSedimentJsonSchemaVersion The schema version of the Quality Update Sediment
Remediation.
QualityUpdateSedimentLastRunSeconds The number of seconds since Quality Updates were run.
QualityUpdateSedimentLocaltTime The local time of the device running the Quality Update Sediment
Remediation.
QualityUpdateSedimentMatchedTriggers The list of triggers that were matched by the Windows Quality
Update Remediation.
QualityUpdateSedimentSelectedPlugins The number of plugins that were selected for execution in the
Quality Update Sediment Remediation.
QualityUpdateSedimentTargetedPlugins The list of plug-ins targeted by the current Quality Update
Sediment Remediation.
QualityUpdateSedimentTargetedTriggers The list of triggers targeted by the current Quality Update
Sediment Remediation.
RemediationProgramDataFolderSizeInMB The size (in megabytes) of the Program Data folder on the
device.
RemediationProgramFilesFolderSizeInMB The size (in megabytes) of the Program Files folder on the
device.
RemediationUsersFolderSizeInMB The size (in megabytes) of the Users folder on the device.
RemediationWindowsAppsFolderSizeInMB The size (in megabytes) of the Windows Applications folder on
the device.
RemediationWindowsBtFolderSizeInMB The size (in megabytes) of the Windows BT folder on the device.
RemediationWindowsFolderSizeInMB The size (in megabytes) of the Windows folder on the device.
RemediationWindowsSer viceProfilesFolderSizeInMB The size (in megabytes) of the Windows Service
Profiles folder on the device.
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System disk drive, measured
in megabytes.
Result This is the HRESULT for detection or perform action phases of the plugin.
RunCount The number of times the remediation event started (whether it completed successfully or not).
WindowsHiberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the Software Distribution folder,
measured in megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, measured in
megabytes.
Sediment events
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
The following fields are available:
Data Data relevant to the state, such as what percent of disk space the directory takes up.
Id Identifies the trial being run, such as a disk related trial.
ReleaseVer The version of the component.
State The state of the reporting data from the trial, such as the top-level directory analysis.
Time The time the event was fired.
Microsoft.Windows.Sediment.Info.Error
This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
ReleaseVer The version information for the component in which the error occurred.
Time The system time at which the error occurred.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
The following fields are available:
NewPhase The phase of progress made.
ReleaseVer The version information for the component in which the change occurred.
Time The system time at which the phase chance occurred.
Microsoft.Windows.SedimentLauncher.Applicable
This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Boolean true if detect condition is true and perform action will be run.
FileVersion The version of the data-link library (DLL) that will be applied by the self-update process.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsHashMismatch Indicates whether the hash is a mismatch.
IsSelfUpdateEnabledInOneSettings True if self update enabled in Settings.
IsSelfUpdateNeeded True if self update needed by device.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.Completed
This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons Concatenated list of failure reasons.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedLauncherExecutionResult HRESULT for one execution of the Sediment Launcher.
Microsoft.Windows.SedimentLauncher.Started
This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Applicable
This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Determine whether action needs to run based on device properties.
FileVersion The version of the dynamic-link library (DLL) that will be applied by the self-update process.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsHashMismatch Indicates whether the hash is a mismatch.
IsSelfUpdateEnabledInOneSettings Indicates if self update is enabled in One Settings.
IsSelfUpdateNeeded Indicates if self update is needed.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Completed
This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons List of reasons when the plugin action failed.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedimentSer viceCheckTaskFunctional True/False if scheduled task check succeeded.
SedimentSer viceCurrentBytes Number of current private bytes of memory consumed by sedsvc.exe.
SedimentSer viceKillSer vice True/False if service is marked for kill (Shell.KillService).
SedimentSer viceMaximumBytes Maximum bytes allowed for the service.
SedimentSer viceRanShell Indicates whether the shell was run by the service.
SedimentSer viceRetrievedKillSer vice True/False if result of One Settings check for kill succeeded - we only
send back one of these indicators (not for each call).
SedimentSer viceShellRunHResult The HRESULT returned when the shell was run by the service.
SedimentSer viceStopping True/False indicating whether the service is stopping.
SedimentSer viceTaskFunctional True/False if scheduled task is functional. If task is not functional this
indicates plugins will be run.
SedimentSer viceTotalIterations Number of 5 second iterations service will wait before running again.
Microsoft.Windows.SedimentService.Started
This event is sent when the Windows Update sediment remediations service starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
The following fields are available:
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
SIH events
SIHEngineTelemetry.EvalApplicability
This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
The following fields are available:
ActionReasons If an action has been assessed as inapplicable, the additional logic prevented it.
AdditionalReasons If an action has been assessed as inapplicable, the additional logic prevented it.
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event – whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
HandlerReasons If an action has been assessed as inapplicable, the installer technology-specific logic
prevented it.
IsExecutingAction If the action is presently being executed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.)
SihclientVersion The client version that is being used.
StandardReasons If an action has been assessed as inapplicable, the standard logic the prevented it.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WuapiVersion The Windows Update API version that is currently installed.
WuaucltVersion The Windows Update client version that is currently installed.
WuauengVersion The Windows Update engine version that is currently installed.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes
important information like if the update required a reboot.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
RebootRequired Indicates if a reboot was required to complete the action.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
SihclientVersion The SIH version.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WuapiVersion The Windows Update API version.
WuaucltVersion The Windows Update version identifier for SIH.
WuauengVersion The Windows Update engine version identifier.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.PostRebootReport
This event reports the status of an action following a reboot, should one have been required.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
SihclientVersion Version of SIH Client on the device.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WuapiVersion Version of Windows Update DLL on the device.
WuaucltVersion Version of WUAUCLT (Windows Update Auto-Update Client) on the device.
WuauengVersion Version of Windows Update (Auto-Update) engine on the device.
WUDeviceID The unique identifier controlled by the software distribution client.
Update events
Update360Telemetry.Revert
This event sends data relating to the Revert phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the Revert phase.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RebootRequired Indicates reboot is required.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
Rever tResult The result code returned for the Revert operation.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
The following fields are available:
ContainsSafeOSDUPackage Boolean indicating whether Safe DU packages are part of the payload.
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadComplete Indicates if the download is complete.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique ID for each flight.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCategoriesSkipped Indicates package categories that were skipped, if applicable.
PackageCountOptional Number of optional packages requested.
PackageCountRequired Number of required packages requested.
PackageCountTotal Total number of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageCountTotalPSFX The total number of PSFX packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
PackageSizePSFX The size of PSFX packages, in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
SandboxTaggedForReser ves The sandbox for reserves.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new
Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
PackageCount Number of packages that feel back to canonical.
PackageList PackageIds which fell back to canonical.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Correlation vector value generated from the latest USO scan.
RelatedCV Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMerge
The UpdateAgentMerge event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current merge phase.
FlightId Unique ID for each flight.
MergeId The unique ID to join two update sessions being merged.
ObjectId Unique value for each Update Agent mode.
RelatedCV Related correlation vector value.
Result Outcome of the merge phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
The following fields are available:
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
ObjectId Unique value for each Update Agent mode.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
Failed The count of mitigations that failed.
FlightId Unique identifier for each flight.
MitigationScenario The update scenario in which the mitigations were attempted.
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing all mitigations (in 100-nanosecond increments).
Total Total number of mitigations that were available.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates the mode that has started.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
Count The count of applicable OneSettings for the device.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Values The values sent back to the device, if applicable.
Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified
Update Platform (UUP) update scenario.
The following fields are available:
ErrorCode The error code returned for the current post reboot phase.
FlightId The specific ID of the Windows Insider build the device is getting.
ObjectId Unique value for each Update Agent mode.
PostRebootResult Indicates the Hresult.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentReboot
This event sends information indicating that a request has been sent to suspend an update.
The following fields are available:
ErrorCode The error code returned for the current reboot.
FlightId Unique ID for the flight (test instance version).
IsSuspendable Indicates whether the update has the ability to be suspended and resumed at the time of
reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is
running, this field is TRUE, if not its FALSE.
ObjectId The unique value for each Update Agent mode.
Reason Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the
result is 0.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
UpdateState Indicates the state of the machine when Suspend is called. For example, Install, Download,
Commit.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
The following fields are available:
ContainsExpressPackage Indicates whether the download package is express.
FlightId Unique ID for each flight.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode.
RelatedCV Correlation vector value generated from the latest USO scan.
SandboxSize Size of the sandbox.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
SetupLaunchAttemptCount Indicates the count of attempts to launch setup for the current Update Agent
instance.
SetupMode Mode of setup to be launched.
UpdateId Unique ID for each Update.
UserSession Indicates whether install was invoked by user actions.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
The following fields are available:
ActivationUri Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
AppId The Xbox LIVE Title ID.
AppUserModelId The AUMID (Application User Model ID) of the app to activate.
Result The HResult error.
UserId The Xbox LIVE User ID (XUID).
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
AppActionId The ID of the application action.
AppCurrentVisibilityState The ID of the current application visibility state.
AppId The Xbox LIVE Title ID of the app.
AppPackageFullName The full name of the application package.
AppPreviousVisibilityState The ID of the previous application visibility state.
AppSessionId The application session ID.
AppType The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
BCACode The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
DurationMs The amount of time (in milliseconds) since the last application state transition.
IsTrialLicense This boolean value is TRUE if the application is on a trial license.
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 -
Offline, 4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner
of the license.
ProductGuid The Xbox product GUID (Globally-Unique ID) of the application.
UserId The XUID (Xbox User ID) of the current user.
Windows 10, version 1803 basic level Windows
diagnostic events and fields
1/31/2020 • 291 minutes to read • Edit Online
Applies to
Windows 10, version 1803
The Basic level gathers a limited set of information that is critical for understanding the device and its
configuration including: basic device information, quality-related information, app compatibility, and Microsoft
Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of
memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields
Windows 10, version 1809 basic diagnostic events and fields
Windows 10, version 1709 basic diagnostic events and fields
Windows 10, version 1703 basic diagnostic events and fields
Manage connections from Windows operating system components to Microsoft services
Configure Windows diagnostic data in your organization
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to
ensure that the records present on the server match what is present on the client.
The following fields are available:
DatasourceApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS3 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_RS5 The count of the number of this particular object type present on this
device.
DatasourceDevicePnp_RS1 The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on
this device.
DatasourceDevicePnp_RS3 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS5 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS1 The total DataSourceDriverPackage objects targeting Windows 10 version
1607 on this device.
DatasourceDriverPackage_RS3 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS1 The total DataSourceMatchingInfoBlock objects targeting Windows 10
version 1607 on this device.
DataSourceMatchingInfoBlock_RS3 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS1 The total DataSourceMatchingInfoPassive objects targeting Windows
10 version 1607 on this device.
DataSourceMatchingInfoPassive_RS3 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_RS5 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPostUpgrade_RS1 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1607 on this device.
DataSourceMatchingInfoPostUpgrade_RS3 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1709 on this device.
DataSourceMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present
on this device.
DatasourceSystemBios_RS1 The total DatasourceSystemBios objects targeting Windows 10 version 1607
present on this device.
DatasourceSystemBios_RS3 The total DatasourceSystemBios objects targeting Windows 10 version 1709
present on this device.
DatasourceSystemBios_RS5 The count of the number of this particular object type present on this device.
DatasourceSystemBios_RS5Setup The count of the number of this particular object type present on this
device.
DecisionApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
DecisionApplicationFile_RS3 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS5 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS1 The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this
device.
DecisionDevicePnp_RS3 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS5 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS1 The total DecisionDriverPackage objects targeting Windows 10 version 1607
on this device.
DecisionDriverPackage_RS3 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS5 The count of the number of this particular object type present on this device.
DecisionMatchingInfoBlock_RS1 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1607 present on this device.
DecisionMatchingInfoBlock_RS3 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1709 present on this device.
DecisionMatchingInfoBlock_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_RS1 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1607 on this device.
DecisionMatchingInfoPassive_RS3 The total DecisionMatchingInfoPassive objects targeting Windows 10
version 1803 on this device.
DecisionMatchingInfoPassive_RS5 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPostUpgrade_RS1 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1607 on this device.
DecisionMatchingInfoPostUpgrade_RS3 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1709 on this device.
DecisionMatchingInfoPostUpgrade_RS5 The count of the number of this particular object type present on
this device.
DecisionMediaCenter_RS1 The total DecisionMediaCenter objects targeting Windows 10 version 1607
present on this device.
DecisionMediaCenter_RS3 The total DecisionMediaCenter objects targeting Windows 10 version 1709
present on this device.
DecisionMediaCenter_RS5 The count of the number of this particular object type present on this device.
DecisionSystemBios_RS1 The total DecisionSystemBios objects targeting Windows 10 version 1607 on this
device.
DecisionSystemBios_RS3 The total DecisionSystemBios objects targeting Windows 10 version 1709 on this
device.
DecisionSystemBios_RS5 The total DecisionSystemBios objects targeting the next release of Windows on
this device.
DecisionSystemBios_RS5Setup The count of the number of this particular object type present on this
device.
DecisionTest_RS1 An ID for the system, calculated by hashing hardware identifiers.
Inventor yApplicationFile The count of the number of this particular object type present on this device.
Inventor yLanguagePack The count of the number of this particular object type present on this device.
Inventor yMediaCenter The count of the number of this particular object type present on this device.
Inventor ySystemBios The count of the number of this particular object type present on this device.
Inventor yTest The count of the number of this particular object type present on this device.
Inventor yUplevelDriverPackage The count of the number of this particular object type present on this
device.
PCFP An ID for the system, calculated by hashing hardware identifiers.
SystemMemor y The count of the number of this particular object type present on this device.
SystemProcessorCompareExchange The count of the number of this particular object type present on this
device.
SystemProcessorLahfSahf The count of the number of this particular object type present on this device.
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The total number of objects of this type present on this device.
SystemTouch The count of SystemTouch objects present on this machine.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of SystemWindowsActivationStatus objects present on this
machine.
SystemWlan The total number of objects of this type present on this device.
Wmdrm_RS1 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS3 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS5 The count of the number of this particular object type present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an antivirus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an antivirus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
IsBootCritical Indicates whether the device boot is critical.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
This event indicates that the DatasourceSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
DisplayGenericMessageGated Indicates whether a generic message be shown for this file.
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
AssociatedDriverWillNotMigrate Will the driver associated with this plug-and-play device migrate?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this
PNP device.
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for this driver
package.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
This event indicates that the DecisionMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown due to
matching info blocks.
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least
once and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
This event indicates that the DecisionMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device blocked from upgrade due to a BIOS block?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for the bios.
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
This event indicates that the DecisionSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
The following fields are available:
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either
have a block in the compatibility database or be part of an antivirus program.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
AvDisplayName If the app is an antivirus app, this is its display name.
AvProductState Indicates whether the antivirus program is turned on and the signatures are up to date.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
HasUpgradeExe Indicates whether the antivirus app has an upgrade.exe file.
IsAv Indicates whether the file an antivirus reporting EXE.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BiosDate The release date of the BIOS in UTC format.
BiosName The name field from Win32_BIOS.
Manufacturer The manufacturer field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
This event indicates that the InventorySystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
The following fields are available:
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The version of the Appraiser file generating the events.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
PCFP An ID for the system calculated by hashing hardware identifiers.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryRemove
This event that the SystemMemory object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
This event indicates that the SystemProcessorCompareExchange object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
This event indicates that the SystemProcessorLahfSahf object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
This event indicates that the SystemProcessorNx object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
This event indicates that the SystemProcessorPrefetchW object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
This event indicates that the SystemProcessorSse2 object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchRemove
This event indicates that the SystemTouch object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimRemove
This event indicates that the SystemWim object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusEndSync
This event indicates that a full set of SystemWindowsActivationStatusAdd events has succeeded in being sent.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
The following fields are available:
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser diagnostic data run.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
InboxDataVersion The original version of the data files before retrieving any newer version.
IndicatorsWritten Indicates if all relevant UEX indicators were successfully written or updated.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PCFP An ID for the system calculated by hashing hardware identifiers.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
Time The client time of the event.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows
up to date. This data does not indicate the details of the media using the digital rights management, only whether
any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be
able to be removed once all mitigations are in place.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmRemove
This event indicates that the Wmdrm object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Census events
Census.App
This event sends version data about the Apps running on this device, to help keep Windows up to date.
The following fields are available:
AppraiserEnterpriseErrorCode The error code of the last Appraiser enterprise run.
AppraiserErrorCode The error code of the last Appraiser run.
AppraiserRunEndTimeStamp The end time of the last Appraiser run.
AppraiserRunIsInProgressOrCrashed Flag that indicates if the Appraiser run is in progress or has crashed.
AppraiserRunStar tTimeStamp The start time of the last Appraiser run.
AppraiserTaskEnabled Whether the Appraiser task is enabled.
AppraiserTaskExitCode The Appraiser task exist code.
AppraiserTaskLastRun The last runtime for the Appraiser task.
CensusVersion The version of Census that generated the current data for this device.
IEVersion The version of Internet Explorer that is running on the device.
Census.Azure
This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines
with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure
fleet”) return empty data sets.
The following fields are available:
CloudCoreBuildEx The Azure CloudCore build number.
CloudCoreSuppor tBuildEx The Azure CloudCore support build number.
NodeID The node identifier on the device that indicates whether the device is part of the Azure fleet.
Par tA_PrivTags The privacy tags associated with the event.
Census.Battery
This event sends type and capacity data about the battery on the device, as well as the number of connected
standby devices in use, type to help keep Windows up to date.
The following fields are available:
InternalBatter yCapablities Represents information about what the battery is capable of doing.
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or relative).
Compare this value to DesignedCapacity to estimate the battery's wear.
InternalBatter yCapacityDesign Represents the theoretical capacity of the battery when new, in mWh.
InternalBatter yNumberOfCharges Provides the number of battery charges. This is used when creating new
products and validating that existing products meets targeted functionality performance.
IsAlwaysOnAlwaysConnectedCapable Represents whether the battery enables the device to be
AlwaysOnAlwaysConnected . Boolean value.
Census.Camera
This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
The following fields are available:
FrontFacingCameraResolution Represents the resolution of the front facing camera in megapixels. If a front
facing camera does not exist, then the value is 0.
RearFacingCameraResolution Represents the resolution of the rear facing camera in megapixels. If a rear
facing camera does not exist, then the value is 0.
Census.Enterprise
This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of
the use and integration of devices in an enterprise, cloud, and server environment.
The following fields are available:
AADDeviceId Azure Active Directory device ID.
AzureOSIDPresent Represents the field used to identify an Azure machine.
AzureVMType Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
CDJType Represents the type of cloud domain joined for the machine.
CommercialId Represents the GUID for the commercial entity which the device is a member of. Will be used
to reflect insights back to customers.
ContainerType The type of container, such as process or virtual machine hosted.
EnrollmentType Defines the type of MDM enrollment on the device.
HashedDomain The hashed representation of the user domain used for login.
IsCloudDomainJoined Is this device joined to an Azure Active Directory (AAD) tenant? true/false
IsDERequirementMet Represents if the device can do device encryption.
IsDeviceProtected Represents if Device protected by BitLocker/Device Encryption
IsDomainJoined Indicates whether a machine is joined to a domain.
IsEDPEnabled Represents if Enterprise data protected on the device.
IsMDMEnrolled Whether the device has been MDM Enrolled or not.
MPNId Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
SCCMClientId This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based
systems with systems in an Enterprise SCCM environment.
Ser verFeatures Represents the features installed on a Windows Server. This can be used by developers and
administrators who need to automate the process of determining the features installed on a set of server
computers.
SystemCenterID The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
Census.Firmware
This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
The following fields are available:
FirmwareManufacturer Represents the manufacturer of the device's firmware (BIOS).
FirmwareReleaseDate Represents the date the current firmware was released.
FirmwareType Represents the firmware type. The various types can be unknown, BIOS, UEFI.
FirmwareVersion Represents the version of the current firmware.
Census.Flighting
This event sends Windows Insider data from customers participating in improvement testing and feedback
programs, to help keep Windows up to date.
The following fields are available:
DeviceSampleRate The telemetry sample rate assigned to the device.
EnablePreviewBuilds Used to enable Windows Insider builds on a device.
FlightIds A list of the different Windows Insider builds on this device.
FlightingBranchName The name of the Windows Insider branch currently used by the device.
IsFlightsDisabled Represents if the device is participating in the Windows Insider program.
MSA_Accounts Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds)
on this device.
SSRK Retrieves the mobile targeting settings.
Census.Hardware
This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level
setting, and TPM support, to help keep Windows up to date.
The following fields are available:
ActiveMicCount The number of active microphones attached to the device.
ChassisType Represents the type of device chassis, such as desktop or low profile desktop. The possible values
can range between 1 - 36.
ComputerHardwareID Identifies a device class that is represented by a hash of different SMBIOS fields.
D3DMaxFeatureLevel Supported Direct3D version.
DeviceColor Indicates a color of the device.
DeviceForm Indicates the form as per the device classification.
DeviceName The device name that is set by the user.
DigitizerSuppor t Is a digitizer supported?
DUID The device unique ID.
Gyroscope Indicates whether the device has a gyroscope (a mechanical component that measures and
maintains orientation).
Inventor yId The device ID used for compatibility testing.
Magnetometer Indicates whether the device has a magnetometer (a mechanical component that works like a
compass).
NFCProximity Indicates whether the device supports NFC (a set of communication protocols that helps
establish communication when applicable devices are brought close together.)
OEMDigitalMarkerFileName The name of the file placed in the \Windows\system32\drivers directory that
specifies the OEM and model name of the device.
OEMManufacturerName The device manufacturer name. The OEMName for an inactive device is not
reprocessed even if the clean OEM name is changed at a later date.
OEMModelBaseBoard The baseboard model used by the OEM.
OEMModelBaseBoardVersion Differentiates between developer and retail devices.
OEMModelName The device model name.
OEMModelNumber The device model number.
OEMModelSKU The device edition that is defined by the manufacturer.
OEMModelSystemFamily The system family set on the device by an OEM.
OEMModelSystemVersion The system model version set on the device by the OEM.
OEMOptionalIdentifier A Microsoft assigned value that represents a specific OEM subsidiary.
OEMSerialNumber The serial number of the device that is set by the manufacturer.
PhoneManufacturer The friendly name of the phone manufacturer.
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic
form factor of the device.
SoCName The firmware manufacturer of the device.
StudyID Used to identify retail and non-retail device.
Telemetr yLevel The telemetry level the user has opted into, such as Basic or Enhanced.
Telemetr yLevelLimitEnhanced The telemetry level for Windows Analytics-based solutions.
Telemetr ySettingAuthority Determines who set the telemetry level, such as GP, MDM, or the user.
TPMVersion The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
VoiceSuppor ted Does the device have a cellular radio capable of making voice calls?
Census.Memory
This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to
date.
The following fields are available:
TotalPhysicalRAM Represents the physical memory (in MB).
TotalVisibleMemor y Represents the memory that is not reserved by the system.
Census.Network
This event sends data about the mobile and cellular network used by the device (mobile service provider, network,
device ID, and service cost factors), to help keep Windows up to date.
The following fields are available:
IMEI0 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
IMEI1 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
MCC0 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MCC1 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MEID Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to
CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA
phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose
or identify the user.
MNC0 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MNC1 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MobileOperatorBilling Represents the telephone company that provides services for mobile phone users.
MobileOperatorCommercialized Represents which reseller and geography the phone is commercialized for.
This is the set of values on the phone for who and where it was intended to be used. For example, the
commercialized mobile operator code AT&T in the US would be ATT-US.
MobileOperatorNetwork0 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
MobileOperatorNetwork1 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
NetworkAdapterGUID The GUID of the primary network adapter.
NetworkCost Represents the network cost associated with a connection.
SPN0 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
SPN1 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
Census.OS
This event sends data about the operating system such as the version, locale, update service configuration, when
and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
The following fields are available:
ActivationChannel Retrieves the retail license key or Volume license key for a machine.
AssignedAccessStatus Kiosk configuration mode.
CompactOS Indicates if the Compact OS feature from Win10 is enabled.
DeveloperUnlockStatus Represents if a device has been developer unlocked by the user or Group Policy.
DeviceTimeZone The time zone that is set on the device. Example: Pacific Standard Time
GenuineState Retrieves the ID Value specifying the OS Genuine check.
InstallationType Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
InstallLanguage The first language installed on the user machine.
IsDeviceRetailDemo Retrieves if the device is running in demo mode.
IsEduData Returns Boolean if the education data policy is enabled.
IsPor tableOperatingSystem Retrieves whether OS is running Windows-To-Go
IsSecureBootEnabled Retrieves whether Boot chain is signed under UEFI.
LanguagePacks The list of language packages installed on the device.
LicenseStateReason Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an
error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by
the MS store.
OA3xOriginalProductKey Retrieves the License key stamped by the OEM to the machine.
OSEdition Retrieves the version of the current OS.
OSInstallType Retrieves a numeric description of what install was used on the device i.e. clean, upgrade,
refresh, reset, etc
OSOOBEDateTime Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
OSSKU Retrieves the Friendly Name of OS Edition.
OSSubscriptionStatus Represents the existing status for enterprise subscription feature for PRO machines.
OSSubscriptionTypeId Returns boolean for enterprise subscription feature for selected PRO machines.
OSTimeZoneBiasInMins Retrieves the time zone set on machine.
OSUILocale Retrieves the locale of the UI that is currently used by the OS.
ProductActivationResult Returns Boolean if the OS Activation was successful.
ProductActivationTime Returns the OS Activation time for tracking piracy issues.
ProductKeyID2 Retrieves the License key if the machine is updated with a new license key.
RACw7Id Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor
and analyze system usage and reliability.
Ser viceMachineIP Retrieves the IP address of the KMS host used for anti-piracy.
Ser viceMachinePor t Retrieves the port of the KMS host used for anti-piracy.
Ser viceProductKeyID Retrieves the License key of the KMS
SharedPCMode Returns Boolean for education devices used as shared cart
Signature Retrieves if it is a signature machine sold by Microsoft store.
SLICStatus Whether a SLIC table exists on the device.
SLICVersion Returns OS type/version from SLIC table.
Census.PrivacySettings
This event provides information about the device level privacy settings and whether device-level access was
granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for
the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits
represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective
consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -
1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The
consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not
requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a
gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID
policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was
not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
The following fields are available:
Activity Current state of the activity history setting.
ActivityHistor yCloudSync Current state of the activity history cloud sync setting.
ActivityHistor yCollection Current state of the activity history collection setting.
Adver tisingId Current state of the advertising ID setting.
AppDiagnostics Current state of the app diagnostics setting.
Appointments Current state of the calendar setting.
Bluetooth Current state of the Bluetooth capability setting.
BluetoothSync Current state of the Bluetooth sync capability setting.
BroadFileSystemAccess Current state of the broad file system access setting.
CellularData Current state of the cellular data capability setting.
Chat Current state of the chat setting.
Contacts Current state of the contacts setting.
DocumentsLibrar y Current state of the documents library setting.
Email Current state of the email setting.
FindMyDevice Current state of the "find my device" setting.
GazeInput Current state of the gaze input setting.
HumanInterfaceDevice Current state of the human interface device setting.
InkTypeImprovement Current state of the improve inking and typing setting.
Location Current state of the location setting.
LocationHistor y Current state of the location history setting.
Microphone Current state of the microphone setting.
PhoneCall Current state of the phone call setting.
PhoneCallHistor y Current state of the call history setting.
PicturesLibrar y Current state of the pictures library setting.
Radios Current state of the radios setting.
SensorsCustom Current state of the custom sensor setting.
SerialCommunication Current state of the serial communication setting.
Sms Current state of the text messaging setting.
SpeechPersonalization Current state of the speech services setting.
USB Current state of the USB setting.
UserAccountInformation Current state of the account information setting.
UserDataTasks Current state of the tasks setting.
UserNotificationListener Current state of the notifications setting.
VideosLibrar y Current state of the videos library setting.
Webcam Current state of the camera setting.
WiFiDirect Current state of the Wi-Fi direct setting.
Census.Processor
This event sends data about the processor to help keep Windows up to date.
The following fields are available:
KvaShadow This is the micro code information of the processor.
MMSettingOverride Microcode setting of the processor.
MMSettingOverrideMask Microcode setting override of the processor.
PreviousUpdateRevision Previous microcode revision.
ProcessorArchitecture Retrieves the processor architecture of the installed operating system.
ProcessorClockSpeed Clock speed of the processor in MHz.
ProcessorCores Number of logical cores in the processor.
ProcessorIdentifier Processor Identifier of a manufacturer.
ProcessorManufacturer Name of the processor manufacturer.
ProcessorModel Name of the processor model.
ProcessorPhysicalCores Number of physical cores in the processor.
ProcessorUpdateRevision The microcode revision.
ProcessorUpdateStatus Enum value that represents the processor microcode load status.
SocketCount Count of CPU sockets.
SpeculationControl Indicates whether the system has enabled protections needed to validate the speculation
control vulnerability.
Census.Security
This event provides information on about security settings used to help keep Windows up to date and secure.
The following fields are available:
AvailableSecurityProper ties This field helps to enumerate and report state on the relevant security
properties for Device Guard.
CGRunning Credential Guard isolates and hardens key system and user secrets against compromise, helping
to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already
running via a local or network based vector. This field tells if Credential Guard is running.
DGState This field summarizes the Device Guard state.
HVCIRunning Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes
and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all
software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
IsSawGuest Indicates whether the device is running as a Secure Admin Workstation Guest.
IsSawHost Indicates whether the device is running as a Secure Admin Workstation Host.
RequiredSecurityProper ties Describes the required security properties to enable virtualization-based
security.
SecureBootCapable Systems that support Secure Boot can have the feature turned off via BIOS. This field
tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
SModeState The Windows S mode trail state.
VBSState Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of
the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to
isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled,
Enabled, or Running.
Census.Speech
This event is used to gather basic speech settings on the device.
The following fields are available:
AboveLockEnabled Cortana setting that represents if Cortana can be invoked when the device is locked.
GPAllowInputPersonalization Indicates if a Group Policy setting has enabled speech functionalities.
HolographicSpeechInputDisabled Holographic setting that represents if the attached HMD devices have
speech functionality disabled by the user.
HolographicSpeechInputDisabledRemote Indicates if a remote policy has disabled speech functionalities
for the HMD devices.
KWSEnabled Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
MDMAllowInputPersonalization Indicates if an MDM policy has enabled speech functionalities.
RemotelyManaged Indicates if the device is being controlled by a remote administrator (MDM or Group
Policy) in the context of speech functionalities.
SpeakerIdEnabled Cortana setting that represents if keyword detection has been trained to try to respond to
a single user's voice.
SpeechSer vicesEnabled Windows setting that represents whether a user is opted-in for speech services on
the device.
Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to
date.
The following fields are available:
Primar yDiskTotalCapacity Retrieves the amount of disk space on the primary disk of the device in MB.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to
which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
SystemVolumeTotalCapacity Retrieves the size of the partition that the System volume is installed on in MB.
Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular
extensions and protocols, to help keep Windows up to date.
The following fields are available:
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm,
.jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
DefaultBrowserProgId The ProgramId of the current user's default browser.
Census.UserDisplay
This event sends data about the logical/physical display size, resolution and number of internal/external displays,
and VRAM on the system, to help keep Windows up to date.
The following fields are available:
InternalPrimar yDisplayLogicalDPIX Retrieves the logical DPI in the x-direction of the internal display.
InternalPrimar yDisplayLogicalDPIY Retrieves the logical DPI in the y-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIX Retrieves the physical DPI in the x-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIY Retrieves the physical DPI in the y-direction of the internal display.
InternalPrimar yDisplayResolutionHorizontal Retrieves the number of pixels in the horizontal direction of
the internal display.
InternalPrimar yDisplayResolutionVer tical Retrieves the number of pixels in the vertical direction of the
internal display.
InternalPrimar yDisplaySizePhysicalH Retrieves the physical horizontal length of the display in mm. Used
for calculating the diagonal length in inches .
InternalPrimar yDisplaySizePhysicalY Retrieves the physical vertical length of the display in mm. Used for
calculating the diagonal length in inches
NumberofExternalDisplays Retrieves the number of external displays connected to the machine
NumberofInternalDisplays Retrieves the number of internal displays in a machine.
VRAMDedicated Retrieves the video RAM in MB.
VRAMDedicatedSystem Retrieves the amount of memory on the dedicated video card.
VRAMSharedSystem Retrieves the amount of RAM memory that the video card can use.
Census.UserNLS
This event sends data about the default app language, input, and display language preferences set by the user, to
help keep Windows up to date.
The following fields are available:
DefaultAppLanguage The current user Default App Language.
DisplayLanguage The current user preferred Windows Display Language.
HomeLocation The current user location, which is populated using GetUserGeoId() function.
KeyboardInputLanguages The Keyboard input languages installed on the device.
SpeechInputLanguages The Speech Input languages installed on the device.
Census.UserPrivacySettings
This event provides information about the current users privacy settings and whether device-level access was
granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for
the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits
represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective
consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent
authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide
setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy
setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in
code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
The following fields are available:
Activity Current state of the activity history setting.
ActivityHistor yCloudSync Current state of the activity history cloud sync setting.
ActivityHistor yCollection Current state of the activity history collection setting.
Adver tisingId Current state of the advertising ID setting.
AppDiagnostics Current state of the app diagnostics setting.
Appointments Current state of the calendar setting.
Bluetooth Current state of the Bluetooth capability setting.
BluetoothSync Current state of the Bluetooth sync capability setting.
BroadFileSystemAccess Current state of the broad file system access setting.
CellularData Current state of the cellular data capability setting.
Chat Current state of the chat setting.
Contacts Current state of the contacts setting.
DocumentsLibrar y Current state of the documents library setting.
Email Current state of the email setting.
GazeInput Current state of the gaze input setting.
HumanInterfaceDevice Current state of the human interface device setting.
InkTypeImprovement Current state of the improve inking and typing setting.
InkTypePersonalization Current state of the inking and typing personalization setting.
Location Current state of the location setting.
LocationHistor y Current state of the location history setting.
Microphone Current state of the microphone setting.
PhoneCall Current state of the phone call setting.
PhoneCallHistor y Current state of the call history setting.
PicturesLibrar y Current state of the pictures library setting.
Radios Current state of the radios setting.
SensorsCustom Current state of the custom sensor setting.
SerialCommunication Current state of the serial communication setting.
Sms Current state of the text messaging setting.
SpeechPersonalization Current state of the speech services setting.
USB Current state of the USB setting.
UserAccountInformation Current state of the account information setting.
UserDataTasks Current state of the tasks setting.
UserNotificationListener Current state of the notifications setting.
VideosLibrar y Current state of the videos library setting.
Webcam Current state of the camera setting.
WiFiDirect Current state of the Wi-Fi direct setting.
Census.VM
This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to
help keep Windows up to date.
The following fields are available:
CloudSer vice Indicates which cloud service, if any, that this virtual machine is running within.
HyperVisor Retrieves whether the current OS is running on top of a Hypervisor.
IOMMUPresent Represents if an input/output memory management unit (IOMMU) is present.
IsVDI Is the device using Virtual Desktop Infrastructure?
IsVir tualDevice Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should
not be relied upon for non-Hv#1 Hypervisors.
SL ATSuppor ted Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
Vir tualizationFirmwareEnabled Represents whether virtualization is enabled in the firmware.
Census.WU
This event sends data about the Windows update server and other App store policies, to help keep Windows up to
date.
The following fields are available:
AppraiserGatedStatus Indicates whether a device has been gated for upgrading.
AppStoreAutoUpdate Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
AppStoreAutoUpdateMDM Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 -
Not configured. Default: [2] Not configured
AppStoreAutoUpdatePolicy Retrieves the Microsoft Store App Auto Update group policy setting
DelayUpgrade Retrieves the Windows upgrade flag for delaying upgrades.
OSAssessmentFeatureOutOfDate How many days has it been since a the last feature update was released
but the device did not install it?
OSAssessmentForFeatureUpdate Is the device is on the latest feature update?
OSAssessmentForQualityUpdate Is the device on the latest quality update?
OSAssessmentForSecurityUpdate Is the device on the latest security update?
OSAssessmentQualityOutOfDate How many days has it been since a the last quality update was released
but the device did not install it?
OSAssessmentReleaseInfoTime The freshness of release information used to perform an assessment.
OSRollbackCount The number of times feature updates have rolled back on the device.
OSRolledBack A flag that represents when a feature update has rolled back during setup.
OSUninstalled A flag that represents when a feature update is uninstalled on a device .
OSWUAutoUpdateOptions Retrieves the auto update settings on the device.
OSWUAutoUpdateOptionsSource The source of auto update setting that appears in the
OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and
Default.
UninstallActive A flag that represents when a device has uninstalled a previous upgrade recently.
UpdateSer viceURLConfigured Retrieves if the device is managed by Windows Server Update Services
(WSUS).
WUDeferUpdatePeriod Retrieves if deferral is set for Updates.
WUDeferUpgradePeriod Retrieves if deferral is set for Upgrades.
WUDODownloadMode Retrieves whether DO is turned on and how to acquire/distribute updates Delivery
Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same
network.
WUMachineId Retrieves the Windows Update (WU) Machine Identifier.
WUPauseState Retrieves WU setting to determine if updates are paused.
WUSer ver Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers
(by default).
Census.Xbox
This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to
date.
The following fields are available:
XboxConsolePreferredLanguage Retrieves the preferred language selected by the user on Xbox console.
XboxConsoleSerialNumber Retrieves the serial number of the Xbox console.
XboxLiveDeviceId Retrieves the unique device ID of the console.
XboxLiveSandboxId Retrieves the developer sandbox ID if the device is internal to Microsoft.
Compatibility events
Microsoft.Windows.Compatibility.Apphelp.SdbFix
Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
The following fields are available:
AppName Name of the application impacted by SDB.
FixID SDB GUID.
Flags List of flags applied.
ImageName Name of file.
Deployment extensions
DeploymentTelemetry.Deployment_End
This event indicates that a Deployment 360 API has completed.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
ErrorCode Error code of action.
FlightId The specific ID of the Windows Insider build the device is getting.
Mode Phase in upgrade.
RelatedCV The correction vector (CV) of any other related events
Result End result of the action.
DeploymentTelemetry.Deployment_Initialize
This event indicates that the Deployment 360 APIs have been initialized for use.
The following fields are available:
ClientId Client ID of user utilizing the D360 API.
ErrorCode Error code of the action.
FlightId The specific ID of the Windows Insider build the device is getting.
RelatedCV The correlation vector of any other related events.
Result End result of the action.
DeploymentTelemetry.Deployment_SetupBoxLaunch
This event indicates that the Deployment 360 APIs have launched Setup Box.
The following fields are available:
ClientId The client ID of the user utilizing the D360 API.
FlightId The specific ID of the Windows Insider build the device is getting.
Quiet Whether Setup will run in quiet mode or full mode.
RelatedCV The correlation vector (CV) of any other related events.
SetupMode The current setup phase.
DeploymentTelemetry.Deployment_SetupBoxResult
This event indicates that the Deployment 360 APIs have received a return from Setup Box.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
ErrorCode Error code of the action.
FlightId The specific ID of the Windows Insider build the device is getting.
Quiet Indicates whether Setup will run in quiet mode or full mode.
RelatedCV The correlation vector (CV) of any other related events.
SetupMode The current Setup phase.
DeploymentTelemetry.Deployment_Start
This event indicates that a Deployment 360 API has been called.
The following fields are available:
ClientId Client ID of the user utilizing the D360 API.
FlightId The specific ID of the Windows Insider build the device is getting.
Mode The current phase of the upgrade.
RelatedCV The correlation vector (CV) of any other related events.
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
The following fields are available:
AdapterTypeValue The numeric value indicating the type of Graphics adapter.
aiSeqId The event sequence ID.
bootId The system boot ID.
BrightnessVersionViaDDI The version of the Display Brightness Interface.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
DX10UMDFilePath The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
DX11UMDFilePath The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store.
DX12UMDFilePath The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store.
DX9UMDFilePath The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRemovable TRUE if the adapter supports being disabled or removed.
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
KMDFilePath The file path to the location of the Display Kernel Mode Driver in the Driver Store.
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
The following fields are available:
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
OS information collected during Boot, used to evaluate the success of the upgrade process.
The following fields are available:
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MaxAbove4GbFreeRange This field describes the largest memory range available above 4Gb.
MaxBelow4GbFreeRange This field describes the largest memory range available below 4Gb.
MeasuredLaunchPrepared This field tells us if the OS launch was initiated using Measured/Secure Boot over
DRTM (Dynamic Root of Trust for Measurement).
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
SecureLaunchPrepared This field indicates if DRTM was prepared during boot.
UserInputTime The amount of time the loader application spent waiting for user input.
Microsoft.Windows.Kernel.Power.OSStateChange
This event indicates an OS state change.
The following fields are available:
AcPowerOnline If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions The number of transitions between operating system states since the last system boot
Batter yCapacity Maximum battery capacity in mWh
Batter yCharge Current battery charge as a percentage of total capacity
Batter yDischarging Flag indicating whether the battery is discharging or charging
BootId Total boot count since the operating system was installed
BootTimeUTC Date and time of a particular boot event (identified by BootId)
EnergyChangeV2 A snapshot value in mWh reflecting a change in power usage
EnergyChangeV2Flags Flags for disambiguating EnergyChangeV2 context
EventSequence Indicates the sequence order for this event instance, relative to previous instances of
OSStateChange events that have occurred since boot
LastStateTransition ID of the last operating system state transition
LastStateTransitionSub ID of the last operating system sub-state transition
StateDurationMS Number of milliseconds spent in the last operating system state
StateTransition ID of the operating system state the system is transitioning to
StateTransitionSub ID of the operating system sub-state the system is transitioning to
TotalDurationMS Total time (in milliseconds) spent in all states since the last boot
TotalUptimeMS Total time (in milliseconds) the device was in Up or Running states since the last boot
TransitionsToOn Number of transitions to the Powered On state since the last boot
UptimeDeltaMS Total time (in milliseconds) added to Uptime since the last event
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
This event returns data to track the count of the migration objects across various phases during feature update.
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
This event returns data to track the count of the migration objects across various phases during feature update.
Miracast events
Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along
with some statistics about the session
The following fields are available:
AudioChannelCount The number of audio channels.
AudioSampleRate The sample rate of audio in terms of samples per second.
AudioSubtype The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
AverageBitrate The average video bitrate used during the Miracast session, in bits per second.
AverageDataRate The average available bandwidth reported by the WiFi driver during the Miracast session,
in bits per second.
AveragePacketSendTimeInMs The average time required for the network to send a sample, in milliseconds.
ConnectorType The type of connector used during the Miracast session.
EncodeAverageTimeMS The average time to encode a frame of video, in milliseconds.
EncodeCount The count of total frames encoded in the session.
EncodeMaxTimeMS The maximum time to encode a frame, in milliseconds.
EncodeMinTimeMS The minimum time to encode a frame, in milliseconds.
EncoderCreationTimeInMs The time required to create the video encoder, in milliseconds.
ErrorSource Identifies the component that encountered an error that caused a disconnect, if applicable.
FirstFrameTime The time (tick count) when the first frame is sent.
FirstLatencyMode The first latency mode.
FrameAverageTimeMS Average time to process an entire frame, in milliseconds.
FrameCount The total number of frames processed.
FrameMaxTimeMS The maximum time required to process an entire frame, in milliseconds.
FrameMinTimeMS The minimum time required to process an entire frame, in milliseconds.
Glitches The number of frames that failed to be delivered on time.
HardwareCursorEnabled Indicates if hardware cursor was enabled when the connection ended.
HDCPState The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
HighestBitrate The highest video bitrate used during the Miracast session, in bits per second.
HighestDataRate The highest available bandwidth reported by the WiFi driver, in bits per second.
LastLatencyMode The last reported latency mode.
LastLatencyTime The last reported latency time.
LogTimeReference The reference time, in tick counts.
LowestBitrate The lowest video bitrate used during the Miracast session, in bits per second.
LowestDataRate The lowest video bitrate used during the Miracast session, in bits per second.
MediaErrorCode The error code reported by the media session, if applicable.
MiracastEntr y The time (tick count) when the Miracast driver was first loaded.
MiracastM1 The time (tick count) when the M1 request was sent.
MiracastM2 The time (tick count) when the M2 request was sent.
MiracastM3 The time (tick count) when the M3 request was sent.
MiracastM4 The time (tick count) when the M4 request was sent.
MiracastM5 The time (tick count) when the M5 request was sent.
MiracastM6 The time (tick count) when the M6 request was sent.
MiracastM7 The time (tick count) when the M7 request was sent.
MiracastSessionState The state of the Miracast session when the connection ended.
MiracastStreaming The time (tick count) when the Miracast session first started processing frames.
ProfileCount The count of profiles generated from the receiver M4 response.
ProfileCountAfterFiltering The count of profiles after filtering based on available bandwidth and encoder
capabilities.
RefreshRate The refresh rate set on the remote display.
RotationSuppor ted Indicates if the Miracast receiver supports display rotation.
RTSPSessionId The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for
the same session.
SessionGuid The unique identifier of to correlate various Miracast events from a session.
SinkHadEdid Indicates if the Miracast receiver reported an EDID.
Suppor tMicrosoftColorSpaceConversion Indicates whether the Microsoft color space conversion for extra
color fidelity is supported by the receiver.
Suppor tsMicrosoftDiagnostics Indicates whether the Miracast receiver supports the Microsoft Diagnostics
Miracast extension.
Suppor tsMicrosoftFormatChange Indicates whether the Miracast receiver supports the Microsoft Format
Change Miracast extension.
Suppor tsMicrosoftLatencyManagement Indicates whether the Miracast receiver supports the Microsoft
Latency Management Miracast extension.
Suppor tsMicrosoftRTCP Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast
extension.
Suppor tsMicrosoftVideoFormats Indicates whether the Miracast receiver supports Microsoft video format
for 3:2 resolution.
Suppor tsWiDi Indicates whether Miracast receiver supports Intel WiDi extensions.
TeardownErrorCode The error code reason for teardown provided by the receiver, if applicable.
TeardownErrorReason The text string reason for teardown provided by the receiver, if applicable.
UIBCEndState Indicates whether UIBC was enabled when the connection ended.
UIBCEverEnabled Indicates whether UIBC was ever enabled.
UIBCStatus The result code reported by the UIBC setup process.
VideoBitrate The starting bitrate for the video encoder.
VideoCodecLevel The encoding level used for encoding, specific to the video subtype.
VideoHeight The height of encoded video frames.
VideoSubtype The unique subtype identifier of the video codec (encoding method) used for video encoding.
VideoWidth The width of encoded video frames.
WFD2Suppor ted Indicates if the Miracast receiver supports WFD2 protocol.
OneDrive events
Microsoft.OneDrive.Sync.Setup.APIOperation
This event includes basic data about install and uninstall OneDrive API operations.
The following fields are available:
APIName The name of the API.
Duration How long the operation took.
IsSuccess Was the operation successful?
ResultCode The result code.
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.EndExperience
This event includes a success or failure summary of the installation.
The following fields are available:
APIName The name of the API.
HResult HResult of the operation
IsSuccess Whether the operation is successful or not
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
The following fields are available:
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
This event is related to registering or unregistering the OneDrive update task.
The following fields are available:
APIName The name of the API.
IsSuccess Was the operation successful?
RegisterNewTaskResult The HResult of the RegisterNewTask operation.
ScenarioName The name of the scenario.
UnregisterOldTaskResult The HResult of the UnregisterOldTask operation.
Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
The following fields are available:
ComponentName The name of the dependent component.
isInstalled Is the dependent component installed?
Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
The following fields are available:
32bit The status of the OneDrive overlay icon on a 32-bit operating system.
64bit The status of the OneDrive overlay icon on a 64-bit operating system.
Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
This event sends information describing the result of the update.
The following fields are available:
hr The HResult of the operation.
IsLoggingEnabled Indicates whether logging is enabled for the updater.
UpdaterVersion The version of the updater.
Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
This event determines the status when downloading the OneDrive update configuration file.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
This event determines the error code that was returned when verifying Internet connectivity.
The following fields are available:
winInetError The HResult of the operation.
Remediation events
Microsoft.Windows.Remediation.Applicable
deny
The following fields are available:
ActionName The name of the action to be taken by the plug-in.
AppraiserBinariesValidResult Indicates whether the plug-in was appraised as valid.
AppraiserDetectCondition Indicates whether the plug-in passed the appraiser's check.
AppraiserRegistr yValidResult Indicates whether the registry entry checks out as valid.
AppraiserTaskDisabled Indicates the appraiser task is disabled.
AppraiserTaskValidFailed Indicates the Appraiser task did not function and requires intervention.
CV Correlation vector
DateTimeDifference The difference between local and reference clock times.
DateTimeSyncEnabled Indicates whether the Datetime Sync plug-in is enabled.
DaysSinceLastSIH The number of days since the most recent SIH executed.
DaysToNextSIH The number of days until the next scheduled SIH execution.
DetectedCondition Indicates whether detected condition is true and the perform action will be run.
EvalAndRepor tAppraiserBinariesFailed Indicates the EvalAndReportAppraiserBinaries event failed.
EvalAndRepor tAppraiserRegEntries Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
EvalAndRepor tAppraiserRegEntriesFailed Indicates the EvalAndReportAppraiserRegEntriesFailed event
failed.
GlobalEventCounter Client side counter that indicates ordering of events sent by the remediation system.
HResult The HRESULT for detection or perform action phases of the plugin.
IsAppraiserLatestResult The HRESULT from the appraiser task.
IsConfigurationCorrected Indicates whether the configuration of SIH task was successfully corrected.
LastHresult The HRESULT for detection or perform action phases of the plugin.
LastRun The date of the most recent SIH run.
NextRun Date of the next scheduled SIH run.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Reload True if SIH reload is required.
RemediationNoisyHammerAcLineStatus Indicates the AC Line Status of the device.
RemediationNoisyHammerAutoStar tCount The number of times hammer auto-started.
RemediationNoisyHammerCalendarTaskEnabled Event that indicates Update Assistant Calendar Task is
enabled.
RemediationNoisyHammerCalendarTaskExists Event that indicates an Update Assistant Calendar Task
exists.
RemediationNoisyHammerCalendarTaskTriggerEnabledCount Event that indicates calendar triggers are
enabled in the task.
RemediationNoisyHammerDaysSinceLastTaskRunTime The number of days since the most recent Noisy
Hammer task ran.
RemediationNoisyHammerGetCurrentSize Size in MB of the $GetCurrent folder.
RemediationNoisyHammerIsInstalled TRUE if the noisy hammer is installed.
RemediationNoisyHammerLastTaskRunResult The result of the last hammer task run.
RemediationNoisyHammerMeteredNetwork TRUE if the machine is on a metered network.
RemediationNoisyHammerTaskEnabled Indicates whether the Update Assistant Task (Noisy Hammer) is
enabled.
RemediationNoisyHammerTaskExists Indicates whether the Update Assistant Task (Noisy Hammer) exists.
RemediationNoisyHammerTaskTriggerEnabledCount Indicates whether counting is enabled for the
Update Assistant (Noisy Hammer) task trigger.
RemediationNoisyHammerUAExitCode The exit code of the Update Assistant (Noisy Hammer) task.
RemediationNoisyHammerUAExitState The code for the exit state of the Update Assistant (Noisy Hammer)
task.
RemediationNoisyHammerUserLoggedIn TRUE if there is a user logged in.
RemediationNoisyHammerUserLoggedInAdmin TRUE if there is the user currently logged in is an Admin.
RemediationShellDeviceManaged TRUE if the device is WSUS managed or Windows Updated disabled.
RemediationShellDeviceNewOS TRUE if the device has a recently installed OS.
RemediationShellDeviceSccm TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
RemediationShellDeviceZeroExhaust TRUE if the device has opted out of Windows Updates completely.
RemediationTargetMachine Indicates whether the device is a target of the specified fix.
RemediationTaskHealthAutochkProxy True/False based on the health of the AutochkProxy task.
RemediationTaskHealthChkdskProactiveScan True/False based on the health of the Check Disk task.
RemediationTaskHealthDiskCleanup_SilentCleanup True/False based on the health of the Disk Cleanup
task.
RemediationTaskHealthMaintenance_WinSAT True/False based on the health of the Health Maintenance
task.
RemediationTaskHealthSer vicing_ComponentCleanupTask True/False based on the health of the Health
Servicing Component task.
RemediationTaskHealthUSO_ScheduleScanTask True/False based on the health of the USO (Update
Session Orchestrator) Schedule task.
RemediationTaskHealthWindowsUpdate_ScheduledStar tTask True/False based on the health of the
Windows Update Scheduled Start task.
RemediationTaskHealthWindowsUpdate_SihbootTask True/False based on the health of the Sihboot task.
RemediationUHSer viceBitsSer viceEnabled Indicates whether BITS service is enabled.
RemediationUHSer viceDeviceInstallEnabled Indicates whether Device Install service is enabled.
RemediationUHSer viceDoSvcSer viceEnabled Indicates whether DO service is enabled.
RemediationUHSer viceDsmsvcEnabled Indicates whether DSMSVC service is enabled.
RemediationUHSer viceLicensemanagerEnabled Indicates whether License Manager service is enabled.
RemediationUHSer viceMpssvcEnabled Indicates whether MPSSVC service is enabled.
RemediationUHSer viceTokenBrokerEnabled Indicates whether Token Broker service is enabled.
RemediationUHSer viceTrustedInstallerSer viceEnabled Indicates whether Trusted Installer service is
enabled.
RemediationUHSer viceUsoSer viceEnabled Indicates whether USO (Update Session Orchestrator) service
is enabled.
RemediationUHSer vicew32timeSer viceEnabled Indicates whether W32 Time service is enabled.
RemediationUHSer viceWecsvcEnabled Indicates whether WECSVC service is enabled.
RemediationUHSer viceWinmgmtEnabled Indicates whether WMI service is enabled.
RemediationUHSer viceWpnSer viceEnabled Indicates whether WPN service is enabled.
RemediationUHSer viceWuauser vSer viceEnabled Indicates whether WUAUSERV service is enabled.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
RunAppraiserFailed Indicates RunAppraiser failed to run correctly.
RunTask TRUE if SIH task should be run by the plug-in.
TimeSer viceNTPSer ver The URL for the NTP time server used by device.
TimeSer viceStar tType The startup type for the NTP time service.
TimeSer viceSyncDomainJoined True if device domain joined and hence uses DC for clock.
TimeSer viceSyncType Type of sync behavior for Date & Time service on device.
Microsoft.Windows.Remediation.ChangePowerProfileDetection
Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable
installation of security or quality updates.
The following fields are available:
ActionName A descriptive name for the plugin action
CurrentPowerPlanGUID The ID of the current power plan configured on the device
CV Correlation vector
GlobalEventCounter Counter that indicates the ordering of events on the device
PackageVersion Current package version of remediation service
RemediationBatter yPowerBatter yLevel Integer between 0 and 100 indicating % battery power remaining
(if not on battery, expect 0)
RemediationFUInProcess Result that shows whether the device is currently installing a feature update
RemediationFURebootRequred Indicates that a feature update reboot required was detected so the plugin
will exit.
RemediationScanInProcess Result that shows whether the device is currently scanning for updates
RemediationTargetMachine Result that shows whether this device is a candidate for remediation(s) that will
fix update issues
SetupMutexAvailable Result that shows whether setup mutex is available or not
SysPowerStatusAC Result that shows whether system is on AC power or not
Microsoft.Windows.Remediation.Completed
This event is sent when Windows Update sediment remediations have completed on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
ActionName Name of the action to be completed by the plug-in.
AppraiserTaskCreationFailed TRUE if the appraiser task creation failed to complete successfully.
AppraiserTaskDeleteFailed TRUE if deletion of appraiser task failed to complete successfully.
AppraiserTaskExistFailed TRUE if detection of the appraiser task failed to complete successfully.
AppraiserTaskLoadXmlFailed TRUE if the Appraiser XML Loader failed to complete successfully.
AppraiserTaskMissing TRUE if the Appraiser task is missing.
AppraiserTaskTimeTriggerUpdateFailedId TRUE if the Appraiser Task Time Trigger failed to update
successfully.
AppraiserTaskValidateTaskXmlFailed TRUE if the Appraiser Task XML failed to complete successfully.
branchReadinessLevel Branch readiness level policy.
cloudControlState Value indicating whether the shell is enabled on the cloud control settings.
CrossedDiskSpaceThreshold Indicates if cleanup resulted in hard drive usage threshold required for feature
update to be exceeded.
CV The Correlation Vector.
DateTimeDifference The difference between the local and reference clocks.
DaysSinceOsInstallation The number of days since the installation of the Operating System.
DiskMbCleaned The amount of space cleaned on the hard disk, measured in megabytes.
DiskMbFreeAfterCleanup The amount of free hard disk space after cleanup, measured in Megabytes.
DiskMbFreeBeforeCleanup The amount of free hard disk space before cleanup, measured in Megabytes.
ForcedAppraiserTaskTriggered TRUE if Appraiser task ran from the plug-in.
GlobalEventCounter Client-side counter that indicates ordering of events sent by the active user.
HandlerCleanupFreeDiskInMegabytes The amount of hard disk space cleaned by the storage sense
handlers, measured in megabytes.
hasRolledBack Indicates whether the client machine has rolled back.
hasUninstalled Indicates whether the client machine has uninstalled a later version of the OS.
hResult The result of the event execution.
HResult The result of the event execution.
installDate The value of installDate registry key. Indicates the install date.
isNetworkMetered Indicates whether the client machine has uninstalled a later version of the OS.
LatestState The final state of the plug-in component.
MicrosoftCompatibilityAppraiser The name of the component targeted by the Appraiser plug-in.
PackageVersion The package version for the current Remediation.
PageFileCount The number of Windows Page files.
PageFileCurrentSize The size of the Windows Page file, measured in Megabytes.
PageFileLocation The storage location (directory path) of the Windows Page file.
PageFilePeakSize The maximum amount of hard disk space used by the Windows Page file, measured in
Megabytes.
PluginName The name of the plug-in specified for each generic plug-in event.
RanCleanup TRUE if the plug-in ran disk cleanup.
RemediationBatter yPowerBatter yLevel Indicates the battery level at which it is acceptable to continue
operation.
RemediationBatter yPowerExitDueToLowBatter y True when we exit due to low battery power.
RemediationBatter yPowerOnBatter y True if we allow execution on battery.
RemediationConfigurationTroubleshooterExecuted True/False based on whether the Remediation
Configuration Troubleshooter executed successfully.
RemediationConfigurationTroubleshooterIpconfigFix TRUE if IPConfig Fix completed successfully.
RemediationConfigurationTroubleshooterNetShFix TRUE if network card cache reset ran successfully.
RemediationDiskCleanSizeBtWindowsFolderInMegabytes The size of the Windows BT folder (used to
store Windows upgrade files), measured in Megabytes.
RemediationDiskCleanupBTFolderEsdSizeInMB The size of the Windows BT folder (used to store Windows
upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
RemediationDiskCleanupGetCurrentEsdSizeInMB The size of any existing ESD (Electronic Software
Delivery) folder, measured in Megabytes.
RemediationDiskCleanupSearchFileSizeInMegabytes The size of the Cleanup Search index file, measured
in Megabytes.
RemediationDiskCleanupUpdateAssistantSizeInMB The size of the Update Assistant folder, measured in
Megabytes.
RemediationDoorstopChangeSucceeded TRUE if Doorstop registry key was successfully modified.
RemediationDoorstopExists TRUE if there is a One Settings Doorstop value.
RemediationDoorstopRegkeyError TRUE if an error occurred accessing the Doorstop registry key.
RemediationDRFKeyDeleteSucceeded TRUE if the RecoveredFrom (Doorstop) registry key was successfully
deleted.
RemediationDUABuildNumber The build number of the DUA.
RemediationDUAKeyDeleteSucceeded TRUE if the UninstallActive registry key was successfully deleted.
RemediationDuplicateTokenSucceeded TRUE if the user token was successfully duplicated.
remediationExecution Remediation shell is in "applying remediation" state.
RemediationHibernationMigrated TRUE if hibernation was migrated.
RemediationHibernationMigrationSucceeded TRUE if hibernation migration succeeded.
RemediationImpersonateUserSucceeded TRUE if the user was successfully impersonated.
RemediationNoisyHammerTaskFixSuccessId Indicates whether the Update Assistant task fix was
successful.
RemediationNoisyHammerTaskKickOffIsSuccess TRUE if the NoisyHammer task started successfully.
RemediationQuer yTokenSucceeded TRUE if the user token was successfully queried.
RemediationRanHibernation TRUE if the system entered Hibernation.
RemediationRever tToSystemSucceeded TRUE if reversion to the system context succeeded.
RemediationShellHasUpgraded TRUE if the device upgraded.
RemediationShellMinimumTimeBetweenShellRuns Indicates the time between shell runs exceeded the
minimum required to execute plugins.
RemediationShellRunFromSer vice TRUE if the shell driver was run from the service.
RemediationShellSessionIdentifier Unique identifier tracking a shell session.
RemediationShellSessionTimeInSeconds Indicates the time the shell session took in seconds.
RemediationShellTaskDeleted Indicates that the shell task has been deleted so no additional sediment pack
runs occur for this installation.
RemediationUpdateSer viceHealthRemediationResult The result of the Update Service Health plug-in.
RemediationUpdateTaskHealthRemediationResult The result of the Update Task Health plug-in.
RemediationUpdateTaskHealthTaskList A list of tasks fixed by the Update Task Health plug-in.
RemediationWindowsLogSpaceFound The size of the Windows log files found, measured in Megabytes.
RemediationWindowsLogSpaceFreed The amount of disk space freed by deleting the Windows log files,
measured in Megabytes.
RemediationWindowsSecondar yDriveFreeSpace The amount of free space on the secondary drive,
measured in Megabytes.
RemediationWindowsSecondar yDriveLetter The letter designation of the first secondary drive with a total
capacity of 10GB or more.
RemediationWindowsSecondar yDriveTotalSpace The total storage capacity of the secondary drive,
measured in Megabytes.
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System Disk Drive, measured
in Megabytes.
Result The HRESULT for Detection or Perform Action phases of the plug-in.
RunResult The HRESULT for Detection or Perform Action phases of the plug-in.
Ser viceHardeningExitCode The exit code returned by Windows Service Repair.
Ser viceHealthEnabledBitMap List of services updated by the plugin.
Ser viceHealthInstalledBitMap List of services installed by the plugin.
Ser viceHealthPlugin The nae of the Service Health plug-in.
Star tComponentCleanupTask TRUE if the Component Cleanup task started successfully.
systemDriveFreeDiskSpace Indicates the free disk space on system drive, in megabytes.
systemUptimeInHours Indicates the amount of time the system in hours has been on since the last boot.
TotalSizeofOrphanedInstallerFilesInMegabytes The size of any orphaned Windows Installer files,
measured in Megabytes.
TotalSizeofStoreCacheAfterCleanupInMegabytes The size of the Microsoft Store cache after cleanup,
measured in Megabytes.
TotalSizeofStoreCacheBeforeCleanupInMegabytes The size of the Microsoft Store cache (prior to
cleanup), measured in Megabytes.
uninstallActive TRUE if previous uninstall has occurred for current OS
usoScanDaysSinceLastScan The number of days since the last USO (Update Session Orchestrator) scan.
usoScanInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple
simultaneous scans.
usoScanIsAllowAutoUpdateKeyPresent TRUE if the AllowAutoUpdate registry key is set.
usoScanIsAllowAutoUpdateProviderSetKeyPresent TRUE if AllowAutoUpdateProviderSet registry key is
set.
usoScanIsAuOptionsPresent TRUE if Auto Update Options registry key is set.
usoScanIsFeatureUpdateInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to
prevent multiple simultaneous scans.
usoScanIsNetworkMetered TRUE if the device is currently connected to a metered network.
usoScanIsNoAutoUpdateKeyPresent TRUE if no Auto Update registry key is set/present.
usoScanIsUserLoggedOn TRUE if the user is logged on.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold
(late).
usoScanType The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
windows10UpgraderBlockWuUpdates Event to report the value of Windows 10 Upgrader
BlockWuUpdates Key.
windowsEditionId Event to report the value of Windows Edition ID.
WindowsHyberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in Megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in Megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in Megabytes.
WindowsOldSpaceCleanedInMB The amount of disk space freed by removing the Windows.OLD folder,
measured in Megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in Megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the SoftwareDistribution folder,
measured in Megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in Megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, measured in
Megabytes.
WindowsSxsTempFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) Temp folder,
measured in Megabytes.
windowsUpgradeRecoveredFromRs4 Event to report the value of the Windows Upgrade Recovered key.
Microsoft.Windows.Remediation.RemediationShellMainExeEventId
Enables tracking of completion of process that remediates issues preventing security and quality updates.
The following fields are available:
CV Client side counter which indicates ordering of events sent by the remediation system.
GlobalEventCounter Client side counter which indicates ordering of events sent by the remediation system.
PackageVersion Current package version of Remediation.
RemediationShellCanAcquireSedimentMutex True if the remediation was able to acquire the sediment
mutex. False if it is already running.
RemediationShellExecuteShellResult Indicates if the remediation system completed without errors.
RemediationShellFoundDriverDll Result whether the remediation system found its component files to run
properly.
RemediationShellLoadedShellDriver Result whether the remediation system loaded its component files to
run properly.
RemediationShellLoadedShellFunction Result whether the remediation system loaded the functions from
its component files to run properly.
Microsoft.Windows.Remediation.Started
This event is sent when Windows Update sediment remediations have started on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
RunCount The number of times the remediation event started (whether it completed successfully or not).
Sediment events
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
The following fields are available:
Data Data relevant to the state, such as what percent of disk space the directory takes up.
Id Identifies the trial being run, such as a disk related trial.
ReleaseVer The version of the component.
State The state of the reporting data from the trial, such as the top-level directory analysis.
Time The time the event was fired.
Microsoft.Windows.Sediment.Info.Error
This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
The following fields are available:
NewPhase The phase of progress made.
ReleaseVer The version information for the component in which the change occurred.
Time The system time at which the phase chance occurred.
Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a
secure ping to Microsoft to help ensure Windows is up to date.
The following fields are available:
CustomVer The registry value for targeting.
IsMetered TRUE if the machine is on a metered network.
LastVer The version of the last successful run.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
This event provides information about the URL from which the Operating System Remediation System Service
(OSRSS) is attempting to download. This information helps ensure Windows is up to date.
The following fields are available:
AttemptNumber The count indicating which download attempt is starting.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from
the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The
information provided helps ensure future upgrade/update attempts are more successful.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the
signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the validated EXE was downloaded.
Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted
downloaded content. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the successfully extracted content was downloaded.
Microsoft.Windows.Sediment.OSRSS.NewUrlFound
This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL
to download from. This helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be downloaded.
Microsoft.Windows.Sediment.OSRSS.ProcessCreated
This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute
content downloaded from the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be executed.
Microsoft.Windows.Sediment.OSRSS.SelfUpdate
This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces
itself with a new version.
The following fields are available:
Ser viceVersionMajor The major version number for the component.
Ser viceVersionMinor The minor version number for the component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a
download from the URL.
The following fields are available:
Id A number identifying the URL.
Ser viceVersionMajor Version information for the component.
Ser viceVersionMinor Version information for the component.
StateData State-specific data, such as the attempt number for the download.
StateNumber A number identifying the current state of the URL (for example, found, downloading, extracted).
Time System timestamp when the event was started.
Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update
to itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with
new binaries as part of its self-update process. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an
updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to
install an updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-
update operation. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-
updater after downloading it. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.SedimentLauncher.Applicable
This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Boolean true if detect condition is true and perform action will be run.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings True if self update enabled in Settings.
IsSelfUpdateNeeded True if self update needed by device.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.Completed
This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons Concatenated list of failure reasons.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedLauncherExecutionResult HRESULT for one execution of the Sediment Launcher.
Microsoft.Windows.SedimentLauncher.Started
This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Applicable
This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Determine whether action needs to run based on device properties.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings Indicates if self update is enabled in One Settings.
IsSelfUpdateNeeded Indicates if self update is needed.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Completed
This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons List of reasons when the plugin action failed.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedimentSer viceCheckTaskFunctional True/False if scheduled task check succeeded.
SedimentSer viceCurrentBytes Number of current private bytes of memory consumed by sedsvc.exe.
SedimentSer viceKillSer vice True/False if service is marked for kill (Shell.KillService).
SedimentSer viceMaximumBytes Maximum bytes allowed for the service.
SedimentSer viceRetrievedKillSer vice True/False if result of One Settings check for kill succeeded - we only
send back one of these indicators (not for each call).
SedimentSer viceStopping True/False indicating whether the service is stopping.
SedimentSer viceTaskFunctional True/False if scheduled task is functional. If task is not functional this
indicates plugins will be run.
SedimentSer viceTotalIterations Number of 5 second iterations service will wait before running again.
Microsoft.Windows.SedimentService.Started
This event is sent when the Windows Update sediment remediations service starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
The following fields are available:
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
Shared PC events
Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account
Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk
space to improve Windows Update success rates.
The following fields are available:
accountType The type of account that was deleted. Example: AD, AAD, or Local
deleteState Whether the attempted deletion of the user account was successful.
userSid The security identifier of the account.
wilActivity Windows Error Reporting data collected when there is a failure in deleting a user account with the
Transient Account Manager. See wilActivity.
Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for
devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared
devices frees up disk space to improve Windows Update success rates
The following fields are available:
evaluationTrigger When was the Transient Account Manager policies ran? Example: At log off or during
maintenance hours
totalAccountCount The number of accounts on a device after running the Transient Account Manager
policies.
wilActivity Windows Error Reporting data collected when there is a failure in evaluating accounts to be
deleted with the Transient Account Manager. See wilActivity.
wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The function where the failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
wilResult
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The call context stack where failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
SIH events
SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes
important information like if the update required a reboot.
SIHEngineTelemetry.SLSActionData
This event reports if the SIH client was able to successfully parse the manifest describing the actions to be
evaluated.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event – whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
FailedParseActions The list of actions that were not successfully parsed.
ParsedActions The list of actions that were successfully parsed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
SihclientVersion The client version that is being used.
WuapiVersion The Windows Update API version that is currently installed.
WuaucltVersion The Windows Update client version that is currently installed.
WuauengVersion The Windows Update engine version that is currently installed.
WUDeviceID The unique identifier controlled by the software distribution client.
Update events
Update360Telemetry.Revert
This event sends data relating to the Revert phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the Revert phase.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RebootRequired Indicates reboot is required.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
The following fields are available:
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique ID for each flight.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCategoriesSkipped Indicates package categories that were skipped, if applicable.
PackageCountOptional Number of optional packages requested.
PackageCountRequired Number of required packages requested.
PackageCountTotal Total number of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new
Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
PackageCount Number of packages that feel back to canonical.
PackageList PackageIds which fell back to canonical.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Correlation vector value generated from the latest USO scan.
RelatedCV Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMerge
The UpdateAgentMerge event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current merge phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Related correlation vector value.
Result Outcome of the merge phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
The following fields are available:
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
ObjectId Unique value for each Update Agent mode.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
Failed The count of mitigations that failed.
FlightId Unique identifier for each flight.
MitigationScenario The update scenario in which the mitigations were attempted.
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing all mitigations (in 100-nanosecond increments).
Total Total number of mitigations that were available.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates the mode that has started.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
Count The count of applicable OneSettings for the device.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Values The values sent back to the device, if applicable.
Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified
Update Platform (UUP) update scenario.
The following fields are available:
ErrorCode The error code returned for the current post reboot phase.
FlightId The specific ID of the Windows Insider build the device is getting.
ObjectId Unique value for each Update Agent mode.
PostRebootResult Indicates the Hresult.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentReboot
This event sends information indicating that a request has been sent to suspend an update.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
The following fields are available:
ContainsExpressPackage Indicates whether the download package is express.
FlightId Unique ID for each flight.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode.
RelatedCV Correlation vector value generated from the latest USO scan.
SandboxSize Size of the sandbox.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
SetupMode Mode of setup to be launched.
UpdateId Unique ID for each Update.
UserSession Indicates whether install was invoked by user actions.
Upgrade events
FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to
help keep Windows up to date and secure.
The following fields are available:
DownloadSize Download size of payload.
ElapsedTime Time taken to download payload.
MediaFallbackUsed Used to determine if we used Media CompDBs to figure out package requirements for
the upgrade.
ResultCode Result returned by the Facilitator DCAT call.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
Type Type of package that was downloaded.
FacilitatorTelemetry.DUDownload
This event returns data about the download of supplemental packages critical to upgrading a device to the next
version of Windows.
The following fields are available:
PackageCategoriesFailed Lists the categories of packages that failed to download.
PackageCategoriesSkipped Lists the categories of package downloads that were skipped.
FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
The following fields are available:
DCATUrl The Delivery Catalog (DCAT) URL we send the request to.
DownloadRequestAttributes The attributes we send to DCAT.
ResultCode The result returned from the initialization of Facilitator with the URL/attributes.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
Url The Delivery Catalog (DCAT) URL we send the request to.
Version Version of Facilitator.
Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep
Windows up to date and secure.
The following fields are available:
ClientId If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the downlevel OS.
HostOsSkuName The operating system edition which is running Setup360 instance (downlevel OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is
the GUID for the install.wim.
Setup360Extended More detailed information about phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
Setup360Result The result of Setup360 (HRESULT used to diagnose errors).
Setup360Scenario The Setup360 flow type (for example, Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId An ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
Setup360Telemetry.Finalize
This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep
Windows up-to-date and secure.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended More detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.OsUninstall
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.
Specifically, it indicates the outcome of an OS uninstall.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase or action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PostRebootInstall
This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help
keep Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup,
the default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Extension of result - more granular information about phase/action when the potential
failure happened
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
Setup360Result The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
Setup360Telemetry.PreDownloadQuiet
This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous operating system).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
Setup360Telemetry.PreDownloadUX
This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS,
to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion
of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default
value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous operating system.
HostOsSkuName The OS edition which is running the Setup360 instance (previous operating system).
InstanceId Unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PreInstallQuiet
This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep
Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario Setup360 flow type (Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.PreInstallUX
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help
keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type, Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.Setup360
This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
The following fields are available:
ClientId Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
FieldName Retrieves the data point.
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Repor tId Retrieves the report ID.
ScenarioId Retrieves the deployment scenario.
Value Retrieves the value associated with the corresponding FieldName.
Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system
upgrade, to help keep Windows up-to-date.
The following fields are available:
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Operation Facilitator’s last known operation (scan, download, etc.).
Repor tId ID for tying together events stream side.
ResultCode Result returned for the entire setup operation.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
ScenarioId Identifies the update scenario.
TargetBranch Branch of the target OS.
TargetBuild Build of the target OS.
Setup360Telemetry.Setup360MitigationResult
This event sends data indicating the result of each setup mitigation.
The following fields are available:
Applicable TRUE if the mitigation is applicable for the current update.
ClientId In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is
Media360, but can be overwritten by the caller to a unique value.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightData The unique identifier for each flight (test release).
Index The mitigation index of this particular mitigation.
InstanceId The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly (descriptive) name of the mitigation.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly (descriptive) name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
Repor tId In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the
GUID for the INSTALL.WIM.
Result HResult of this operation.
ScenarioId Setup360 flow type.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
Setup360Telemetry.Setup360MitigationSummary
This event sends a summary of all the setup mitigations available for this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
ClientId The Windows Update client ID passed to Setup.
Failed The count of mitigations that failed.
FlightData The unique identifier for each flight (test release).
InstanceId The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
MitigationScenario The update scenario in which the mitigations were attempted.
Repor tId In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the
GUID for the INSTALL.WIM.
Result HResult of this operation.
ScenarioId Setup360 flow type.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
Total The total number of mitigations that were available.
Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
ClientId The Windows Update client ID passed to Setup.
Count The count of applicable OneSettings for the device.
FlightData The ID for the flight (test instance version).
InstanceId The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
Repor tId The Update ID passed to Setup.
Result The HResult of the event error.
ScenarioId The update scenario ID.
Values Values sent back to the device, if applicable.
Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used used to diagnose
errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
AppActionId The ID of the application action.
AppCurrentVisibilityState The ID of the current application visibility state.
AppId The Xbox LIVE Title ID of the app.
AppPackageFullName The full name of the application package.
AppPreviousVisibilityState The ID of the previous application visibility state.
AppSessionId The application session ID.
AppType The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
BCACode The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
DurationMs The amount of time (in milliseconds) since the last application state transition.
IsTrialLicense This boolean value is TRUE if the application is on a trial license.
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 -
Offline, 4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner
of the license.
ProductGuid The Xbox product GUID (Globally-Unique ID) of the application.
UserId The XUID (Xbox User ID) of the current user.
Windows 10, version 1709 basic level Windows
diagnostic events and fields
1/31/2020 • 229 minutes to read • Edit Online
Applies to
Windows 10, version 1709
The Basic level gathers a limited set of information that is critical for understanding the device and its
configuration including: basic device information, quality-related information, app compatibility, and Microsoft
Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of
memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields
Windows 10, version 1809 basic diagnostic events and fields
Windows 10, version 1803 basic diagnostic events and fields
Windows 10, version 1703 basic diagnostic events and fields
Manage connections from Windows operating system components to Microsoft services
Configure Windows diagnostic data in your organization
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
Invalid Signature - This event is superseded by an event that contains additional fields.
The following fields are available:
DatasourceApplicationFile_RS4 An ID for the system, calculated by hashing hardware identifiers.
DatasourceDevicePnp_RS4 An ID for the system, calculated by hashing hardware identifiers.
DatasourceDriverPackage_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoPassive_RS4 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present
on this device.
DatasourceSystemBios_19H1Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS4 The count of the number of this particular object type present on this device.
DecisionApplicationFile_RS4 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS4 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS4 The count of the number of this particular object type present on this device.
DecisionMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present on
this device.
DecisionMediaCenter_RS4 The count of the number of this particular object type present on this device.
DecisionSystemBios_19H1Setup The total DecisionSystemBios objects targeting the next release of
Windows on this device.
DecisionSystemBios_RS4 The total DecisionSystemBios objects targeting Windows 10 version, 1803 present
on this device.
Inventor yApplicationFile The count of the number of this particular object type present on this device.
Inventor yLanguagePack The count of InventoryLanguagePack objects present on this machine.
Inventor yMediaCenter The count of the number of this particular object type present on this device.
Inventor ySystemBios The count of the number of this particular object type present on this device.
Inventor yUplevelDriverPackage The count of the number of this particular object type present on this
device.
PCFP An ID for the system, calculated by hashing hardware identifiers.
SystemMemor y The count of the number of this particular object type present on this device.
SystemProcessorCompareExchange The count of the number of this particular object type present on this
device.
SystemProcessorLahfSahf The count of the number of this particular object type present on this device.
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The count of SystemProcessorSse2 objects present on this machine.
SystemTouch The count of the number of this particular object type present on this device.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of the number of this particular object type present on this
device.
SystemWlan The total number of objects of this type present on this device.
Wmdrm_RS4 The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an anti-virus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an anti-virus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
IsBootCritical Indicates whether the device boot is critical.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
This event indicates that the DatasourceSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
AssociatedDriverWillNotMigrate Will the driver associated with this plug-and-play device migrate?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
This event indicates that the DecisionMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least
once and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
This event indicates that the DecisionMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device blocked from upgrade due to a BIOS block?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for the bios.
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
This event indicates that the DecisionSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
The following fields are available:
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either
have a block in the compatibility database or be part of an antivirus program.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
AvDisplayName If the app is an antivirus app, this is its display name.
AvProductState Indicates whether the antivirus program is turned on and the signatures are up to date.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
HasUpgradeExe Indicates whether the antivirus app has an upgrade.exe file.
IsAv Indicates whether the file an antivirus reporting EXE.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BiosDate The release date of the BIOS in UTC format.
BiosName The name field from Win32_BIOS.
Manufacturer The manufacturer field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
This event indicates that the InventorySystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
The following fields are available:
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The version of the Appraiser file generating the events.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
PCFP An ID for the system calculated by hashing hardware identifiers.
Subcontext Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a
semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryRemove
This event that the SystemMemory object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help
keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
This event indicates that the SystemProcessorCompareExchange object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
This event indicates that the SystemProcessorLahfSahf object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
This event indicates that the SystemProcessorNx object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
This event indicates that the SystemProcessorPrefetchW object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
This event indicates that the SystemProcessorSse2 object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchRemove
This event indicates that the SystemTouch object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimRemove
This event indicates that the SystemWim object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
The following fields are available:
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser telemetry run.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PCFP An ID for the system calculated by hashing hardware identifiers.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
Time The client time of the event.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows
up to date. This data does not indicate the details of the media using the digital rights management, only whether
any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be
able to be removed once all mitigations are in place.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmRemove
This event indicates that the Wmdrm object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Census events
Census.App
This event sends version data about the Apps running on this device, to help keep Windows up to date.
The following fields are available:
AppraiserEnterpriseErrorCode The error code of the last Appraiser enterprise run.
AppraiserErrorCode The error code of the last Appraiser run.
AppraiserRunEndTimeStamp The end time of the last Appraiser run.
AppraiserRunIsInProgressOrCrashed Flag that indicates if the Appraiser run is in progress or has crashed.
AppraiserRunStar tTimeStamp The start time of the last Appraiser run.
AppraiserTaskEnabled Whether the Appraiser task is enabled.
AppraiserTaskExitCode The Appraiser task exist code.
AppraiserTaskLastRun The last runtime for the Appraiser task.
CensusVersion The version of Census that generated the current data for this device.
IEVersion The version of Internet Explorer that is running on the device.
Census.Battery
This event sends type and capacity data about the battery on the device, as well as the number of connected
standby devices in use, type to help keep Windows up to date.
The following fields are available:
InternalBatter yCapablities Represents information about what the battery is capable of doing.
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or relative).
Compare this value to DesignedCapacity to estimate the battery's wear.
InternalBatter yCapacityDesign Represents the theoretical capacity of the battery when new, in mWh.
InternalBatter yNumberOfCharges Provides the number of battery charges. This is used when creating new
products and validating that existing products meets targeted functionality performance.
IsAlwaysOnAlwaysConnectedCapable Represents whether the battery enables the device to be
AlwaysOnAlwaysConnected . Boolean value.
Census.Camera
This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
The following fields are available:
FrontFacingCameraResolution Represents the resolution of the front facing camera in megapixels. If a front
facing camera does not exist, then the value is 0.
RearFacingCameraResolution Represents the resolution of the rear facing camera in megapixels. If a rear
facing camera does not exist, then the value is 0.
Census.Enterprise
This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of
the use and integration of devices in an enterprise, cloud, and server environment.
The following fields are available:
AzureOSIDPresent Represents the field used to identify an Azure machine.
AzureVMType Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
CDJType Represents the type of cloud domain joined for the machine.
CommercialId Represents the GUID for the commercial entity which the device is a member of. Will be used
to reflect insights back to customers.
ContainerType The type of container, such as process or virtual machine hosted.
EnrollmentType Defines the type of MDM enrollment on the device.
HashedDomain The hashed representation of the user domain used for login.
IsCloudDomainJoined Is this device joined to an Azure Active Directory (AAD) tenant? true/false
IsDERequirementMet Represents if the device can do device encryption.
IsDeviceProtected Represents if Device protected by BitLocker/Device Encryption
IsDomainJoined Indicates whether a machine is joined to a domain.
IsEDPEnabled Represents if Enterprise data protected on the device.
IsMDMEnrolled Whether the device has been MDM Enrolled or not.
MPNId Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
SCCMClientId This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based
systems with systems in an Enterprise SCCM environment.
Ser verFeatures Represents the features installed on a Windows Server. This can be used by developers and
administrators who need to automate the process of determining the features installed on a set of server
computers.
SystemCenterID The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
Census.Firmware
This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
The following fields are available:
FirmwareManufacturer Represents the manufacturer of the device's firmware (BIOS).
FirmwareReleaseDate Represents the date the current firmware was released.
FirmwareType Represents the firmware type. The various types can be unknown, BIOS, UEFI.
FirmwareVersion Represents the version of the current firmware.
Census.Flighting
This event sends Windows Insider data from customers participating in improvement testing and feedback
programs, to help keep Windows up to date.
The following fields are available:
DeviceSampleRate The telemetry sample rate assigned to the device.
EnablePreviewBuilds Used to enable Windows Insider builds on a device.
FlightIds A list of the different Windows Insider builds on this device.
FlightingBranchName The name of the Windows Insider branch currently used by the device.
IsFlightsDisabled Represents if the device is participating in the Windows Insider program.
MSA_Accounts Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds)
on this device.
SSRK Retrieves the mobile targeting settings.
Census.Hardware
This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level
setting, and TPM support, to help keep Windows up to date.
The following fields are available:
ActiveMicCount The number of active microphones attached to the device.
ChassisType Represents the type of device chassis, such as desktop or low profile desktop. The possible values
can range between 1 - 36.
ComputerHardwareID Identifies a device class that is represented by a hash of different SMBIOS fields.
D3DMaxFeatureLevel Supported Direct3D version.
DeviceColor Indicates a color of the device.
DeviceForm Indicates the form as per the device classification.
DeviceName The device name that is set by the user.
DigitizerSuppor t Is a digitizer supported?
DUID The device unique ID.
Gyroscope Indicates whether the device has a gyroscope (a mechanical component that measures and
maintains orientation).
Inventor yId The device ID used for compatibility testing.
Magnetometer Indicates whether the device has a magnetometer (a mechanical component that works like a
compass).
NFCProximity Indicates whether the device supports NFC (a set of communication protocols that helps
establish communication when applicable devices are brought close together.)
OEMDigitalMarkerFileName The name of the file placed in the \Windows\system32\drivers directory that
specifies the OEM and model name of the device.
OEMManufacturerName The device manufacturer name. The OEMName for an inactive device is not
reprocessed even if the clean OEM name is changed at a later date.
OEMModelBaseBoard The baseboard model used by the OEM.
OEMModelBaseBoardVersion Differentiates between developer and retail devices.
OEMModelName The device model name.
OEMModelNumber The device model number.
OEMModelSKU The device edition that is defined by the manufacturer.
OEMModelSystemFamily The system family set on the device by an OEM.
OEMModelSystemVersion The system model version set on the device by the OEM.
OEMOptionalIdentifier A Microsoft assigned value that represents a specific OEM subsidiary.
OEMSerialNumber The serial number of the device that is set by the manufacturer.
PhoneManufacturer The friendly name of the phone manufacturer.
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic
form factor of the device.
SoCName The firmware manufacturer of the device.
StudyID Used to identify retail and non-retail device.
Telemetr yLevel The telemetry level the user has opted into, such as Basic or Enhanced.
Telemetr yLevelLimitEnhanced The telemetry level for Windows Analytics-based solutions.
Telemetr ySettingAuthority Determines who set the telemetry level, such as GP, MDM, or the user.
TPMVersion The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
VoiceSuppor ted Does the device have a cellular radio capable of making voice calls?
Census.Memory
This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to
date.
The following fields are available:
TotalPhysicalRAM Represents the physical memory (in MB).
TotalVisibleMemor y Represents the memory that is not reserved by the system.
Census.Network
This event sends data about the mobile and cellular network used by the device (mobile service provider, network,
device ID, and service cost factors), to help keep Windows up to date.
The following fields are available:
IMEI0 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
IMEI1 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
MCC0 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MCC1 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MEID Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to
CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA
phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose
or identify the user.
MNC0 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MNC1 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MobileOperatorBilling Represents the telephone company that provides services for mobile phone users.
MobileOperatorCommercialized Represents which reseller and geography the phone is commercialized for.
This is the set of values on the phone for who and where it was intended to be used. For example, the
commercialized mobile operator code AT&T in the US would be ATT-US.
MobileOperatorNetwork0 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
MobileOperatorNetwork1 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
NetworkAdapterGUID The GUID of the primary network adapter.
NetworkCost Represents the network cost associated with a connection.
SPN0 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
SPN1 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
Census.OS
This event sends data about the operating system such as the version, locale, update service configuration, when
and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
The following fields are available:
ActivationChannel Retrieves the retail license key or Volume license key for a machine.
AssignedAccessStatus Kiosk configuration mode.
CompactOS Indicates if the Compact OS feature from Win10 is enabled.
DeveloperUnlockStatus Represents if a device has been developer unlocked by the user or Group Policy.
DeviceTimeZone The time zone that is set on the device. Example: Pacific Standard Time
GenuineState Retrieves the ID Value specifying the OS Genuine check.
InstallationType Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
InstallLanguage The first language installed on the user machine.
IsDeviceRetailDemo Retrieves if the device is running in demo mode.
IsEduData Returns Boolean if the education data policy is enabled.
IsPor tableOperatingSystem Retrieves whether OS is running Windows-To-Go
IsSecureBootEnabled Retrieves whether Boot chain is signed under UEFI.
LanguagePacks The list of language packages installed on the device.
LicenseStateReason Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an
error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by
the MS store.
OA3xOriginalProductKey Retrieves the License key stamped by the OEM to the machine.
OSEdition Retrieves the version of the current OS.
OSInstallType Retrieves a numeric description of what install was used on the device i.e. clean, upgrade,
refresh, reset, etc
OSOOBEDateTime Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
OSSKU Retrieves the Friendly Name of OS Edition.
OSSubscriptionStatus Represents the existing status for enterprise subscription feature for PRO machines.
OSSubscriptionTypeId Returns boolean for enterprise subscription feature for selected PRO machines.
OSTimeZoneBiasInMins Retrieves the time zone set on machine.
OSUILocale Retrieves the locale of the UI that is currently used by the OS.
ProductActivationResult Returns Boolean if the OS Activation was successful.
ProductActivationTime Returns the OS Activation time for tracking piracy issues.
ProductKeyID2 Retrieves the License key if the machine is updated with a new license key.
RACw7Id Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor
and analyze system usage and reliability.
Ser viceMachineIP Retrieves the IP address of the KMS host used for anti-piracy.
Ser viceMachinePor t Retrieves the port of the KMS host used for anti-piracy.
Ser viceProductKeyID Retrieves the License key of the KMS
SharedPCMode Returns Boolean for education devices used as shared cart
Signature Retrieves if it is a signature machine sold by Microsoft store.
SLICStatus Whether a SLIC table exists on the device.
SLICVersion Returns OS type/version from SLIC table.
Census.Processor
This event sends data about the processor to help keep Windows up to date.
The following fields are available:
KvaShadow This is the micro code information of the processor.
MMSettingOverride Microcode setting of the processor.
MMSettingOverrideMask Microcode setting override of the processor.
ProcessorArchitecture Retrieves the processor architecture of the installed operating system.
ProcessorClockSpeed Clock speed of the processor in MHz.
ProcessorCores Number of logical cores in the processor.
ProcessorIdentifier Processor Identifier of a manufacturer.
ProcessorManufacturer Name of the processor manufacturer.
ProcessorModel Name of the processor model.
ProcessorPhysicalCores Number of physical cores in the processor.
ProcessorUpdateRevision The microcode revision.
ProcessorUpdateStatus Enum value that represents the processor microcode load status
SocketCount Count of CPU sockets.
SpeculationControl Indicates whether the system has enabled protections needed to validate the speculation
control vulnerability.
Census.Security
This event provides information on about security settings used to help keep Windows up to date and secure.
The following fields are available:
AvailableSecurityProper ties This field helps to enumerate and report state on the relevant security
properties for Device Guard.
CGRunning Credential Guard isolates and hardens key system and user secrets against compromise, helping
to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already
running via a local or network based vector. This field tells if Credential Guard is running.
DGState This field summarizes the Device Guard state.
HVCIRunning Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes
and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all
software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
IsSawGuest Indicates whether the device is running as a Secure Admin Workstation Guest.
IsSawHost Indicates whether the device is running as a Secure Admin Workstation Host.
RequiredSecurityProper ties Describes the required security properties to enable virtualization-based
security.
SecureBootCapable Systems that support Secure Boot can have the feature turned off via BIOS. This field
tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
VBSState Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of
the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to
isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled,
Enabled, or Running.
Census.Speech
This event is used to gather basic speech settings on the device.
The following fields are available:
AboveLockEnabled Cortana setting that represents if Cortana can be invoked when the device is locked.
GPAllowInputPersonalization Indicates if a Group Policy setting has enabled speech functionalities.
HolographicSpeechInputDisabled Holographic setting that represents if the attached HMD devices have
speech functionality disabled by the user.
HolographicSpeechInputDisabledRemote Indicates if a remote policy has disabled speech functionalities
for the HMD devices.
KWSEnabled Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
MDMAllowInputPersonalization Indicates if an MDM policy has enabled speech functionalities.
RemotelyManaged Indicates if the device is being controlled by a remote administrator (MDM or Group
Policy) in the context of speech functionalities.
SpeakerIdEnabled Cortana setting that represents if keyword detection has been trained to try to respond to
a single user's voice.
SpeechSer vicesEnabled Windows setting that represents whether a user is opted-in for speech services on
the device.
Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to
date.
The following fields are available:
Primar yDiskTotalCapacity Retrieves the amount of disk space on the primary disk of the device in MB.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to
which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
SystemVolumeTotalCapacity Retrieves the size of the partition that the System volume is installed on in MB.
Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular
extensions and protocols, to help keep Windows up to date.
The following fields are available:
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm,
.jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
DefaultBrowserProgId The ProgramId of the current user's default browser.
Census.UserDisplay
This event sends data about the logical/physical display size, resolution and number of internal/external displays,
and VRAM on the system, to help keep Windows up to date.
The following fields are available:
InternalPrimar yDisplayLogicalDPIX Retrieves the logical DPI in the x-direction of the internal display.
InternalPrimar yDisplayLogicalDPIY Retrieves the logical DPI in the y-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIX Retrieves the physical DPI in the x-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIY Retrieves the physical DPI in the y-direction of the internal display.
InternalPrimar yDisplayResolutionHorizontal Retrieves the number of pixels in the horizontal direction of
the internal display.
InternalPrimar yDisplayResolutionVer tical Retrieves the number of pixels in the vertical direction of the
internal display.
InternalPrimar yDisplaySizePhysicalH Retrieves the physical horizontal length of the display in mm. Used
for calculating the diagonal length in inches .
InternalPrimar yDisplaySizePhysicalY Retrieves the physical vertical length of the display in mm. Used for
calculating the diagonal length in inches
NumberofExternalDisplays Retrieves the number of external displays connected to the machine
NumberofInternalDisplays Retrieves the number of internal displays in a machine.
VRAMDedicated Retrieves the video RAM in MB.
VRAMDedicatedSystem Retrieves the amount of memory on the dedicated video card.
VRAMSharedSystem Retrieves the amount of RAM memory that the video card can use.
Census.UserNLS
This event sends data about the default app language, input, and display language preferences set by the user, to
help keep Windows up to date.
The following fields are available:
DefaultAppLanguage The current user Default App Language.
DisplayLanguage The current user preferred Windows Display Language.
HomeLocation The current user location, which is populated using GetUserGeoId() function.
KeyboardInputLanguages The Keyboard input languages installed on the device.
SpeechInputLanguages The Speech Input languages installed on the device.
Census.VM
This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to
help keep Windows up to date.
The following fields are available:
CloudSer vice Indicates which cloud service, if any, that this virtual machine is running within.
HyperVisor Retrieves whether the current OS is running on top of a Hypervisor.
IOMMUPresent Represents if an input/output memory management unit (IOMMU) is present.
IsVDI Is the device using Virtual Desktop Infrastructure?
IsVir tualDevice Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should
not be relied upon for non-Hv#1 Hypervisors.
SL ATSuppor ted Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
Vir tualizationFirmwareEnabled Represents whether virtualization is enabled in the firmware.
Census.WU
This event sends data about the Windows update server and other App store policies, to help keep Windows up to
date.
The following fields are available:
AppraiserGatedStatus Indicates whether a device has been gated for upgrading.
AppStoreAutoUpdate Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
AppStoreAutoUpdateMDM Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 -
Not configured. Default: [2] Not configured
AppStoreAutoUpdatePolicy Retrieves the Microsoft Store App Auto Update group policy setting
DelayUpgrade Retrieves the Windows upgrade flag for delaying upgrades.
OSAssessmentFeatureOutOfDate How many days has it been since a the last feature update was released
but the device did not install it?
OSAssessmentForFeatureUpdate Is the device is on the latest feature update?
OSAssessmentForQualityUpdate Is the device on the latest quality update?
OSAssessmentForSecurityUpdate Is the device on the latest security update?
OSAssessmentQualityOutOfDate How many days has it been since a the last quality update was released
but the device did not install it?
OSAssessmentReleaseInfoTime The freshness of release information used to perform an assessment.
OSRollbackCount The number of times feature updates have rolled back on the device.
OSRolledBack A flag that represents when a feature update has rolled back during setup.
OSUninstalled A flag that represents when a feature update is uninstalled on a device .
OSWUAutoUpdateOptions Retrieves the auto update settings on the device.
UninstallActive A flag that represents when a device has uninstalled a previous upgrade recently.
UpdateSer viceURLConfigured Retrieves if the device is managed by Windows Server Update Services
(WSUS).
WUDeferUpdatePeriod Retrieves if deferral is set for Updates.
WUDeferUpgradePeriod Retrieves if deferral is set for Upgrades.
WUDODownloadMode Retrieves whether DO is turned on and how to acquire/distribute updates Delivery
Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same
network.
WUMachineId Retrieves the Windows Update (WU) Machine Identifier.
WUPauseState Retrieves WU setting to determine if updates are paused.
WUSer ver Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers
(by default).
Census.Xbox
This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to
date.
The following fields are available:
XboxConsolePreferredLanguage Retrieves the preferred language selected by the user on Xbox console.
XboxConsoleSerialNumber Retrieves the serial number of the Xbox console.
XboxLiveDeviceId Retrieves the unique device ID of the console.
XboxLiveSandboxId Retrieves the developer sandbox ID if the device is internal to Microsoft.
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
The following fields are available:
AdapterTypeValue The numeric value indicating the type of Graphics adapter.
aiSeqId The event sequence ID.
bootId The system boot ID.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRemovable TRUE if the adapter supports being disabled or removed.
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Inventory events
Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
This event captures basic checksum data about the device inventory items stored in the cache for use in
validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change
over time, but they will always represent a count of a given object.
The following fields are available:
Device A count of device objects in cache.
DeviceCensus A count of devicecensus objects in cache.
DriverPackageExtended A count of driverpackageextended objects in cache.
File A count of file objects in cache.
FileSigningInfo A count of file signing objects in cache.
Generic A count of generic objects in cache.
HwItem A count of hwitem objects in cache.
Inventor yApplication A count of application objects in cache.
Inventor yApplicationFile A count of application file objects in cache.
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDeviceInterface A count of Plug and Play device interface objects in cache.
Inventor yDeviceMediaClass A count of device media objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDeviceUsbHubClass A count of device usb objects in cache
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Metadata A count of metadata objects in cache.
Orphan A count of orphan file objects in cache.
Programs A count of program objects in cache.
Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
This event sends inventory component versions for the Device Inventory data.
The following fields are available:
aeinv The version of the App inventory component.
devinv The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
HiddenArp Indicates whether a program hides itself from showing up in ARP.
InstallDate The date the application was installed (a best guess based on folder creation date heuristics).
InstallDateArpLastModified The date of the registry ARP key for a given application. Hints at install date but
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array.
InstallDateMsi The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
Inventor yVersion The version of the inventory file generating the events.
Language The language code of the program.
MsiPackageCode A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an
MsiPackage.
MsiProductCode A GUID that describe the MSI Product.
Name The name of the application.
OSVersionAtInstallTime The four octets from the OS version at the time of the application's install.
PackageFullName The package full name for a Store application.
ProgramInstanceId A hash of the file IDs in an app.
Publisher The Publisher of the application. Location pulled from depends on the 'Source' field.
RootDirPath The path to the root directory where the program was installed.
Source How the program was installed (for example, ARP, MSI, Appx).
StoreAppType A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
Type One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app,
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it
is a service. Application and BOE are the ones most likely seen.
Version The version number of the program.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component.
ProgramIds The unique program identifier the driver is associated with.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
FileId A hash that uniquely identifies a file.
Frameworks The list of frameworks this file depends on.
Inventor yVersion The version of the inventory file generating the events.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
This event indicates that a new set of InventoryApplicationAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and
Play device) to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Categories A comma separated list of functional categories in which the container belongs.
Discover yMethod The discovery method for the device container.
FriendlyName The name of the device container.
Inventor yVersion The version of the inventory file generating the events.
IsActive Is the device connected, or has it been seen in the last 14 days?
IsConnected For a physically attached device, this value is the same as IsPresent. For wireless a device, this
value represents a communication link.
IsMachineContainer Is the container the root device itself?
IsNetworked Is this a networked device?
IsPaired Does the device container require pairing?
Manufacturer The manufacturer name for the device container.
ModelId A unique model ID.
ModelName The model name.
ModelNumber The model number for the device container.
Primar yCategor y The primary category for the device container.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
This event indicates that the InventoryDeviceContainer object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Accelerometer3D Indicates if an Accelerator3D sensor is found.
ActivityDetection Indicates if an Activity Detection sensor is found.
AmbientLight Indicates if an Ambient Light sensor is found.
Barometer Indicates if a Barometer sensor is found.
Custom Indicates if a Custom sensor is found.
EnergyMeter Indicates if an Energy sensor is found.
FloorElevation Indicates if a Floor Elevation sensor is found.
GeomagneticOrientation Indicates if a Geo Magnetic Orientation sensor is found.
GravityVector Indicates if a Gravity Detector sensor is found.
Gyrometer3D Indicates if a Gyrometer3D sensor is found.
Humidity Indicates if a Humidity sensor is found.
Inventor yVersion The version of the inventory file generating the events.
LinearAccelerometer Indicates if a Linear Accelerometer sensor is found.
Magnetometer3D Indicates if a Magnetometer3D sensor is found.
Orientation Indicates if an Orientation sensor is found.
Pedometer Indicates if a Pedometer sensor is found.
Proximity Indicates if a Proximity sensor is found.
RelativeOrientation Indicates if a Relative Orientation sensor is found.
SimpleDeviceOrientation Indicates if a Simple Device Orientation sensor is found.
Temperature Indicates if a Temperature sensor is found.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to
help keep Windows up to date while reducing overall size of data payload.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Audio_CaptureDriver The Audio device capture driver endpoint.
Audio_RenderDriver The Audio device render driver endpoint.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date.
This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BusRepor tedDescription The description of the device reported by the bus.
Class The device setup class of the driver loaded for the device.
ClassGuid The device class unique identifier of the driver package loaded on the device.
COMPID The list of “Compatible IDs” for this device.
ContainerId The system-supplied unique identifier that specifies which group(s) the device(s) installed on the
parent (main) device belong to.
Description The description of the device.
DeviceState Identifies the current state of the parent (main) device.
DriverId The unique identifier for the installed driver.
DriverName The file name of the installed driver image.
DriverPackageStrongName The immediate parent directory name in the Directory field of
InventoryDriverPackage.
DriverVerDate The date associated with the driver installed on the device.
DriverVerVersion The version number of the driver installed on the device.
Enumerator Identifies the bus that enumerated the device.
HWID A list of hardware IDs for the device.
Inf The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
InstallState The device installation state. For a list of values, see:
https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
Inventor yVersion The version number of the inventory process generating the events.
LowerClassFilters The identifiers of the Lower Class filters installed for the device.
LowerFilters The identifiers of the Lower filters installed for the device.
Manufacturer The manufacturer of the device.
MatchingID The Hardware ID or Compatible ID that Windows uses to install a device instance.
Model Identifies the model of the device.
ParentId The Device Instance ID of the parent of the device.
ProblemCode The error code currently returned by the device, if applicable.
Provider Identifies the device provider.
Ser vice The name of the device service.
STACKID The list of hardware IDs for the stack.
UpperClassFilters The identifiers of the Upper Class filters installed for the device.
UpperFilters The identifiers of the Upper filters installed for the device.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
This event indicates that the InventoryDevicePnpRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
TotalUserConnectablePor ts Total number of connectable USB ports.
TotalUserConnectableTypeCPor ts Total number of connectable USB Type C ports.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
DriverCheckSum The checksum of the driver file.
DriverCompany The company name that developed the driver.
DriverInBox Is the driver included with the operating system?
DriverIsKernelMode Is it a kernel mode driver?
DriverName The file name of the driver.
DriverPackageStrongName The strong name of the driver package
DriverSigned The strong name of the driver package
DriverTimeStamp The low 32 bits of the time stamp of the driver file.
DriverType A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define
DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define
DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define
DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8.
define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE
0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64
0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define
DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15.
define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED
0x800000.
DriverVersion The version of the driver file.
ImageSize The size of the driver file.
Inf The name of the INF file.
Inventor yVersion The version of the inventory file generating the events.
Product The product name that is included in the driver file.
ProductVersion The product version that is included in the driver file.
Ser vice The name of the service that is installed for the device.
WdfVersion The Windows Driver Framework version.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
This event indicates that the InventoryDriverBinary object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Class The class name for the device driver.
ClassGuid The class GUID for the device driver.
Date The driver package date.
Director y The path to the driver package.
DriverInBox Is the driver included with the operating system?
Inf The INF name of the driver package.
Inventor yVersion The version of the inventory file generating the events.
Provider The provider for the driver package.
SubmissionId The HLK submission ID for the driver package.
Version The version of the driver package.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
This event indicates that the InventoryDriverPackageRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
The following fields are available:
AhaVersion The binary version of the App Health Analyzer tool.
ApplicationErrors The count of application errors from the event log.
Bitness The architecture type of the application (16 Bit or 32 bit or 64 bit).
device_level Various JRE/JAVA versions installed on a particular device.
ExtendedProper ties Attribute used for aggregating all other attributes under this event type.
Jar Flag to determine if an app has a Java JAR file dependency.
Jre Flag to determine if an app has JRE framework dependency.
Jre_version JRE versions an app has declared framework dependency for.
Name Name of the application.
NonDPIAware Flag to determine if an app is non-DPI aware
NumBinaries Count of all binaries (.sys,.dll,.ini) from application install location.
RequiresAdmin Flag to determine if an app requests admin privileges for execution.
RequiresAdminv2 Additional flag to determine if an app requests admin privileges for execution.
RequiresUIAccess Flag to determine if an app is based on UI features for accessibility.
VB6 Flag to determine if an app is based on VB6 framework.
VB6v2 Additional flag to determine if an app is based on VB6 framework.
Version Version of the application.
VersionCheck Flag to determine if an app has a static dependency on OS version.
VersionCheckv2 Additional flag to determine if an app has a static dependency on OS version.
Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
This event indicates the beginning of a series of AppHealthStaticAdd events.
The following fields are available:
AllowTelemetr y Indicates the presence of the 'allowtelemetry' command line argument.
CommandLineArgs Command line arguments passed when launching the App Health Analyzer executable.
Enhanced Indicates the presence of the 'enhanced' command line argument.
Star tTime UTC date and time at which this event was sent.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
Invalid variant - Provides data on the installed Office Add-ins
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AddinCLSID The class identifier key for the Microsoft Office add-in.
AddInCLSID The class identifier key for the Microsoft Office add-in.
AddInId The identifier for the Microsoft Office add-in.
AddinType The type of the Microsoft Office add-in.
BinFileTimestamp The timestamp of the Office add-in.
BinFileVersion The version of the Microsoft Office add-in.
Description Description of the Microsoft Office add-in.
FileId The file identifier of the Microsoft Office add-in.
FileSize The file size of the Microsoft Office add-in.
FriendlyName The friendly name for the Microsoft Office add-in.
FullPath The full path to the Microsoft Office add-in.
Inventor yVersion The version of the inventory binary generating the events.
LoadBehavior Integer that describes the load behavior.
LoadTime Load time for the Office add-in.
OfficeApplication The Microsoft Office application associated with the add-in.
OfficeArchitecture The architecture of the add-in.
OfficeVersion The Microsoft Office version for this add-in.
OutlookCrashingAddin Indicates whether crashes have been found for this add-in.
ProductCompany The name of the company associated with the Office add-in.
ProductName The product name associated with the Microsoft Office add-in.
ProductVersion The version associated with the Office add-in.
ProgramId The unique program identifier of the Microsoft Office add-in.
Provider Name of the provider for this add-in.
Usage Data regarding usage of the add-in.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
This event indicates that the particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
This event provides data on the Office identifiers
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OAudienceData Sub-identifier for Microsoft Office release management, identifying the pilot group for a
device
OAudienceId Microsoft Office identifier for Microsoft Office release management, identifying the pilot group
for a device
OMID Identifier for the Office SQM Machine
OPlatform Whether the installed Microsoft Office product is 32-bit or 64-bit
OTenantId Unique GUID representing the Microsoft O365 Tenant
OVersion Installed version of Microsoft Office. For example, 16.0.8602.1000
OWowMID Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft
Office on 64-bit Windows)
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
This event includes the Office-related Internet Explorer features
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OIeFeatureAddon Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on
management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the
user or by administrative group policy will also be disabled in applications that enable this feature.
OIeMachineLockdown Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on
content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
OIeMimeHandling Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely.
Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeMimeSniffing Flag indicating which Microsoft Office products have this setting enabled. Determines a
file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to
render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each
security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
OIeNoAxInstall Flag indicating which Microsoft Office products have this setting enabled. When a webpage
attempts to load or install an ActiveX control that isn't already installed, the
FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an
ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
OIeNoDownload Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that
display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click
or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeObjectCaching Flag indicating which Microsoft Office products have this setting enabled. When enabled,
the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls
cached from different domains or security contexts
OIePasswordDisable Flag indicating which Microsoft Office products have this setting enabled. After
Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows
usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other
protocols, such as FTP, still allow usernames and passwords
OIeSafeBind Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to
create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if
COMPAT_EVIL_DONT_LOAD is in the registry for the control
OIeSecurityBand Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled,
the Information bar appears when file download or code installation is restricted
OIeUncSaveCheck Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from
network locations that have been shared by using the Universal Naming Convention (UNC)
OIeValidateUrl Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a
badly formed URL
OIeWebOcPopup Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to
receive the default Internet Explorer pop-up window management behavior
OIeWinRestrict Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup
windows
OIeZoneElevate Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security
zone unless the navigation is generated by the user
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
Provides insight data on the installed Office products
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OfficeApplication The name of the Office application.
OfficeArchitecture The bitness of the Office application.
OfficeVersion The version of the Office application.
Value The insights collected about this entity.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
This event indicates that the particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
This event list all installed Office products
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
OC2rApps A GUID the describes the Office Click-To-Run apps
OC2rSkus Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example,
Office 2016 ProPlus
OMsiApps Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft
Word
OProductCodes A GUID that describes the Office MSI products
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
This event describes various Office settings
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
BrowserFlags Browser flags for Office-related products.
ExchangeProviderFlags Office Exchange provider policies
Inventor yVersion The version of the inventory binary generating the events.
SharedComputerLicensing Office Shared Computer Licensing policies
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
This event provides a summary rollup count of conditions encountered while performing a local scan of Office
files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus,
and between 32 and 64-bit versions
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Design Count of files with design issues found
Design_x64 Count of files with 64 bit design issues found
DuplicateVBA Count of files with duplicate VBA code
HasVBA Count of files with VBA code
Inaccessible Count of files that were inaccessible for scanning
Issues Count of files with issues detected
Issues_x64 Count of files with 64-bit issues detected
IssuesNone Count of files with no issues detected
IssuesNone_x64 Count of files with no 64-bit issues detected
Locked Count of files that were locked, preventing scanning
NoVBA Count of files with no VBA inside
Protected Count of files that were password protected, preventing scanning
RemLimited Count of files that require limited remediation changes
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues
RemSignificant Count of files that require significant remediation changes
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues
Score Overall compatibility score calculated for scanned content
Score_x64 Overall 64-bit compatibility score calculated for scanned content
Total Total number of files scanned
Validation Count of files that require additional manual validation
Validation_x64 Count of files that require additional manual validation for 64-bit issues
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
This event indicates that the particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving
an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated
with the validation rule
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Count Count of total Microsoft Office VBA rule violations
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
This event indicates that the particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory binary generating the events.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Identifier UUP identifier
LastActivatedVersion Last activated version
PreviousVersion Previous version
Source UUP source
Version UUP version
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
Diagnostic event to indicate a new sync is being generated for this object type
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
The following fields are available:
ChecksumDictionar y A count of each operating system indicator.
PCFP Equivalent to the InventoryId field that is found in other core events.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
These events represent the basic metadata about the OS indicators installed on the system which are used for
keeping the device up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
IndicatorValue The indicator value.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been
removed.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
The following fields are available:
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
OS information collected during Boot, used to evaluate the success of the upgrade process.
The following fields are available:
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
UserInputTime The amount of time the loader application spent waiting for user input.
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
This event returns data to track the count of the migration objects across various phases during feature update.
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
This event returns data to track the count of the migration objects across various phases during feature update.
OneDrive events
Microsoft.OneDrive.Sync.Setup.APIOperation
This event includes basic data about install and uninstall OneDrive API operations.
The following fields are available:
APIName The name of the API.
Duration How long the operation took.
IsSuccess Was the operation successful?
ResultCode The result code.
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.EndExperience
This event includes a success or failure summary of the installation.
The following fields are available:
APIName The name of the API.
HResult The result code of the last action performed before this operation
IsSuccess Was the operation successful?
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
The following fields are available:
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
This event is related to registering or unregistering the OneDrive update task.
The following fields are available:
APIName The name of the API.
IsSuccess Was the operation successful?
RegisterNewTaskResult The HResult of the RegisterNewTask operation.
ScenarioName The name of the scenario.
UnregisterOldTaskResult The HResult of the UnregisterOldTask operation.
Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
The following fields are available:
ComponentName The name of the dependent component.
isInstalled Is the dependent component installed?
Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
The following fields are available:
32bit The status of the OneDrive overlay icon on a 32-bit operating system.
64bit The status of the OneDrive overlay icon on a 64-bit operating system.
Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
This event sends information describing the result of the update.
The following fields are available:
hr The HResult of the operation.
IsLoggingEnabled Indicates whether logging is enabled for the updater.
UpdaterVersion The version of the updater.
Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
This event determines the status when downloading the OneDrive update configuration file.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
This event determines the error code that was returned when verifying Internet connectivity.
The following fields are available:
winInetError The HResult of the operation.
Remediation events
Microsoft.Windows.Remediation.Applicable
deny
The following fields are available:
ActionName The name of the action to be taken by the plug-in.
AppraiserBinariesValidResult Indicates whether the plug-in was appraised as valid.
AppraiserDetectCondition Indicates whether the plug-in passed the appraiser's check.
AppraiserRegistr yValidResult Indicates whether the registry entry checks out as valid.
AppraiserTaskDisabled Indicates the appraiser task is disabled.
CV Correlation vector
DateTimeDifference The difference between local and reference clock times.
DateTimeSyncEnabled Indicates whether the Datetime Sync plug-in is enabled.
DaysSinceLastSIH The number of days since the most recent SIH executed.
DaysToNextSIH The number of days until the next scheduled SIH execution.
DetectedCondition Indicates whether detected condition is true and the perform action will be run.
EvalAndRepor tAppraiserBinariesFailed Indicates the EvalAndReportAppraiserBinaries event failed.
EvalAndRepor tAppraiserRegEntries Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
EvalAndRepor tAppraiserRegEntriesFailed Indicates the EvalAndReportAppraiserRegEntriesFailed event
failed.
GlobalEventCounter Client side counter that indicates ordering of events sent by the remediation system.
HResult The HRESULT for detection or perform action phases of the plugin.
IsAppraiserLatestResult The HRESULT from the appraiser task.
IsConfigurationCorrected Indicates whether the configuration of SIH task was successfully corrected.
LastHresult The HRESULT for detection or perform action phases of the plugin.
LastRun The date of the most recent SIH run.
NextRun Date of the next scheduled SIH run.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Reload True if SIH reload is required.
RemediationNoisyHammerAcLineStatus Indicates the AC Line Status of the device.
RemediationNoisyHammerAutoStar tCount The number of times hammer auto-started.
RemediationNoisyHammerCalendarTaskEnabled Event that indicates Update Assistant Calendar Task is
enabled.
RemediationNoisyHammerCalendarTaskExists Event that indicates an Update Assistant Calendar Task
exists.
RemediationNoisyHammerCalendarTaskTriggerEnabledCount Event that indicates calendar triggers are
enabled in the task.
RemediationNoisyHammerDaysSinceLastTaskRunTime The number of days since the most recent Noisy
Hammer task ran.
RemediationNoisyHammerGetCurrentSize Size in MB of the $GetCurrent folder.
RemediationNoisyHammerIsInstalled TRUE if the noisy hammer is installed.
RemediationNoisyHammerLastTaskRunResult The result of the last hammer task run.
RemediationNoisyHammerMeteredNetwork TRUE if the machine is on a metered network.
RemediationNoisyHammerTaskEnabled Indicates whether the Update Assistant Task (Noisy Hammer) is
enabled.
RemediationNoisyHammerTaskExists Indicates whether the Update Assistant Task (Noisy Hammer) exists.
RemediationNoisyHammerTaskTriggerEnabledCount Indicates whether counting is enabled for the
Update Assistant (Noisy Hammer) task trigger.
RemediationNoisyHammerUAExitCode The exit code of the Update Assistant (Noisy Hammer) task.
RemediationNoisyHammerUAExitState The code for the exit state of the Update Assistant (Noisy Hammer)
task.
RemediationNoisyHammerUserLoggedIn TRUE if there is a user logged in.
RemediationNoisyHammerUserLoggedInAdmin TRUE if there is the user currently logged in is an Admin.
RemediationShellDeviceManaged TRUE if the device is WSUS managed or Windows Updated disabled.
RemediationShellDeviceNewOS TRUE if the device has a recently installed OS.
RemediationShellDeviceSccm TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
RemediationShellDeviceZeroExhaust TRUE if the device has opted out of Windows Updates completely.
RemediationTargetMachine Indicates whether the device is a target of the specified fix.
RemediationTaskHealthAutochkProxy True/False based on the health of the AutochkProxy task.
RemediationTaskHealthChkdskProactiveScan True/False based on the health of the Check Disk task.
RemediationTaskHealthDiskCleanup_SilentCleanup True/False based on the health of the Disk Cleanup
task.
RemediationTaskHealthMaintenance_WinSAT True/False based on the health of the Health Maintenance
task.
RemediationTaskHealthSer vicing_ComponentCleanupTask True/False based on the health of the Health
Servicing Component task.
RemediationTaskHealthUSO_ScheduleScanTask True/False based on the health of the USO (Update
Session Orchestrator) Schedule task.
RemediationTaskHealthWindowsUpdate_ScheduledStar tTask True/False based on the health of the
Windows Update Scheduled Start task.
RemediationTaskHealthWindowsUpdate_SihbootTask True/False based on the health of the Sihboot task.
RemediationUHSer viceBitsSer viceEnabled Indicates whether BITS service is enabled.
RemediationUHSer viceDeviceInstallEnabled Indicates whether Device Install service is enabled.
RemediationUHSer viceDoSvcSer viceEnabled Indicates whether DO service is enabled.
RemediationUHSer viceDsmsvcEnabled Indicates whether DSMSVC service is enabled.
RemediationUHSer viceLicensemanagerEnabled Indicates whether License Manager service is enabled.
RemediationUHSer viceMpssvcEnabled Indicates whether MPSSVC service is enabled.
RemediationUHSer viceTokenBrokerEnabled Indicates whether Token Broker service is enabled.
RemediationUHSer viceTrustedInstallerSer viceEnabled Indicates whether Trusted Installer service is
enabled.
RemediationUHSer viceUsoSer viceEnabled Indicates whether USO (Update Session Orchestrator) service
is enabled.
RemediationUHSer vicew32timeSer viceEnabled Indicates whether W32 Time service is enabled.
RemediationUHSer viceWecsvcEnabled Indicates whether WECSVC service is enabled.
RemediationUHSer viceWinmgmtEnabled Indicates whether WMI service is enabled.
RemediationUHSer viceWpnSer viceEnabled Indicates whether WPN service is enabled.
RemediationUHSer viceWuauser vSer viceEnabled Indicates whether WUAUSERV service is enabled.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
RunAppraiserFailed Indicates RunAppraiser failed to run correctly.
RunTask TRUE if SIH task should be run by the plug-in.
TimeSer viceNTPSer ver The URL for the NTP time server used by device.
TimeSer viceStar tType The startup type for the NTP time service.
TimeSer viceSyncDomainJoined True if device domain joined and hence uses DC for clock.
TimeSer viceSyncType Type of sync behavior for Date & Time service on device.
Microsoft.Windows.Remediation.ChangePowerProfileDetection
Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable
installation of security or quality updates.
The following fields are available:
ActionName A descriptive name for the plugin action
CurrentPowerPlanGUID The ID of the current power plan configured on the device
CV Correlation vector
GlobalEventCounter Counter that indicates the ordering of events on the device
PackageVersion Current package version of remediation service
RemediationBatter yPowerBatter yLevel Integer between 0 and 100 indicating % battery power remaining
(if not on battery, expect 0)
RemediationFUInProcess Result that shows whether the device is currently installing a feature update
RemediationFURebootRequred Indicates that a feature update reboot required was detected so the plugin
will exit.
RemediationScanInProcess Result that shows whether the device is currently scanning for updates
RemediationTargetMachine Result that shows whether this device is a candidate for remediation(s) that will
fix update issues
SetupMutexAvailable Result that shows whether setup mutex is available or not
SysPowerStatusAC Result that shows whether system is on AC power or not
Microsoft.Windows.Remediation.Completed
This event is sent when Windows Update sediment remediations have completed on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
ActionName Name of the action to be completed by the plug-in.
AppraiserTaskCreationFailed TRUE if the appraiser task creation failed to complete successfully.
AppraiserTaskDeleteFailed TRUE if deletion of appraiser task failed to complete successfully.
AppraiserTaskExistFailed TRUE if detection of the appraiser task failed to complete successfully.
AppraiserTaskLoadXmlFailed TRUE if the Appraiser XML Loader failed to complete successfully.
AppraiserTaskMissing TRUE if the Appraiser task is missing.
AppraiserTaskTimeTriggerUpdateFailedId TRUE if the Appraiser Task Time Trigger failed to update
successfully.
AppraiserTaskValidateTaskXmlFailed TRUE if the Appraiser Task XML failed to complete successfully.
branchReadinessLevel Branch readiness level policy.
cloudControlState Value indicating whether the shell is enabled on the cloud control settings.
CrossedDiskSpaceThreshold Indicates if cleanup resulted in hard drive usage threshold required for feature
update to be exceeded.
CV The Correlation Vector.
DateTimeDifference The difference between the local and reference clocks.
DaysSinceOsInstallation The number of days since the installation of the Operating System.
DiskMbCleaned The amount of space cleaned on the hard disk, measured in megabytes.
DiskMbFreeAfterCleanup The amount of free hard disk space after cleanup, measured in Megabytes.
DiskMbFreeBeforeCleanup The amount of free hard disk space before cleanup, measured in Megabytes.
ForcedAppraiserTaskTriggered TRUE if Appraiser task ran from the plug-in.
GlobalEventCounter Client-side counter that indicates ordering of events sent by the active user.
HandlerCleanupFreeDiskInMegabytes The amount of hard disk space cleaned by the storage sense
handlers, measured in megabytes.
hasRolledBack Indicates whether the client machine has rolled back.
hasUninstalled Indicates whether the client machine has uninstalled a later version of the OS.
hResult The result of the event execution.
HResult The result of the event execution.
installDate The value of installDate registry key. Indicates the install date.
isNetworkMetered Indicates whether the client machine has uninstalled a later version of the OS.
LatestState The final state of the plug-in component.
MicrosoftCompatibilityAppraiser The name of the component targeted by the Appraiser plug-in.
PackageVersion The package version for the current Remediation.
PageFileCount The number of Windows Page files.
PageFileCurrentSize The size of the Windows Page file, measured in Megabytes.
PageFileLocation The storage location (directory path) of the Windows Page file.
PageFilePeakSize The maximum amount of hard disk space used by the Windows Page file, measured in
Megabytes.
PluginName The name of the plug-in specified for each generic plug-in event.
RanCleanup TRUE if the plug-in ran disk cleanup.
RemediationBatter yPowerBatter yLevel Indicates the battery level at which it is acceptable to continue
operation.
RemediationBatter yPowerExitDueToLowBatter y True when we exit due to low battery power.
RemediationBatter yPowerOnBatter y True if we allow execution on battery.
RemediationConfigurationTroubleshooterExecuted True/False based on whether the Remediation
Configuration Troubleshooter executed successfully.
RemediationConfigurationTroubleshooterIpconfigFix TRUE if IPConfig Fix completed successfully.
RemediationConfigurationTroubleshooterNetShFix TRUE if network card cache reset ran successfully.
RemediationDiskCleanSizeBtWindowsFolderInMegabytes The size of the Windows BT folder (used to
store Windows upgrade files), measured in Megabytes.
RemediationDiskCleanupBTFolderEsdSizeInMB The size of the Windows BT folder (used to store Windows
upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
RemediationDiskCleanupGetCurrentEsdSizeInMB The size of any existing ESD (Electronic Software
Delivery) folder, measured in Megabytes.
RemediationDiskCleanupSearchFileSizeInMegabytes The size of the Cleanup Search index file, measured
in Megabytes.
RemediationDiskCleanupUpdateAssistantSizeInMB The size of the Update Assistant folder, measured in
Megabytes.
RemediationDoorstopChangeSucceeded TRUE if Doorstop registry key was successfully modified.
RemediationDoorstopExists TRUE if there is a One Settings Doorstop value.
RemediationDoorstopRegkeyError TRUE if an error occurred accessing the Doorstop registry key.
RemediationDRFKeyDeleteSucceeded TRUE if the RecoveredFrom (Doorstop) registry key was successfully
deleted.
RemediationDUABuildNumber The build number of the DUA.
RemediationDUAKeyDeleteSucceeded TRUE if the UninstallActive registry key was successfully deleted.
RemediationDuplicateTokenSucceeded TRUE if the user token was successfully duplicated.
remediationExecution Remediation shell is in "applying remediation" state.
RemediationHibernationMigrated TRUE if hibernation was migrated.
RemediationHibernationMigrationSucceeded TRUE if hibernation migration succeeded.
RemediationImpersonateUserSucceeded TRUE if the user was successfully impersonated.
RemediationNoisyHammerTaskKickOffIsSuccess TRUE if the NoisyHammer task started successfully.
RemediationQuer yTokenSucceeded TRUE if the user token was successfully queried.
RemediationRanHibernation TRUE if the system entered Hibernation.
RemediationRever tToSystemSucceeded TRUE if reversion to the system context succeeded.
RemediationShellHasUpgraded TRUE if the device upgraded.
RemediationShellMinimumTimeBetweenShellRuns Indicates the time between shell runs exceeded the
minimum required to execute plugins.
RemediationShellRunFromSer vice TRUE if the shell driver was run from the service.
RemediationShellSessionIdentifier Unique identifier tracking a shell session.
RemediationShellSessionTimeInSeconds Indicates the time the shell session took in seconds.
RemediationShellTaskDeleted Indicates that the shell task has been deleted so no additional sediment pack
runs occur for this installation.
RemediationUpdateSer viceHealthRemediationResult The result of the Update Service Health plug-in.
RemediationUpdateTaskHealthRemediationResult The result of the Update Task Health plug-in.
RemediationUpdateTaskHealthTaskList A list of tasks fixed by the Update Task Health plug-in.
RemediationWindowsLogSpaceFound The size of the Windows log files found, measured in Megabytes.
RemediationWindowsLogSpaceFreed The amount of disk space freed by deleting the Windows log files,
measured in Megabytes.
RemediationWindowsSecondar yDriveFreeSpace The amount of free space on the secondary drive,
measured in Megabytes.
RemediationWindowsSecondar yDriveLetter The letter designation of the first secondary drive with a total
capacity of 10GB or more.
RemediationWindowsSecondar yDriveTotalSpace The total storage capacity of the secondary drive,
measured in Megabytes.
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System Disk Drive, measured
in Megabytes.
Result The HRESULT for Detection or Perform Action phases of the plug-in.
RunResult The HRESULT for Detection or Perform Action phases of the plug-in.
Ser viceHealthPlugin The nae of the Service Health plug-in.
Star tComponentCleanupTask TRUE if the Component Cleanup task started successfully.
systemDriveFreeDiskSpace Indicates the free disk space on system drive, in megabytes.
systemUptimeInHours Indicates the amount of time the system in hours has been on since the last boot.
TotalSizeofOrphanedInstallerFilesInMegabytes The size of any orphaned Windows Installer files,
measured in Megabytes.
TotalSizeofStoreCacheAfterCleanupInMegabytes The size of the Microsoft Store cache after cleanup,
measured in Megabytes.
TotalSizeofStoreCacheBeforeCleanupInMegabytes The size of the Microsoft Store cache (prior to
cleanup), measured in Megabytes.
uninstallActive TRUE if previous uninstall has occurred for current OS
usoScanDaysSinceLastScan The number of days since the last USO (Update Session Orchestrator) scan.
usoScanInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple
simultaneous scans.
usoScanIsAllowAutoUpdateKeyPresent TRUE if the AllowAutoUpdate registry key is set.
usoScanIsAllowAutoUpdateProviderSetKeyPresent TRUE if AllowAutoUpdateProviderSet registry key is
set.
usoScanIsAuOptionsPresent TRUE if Auto Update Options registry key is set.
usoScanIsFeatureUpdateInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to
prevent multiple simultaneous scans.
usoScanIsNetworkMetered TRUE if the device is currently connected to a metered network.
usoScanIsNoAutoUpdateKeyPresent TRUE if no Auto Update registry key is set/present.
usoScanIsUserLoggedOn TRUE if the user is logged on.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold
(late).
usoScanType The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
windows10UpgraderBlockWuUpdates Event to report the value of Windows 10 Upgrader
BlockWuUpdates Key.
windowsEditionId Event to report the value of Windows Edition ID.
WindowsHyberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in Megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in Megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in Megabytes.
WindowsOldSpaceCleanedInMB The amount of disk space freed by removing the Windows.OLD folder,
measured in Megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in Megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the SoftwareDistribution folder,
measured in Megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in Megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, measured in
Megabytes.
WindowsSxsTempFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) Temp folder,
measured in Megabytes.
windowsUpgradeRecoveredFromRs4 Event to report the value of the Windows Upgrade Recovered key.
Microsoft.Windows.Remediation.RemediationShellMainExeEventId
Enables tracking of completion of process that remediates issues preventing security and quality updates.
The following fields are available:
CV Client side counter which indicates ordering of events sent by the remediation system.
GlobalEventCounter Client side counter which indicates ordering of events sent by the remediation system.
PackageVersion Current package version of Remediation.
RemediationShellCanAcquireSedimentMutex True if the remediation was able to acquire the sediment
mutex. False if it is already running.
RemediationShellExecuteShellResult Indicates if the remediation system completed without errors.
RemediationShellFoundDriverDll Result whether the remediation system found its component files to run
properly.
RemediationShellLoadedShellDriver Result whether the remediation system loaded its component files to
run properly.
RemediationShellLoadedShellFunction Result whether the remediation system loaded the functions from
its component files to run properly.
Microsoft.Windows.Remediation.Started
This event is sent when Windows Update sediment remediations have started on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Sediment events
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
The following fields are available:
Data Data relevant to the state, such as what percent of disk space the directory takes up.
Id Identifies the trial being run, such as a disk related trial.
ReleaseVer The version of the component.
State The state of the reporting data from the trial, such as the top-level directory analysis.
Time The time the event was fired.
Microsoft.Windows.Sediment.Info.Error
This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a
secure ping to Microsoft to help ensure Windows is up to date.
The following fields are available:
CustomVer The registry value for targeting.
IsMetered TRUE if the machine is on a metered network.
LastVer The version of the last successful run.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
This event provides information about the URL from which the Operating System Remediation System Service
(OSRSS) is attempting to download. This information helps ensure Windows is up to date.
The following fields are available:
AttemptNumber The count indicating which download attempt is starting.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from
the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The
information provided helps ensure future upgrade/update attempts are more successful.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the
signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the validated EXE was downloaded.
Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted
downloaded content. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the successfully extracted content was downloaded.
Microsoft.Windows.Sediment.OSRSS.NewUrlFound
This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL
to download from. This helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be downloaded.
Microsoft.Windows.Sediment.OSRSS.ProcessCreated
This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute
content downloaded from the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be executed.
Microsoft.Windows.Sediment.OSRSS.SelfUpdate
This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces
itself with a new version.
The following fields are available:
Ser viceVersionMajor The major version number for the component.
Ser viceVersionMinor The minor version number for the component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a
download from the URL.
The following fields are available:
Id A number identifying the URL
Ser viceVersionMajor Version info for the component
Ser viceVersionMinor Version info for the component
StateData State-specific data, such as which attempt number for the download
StateNumber A number identifying which state the URL is in (found, downloading, extracted, etc.)
Time System timestamp the event was fired
Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
This event returns data relating to the error state after one of the applicability checks for the installer component
of the Operating System Remediation System Service (OSRSS) has failed.
The following fields are available:
CheckName The name of the applicability check that failed.
InstallerVersion The version information for the installer component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update
to itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with
new binaries as part of its self-update process. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information
provided helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer
Component. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an
updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an
updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to
install an updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-
update operation. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-
updater after downloading it. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.SedimentLauncher.Applicable
This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Boolean true if detect condition is true and perform action will be run.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings True if self update enabled in Settings.
IsSelfUpdateNeeded True if self update needed by device.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.Completed
This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons Concatenated list of failure reasons.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedLauncherExecutionResult HRESULT for one execution of the Sediment Launcher.
Microsoft.Windows.SedimentLauncher.Error
Error occurred during execution of the plugin.
The following fields are available:
HResult The result for the Detection or Perform Action phases of the plug-in.
Message A message containing information about the error that occurred (if any).
PackageVersion The version number of the current remediation package.
Microsoft.Windows.SedimentLauncher.FallbackError
This event indicates that an error occurred during execution of the plug-in fallback.
The following fields are available:
s0 Error occurred during execution of the plugin fallback. See Microsoft.Windows.SedimentLauncher.wilResult.
wilResult Result from executing wil based function. See wilResult.
Microsoft.Windows.SedimentLauncher.Information
This event provides general information returned from the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Information message returned from a plugin containing only information internal to the plugins
execution.
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentLauncher.Started
This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
callContext List of telemetry activities containing this error.
currentContextId Identifier for the newest telemetry activity containing this error.
currentContextMessage Custom message associated with the newest telemetry activity containing this error
(if any).
currentContextName Name of the newest telemetry activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId Identifier assigned to this failure.
failureType Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
fileName Source code file name where the error occurred.
function Name of the function where the error occurred.
hresult Failure error code.
lineNumber Line number within the source code file where the error occurred.
message Custom message associated with the failure (if any).
module Name of the binary where the error occurred.
originatingContextId Identifier for the oldest telemetry activity containing this error.
originatingContextMessage Custom message associated with the oldest telemetry activity containing this
error (if any).
originatingContextName Name of the oldest telemetry activity containing this error.
threadId Identifier of the thread the error occurred on.
Microsoft.Windows.SedimentService.Applicable
This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Determine whether action needs to run based on device properties.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings Indicates if self update is enabled in One Settings.
IsSelfUpdateNeeded Indicates if self update is needed.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Completed
This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons List of reasons when the plugin action failed.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedimentSer viceCheckTaskFunctional True/False if scheduled task check succeeded.
SedimentSer viceCurrentBytes Number of current private bytes of memory consumed by sedsvc.exe.
SedimentSer viceKillSer vice True/False if service is marked for kill (Shell.KillService).
SedimentSer viceMaximumBytes Maximum bytes allowed for the service.
SedimentSer viceRetrievedKillSer vice True/False if result of One Settings check for kill succeeded - we only
send back one of these indicators (not for each call).
SedimentSer viceStopping True/False indicating whether the service is stopping.
SedimentSer viceTaskFunctional True/False if scheduled task is functional. If task is not functional this
indicates plugins will be run.
SedimentSer viceTotalIterations Number of 5 second iterations service will wait before running again.
Microsoft.Windows.SedimentService.Error
This event indicates whether an error condition occurred in the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Custom message associated with the failure (if any).
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentService.FallbackError
This event indicates whether an error occurred for a fallback in the plug-in.
The following fields are available:
s0 Event returned when an error occurs for a fallback in the plugin. See
Microsoft.Windows.SedimentService.wilResult.
wilResult Result for wil based function. See wilResult.
Microsoft.Windows.SedimentService.Information
This event provides general information returned from the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Custom message associated with the failure (if any).
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentService.Started
This event is sent when the Windows Update sediment remediations service starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
Microsoft.Windows.SedimentService.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
callContext List of telemetry activities containing this error.
currentContextId Identifier for the newest telemetry activity containing this error.
currentContextMessage Custom message associated with the newest telemetry activity containing this error
(if any).
currentContextName Name of the newest telemetry activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId Identifier assigned to this failure.
failureType Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
fileName Source code file name where the error occurred.
function Name of the function where the error occurred.
hresult Failure error code.
lineNumber Line number within the source code file where the error occurred.
message Custom message associated with the failure (if any).
module Name of the binary where the error occurred.
originatingContextId Identifier for the oldest telemetry activity containing this error.
originatingContextMessage Custom message associated with the oldest telemetry activity containing this
error (if any).
originatingContextName Name of the oldest telemetry activity containing this error.
threadId Identifier of the thread the error occurred on.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
The following fields are available:
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
Shared PC events
Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account
Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk
space to improve Windows Update success rates.
The following fields are available:
accountType The type of account that was deleted. Example: AD, AAD, or Local
deleteState Whether the attempted deletion of the user account was successful.
userSid The security identifier of the account.
wilActivity Windows Error Reporting data collected when there is a failure in deleting a user account with the
Transient Account Manager. See wilActivity.
Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for
devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared
devices frees up disk space to improve Windows Update success rates
The following fields are available:
evaluationTrigger When was the Transient Account Manager policies ran? Example: At log off or during
maintenance hours
totalAccountCount The number of accounts on a device after running the Transient Account Manager
policies.
wilActivity Windows Error Reporting data collected when there is a failure in evaluating accounts to be
deleted with the Transient Account Manager. See wilActivity.
wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The function where the failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
wilResult
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The call context stack where failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
SIH events
SIHEngineTelemetry.EvalApplicability
This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
The following fields are available:
ActionReasons If an action has been assessed as inapplicable, the additional logic prevented it.
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event – whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
HandlerReasons If an action has been assessed as inapplicable, the installer technology-specific logic
prevented it.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
StandardReasons If an action has been assessed as inapplicable, the standard logic the prevented it.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes
important information like if the update required a reboot.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
RebootRequired Indicates if a reboot was required to complete the action.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.PostRebootReport
This event reports the status of an action following a reboot, should one have been required.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.ServiceStateChange
This event reports the status of attempts to stop or start a service as part of executing an action.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
Ser vice The service that is being stopped/started.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
StateChange The service operation (stop/start) is being attempted.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateID A unique identifier for the action being acted upon.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.SLSActionData
This event reports if the SIH client was able to successfully parse the manifest describing the actions to be
evaluated.
The following fields are available:
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event – whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
FailedParseActions The list of actions that were not successfully parsed.
ParsedActions The list of actions that were successfully parsed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.).
WUDeviceID The unique identifier controlled by the software distribution client.
Update events
Update360Telemetry.UpdateAgent_DownloadRequest
This event sends data during the download request phase of updating Windows.
The following fields are available:
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
ErrorCode The error code returned for the current download request phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCountOptional # of optional packages requested.
PackageCountRequired # of required packages requested.
PackageCountTotal Total # of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases)
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical”
during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
PackageCount The number of packages that fell back to “canonical”.
PackageList PackageIDs which fell back to “canonical”.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current initialize phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionData Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
SessionId Unique value for each Update Agent mode attempt .
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_Install
This event sends data during the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest scan.
Result Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_Merge
This event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current reboot.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4
= Commit
ObjectId Unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest scan.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_SetupBoxLaunch
This event sends data during the launching of the setup box when updating Windows.
The following fields are available:
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode. 0 = false 1 = true
RelatedCV Correlation vector value generated from the latest scan.
SandboxSize The size of the sandbox folder on the device.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
SetupMode Setup mode 1 = predownload, 2 = install, 3 = finalize
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
The following fields are available:
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique ID for each flight.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCategoriesSkipped Indicates package categories that were skipped, if applicable.
PackageCountOptional # of optional packages requested.
PackageCountRequired # of required packages requested.
PackageCountTotal Total # of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new
Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
PackageCount Number of packages that feel back to canonical.
PackageList PackageIds which fell back to canonical.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
ObjectId Correlation vector value generated from the latest USO scan.
RelatedCV Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMerge
The UpdateAgentMerge event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current merge phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Related correlation vector value.
Result Outcome of the merge phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
The following fields are available:
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
ObjectId Unique value for each Update Agent mode.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
The following fields are available:
Applicable The count of mitigations that were applicable to the system and scenario.
Failed The count of mitigations that failed.
FlightId Unique identifier for each flight.
MitigationScenario The update scenario in which the mitigations were attempted.
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing all mitigations (in 100-nanosecond increments).
Total Total number of mitigations that were available.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates the mode that has started.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
Count The count of applicable OneSettings for the device.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Values The values sent back to the device, if applicable.
Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified
Update Platform (UUP) update scenario.
The following fields are available:
ErrorCode The error code returned for the current post reboot phase.
FlightId The specific ID of the Windows Insider build the device is getting.
ObjectId Unique value for each Update Agent mode.
PostRebootResult Indicates the Hresult.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Indicates the Hresult
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
The following fields are available:
ContainsExpressPackage Indicates whether the download package is express.
FlightId Unique ID for each flight.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode.
RelatedCV Correlation vector value generated from the latest USO scan.
SandboxSize Size of the sandbox.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
SetupMode Mode of setup to be launched.
UpdateId Unique ID for each Update.
UserSession Indicates whether install was invoked by user actions.
Upgrade events
FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to
help keep Windows up to date and secure.
FacilitatorTelemetry.DUDownload
This event returns data about the download of supplemental packages critical to upgrading a device to the next
version of Windows.
FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep
Windows up to date and secure.
The following fields are available:
ClientId If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the downlevel OS.
HostOsSkuName The operating system edition which is running Setup360 instance (downlevel OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is
the GUID for the install.wim.
Setup360Extended More detailed information about phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
Setup360Result The result of Setup360 (HRESULT used to diagnose errors).
Setup360Scenario The Setup360 flow type (for example, Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId An ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
Setup360Telemetry.Finalize
This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep
Windows up-to-date and secure.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended d
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.OsUninstall
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.
Specifically, it indicates the outcome of an OS uninstall.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase or action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PostRebootInstall
This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help
keep Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup,
the default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Extension of result - more granular information about phase/action when the potential
failure happened
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
Setup360Result The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
Setup360Telemetry.PreDownloadQuiet
This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous operating system).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
Setup360Telemetry.PreDownloadUX
This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS,
to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion
of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous operating system.
HostOsSkuName The OS edition which is running the Setup360 instance (previous operating system).
InstanceId Unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PreInstallQuiet
This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep
Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario Setup360 flow type (Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.PreInstallUX
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help
keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type, Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.Setup360
This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
The following fields are available:
ClientId Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
FieldName Retrieves the data point.
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Repor tId Retrieves the report ID.
ScenarioId Retrieves the deployment scenario.
Value Retrieves the value associated with the corresponding FieldName.
Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system
upgrade, to help keep Windows up-to-date.
Setup360Telemetry.Setup360MitigationResult
This event sends data indicating the result of each setup mitigation.
Setup360Telemetry.Setup360MitigationSummary
This event sends a summary of all the setup mitigations available for this update.
Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
ClientId The Windows Update client ID passed to Setup.
Count The count of applicable OneSettings for the device.
FlightData The ID for the flight (test instance version).
InstanceId The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
Repor tId The Update ID passed to Setup.
Result The HResult of the event error.
ScenarioId The update scenario ID.
Values Values sent back to the device, if applicable.
Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used used to diagnose
errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
Windows 10, version 1703 basic level Windows
diagnostic events and fields
1/31/2020 • 216 minutes to read • Edit Online
Applies to
Windows 10, version 1703
The Basic level gathers a limited set of information that is critical for understanding the device and its
configuration including: basic device information, quality-related information, app compatibility, and Microsoft
Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount
of memory or that are running a particular driver version. This helps Microsoft fix operating system or app
problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields
Windows 10, version 1809 basic diagnostic events and fields
Windows 10, version 1803 basic diagnostic events and fields
Windows 10, version 1709 basic diagnostic events and fields
Manage connections from Windows operating system components to Microsoft services
Configure Windows diagnostic data in your organization
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to
ensure that the records present on the server match what is present on the client.
The following fields are available:
DatasourceApplicationFile_RS3 The total DecisionApplicationFile objects targeting the next release of
Windows on this device.
DatasourceDevicePnp_RS3 The total DatasourceDevicePnp objects targeting the next release of Windows
on this device.
DatasourceDriverPackage_RS3 The total DatasourceDriverPackage objects targeting the next release of
Windows on this device.
DataSourceMatchingInfoBlock_RS3 The total DataSourceMatchingInfoBlock objects targeting the next
release of Windows on this device.
DataSourceMatchingInfoPassive_RS3 The total DataSourceMatchingInfoPassive objects targeting the next
release of Windows on this device.
DataSourceMatchingInfoPostUpgrade_RS3 The total DataSourceMatchingInfoPostUpgrade objects
targeting the next release of Windows on this device.
DatasourceSystemBios_RS3 The total DatasourceSystemBios objects targeting the next release of Windows
on this device.
DecisionApplicationFile_RS3 The total DecisionApplicationFile objects targeting the next release of
Windows on this device.
DecisionDevicePnp_RS2 The count of DataSourceMatchingInfoBlock objects present on this machine
targeting the next release of Windows
DecisionDevicePnp_RS3 The total DecisionDevicePnp objects targeting the next release of Windows on this
device.
DecisionDriverPackage_RS3 The total DecisionDriverPackage objects targeting the next release of Windows
on this device.
DecisionMatchingInfoBlock_RS3 The total DecisionMatchingInfoBlock objects targeting the next release of
Windows on this device.
DecisionMatchingInfoPassive_RS3 The total DataSourceMatchingInfoPassive objects targeting the next
release of Windows on this device.
DecisionMatchingInfoPostUpgrade_RS3 The total DecisionMatchingInfoPostUpgrade objects targeting the
next release of Windows on this device.
DecisionMediaCenter_RS3 The total DecisionMediaCenter objects targeting the next release of Windows on
this device.
DecisionSystemBios_RS3 The total DecisionSystemBios objects targeting the next release of Windows on
this device.
Inventor yLanguagePack The count of DecisionApplicationFile objects present on this machine targeting the
next release of Windows
Inventor ySystemBios The count of DecisionDevicePnp objects present on this machine targeting the next
release of Windows
PCFP The count of DecisionDriverPackage objects present on this machine targeting the next release of
Windows
SystemProcessorCompareExchange The count of DecisionMatchingInfoBlock objects present on this
machine targeting the next release of Windows
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The total number of objects of this type present on this device.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of DecisionSystemBios objects present on this machine
targeting the next release of Windows
SystemWlan The total number of objects of this type present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an anti-virus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an anti-virus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
The following fields are available:
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
IsBootCritical Indicates whether the device boot is critical.
SdbEntries An array of fields indicating the SDB entries that apply to this device.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuDriverUpdateID The Update ID of the applicable uplevel driver from Windows Update.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
WuPopulatedFromID The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
SdbEntries An array of fields indicating the SDB entries that apply to this BIOS.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
This event indicates that the DatasourceSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file that is generating the events.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dimissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
This event indicates that the DecisionDevicePnp object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the appraiser file generating the events.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
This event indicates that the DecisionMatchingInfoBlock object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help
keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least
once and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
This event indicates that the DecisionMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device blocked from upgrade due to a BIOS block?
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
This event indicates that the DecisionSystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is
installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
The following fields are available:
PCFP An ID for the system calculated by hashing hardware identifiers.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
The following fields are available:
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either
have a block in the compatibility database or be part of an antivirus program.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BiosDate The release date of the BIOS in UTC format.
BiosName The name field from Win32_BIOS.
Manufacturer The manufacturer field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
This event indicates that the InventorySystemBios object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
The following fields are available:
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The version of the Appraiser file generating the events.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
PCFP An ID for the system calculated by hashing hardware identifiers.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryRemove
This event that the SystemMemory object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to
help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
This event indicates that the SystemProcessorCompareExchange object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file generating the events.
Blocking Is the upgrade blocked due to the processor?
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
This event indicates that the SystemProcessorLahfSahf object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
This event indicates that the SystemProcessorNx object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
This event indicates that the SystemProcessorPrefetchW object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked due to the processor?
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
This event indicates that the SystemProcessorSse2 object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchRemove
This event indicates that the SystemTouch object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimRemove
This event indicates that the SystemWim object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
The following fields are available:
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser diagnostic data run.
AppraiserProcess The name of the process that launched Appraiser.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PCFP An ID for the system calculated by hashing hardware identifiers.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
Time The client time of the event.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows
up to date. This data does not indicate the details of the media using the digital rights management, only whether
any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be
able to be removed once all mitigations are in place.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmRemove
This event indicates that the Wmdrm object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
AppraiserVersion The version of the Appraiser file that is generating the events.
Census events
Census.App
This event sends version data about the Apps running on this device, to help keep Windows up to date.
The following fields are available:
CensusVersion The version of Census that generated the current data for this device.
IEVersion The version of Internet Explorer that is running on the device.
Census.Battery
This event sends type and capacity data about the battery on the device, as well as the number of connected
standby devices in use, type to help keep Windows up to date.
The following fields are available:
InternalBatter yCapablities Represents information about what the battery is capable of doing.
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or
relative). Compare this value to DesignedCapacity to estimate the battery's wear.
InternalBatter yCapacityDesign Represents the theoretical capacity of the battery when new, in mWh.
InternalBatter yNumberOfCharges Provides the number of battery charges. This is used when creating new
products and validating that existing products meets targeted functionality performance.
IsAlwaysOnAlwaysConnectedCapable Represents whether the battery enables the device to be
AlwaysOnAlwaysConnected . Boolean value.
Census.Camera
This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
The following fields are available:
FrontFacingCameraResolution Represents the resolution of the front facing camera in megapixels. If a front
facing camera does not exist, then the value is 0.
RearFacingCameraResolution Represents the resolution of the rear facing camera in megapixels. If a rear
facing camera does not exist, then the value is 0.
Census.Enterprise
This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of
the use and integration of devices in an enterprise, cloud, and server environment.
The following fields are available:
AzureOSIDPresent Represents the field used to identify an Azure machine.
AzureVMType Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
CDJType Represents the type of cloud domain joined for the machine.
CommercialId Represents the GUID for the commercial entity which the device is a member of. Will be used
to reflect insights back to customers.
ContainerType The type of container, such as process or virtual machine hosted.
HashedDomain The hashed representation of the user domain used for login.
IsCloudDomainJoined Is this device joined to an Azure Active Directory (AAD) tenant? true/false
IsDERequirementMet Represents if the device can do device encryption.
IsDeviceProtected Represents if Device protected by BitLocker/Device Encryption
IsDomainJoined Indicates whether a machine is joined to a domain.
IsEDPEnabled Represents if Enterprise data protected on the device.
IsMDMEnrolled Whether the device has been MDM Enrolled or not.
MPNId Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
SCCMClientId This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based
systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment.
Ser verFeatures Represents the features installed on a Windows Server. This can be used by developers and
administrators who need to automate the process of determining the features installed on a set of server
computers.
SystemCenterID The Microsoft Endpoint Configuration Manager ID is an anonymized one-way hash of the
Active Directory Organization identifier.
Census.Firmware
This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
The following fields are available:
FirmwareManufacturer Represents the manufacturer of the device's firmware (BIOS).
FirmwareReleaseDate Represents the date the current firmware was released.
FirmwareType Represents the firmware type. The various types can be unknown, BIOS, UEFI.
FirmwareVersion Represents the version of the current firmware.
Census.Flighting
This event sends Windows Insider data from customers participating in improvement testing and feedback
programs, to help keep Windows up to date.
The following fields are available:
DeviceSampleRate The telemetry sample rate assigned to the device.
EnablePreviewBuilds Used to enable Windows Insider builds on a device.
FlightIds A list of the different Windows Insider builds on this device.
FlightingBranchName The name of the Windows Insider branch currently used by the device.
IsFlightsDisabled Represents if the device is participating in the Windows Insider program.
MSA_Accounts Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds)
on this device.
SSRK Retrieves the mobile targeting settings.
Census.Hardware
This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level
setting, and TPM support, to help keep Windows up to date.
The following fields are available:
ActiveMicCount The number of active microphones attached to the device.
ChassisType Represents the type of device chassis, such as desktop or low profile desktop. The possible values
can range between 1 - 36.
ComputerHardwareID Identifies a device class that is represented by a hash of different SMBIOS fields.
DeviceColor Indicates a color of the device.
DeviceForm Indicates the form as per the device classification.
DeviceName The device name that is set by the user.
DigitizerSuppor t Is a digitizer supported?
DUID The device unique ID.
Inventor yId The device ID used for compatibility testing.
OEMDigitalMarkerFileName The name of the file placed in the \Windows\system32\drivers directory that
specifies the OEM and model name of the device.
OEMManufacturerName The device manufacturer name. The OEMName for an inactive device is not
reprocessed even if the clean OEM name is changed at a later date.
OEMModelBaseBoard The baseboard model used by the OEM.
OEMModelBaseBoardVersion Differentiates between developer and retail devices.
OEMModelName The device model name.
OEMModelNumber The device model number.
OEMModelSKU The device edition that is defined by the manufacturer.
OEMModelSystemFamily The system family set on the device by an OEM.
OEMModelSystemVersion The system model version set on the device by the OEM.
OEMOptionalIdentifier A Microsoft assigned value that represents a specific OEM subsidiary.
OEMSerialNumber The serial number of the device that is set by the manufacturer.
PhoneManufacturer The friendly name of the phone manufacturer.
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic
form factor of the device.
SoCName The firmware manufacturer of the device.
StudyID Used to identify retail and non-retail device.
Telemetr yLevel The telemetry level the user has opted into, such as Basic or Enhanced.
Telemetr ySettingAuthority Determines who set the telemetry level, such as GP, MDM, or the user.
TPMVersion The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
VoiceSuppor ted Does the device have a cellular radio capable of making voice calls?
Census.Memory
This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to
date.
The following fields are available:
TotalPhysicalRAM Represents the physical memory (in MB).
TotalVisibleMemor y Represents the memory that is not reserved by the system.
Census.Network
This event sends data about the mobile and cellular network used by the device (mobile service provider, network,
device ID, and service cost factors), to help keep Windows up to date.
The following fields are available:
IMEI0 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
IMEI1 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
MCC0 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MCC1 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MEID Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to
CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA
phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose
or identify the user.
MNC0 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MNC1 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MobileOperatorBilling Represents the telephone company that provides services for mobile phone users.
MobileOperatorCommercialized Represents which reseller and geography the phone is commercialized for.
This is the set of values on the phone for who and where it was intended to be used. For example, the
commercialized mobile operator code AT&T in the US would be ATT-US.
MobileOperatorNetwork0 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
MobileOperatorNetwork1 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
NetworkAdapterGUID The GUID of the primary network adapter.
NetworkCost Represents the network cost associated with a connection.
SPN0 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
SPN1 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
Census.OS
This event sends data about the operating system such as the version, locale, update service configuration, when
and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
The following fields are available:
ActivationChannel Retrieves the retail license key or Volume license key for a machine.
CompactOS Indicates if the Compact OS feature from Win10 is enabled.
DeveloperUnlockStatus Represents if a device has been developer unlocked by the user or Group Policy.
DeviceTimeZone The time zone that is set on the device. Example: Pacific Standard Time
GenuineState Retrieves the ID Value specifying the OS Genuine check.
InstallationType Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
InstallLanguage The first language installed on the user machine.
IsDeviceRetailDemo Retrieves if the device is running in demo mode.
IsEduData Returns Boolean if the education data policy is enabled.
IsPor tableOperatingSystem Retrieves whether OS is running Windows-To-Go
IsSecureBootEnabled Retrieves whether Boot chain is signed under UEFI.
LanguagePacks The list of language packages installed on the device.
LicenseStateReason Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an
error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by
the MS store.
OA3xOriginalProductKey Retrieves the License key stamped by the OEM to the machine.
OSEdition Retrieves the version of the current OS.
OSInstallDateTime Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
OSInstallType Retrieves a numeric description of what install was used on the device i.e. clean, upgrade,
refresh, reset, etc
OSOOBEDateTime Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
OSSKU Retrieves the Friendly Name of OS Edition.
OSSubscriptionStatus Represents the existing status for enterprise subscription feature for PRO machines.
OSSubscriptionTypeId Returns boolean for enterprise subscription feature for selected PRO machines.
OSTimeZoneBiasInMins Retrieves the time zone set on machine.
OSUILocale Retrieves the locale of the UI that is currently used by the OS.
ProductActivationResult Returns Boolean if the OS Activation was successful.
ProductActivationTime Returns the OS Activation time for tracking piracy issues.
ProductKeyID2 Retrieves the License key if the machine is updated with a new license key.
RACw7Id Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor
and analyze system usage and reliability.
Ser viceMachineIP Retrieves the IP address of the KMS host used for anti-piracy.
Ser viceMachinePor t Retrieves the port of the KMS host used for anti-piracy.
Ser viceProductKeyID Retrieves the License key of the KMS
SharedPCMode Returns Boolean for education devices used as shared cart
Signature Retrieves if it is a signature machine sold by Microsoft store.
SLICStatus Whether a SLIC table exists on the device.
SLICVersion Returns OS type/version from SLIC table.
Census.Processor
This event sends data about the processor to help keep Windows up to date.
The following fields are available:
ProcessorArchitecture Retrieves the processor architecture of the installed operating system.
ProcessorClockSpeed Retrieves the clock speed of the processor in MHz.
ProcessorCores Retrieves the number of cores in the processor.
ProcessorIdentifier The processor identifier of a manufacturer.
ProcessorManufacturer Retrieves the name of the processor's manufacturer.
ProcessorModel Retrieves the name of the processor model.
ProcessorPhysicalCores Number of physical cores in the processor.
SocketCount Number of physical CPU sockets of the machine.
Census.Security
Provides information on several important data points about security settings.
Census.Speech
This event is used to gather basic speech settings on the device.
The following fields are available:
AboveLockEnabled Cortana setting that represents if Cortana can be invoked when the device is locked.
GPAllowInputPersonalization Indicates if a Group Policy setting has enabled speech functionalities.
HolographicSpeechInputDisabled Holographic setting that represents if the attached HMD devices have
speech functionality disabled by the user.
HolographicSpeechInputDisabledRemote Indicates if a remote policy has disabled speech functionalities
for the HMD devices.
KWSEnabled Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
MDMAllowInputPersonalization Indicates if an MDM policy has enabled speech functionalities.
RemotelyManaged Indicates if the device is being controlled by a remote admininistrator (MDM or Group
Policy) in the context of speech functionalities.
SpeakerIdEnabled Cortana setting that represents if keyword detection has been trained to try to respond to
a single user's voice.
SpeechSer vicesEnabled Windows setting that represents whether a user is opted-in for speech services on
the device.
Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to
date.
The following fields are available:
Primar yDiskTotalCapacity Retrieves the amount of disk space on the primary disk of the device in MB.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus
to which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
SystemVolumeTotalCapacity Retrieves the size of the partition that the System volume is installed on in MB.
Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular
extensions and protocols, to help keep Windows up to date.
The following fields are available:
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm,
.jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
DefaultBrowserProgId The ProgramId of the current user's default browser.
Census.UserDisplay
This event sends data about the logical/physical display size, resolution and number of internal/external displays,
and VRAM on the system, to help keep Windows up to date.
The following fields are available:
InternalPrimar yDisplayLogicalDPIX Retrieves the logical DPI in the x-direction of the internal display.
InternalPrimar yDisplayLogicalDPIY Retrieves the logical DPI in the y-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIX Retrieves the physical DPI in the x-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIY Retrieves the physical DPI in the y-direction of the internal display.
InternalPrimar yDisplayResolutionHorizontal Retrieves the number of pixels in the horizontal direction of
the internal display.
InternalPrimar yDisplayResolutionVer tical Retrieves the number of pixels in the vertical direction of the
internal display.
InternalPrimar yDisplaySizePhysicalH Retrieves the physical horizontal length of the display in mm. Used
for calculating the diagonal length in inches .
InternalPrimar yDisplaySizePhysicalY Retrieves the physical vertical length of the display in mm. Used for
calculating the diagonal length in inches
InternalPrimar yDisplayType Represents the type of technology used in the monitor, such as Plasma, LED,
LCOS, etc.
NumberofExternalDisplays Retrieves the number of external displays connected to the machine
NumberofInternalDisplays Retrieves the number of internal displays in a machine.
VRAMDedicated Retrieves the video RAM in MB.
VRAMDedicatedSystem Retrieves the amount of memory on the dedicated video card.
VRAMSharedSystem Retrieves the amount of RAM memory that the video card can use.
Census.UserNLS
This event sends data about the default app language, input, and display language preferences set by the user, to
help keep Windows up to date.
The following fields are available:
DefaultAppLanguage The current user Default App Language.
DisplayLanguage The current user preferred Windows Display Language.
HomeLocation The current user location, which is populated using GetUserGeoId() function.
KeyboardInputLanguages The Keyboard input languages installed on the device.
SpeechInputLanguages The Speech Input languages installed on the device.
Census.VM
This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to
help keep Windows up to date.
The following fields are available:
HyperVisor Retrieves whether the current OS is running on top of a Hypervisor.
IOMMUPresent Represents if an input/output memory management unit (IOMMU) is present.
IsVir tualDevice Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field
should not be relied upon for non-Hv#1 Hypervisors.
SL ATSuppor ted Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
Vir tualizationFirmwareEnabled Represents whether virtualization is enabled in the firmware.
Census.WU
This event sends data about the Windows update server and other App store policies, to help keep Windows up to
date.
The following fields are available:
AppraiserGatedStatus Indicates whether a device has been gated for upgrading.
AppStoreAutoUpdate Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
AppStoreAutoUpdateMDM Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 -
Not configured. Default: [2] Not configured
AppStoreAutoUpdatePolicy Retrieves the Microsoft Store App Auto Update group policy setting
DelayUpgrade Retrieves the Windows upgrade flag for delaying upgrades.
OSRollbackCount The number of times feature updates have rolled back on the device.
OSRolledBack A flag that represents when a feature update has rolled back during setup.
OSUninstalled A flag that represents when a feature update is uninstalled on a device .
OSWUAutoUpdateOptions Retrieves the auto update settings on the device.
UninstallActive A flag that represents when a device has uninstalled a previous upgrade recently.
UpdateSer viceURLConfigured Retrieves if the device is managed by Windows Server Update Services
(WSUS).
WUDeferUpdatePeriod Retrieves if deferral is set for Updates.
WUDeferUpgradePeriod Retrieves if deferral is set for Upgrades.
WUDODownloadMode Retrieves whether DO is turned on and how to acquire/distribute updates Delivery
Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same
network.
WUMachineId Retrieves the Windows Update (WU) Machine Identifier.
WUPauseState Retrieves WU setting to determine if updates are paused.
WUSer ver Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers
(by default).
Census.Xbox
This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to
date.
The following fields are available:
XboxConsolePreferredLanguage Retrieves the preferred language selected by the user on Xbox console.
XboxConsoleSerialNumber Retrieves the serial number of the Xbox console.
XboxLiveDeviceId Retrieves the unique device ID of the console.
XboxLiveSandboxId Retrieves the developer sandbox ID if the device is internal to Microsoft.
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
The following fields are available:
aiSeqId The event sequence ID.
bootId The system boot ID.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Inventory events
ChecksumDictionary
The list of values sent by each object type.
The following fields are available:
Key The object type being described.
Value The number of objects of this type that were sent.
COMPID
This event provides a device's internal application compatible ID, a vendor-defined identification that Windows
uses to match a device to an INF file. A device can have a list of compatible IDs associated with it.
The following fields are available:
Order The index of the array of compatible IDs for the device.
Value The array of compatible IDs for the device.
HWID
This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a
device to an INF file. In most cases, a device has associated with it a list of hardware IDs.
The following fields are available:
Order The index of the array of internal hardware IDs for the device.
Value The array of internal hardware IDs for the device.
InstallDateArpLastModified
This event indicates the date the add/remove program (ARP) entry was last modified by an update.
The following fields are available:
Order The index of the ordered array.
Value The value contained in the ordered array.
InstallDateFromLinkFile
This event provides the application installation date from the linked file.
The following fields are available:
Order The index of the ordered array.
Value The value contained in the ordered array.
InstallDateMsi
The install date from the Microsoft installer (MSI) database.
The following fields are available:
Order The index of the ordered array.
Value The value contained in the ordered array.
Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
This event captures basic checksum data about the device inventory items stored in the cache for use in validating
data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time,
but they will always represent a count of a given object.
The following fields are available:
Device A count of device objects in cache.
DeviceCensus A count of devicecensus objects in cache.
DriverPackageExtended A count of driverpackageextended objects in cache.
File A count of file objects in cache.
FileSigningInfo A count of file signing objects in cache.
Generic A count of generic objects in cache.
HwItem A count of hwitem objects in cache.
Inventor yApplication A count of application objects in cache.
Inventor yApplicationFile A count of application file objects in cache.
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDeviceInterface A count of Plug and Play device interface objects in cache.
Inventor yDeviceMediaClass A count of device media objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Metadata A count of metadata objects in cache.
Orphan A count of orphan file objects in cache.
Programs A count of program objects in cache.
Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
This event sends inventory component versions for the Device Inventory data.
The following fields are available:
aeinv The version of the App inventory component.
aeinv.dll The version of the App inventory component.
devinv The file version of the Device inventory component.
devinv.dll The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
This event enumerates the signatures of files, either driver packages or application executables. For driver
packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages,
saving time for the client and space on the server. For applications, this data is collected for up to 10 random
executables on a system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
CatalogSigners Signers from catalog. Each signer starts with Chain.
DriverPackageStrongName Optional. Available only if FileSigningInfo is collected on a driver package.
EmbeddedSigners Embedded signers. Each signer starts with Chain.
FileName The file name of the file whose signatures are listed.
FileType Either exe or sys, depending on if a driver package or application executable.
Inventor yVersion The version of the inventory file generating the events.
Thumbprint Comma separated hash of the leaf node of each signer. Semicolon is used to separate
CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
HiddenArp Indicates whether a program hides itself from showing up in ARP.
InstallDate The date the application was installed (a best guess based on folder creation date heuristics).
InstallDateArpLastModified The date of the registry ARP key for a given application. Hints at install date but
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 See InstallDateArpLastModified.
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array. See
InstallDateFromLinkFile.
InstallDateMsi The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
See InstallDateMsi.
Inventor yVersion The version of the inventory file generating the events.
Language The language code of the program.
MsiPackageCode A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an
MsiPackage.
MsiProductCode A GUID that describe the MSI Product.
Name The name of the application.
OSVersionAtInstallTime The four octets from the OS version at the time of the application's install.
PackageFullName The package full name for a Store application.
ProgramInstanceId A hash of the file IDs in an app.
Publisher The Publisher of the application. Location pulled from depends on the 'Source' field.
RootDirPath The path to the root directory where the program was installed.
Source How the program was installed (for example, ARP, MSI, Appx).
StoreAppType A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
Type One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app,
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it
is a service. Application and BOE are the ones most likely seen.
Version The version number of the program.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd
events will be sent.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
This event indicates that a new set of InventoryApplicationAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and
Play device) to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Categories A comma separated list of functional categories in which the container belongs.
Discover yMethod The discovery method for the device container.
FriendlyName The name of the device container.
Inventor yVersion The version of the inventory file generating the events.
IsActive Is the device connected, or has it been seen in the last 14 days?
IsConnected For a physically attached device, this value is the same as IsPresent. For wireless a device, this
value represents a communication link.
IsMachineContainer Is the container the root device itself?
IsNetworked Is this a networked device?
IsPaired Does the device container require pairing?
Manufacturer The manufacturer name for the device container.
ModelId A unique model ID.
ModelName The model name.
ModelNumber The model number for the device container.
Primar yCategor y The primary category for the device container.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
This event indicates that the InventoryDeviceContainer object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Accelerometer3D Indicates if an Accelerator3D sensor is found.
ActivityDetection Indicates if an Activity Detection sensor is found.
AmbientLight Indicates if an Ambient Light sensor is found.
Barometer Indicates if a Barometer sensor is found.
Custom Indicates if a Custom sensor is found.
FloorElevation Indicates if a Floor Elevation sensor is found.
GeomagneticOrientation Indicates if a Geo Magnetic Orientation sensor is found.
GravityVector Indicates if a Gravity Detector sensor is found.
Gyrometer3D Indicates if a Gyrometer3D sensor is found.
Humidity Indicates if a Humidity sensor is found.
Inventor yVersion The version of the inventory file generating the events.
LinearAccelerometer Indicates if a Linear Accelerometer sensor is found.
Magnetometer3D Indicates if a Magnetometer3D sensor is found.
Orientation Indicates if an Orientation sensor is found.
Pedometer Indicates if a Pedometer sensor is found.
Proximity Indicates if a Proximity sensor is found.
RelativeOrientation Indicates if a Relative Orientation sensor is found.
SimpleDeviceOrientation Indicates if a Simple Device Orientation sensor is found.
Temperature Indicates if a Temperature sensor is found.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to
help keep Windows up to date while reducing overall size of data payload.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Audio_CaptureDriver The Audio device capture driver endpoint.
Audio_RenderDriver The Audio device render driver endpoint.
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Class The device setup class of the driver loaded for the device.
ClassGuid The device class unique identifier of the driver package loaded on the device.
COMPID The list of “Compatible IDs” for this device. See COMPID.
ContainerId The system-supplied unique identifier that specifies which group(s) the device(s) installed on the
parent (main) device belong to.
Description The description of the device.
DeviceState Identifies the current state of the parent (main) device.
DriverId The unique identifier for the installed driver.
DriverName The name of the driver image file.
DriverPackageStrongName The immediate parent directory name in the Directory field of
InventoryDriverPackage.
DriverVerDate The date of the driver loaded for the device
DriverVerVersion The version of the driver loaded for the device
Enumerator Identifies the bus that enumerated the device.
HWID A list of hardware IDs for the device. See HWID.
Inf The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
InstallState The device installation state. For a list of values, see:
https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
Inventor yVersion The version number of the inventory process generating the events.
LowerClassFilters The identifiers of the Lower Class filters installed for the device.
LowerFilters The identifiers of the Lower filters installed for the device.
Manufacturer The manufacturer of the device.
MatchingID The Hardware ID or Compatible ID that Windows uses to install a device instance.
Model Identifies the model of the device.
ParentId The Device Instance ID of the parent of the device.
ProblemCode The error code currently returned by the device, if applicable.
Provider Identifies the device provider.
Ser vice The name of the device service.
STACKID The list of hardware IDs for the stack. See STACKID.
UpperClassFilters The identifiers of the Upper Class filters installed for the device.
UpperFilters The identifiers of the Upper filters installed for the device.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
This event indicates that the InventoryDevicePnpRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
DriverCheckSum The checksum of the driver file.
DriverCompany The company name that developed the driver.
DriverInBox Is the driver included with the operating system?
DriverIsKernelMode Is it a kernel mode driver?
DriverName The file name of the driver.
DriverPackageStrongName The strong name of the driver package
DriverSigned The strong name of the driver package
DriverTimeStamp The low 32 bits of the time stamp of the driver file.
DriverType A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define
DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define
DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define
DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8.
define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE
0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64
0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define
DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15.
define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED
0x800000.
DriverVersion The version of the driver file.
ImageSize The size of the driver file.
Inf The name of the INF file.
Inventor yVersion The version of the inventory file generating the events.
Product The product name that is included in the driver file.
ProductVersion The product version that is included in the driver file.
Ser vice The name of the service that is installed for the device.
WdfVersion The Windows Driver Framework version.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
This event indicates that the InventoryDriverBinary object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Class The class name for the device driver.
ClassGuid The class GUID for the device driver.
Date The driver package date.
Director y The path to the driver package.
Inf The INF name of the driver package.
Inventor yVersion The version of the inventory file generating the events.
Provider The provider for the driver package.
SubmissionId The HLK submission ID for the driver package.
Version The version of the driver package.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
This event indicates that the InventoryDriverPackageRemove object is no longer present.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
Inventor yVersion The version of the inventory file generating the events.
Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
The following fields are available:
AhaVersion The binary version of the App Health Analyzer tool.
ApplicationErrors The count of application errors from the event log.
Bitness The architecture type of the application (16 Bit or 32 bit or 64 bit).
device_level Various JRE/JAVA versions installed on a particular device.
ExtendedProper ties Attribute used for aggregating all other attributes under this event type.
Jar Flag to determine if an app has a Java JAR file dependency.
Jre Flag to determine if an app has JRE framework dependency.
Jre_version JRE versions an app has declared framework dependency for.
Name Name of the application.
NonDPIAware Flag to determine if an app is non-DPI aware
NumBinaries Count of all binaries (.sys,.dll,.ini) from application install location.
RequiresAdmin Flag to determine if an app requests admin privileges for execution.
RequiresAdminv2 Additional flag to determine if an app requests admin privileges for execution.
RequiresUIAccess Flag to determine if an app is based on UI features for accessibility.
VB6 Flag to determine if an app is based on VB6 framework.
VB6v2 Additional flag to determine if an app is based on VB6 framework.
Version Version of the application.
VersionCheck Flag to determine if an app has a static dependency on OS version.
VersionCheckv2 Additional flag to determine if an app has a static dependency on OS version.
Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
This event indicates the beginning of a series of AppHealthStaticAdd events.
The following fields are available:
AllowTelemetr y Indicates the presence of the 'allowtelemetry' command line argument.
CommandLineArgs Command line arguments passed when launching the App Health Analyzer executable.
Enhanced Indicates the presence of the 'enhanced' command line argument.
Star tTime UTC date and time at which this event was sent.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
Invalid variant - Provides data on the installed Office Add-ins
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
This event indicates that a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
Provides data on the Office identifiers.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
Provides data on Office-related Internet Explorer features.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
This event provides insight data on the installed Office products
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
This diagnostic event indicates that a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
This event describes various Office settings
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
Indicates a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
This event indicates that a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
The following fields are available:
ChecksumDictionar y A count of each operating system indicator. See ChecksumDictionary.
PCFP Equivalent to the InventoryId field that is found in other core events.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
These events represent the basic metadata about the OS indicators installed on the system which are used for
keeping the device up to date.
This event includes fields from Ms.Device.DeviceInventoryChange.
The following fields are available:
IndicatorValue The indicator value.
Value Describes an operating system indicator that may be relevant for the device upgrade.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been
removed.
This event includes fields from Ms.Device.DeviceInventoryChange.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
This event includes fields from Ms.Device.DeviceInventoryChange.
STACKID
This event provides the internal compatible ID for the stack.
The following fields are available:
Order The index of the ordered array.
Value The value contained in the ordered array.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
The following fields are available:
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
This event includes basic data about the Operating System, collected during Boot and used to evaluate the success
of the upgrade process.
The following fields are available:
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
UserInputTime The amount of time the loader application spent waiting for user input.
Microsoft.Windows.Kernel.Power.OSStateChange
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event
with Windows Analytics, organizations can use this to help monitor reliability and performance of managed
devices.
The following fields are available:
AcPowerOnline If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions This will give the actual transitions number
Batter yCapacity Maximum battery capacity in mWh
Batter yCharge Current battery charge as a percentage of total capacity
Batter yDischarging Flag indicating whether the battery is discharging or charging
BootId Monotonically increasing boot id, reset on upgrades.
BootTimeUTC Boot time in UTC file time.
EventSequence Monotonically increasing event number for OsStateChange events logged during this boot.
LastStateTransition The previous state transition on the device.
LastStateTransitionSub The previous state subtransition on the device.
StateDurationMS Milliseconds spent in the state being departed
StateTransition Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat.
StateTransitionSub Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby,
Reserved, HybridSleep.
TotalDurationMS Total time device has been up in milliseconds in wall clock time.
TotalUptimeMS Total time device has been on (not in a suspended state) in milliseconds.
TransitionsToOn TransitionsToOn increments each time the system successfully completes a system sleep
event, and is sent as part of the PowerTransitionEnd ETW event.
UptimeDeltaMS Duration in last state in milliseconds.
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
This event returns data to track the count of the migration objects across various phases during feature update.
OneDrive events
Microsoft.OneDrive.Sync.Setup.APIOperation
This event includes basic data about install and uninstall OneDrive API operations.
The following fields are available:
APIName The name of the API.
Duration How long the operation took.
IsSuccess Was the operation successful?
ResultCode The result code.
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.EndExperience
This event includes a success or failure summary of the installation.
The following fields are available:
APIName The name of the API.
HResult Indicates the result code of the event
IsSuccess Was the operation successful?
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
The following fields are available:
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
This event is related to registering or unregistering the OneDrive update task.
The following fields are available:
APIName The name of the API.
IsSuccess Was the operation successful?
RegisterNewTaskResult The HResult of the RegisterNewTask operation.
ScenarioName The name of the scenario.
UnregisterOldTaskResult The HResult of the UnregisterOldTask operation.
Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
The following fields are available:
ComponentName The name of the dependent component.
isInstalled Is the dependent component installed?
Microsoft.OneDrive.Sync.Updater.OfficeRegistration
This event indicates the status of the OneDrive integration with Microsoft Office.
The following fields are available:
isValid Is the Microsoft Office registration valid?
Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
The following fields are available:
32bit The status of the OneDrive overlay icon on a 32-bit operating system.
64bit The status of the OneDrive overlay icon on a 64-bit operating system.
Microsoft.OneDrive.Sync.Updater.RepairResult
The event determines the result of the installation repair.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
This event indicates the status when downloading the OneDrive setup file.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
This event sends information describing the result of the update.
The following fields are available:
hr The HResult of the operation.
IsLoggingEnabled Indicates whether logging is enabled for the updater.
UpdaterVersion The version of the updater.
Microsoft.OneDrive.Sync.Updater.UpdateTierReg
This event determines status of the update tier registry values.
The following fields are available:
regReadEnterpriseHr The HResult of the enterprise reg read value.
regReadTeamHr The HResult of the team reg read value.
Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
This event determines the status when downloading the OneDrive update configuration file.
The following fields are available:
hr The HResult of the operation.
Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
This event determines the error code that was returned when verifying Internet connectivity.
The following fields are available:
winInetError The HResult of the operation.
Remediation events
Microsoft.Windows.Remediation.Applicable
deny
The following fields are available:
ActionName The name of the action to be taken by the plug-in.
AppraiserBinariesValidResult Indicates whether the plug-in was appraised as valid.
AppraiserDetectCondition Indicates whether the plug-in passed the appraiser's check.
AppraiserRegistr yValidResult Indicates whether the registry entry checks out as valid.
AppraiserTaskDisabled Indicates the appraiser task is disabled.
AppraiserTaskValidFailed Indicates the Appraiser task did not function and requires intervention.
CV Correlation vector
DateTimeDifference The difference between local and reference clock times.
DateTimeSyncEnabled Indicates whether the Datetime Sync plug-in is enabled.
DaysSinceLastSIH The number of days since the most recent SIH executed.
DaysToNextSIH The number of days until the next scheduled SIH execution.
DetectedCondition Indicates whether detected condition is true and the perform action will be run.
EvalAndRepor tAppraiserBinariesFailed Indicates the EvalAndReportAppraiserBinaries event failed.
EvalAndRepor tAppraiserRegEntries Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
EvalAndRepor tAppraiserRegEntriesFailed Indicates the EvalAndReportAppraiserRegEntriesFailed event
failed.
GlobalEventCounter Client side counter that indicates ordering of events sent by the remediation system.
HResult The HRESULT for detection or perform action phases of the plugin.
IsAppraiserLatestResult The HRESULT from the appraiser task.
IsConfigurationCorrected Indicates whether the configuration of SIH task was successfully corrected.
LastHresult The HRESULT for detection or perform action phases of the plugin.
LastRun The date of the most recent SIH run.
NextRun Date of the next scheduled SIH run.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Reload True if SIH reload is required.
RemediationNoisyHammerAcLineStatus Indicates the AC Line Status of the device.
RemediationNoisyHammerAutoStar tCount The number of times hammer auto-started.
RemediationNoisyHammerCalendarTaskEnabled Event that indicates Update Assistant Calendar Task is
enabled.
RemediationNoisyHammerCalendarTaskExists Event that indicates an Update Assistant Calendar Task
exists.
RemediationNoisyHammerCalendarTaskTriggerEnabledCount Event that indicates calendar triggers are
enabled in the task.
RemediationNoisyHammerDaysSinceLastTaskRunTime The number of days since the most recent Noisy
Hammer task ran.
RemediationNoisyHammerGetCurrentSize Size in MB of the $GetCurrent folder.
RemediationNoisyHammerIsInstalled TRUE if the noisy hammer is installed.
RemediationNoisyHammerLastTaskRunResult The result of the last hammer task run.
RemediationNoisyHammerMeteredNetwork TRUE if the machine is on a metered network.
RemediationNoisyHammerTaskEnabled Indicates whether the Update Assistant Task (Noisy Hammer) is
enabled.
RemediationNoisyHammerTaskExists Indicates whether the Update Assistant Task (Noisy Hammer) exists.
RemediationNoisyHammerTaskTriggerEnabledCount Indicates whether counting is enabled for the
Update Assistant (Noisy Hammer) task trigger.
RemediationNoisyHammerUAExitCode The exit code of the Update Assistant (Noisy Hammer) task.
RemediationNoisyHammerUAExitState The code for the exit state of the Update Assistant (Noisy Hammer)
task.
RemediationNoisyHammerUserLoggedIn TRUE if there is a user logged in.
RemediationNoisyHammerUserLoggedInAdmin TRUE if there is the user currently logged in is an Admin.
RemediationShellDeviceManaged TRUE if the device is WSUS managed or Windows Updated disabled.
RemediationShellDeviceNewOS TRUE if the device has a recently installed OS.
RemediationShellDeviceSccm TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
RemediationShellDeviceZeroExhaust TRUE if the device has opted out of Windows Updates completely.
RemediationTargetMachine Indicates whether the device is a target of the specified fix.
RemediationTaskHealthAutochkProxy True/False based on the health of the AutochkProxy task.
RemediationTaskHealthChkdskProactiveScan True/False based on the health of the Check Disk task.
RemediationTaskHealthDiskCleanup_SilentCleanup True/False based on the health of the Disk Cleanup
task.
RemediationTaskHealthMaintenance_WinSAT True/False based on the health of the Health Maintenance
task.
RemediationTaskHealthSer vicing_ComponentCleanupTask True/False based on the health of the Health
Servicing Component task.
RemediationTaskHealthUSO_ScheduleScanTask True/False based on the health of the USO (Update
Session Orchestrator) Schedule task.
RemediationTaskHealthWindowsUpdate_ScheduledStar tTask True/False based on the health of the
Windows Update Scheduled Start task.
RemediationTaskHealthWindowsUpdate_SihbootTask True/False based on the health of the Sihboot task.
RemediationUHSer viceBitsSer viceEnabled Indicates whether BITS service is enabled.
RemediationUHSer viceDeviceInstallEnabled Indicates whether Device Install service is enabled.
RemediationUHSer viceDoSvcSer viceEnabled Indicates whether DO service is enabled.
RemediationUHSer viceDsmsvcEnabled Indicates whether DSMSVC service is enabled.
RemediationUHSer viceLicensemanagerEnabled Indicates whether License Manager service is enabled.
RemediationUHSer viceMpssvcEnabled Indicates whether MPSSVC service is enabled.
RemediationUHSer viceTokenBrokerEnabled Indicates whether Token Broker service is enabled.
RemediationUHSer viceTrustedInstallerSer viceEnabled Indicates whether Trusted Installer service is
enabled.
RemediationUHSer viceUsoSer viceEnabled Indicates whether USO (Update Session Orchestrator) service
is enabled.
RemediationUHSer vicew32timeSer viceEnabled Indicates whether W32 Time service is enabled.
RemediationUHSer viceWecsvcEnabled Indicates whether WECSVC service is enabled.
RemediationUHSer viceWinmgmtEnabled Indicates whether WMI service is enabled.
RemediationUHSer viceWpnSer viceEnabled Indicates whether WPN service is enabled.
RemediationUHSer viceWuauser vSer viceEnabled Indicates whether WUAUSERV service is enabled.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
RunAppraiserFailed Indicates RunAppraiser failed to run correctly.
RunTask TRUE if SIH task should be run by the plug-in.
TimeSer viceNTPSer ver The URL for the NTP time server used by device.
TimeSer viceStar tType The startup type for the NTP time service.
TimeSer viceSyncDomainJoined True if device domain joined and hence uses DC for clock.
TimeSer viceSyncType Type of sync behavior for Date & Time service on device.
Microsoft.Windows.Remediation.Completed
This event is sent when Windows Update sediment remediations have completed on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
ActionName Name of the action to be completed by the plug-in.
AppraiserTaskCreationFailed TRUE if the appraiser task creation failed to complete successfully.
AppraiserTaskDeleteFailed TRUE if deletion of appraiser task failed to complete successfully.
AppraiserTaskExistFailed TRUE if detection of the appraiser task failed to complete successfully.
AppraiserTaskLoadXmlFailed TRUE if the Appraiser XML Loader failed to complete successfully.
AppraiserTaskMissing TRUE if the Appraiser task is missing.
AppraiserTaskTimeTriggerUpdateFailedId TRUE if the Appraiser Task Time Trigger failed to update
successfully.
AppraiserTaskValidateTaskXmlFailed TRUE if the Appraiser Task XML failed to complete successfully.
CrossedDiskSpaceThreshold Indicates if cleanup resulted in hard drive usage threshold required for feature
update to be exceeded.
CV The Correlation Vector.
DateTimeDifference The difference between the local and reference clocks.
DaysSinceOsInstallation The number of days since the installation of the Operating System.
DiskMbCleaned The amount of space cleaned on the hard disk, measured in megabytes.
DiskMbFreeAfterCleanup The amount of free hard disk space after cleanup, measured in Megabytes.
DiskMbFreeBeforeCleanup The amount of free hard disk space before cleanup, measured in Megabytes.
ForcedAppraiserTaskTriggered TRUE if Appraiser task ran from the plug-in.
GlobalEventCounter Client-side counter that indicates ordering of events sent by the active user.
HandlerCleanupFreeDiskInMegabytes The amount of hard disk space cleaned by the storage sense
handlers, measured in megabytes.
HResult The result of the event execution.
LatestState The final state of the plug-in component.
PackageVersion The package version for the current Remediation.
PageFileCount The number of Windows Page files.
PageFileCurrentSize The size of the Windows Page file, measured in Megabytes.
PageFileLocation The storage location (directory path) of the Windows Page file.
PageFilePeakSize The maximum amount of hard disk space used by the Windows Page file, measured in
Megabytes.
PluginName The name of the plug-in specified for each generic plug-in event.
RanCleanup TRUE if the plug-in ran disk cleanup.
RemediationConfigurationTroubleshooterExecuted True/False based on whether the Remediation
Configuration Troubleshooter executed successfully.
RemediationConfigurationTroubleshooterIpconfigFix TRUE if IPConfig Fix completed successfully.
RemediationConfigurationTroubleshooterNetShFix TRUE if network card cache reset ran successfully.
RemediationDiskCleanSizeBtWindowsFolderInMegabytes The size of the Windows BT folder (used to
store Windows upgrade files), measured in Megabytes.
RemediationDiskCleanupBTFolderEsdSizeInMB The size of the Windows BT folder (used to store Windows
upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
RemediationDiskCleanupGetCurrentEsdSizeInMB The size of any existing ESD (Electronic Software
Delivery) folder, measured in Megabytes.
RemediationDiskCleanupSearchFileSizeInMegabytes The size of the Cleanup Search index file, measured
in Megabytes.
RemediationDiskCleanupUpdateAssistantSizeInMB The size of the Update Assistant folder, measured in
Megabytes.
RemediationDoorstopChangeSucceeded TRUE if Doorstop registry key was successfully modified.
RemediationDoorstopExists TRUE if there is a OneSettings Doorstop value.
RemediationDoorstopRegkeyError TRUE if an error occurred accessing the Doorstop registry key.
RemediationDRFKeyDeleteSucceeded TRUE if the RecoveredFrom (Doorstop) registry key was successfully
deleted.
RemediationDUABuildNumber The build number of the DUA.
RemediationDUAKeyDeleteSucceeded TRUE if the UninstallActive registry key was successfully deleted.
RemediationDuplicateTokenSucceeded TRUE if the user token was successfully duplicated.
RemediationImpersonateUserSucceeded TRUE if the user was successfully impersonated.
RemediationNoisyHammerTaskKickOffIsSuccess TRUE if the NoisyHammer task started successfully.
RemediationQuer yTokenSucceeded TRUE if the user token was successfully queried.
RemediationRanHibernation TRUE if the system entered Hibernation.
RemediationRever tToSystemSucceeded TRUE if reversion to the system context succeeded.
RemediationUpdateSer viceHealthRemediationResult The result of the Update Service Health plug-in.
RemediationUpdateTaskHealthRemediationResult The result of the Update Task Health plug-in.
RemediationUpdateTaskHealthTaskList A list of tasks fixed by the Update Task Health plug-in.
RemediationWindowsLogSpaceFound The size of the Windows log files found, measured in Megabytes.
RemediationWindowsLogSpaceFreed The amount of disk space freed by deleting the Windows log files,
measured in Megabytes.
RemediationWindowsSecondar yDriveFreeSpace The amount of free space on the secondary drive,
measured in Megabytes.
RemediationWindowsSecondar yDriveLetter The letter designation of the first secondary drive with a total
capacity of 10GB or more.
RemediationWindowsSecondar yDriveTotalSpace The total storage capacity of the secondary drive,
measured in Megabytes.
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System Disk Drive, measured
in Megabytes.
Result The HRESULT for Detection or Perform Action phases of the plug-in.
RunResult The HRESULT for Detection or Perform Action phases of the plug-in.
Ser viceHealthPlugin The nae of the Service Health plug-in.
Star tComponentCleanupTask TRUE if the Component Cleanup task started successfully.
TotalSizeofOrphanedInstallerFilesInMegabytes The size of any orphaned Windows Installer files,
measured in Megabytes.
TotalSizeofStoreCacheAfterCleanupInMegabytes The size of the Microsoft Store cache after cleanup,
measured in Megabytes.
TotalSizeofStoreCacheBeforeCleanupInMegabytes The size of the Microsoft Store cache (prior to
cleanup), measured in Megabytes.
usoScanDaysSinceLastScan The number of days since the last USO (Update Session Orchestrator) scan.
usoScanInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple
simultaneous scans.
usoScanIsAllowAutoUpdateKeyPresent TRUE if the AllowAutoUpdate registry key is set.
usoScanIsAllowAutoUpdateProviderSetKeyPresent TRUE if AllowAutoUpdateProviderSet registry key is
set.
usoScanIsAuOptionsPresent TRUE if Auto Update Options registry key is set.
usoScanIsFeatureUpdateInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to
prevent multiple simultaneous scans.
usoScanIsNetworkMetered TRUE if the device is currently connected to a metered network.
usoScanIsNoAutoUpdateKeyPresent TRUE if no Auto Update registry key is set/present.
usoScanIsUserLoggedOn TRUE if the user is logged on.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the
threshold (late).
usoScanType The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
WindowsHyberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in Megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in Megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in Megabytes.
WindowsOldSpaceCleanedInMB The amount of disk space freed by removing the Windows.OLD folder,
measured in Megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in Megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the SoftwareDistribution folder,
measured in Megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in Megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, measured in
Megabytes.
WindowsSxsTempFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) Temp folder,
measured in Megabytes.
Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
This event indicates that an unexpected error occurred during an update and provides information to help address
the issue.
The following fields are available:
CV The Correlation vector.
ErrorMessage A description of any errors encountered while the plug-in was running.
GlobalEventCounter The client-side counter that indicates ordering of events.
Hresult The result of the event execution.
PackageVersion The version number of the current remediation package.
SessionGuid GUID associated with a given execution of sediment pack.
Microsoft.Windows.Remediation.Error
This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to
help address the issue.
The following fields are available:
HResult The result of the event execution.
Message A message containing information about the error that occurred.
PackageVersion The version number of the current remediation package.
Microsoft.Windows.Remediation.FallbackError
This event indicates an error when Self Update results in a Fallback and provides information to help address the
issue.
The following fields are available:
s0 Indicates the Fallback error level. See Microsoft.Windows.Remediation.wilResult.
wilResult The result of the Windows Installer Logging. See wilResult.
Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
This event occurs when the Notify User task executes and provides information about the cause of the notification.
The following fields are available:
CV The Correlation vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
RemediationNotifyUserFixIssuesCallResult The result of calling the USO (Update Session Orchestrator)
sequence steps.
RemediationNotifyUserFixIssuesUsoDownloadCalledHr The error code from the USO (Update Session
Orchestrator) download call.
RemediationNotifyUserFixIssuesUsoInitializedHr The error code from the USO (Update Session
Orchestrator) initialize call.
RemediationNotifyUserFixIssuesUsoProxyBlanketHr The error code from the USO (Update Session
Orchestrator) proxy blanket call.
RemediationNotifyUserFixIssuesUsoSetSessionHr The error code from the USO (Update Session
Orchestrator) session call.
Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
This event provides the modification of the date on which an Automatic App Update scheduled task failed and
provides information about the failure.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
hResult The result of the event execution.
PackageVersion The version number of the current remediation package.
Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
This event identifies the remediation plug-in that returned an unexpected exception and provides information
about the exception.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
RemediationShellUnexpectedExceptionId The ID of the remediation plug-in that caused the exception.
Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
This event tracks the health of key update (Remediation) services and whether they are enabled.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
hResult The result of the event execution.
PackageVersion The version number of the current remediation package.
ser viceName The name associated with the operation.
Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
This event returns information about the upgrade upon success to help ensure Windows is up to date.
The following fields are available:
AppraiserPlugin TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
ClearAUOptionsPlugin TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys
were successfully deleted.
CV The Correlation Vector.
DatetimeSyncPlugin TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
DiskCleanupPlugin TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
GlobalEventCounter The client-side counter that indicates ordering of events.
NoisyHammerPlugin TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
PackageVersion The version number of the current remediation package.
RebootRequiredPlugin TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
RemediationNotifyUserFixIssuesPlugin TRUE / FALSE depending on whether the User Fix Issues plug-in
ran successfully
RemediationPostUpgradeDiskSpace The amount of disk space available after the upgrade.
RemediationPostUpgradeHibernationSize The size of the Hibernation file after the upgrade.
Ser viceHealthPlugin A list of services updated by the plug-in.
SIHHealthPlugin TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
StackDataResetPlugin TRUE / FALSE depending on whether the update stack completed successfully.
TaskHealthPlugin A list of tasks updated by the plug-in.
UpdateApplicabilityFixerPlugin TRUE / FALSE depending on whether the update applicability fixer plug-in
completed successfully.
WindowsUpdateEndpointPlugin TRUE / FALSE depending on whether the Windows Update Endpoint was
successful.
Microsoft.Windows.Remediation.Started
deny
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.Remediation.wilResult
This event provides Self Update information to help keep Windows up to date.
The following fields are available:
callContext A list of diagnostic activities containing this error.
currentContextId An identifier for the newest diagnostic activity containing this error.
currentContextMessage A message associated with the most recent diagnostic activity containing this error
(if any).
currentContextName Name of the most recent diagnostic activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId The identifier assigned to this failure.
failureType Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
fileName The source code file name where the error occurred.
function The name of the function where the error occurred.
hresult The failure error code.
lineNumber The Line Number within the source code file where the error occurred.
message A message associated with the failure (if any).
module The name of the binary module in which the error occurred.
originatingContextId The identifier for the oldest diagnostic activity containing this error.
originatingContextMessage A message associated with the oldest diagnostic activity containing this error (if
any).
originatingContextName The name of the oldest diagnostic activity containing this error.
threadId The identifier of the thread the error occurred on.
Sediment events
Microsoft.Windows.Sediment.Info.AppraiserData
This event provides data on the current Appraiser status of the device to help ensure Windows is up to date.
The following fields are available:
ErrorCode The value of the Return Code for the registry query.
GStatus The pre-upgrade GStatus value.
PayloadVersion The version information for the remediation component.
RegKeyName The name of the registry subkey where data was found for this event.
Time The system time at which the event began.
UpgEx The pre-upgrade UpgEx value.
Microsoft.Windows.Sediment.Info.BinaryInfo
This event provides information about the binary returned by the Operating System Remediation System Service
(OSRSS) to help ensure Windows is up to date.
The following fields are available:
Binar yPath The sanitized name of the system binary from which the data was gathered.
ErrorCode The value of the return code for querying the version from the binary.
FileVerBuild The binary’s build number.
FileVerMajor The binary’s major version number.
FileVerMinor The binary’s minor version number.
FileVerRev The binary’s revision number.
PayloadVersion The version information for the remediation component.
Time The system time at which the event began.
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
Microsoft.Windows.Sediment.Info.DownloadServiceError
This event provides information when the Download Service returns an error. The information provided helps
keep Windows up to date.
The following fields are available:
Architecture The platform architecture used to identify the correct download payload.
BuildNumber The starting build number used to identify the correct download payload.
Edition The Operating System Edition used to identify the correct download payload.
Error The description of the error encountered.
LanguageCode The system User Interface Language used to identify the correct download payload.
Stack Details about the error encountered.
WorkingDirector y The folder location (path) downloader was attempting to say the payload to.
Microsoft.Windows.Sediment.Info.DownloadServiceProgress
This event indicates the progress of the downloader in 1% increments.
The following fields are available:
Percentage The amount successfully downloaded, measured as a percentage of the whole.
Microsoft.Windows.Sediment.Info.Error
This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
ReleaseVer The version information for the component in which the error occurred.
Time The system time at which the error occurred.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
The following fields are available:
NewPhase The phase of progress made.
ReleaseVer The version information for the component in which the change occurred.
Time The system time at which the phase chance occurred.
Microsoft.Windows.Sediment.Info.ServiceInfo
This event provide information about the system service for which data is being gathered by the Operating
System Remediation System Service (OSRSS) to help ensure Windows is up to date.
The following fields are available:
ErrorCode The value returned by the error for querying the service information.
PayloadVersion The version information for the remediation component.
Ser viceName The name of the system service for which data was gathered.
Ser viceStatus The status of the specified service.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.Info.Uptime
This event provides information about how long the device has been operating. This information helps ensure
Windows is up to date.
The following fields are available:
Days The number of days the device has been on.
Hours The number of hours the device has been on.
Minutes The number of minutes the device has been on.
PayloadVersion The version information for the remediation component.
Seconds The number of seconds the machine has been on.
Ticks The number of system clock “ticks” the device has been on.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a
secure ping to Microsoft to help ensure Windows is up to date.
The following fields are available:
CustomVer The registry value for targeting.
IsMetered TRUE if the machine is on a metered network.
LastVer The version of the last successful run.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
This event provides information about the URL from which the Operating System Remediation System Service
(OSRSS) is attempting to download. This information helps ensure Windows is up to date.
The following fields are available:
AttemptNumber The count indicating which download attempt is starting.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from
the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The
information provided helps ensure future upgrade/update attempts are more successful.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the
signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the validated EXE was downloaded.
Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted
downloaded content. The information provided helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The URL from which the successfully extracted content was downloaded.
Microsoft.Windows.Sediment.OSRSS.NewUrlFound
This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL
to download from. This helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be downloaded.
Microsoft.Windows.Sediment.OSRSS.ProcessCreated
This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute
content downloaded from the indicated URL. This information helps ensure Windows is up to date.
The following fields are available:
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Url The new URL from which content will be executed.
Microsoft.Windows.Sediment.OSRSS.SelfUpdate
This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces
itself with a new version.
The following fields are available:
Ser viceVersionMajor The major version number for the component.
Ser viceVersionMinor The minor version number for the component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a
download from the URL.
The following fields are available:
Id A number identifying the URL
Ser viceVersionMajor Version info for the component
Ser viceVersionMinor Version info for the component
StateData State-specific data, such as which attempt number for the download
StateNumber A number identifying which state the URL is in (found, downloading, extracted, etc.)
Time System timestamp the event was fired
Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
This event returns data relating to the error state after one of the applicability checks for the installer component
of the Operating System Remediation System Service (OSRSS) has failed.
The following fields are available:
CheckName The name of the applicability check that failed.
InstallerVersion The version information for the installer component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update
to itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with
new binaries as part of its self-update process. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The
information provided helps ensure future upgrade/update attempts are more successful.
The following fields are available:
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
InstallerVersion The version information of the Installer component.
LineNumber The line number in the code file at which the error occurred.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information
provided helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer
Component. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an
updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an
updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to
install an updated version of itself. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UninstallerCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully uninstalled the
installed version as part of a self-update. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UninstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully started the
Uninstaller as part of a self-update. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-
update operation. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-
updater after downloading it. This information helps ensure Windows is up to date.
The following fields are available:
InstallerVersion The version information of the Installer component.
Time The system time at which the event occurred.
Microsoft.Windows.SedimentLauncher.Applicable
This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Boolean true if detect condition is true and perform action will be run.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings True if self update enabled in Settings.
IsSelfUpdateNeeded True if self update needed by device.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.Completed
This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons Concatenated list of failure reasons.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedLauncherExecutionResult HRESULT for one execution of the Sediment Launcher.
Microsoft.Windows.SedimentLauncher.Error
This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure
future upgrade/update attempts are more successful.
The following fields are available:
HResult The result for the Detection or Perform Action phases of the plug-in.
Message A message containing information about the error that occurred (if any).
PackageVersion The version number of the current remediation package.
Microsoft.Windows.SedimentLauncher.FallbackError
This event indicates that an error occurred during execution of the plug-in fallback.
The following fields are available:
s0 Error occurred during execution of the plugin fallback. See Microsoft.Windows.SedimentLauncher.wilResult.
Microsoft.Windows.SedimentLauncher.Information
This event provides general information returned from the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Information message returned from a plugin containing only information internal to the plugins
execution.
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentLauncher.Started
This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentLauncher.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
callContext List of telemetry activities containing this error.
currentContextId Identifier for the newest telemetry activity containing this error.
currentContextMessage Custom message associated with the newest telemetry activity containing this error
(if any).
currentContextName Name of the newest telemetry activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId Identifier assigned to this failure.
failureType Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
fileName Source code file name where the error occurred.
function Name of the function where the error occurred.
hresult Failure error code.
lineNumber Line number within the source code file where the error occurred.
message Custom message associated with the failure (if any).
module Name of the binary where the error occurred.
originatingContextId Identifier for the oldest telemetry activity containing this error.
originatingContextMessage Custom message associated with the oldest telemetry activity containing this
error (if any).
originatingContextName Name of the oldest telemetry activity containing this error.
threadId Identifier of the thread the error occurred on.
Microsoft.Windows.SedimentService.Applicable
This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
DetectedCondition Determine whether action needs to run based on device properties.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
IsSelfUpdateEnabledInOneSettings Indicates if self update is enabled in One Settings.
IsSelfUpdateNeeded Indicates if self update is needed.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin.
Result This is the HRESULT for detection or perform action phases of the plugin.
Microsoft.Windows.SedimentService.Completed
This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV Correlation vector.
FailedReasons List of reasons when the plugin action failed.
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
PackageVersion Current package version of Remediation.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for detection or perform action phases of the plugin.
SedimentSer viceCheckTaskFunctional True/False if scheduled task check succeeded.
SedimentSer viceCurrentBytes Number of current private bytes of memory consumed by sedsvc.exe.
SedimentSer viceKillSer vice True/False if service is marked for kill (Shell.KillService).
SedimentSer viceMaximumBytes Maximum bytes allowed for the service.
SedimentSer viceRetrievedKillSer vice True/False if result of One Settings check for kill succeeded - we only
send back one of these indicators (not for each call).
SedimentSer viceStopping True/False indicating whether the service is stopping.
SedimentSer viceTaskFunctional True/False if scheduled task is functional. If task is not functional this
indicates plugins will be run.
SedimentSer viceTotalIterations Number of 5 second iterations service will wait before running again.
Microsoft.Windows.SedimentService.Error
This event indicates whether an error condition occurred in the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Custom message associated with the failure (if any).
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentService.FallbackError
This event indicates whether an error occurred for a fallback in the plug-in.
The following fields are available:
s0 Event returned when an error occurs for a fallback in the plugin. See
Microsoft.Windows.SedimentService.wilResult.
Microsoft.Windows.SedimentService.Information
This event provides general information returned from the plug-in.
The following fields are available:
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Custom message associated with the failure (if any).
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentService.Started
This event is sent when the Windows Update sediment remediations service starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
The following fields are available:
CV The Correlation Vector.
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
Microsoft.Windows.SedimentService.wilResult
This event provides the result from the Windows internal library.
The following fields are available:
callContext List of telemetry activities containing this error.
currentContextId Identifier for the newest telemetry activity containing this error.
currentContextMessage Custom message associated with the newest telemetry activity containing this error
(if any).
currentContextName Name of the newest telemetry activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId Identifier assigned to this failure.
failureType Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
fileName Source code file name where the error occurred.
function Name of the function where the error occurred.
hresult Failure error code.
lineNumber Line number within the source code file where the error occurred.
message Custom message associated with the failure (if any).
module Name of the binary where the error occurred.
originatingContextId Identifier for the oldest telemetry activity containing this error.
originatingContextMessage Custom message associated with the oldest telemetry activity containing this
error (if any).
originatingContextName Name of the oldest telemetry activity containing this error.
threadId Identifier of the thread the error occurred on.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
The following fields are available:
ActivityId Provides a unique Id to correlate events that occur between a activity start event, and a stop event
ActivityName Provides a friendly name of the package type that belongs to the ActivityId (Setup,
LanguagePack, GDR, Driver, etc.)
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information,
Disk Space Information etc.
value Value associated with the corresponding event name. For example, time-related events will include the
system time
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
The following fields are available:
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
The following fields are available:
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information,
Disk Space Information etc.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
Shared PC events
Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account
Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space
to improve Windows Update success rates.
The following fields are available:
accountType The type of account that was deleted. Example: AD, AAD, or Local
userSid The security identifier of the account.
wilActivity Windows Error Reporting data collected when there is a failure in deleting a user account with the
Transient Account Manager. See wilActivity.
Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for
devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared
devices frees up disk space to improve Windows Update success rates
The following fields are available:
evaluationTrigger When was the Transient Account Manager policies ran? Example: At log off or during
maintenance hours
totalAccountCount The number of accounts on a device after running the Transient Account Manager
policies.
wilActivity Windows Error Reporting data collected when there is a failure in evaluating accounts to be
deleted with the Transient Account Manager. See wilActivity.
wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The function where the failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
wilResult
This event provides a Windows Internal Library context used for Product and Service diagnostics.
The following fields are available:
callContext The call context stack where failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
SIH events
SIHEngineTelemetry.EvalApplicability
This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes
important information like if the update required a reboot.
SIHEngineTelemetry.PostRebootReport
This event reports the status of an action following a reboot, should one have been required.
Update events
Update360Telemetry.UpdateAgent_DownloadRequest
This event sends data during the download request phase of updating Windows.
The following fields are available:
DeletedCorruptFiles Indicates if UpdateAgent found any corrupt payload files and whether the payload was
deleted.
ErrorCode The error code returned for the current download request phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
PackageCountOptional Number of optional packages requested.
PackageCountRequired Number of required packages requested.
PackageCountTotal Total number of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageSizeCanonical Size of canonical packages in bytes
PackageSizeDiff Size of diff packages in bytes
PackageSizeExpress Size of express packages in bytes
RangeRequestState Represents the state of the download range request.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Result of the download request phase of update.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical”
during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
The following fields are available:
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
PackageCount The number of packages that fell back to “canonical”.
PackageList PackageIDs which fell back to “canonical”.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current initialize phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionData Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
SessionId Unique value for each Update Agent mode attempt .
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_Install
This event sends data during the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest scan.
Result Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_Merge
This event sends data on the merge phase when updating Windows.
The following fields are available:
ErrorCode The error code returned for the current reboot.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4
= Commit
ObjectId Unique value for each Update Agent mode.
RelatedCV The correlation vector value generated from the latest scan.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgent_SetupBoxLaunch
This event sends data during the launching of the setup box when updating Windows.
The following fields are available:
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode. 0 = false 1 = true
RelatedCV Correlation vector value generated from the latest scan.
SandboxSize The size of the sandbox folder on the device.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
SetupMode Setup mode 1 = predownload, 2 = install, 3 = finalize
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
The following fields are available:
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
FlightId Unique ID for each flight.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCountOptional # of optional packages requested.
PackageCountRequired # of required packages requested.
PackageCountTotal Total # of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
RangeRequestState Indicates the range request type used.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the download request phase of update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
The following fields are available:
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
FlightMetadata Contains the FlightId and the build being flighted.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
The following fields are available:
ErrorCode The error code returned for the current install phase.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
ObjectId Correlation vector value generated from the latest USO scan.
RelatedCV Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
The following fields are available:
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
ObjectId Unique value for each Update Agent mode.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
SessionId Unique value for each update attempt.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
The following fields are available:
FlightId Unique ID for each flight.
Mode Indicates the mode that has started.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
The following fields are available:
ContainsExpressPackage Indicates whether the download package is express.
FlightId Unique ID for each flight.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
ObjectId Unique value for each Update Agent mode.
Quiet Indicates whether setup is running in quiet mode.
RelatedCV Correlation vector value generated from the latest USO scan.
SandboxSize Size of the sandbox.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
SetupMode Mode of setup to be launched.
UpdateId Unique ID for each Update.
UserSession Indicates whether install was invoked by user actions.
Upgrade events
FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to
help keep Windows up to date and secure.
FacilitatorTelemetry.DUDownload
This event returns data about the download of supplemental packages critical to upgrading a device to the next
version of Windows.
FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep
Windows up to date and secure.
The following fields are available:
ClientId If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the downlevel OS.
HostOsSkuName The operating system edition which is running Setup360 instance (downlevel OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is
the GUID for the install.wim.
Setup360Extended More detailed information about phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
Setup360Result The result of Setup360 (HRESULT used to diagnose errors).
Setup360Scenario The Setup360 flow type (for example, Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId An ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
Setup360Telemetry.Finalize
This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep
Windows up-to-date and secure.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended More detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.OsUninstall
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.
Specifically, it indicates the outcome of an OS uninstall.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase or action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PostRebootInstall
This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help
keep Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup,
the default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Extension of result - more granular information about phase/action when the potential
failure happened
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
Setup360Result The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
Setup360Telemetry.PreDownloadQuiet
This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous operating system).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
Setup360Telemetry.PreDownloadUX
This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS,
to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion
of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous operating system.
HostOsSkuName The OS edition which is running the Setup360 instance (previous operating system).
InstanceId Unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId Windows Update client ID.
Setup360Telemetry.PreInstallQuiet
This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep
Windows up-to-date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario Setup360 flow type (Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.PreInstallUX
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help
keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
The following fields are available:
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type, Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId Windows Update client ID.
Setup360Telemetry.Setup360
This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
The following fields are available:
ClientId Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
FieldName Retrieves the data point.
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Repor tId Retrieves the report ID.
ScenarioId Retrieves the deployment scenario.
Value Retrieves the value associated with the corresponding FieldName.
Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system
upgrade, to help keep Windows up-to-date.
Setup360Telemetry.Setup360MitigationResult
This event sends data indicating the result of each setup mitigation.
Setup360Telemetry.Setup360MitigationSummary
This event sends a summary of all the setup mitigations available for this update.
Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help
keep Windows up to date.
The following fields are available:
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
The following fields are available:
ActivationUri Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
AppId The Xbox LIVE Title ID.
AppUserModelId The AUMID (Application User Model ID) of the app to activate.
Result The HResult error.
UserId The Xbox LIVE User ID (XUID).
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
The following fields are available:
AppActionId The ID of the application action.
AppCurrentVisibilityState The ID of the current application visibility state.
AppId The Xbox LIVE Title ID of the app.
AppPackageFullName The full name of the application package.
AppPreviousVisibilityState The ID of the previous application visibility state.
AppSessionId The application session ID.
AppType The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
BCACode The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
DurationMs The amount of time (in milliseconds) since the last application state transition.
IsTrialLicense This boolean value is TRUE if the application is on a trial license.
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 -
Offline, 4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner
of the license.
ProductGuid The Xbox product GUID (Globally-Unique ID) of the application.
UserId The XUID (Xbox User ID) of the current user.
Windows 10 diagnostic data events and fields
collected through the limit enhanced diagnostic data
policy
12/3/2019 • 17 minutes to read • Edit Online
Applies to
Windows 10, version 1709 and newer
IMPORTANT
The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. Update
Compliance will continue to be supported. For more information, see Windows Analytics retirement on January 31, 2020.
Desktop Analytics reports are powered by diagnostic data not included in the Basic level.
In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum
required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events
included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited
crash reports, which are not described below. For more information on the Enhanced level, see Configure Windows
diagnostic data in your organization.
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will
not include Office related diagnostic data.
KernelProcess.AppStateChangeSummary
This event summarizes application usage and performance characteristics to help Microsoft improve performance
and reliability. Organizations can use this event with Desktop Analytics to gain insights into application reliability.
The following fields are available:
CommitChargeAtExit_Sum: Total memory commit charge for a process when it exits
CommitChargePeakAtExit_Sum : Total peak memory commit charge for a process when it exits
ContainerId: Server Silo Container ID
CrashCount: Number of crashes for a process instance
CycleCountAtExit_Sum: Total processor cycles for a process when it exited
ExtraInfoFlags: Flags indicating internal states of the logging
GhostCount_Sum: Total number of instances where the application stopped responding
HandleCountAtExit_Sum: Total handle count for a process when it exits
HangCount_Max: Maximum number of hangs detected
HangCount_Sum: Total number of application hangs detected
HardFaultCountAtExit_Sum: Total number of hard page faults detected for a process when it exits
Hear tbeatCount: Heartbeats logged for this summary
Hear tbeatSuspendedCount: Heartbeats logged for this summary where the process was suspended
LaunchCount: Number of process instances started
LicenseType: Reserved for future use
ProcessDurationMS_Sum: Total duration of wall clock process instances
ReadCountAtExit_Sum: Total IO reads for a process when it exited
ReadSizeInKBAtExit_Sum: Total IO read size for a process when it exited
ResumeCount: Number of times a process instance has resumed
RunningDurationMS_Sum: Total uptime
SuspendCount: Number of times a process instance was suspended
TargetAppId: Application identifier
TargetAppType: Application type
TargetAppVer : Application version
TerminateCount: Number of times a process terminated
WriteCountAtExit_Sum: Total number of IO writes for a process when it exited
WriteSizeInKBAtExit_Sum: Total size of IO writes for a process when it exited
Microsoft.Office.TelemetryEngine.IsPreLaunch
Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time
post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session
is launch session or not.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
SessionID: ID of the session
Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
This event sends basic information upon the start of a new Office session. This is used to count the number of
unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running
on a device or not. In addition, it serves as a critical signal for overall application reliability.
AppSessionGuid: ID of the session which maps to the process of the application
processSessionId: ID of the session which maps to the process of the application
Microsoft.Office.TelemetryEngine.SessionHandOff
Applicable to Win32 Office applications. This event helps us understand whether there was a new session created
to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal
and ensure that the application is working as expected.
appVersionBuild: Third part Build version of the application ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
childSessionID: Id of the session that was created to handle the user initiated file open
parentSessionId: ID of the session that was already running
Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry
pipeline to check correctness and completeness of data.
abConfigs: List of features enabled for this session
abFlights: List of features enabled for this session
AppSessionGuid: ID of the session
appVersionBuild: Third part Build version of the application ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRevision: Fourth part of the version ..*.XXXXX
audienceGroup: Is this part of the insiders or production
audienceId: ID of the audience setting
channel: Are you part of Semi annual channel or Semi annual channel-Targeted?
deviceClass: Is this a desktop or a mobile?
impressionId: What features were available to you in this session
languageTag: Language of the app
officeUserID: A unique identifier tied to the office installation on a particular device.
osArchitecture: Is the machine 32 bit or 64 bit?
osEnvironment: Is this a win32 app or a UWP app?
osVersionString: Version of the OS
sessionID: ID of the session
Microsoft.Office.ClickToRun.UpdateStatus
Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite
(Success or failure with error details).
build: App version
channel: Is this part of SAC or SAC-T?
errorCode: What error occurred during the upgrade process?
errorMessage: what was the error message during the upgrade process?
status: Was the upgrade successful or not?
targetBuild: What app version were we trying to upgrade to?
Microsoft.Office.TelemetryEngine.FirstIdle
This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for
understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.FirstProcessed
This event is fired when the telemetry engine within an office application has processed the rules or the list of
events that we need to collect. Used for understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.FirstRuleRequest
This event is fired when the telemetry engine within an office application has received the first rule or list of events
that need to be sent by the app. Used for understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.Init
This event is fired when the telemetry engine within an office application has been initialized or not. Used for
understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.Resume
This event is fired when the application resumes from sleep state. Used for understanding whether there are issues
in the application life-cycle.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
maxSequenceIdSeen: How many events from this session have seen so far?
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.RuleRequestFailed
This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the
list of telemetry events. Used for understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the
list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.ShutdownComplete
This event is fired when the telemetry engine within an office application has processed the rules or the list of
events that we need to collect. Useful for understanding whether a particular crash is happening during an app-
shutdown, and could potentially lead in data loss or not.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
maxSequenceIdSeen: How many events from this session have seen so far?
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.ShutdownStart
This event is fired when the telemetry engine within an office application been uninitialized, and the application is
shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and
could potentially lead in data loss or not.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
SessionID: ID of the session
Microsoft.Office.TelemetryEngine.SuspendComplete
This event is fired when the telemetry engine within an office application has processed the rules or the list of
events that we need to collect. Used for understanding whether there are issues in telemetry.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
maxSequenceIdSeen: How many events from this session have seen so far?
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
SessionID: ID of the session
SuspendType: Type of suspend
Microsoft.Office.TelemetryEngine.SuspendStart
This event is fired when the office application suspends as per app life-cycle change. Used for understanding
whether there are issues in the application life-cycle.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
maxSequenceIdSeen: How many events from this session have seen so far?
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
SessionID: ID of the session
SuspendType: Type of suspend
Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to
improve logon reliability. Using this event with Desktop Analytics can help organizations monitor and improve
logon success for different methods (for example, biometric) on managed devices.
The following fields are available:
CredTileProviderId: ID of the Credential Provider
IsConnectedUser : Flag indicating whether a user is connected or not
IsPL APTile: Flag indicating whether this credential tile is a pre-logon access provider or not
IsRemoteSession: Flag indicating whether the session is remote or not
IsV2CredProv: Flag indicating whether the credential provider of V2 or not
OpitonalStatusText: Status text
ProcessImage: Image path to the process
ProviderId: Credential provider ID
ProviderStatusIcon: Indicates which status icon should be displayed
ReturnCode: Output of the ReportResult function
SessionId: Session identifier
Sign-in error status: The sign-in error status
SubStatus: Sign-in error sub-status
UserTag: Count of the number of times a user has selected a provider
Microsoft.Windows.Kernel.Power.OSStateChange
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event
with Desktop Analytics, organizations can use this to monitor reliability and performance of managed devices
The following fields are available:
AcPowerOnline: If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions: The number of transitions between operating system states since the last system boot
Batter yCapacity: Maximum battery capacity in mWh
Batter yCharge: Current battery charge as a percentage of total capacity
Batter yDischarging: Flag indicating whether the battery is discharging or charging
BootId: Total boot count since the operating system was installed
BootTimeUTC: Date and time of a particular boot event (identified by BootId)
EnergyChangeV2: A snapshot value in mWh reflecting a change in power usage
EnergyChangeV2Flags: Flags for disambiguating EnergyChangeV2 context
EventSequence: A sequential number used to evaluate the completeness of the data
LastStateTransition: ID of the last operating system state transition
LastStateTransitionSub: ID of the last operating system sub-state transition
StateDurationMS: Number of milliseconds spent in the last operating system state
StateTransition: ID of the operating system state the system is transitioning to
StateTransitionSub: ID of the operating system sub-state the system is transitioning to
TotalDurationMS: Total time (in milliseconds) spent in all states since the last boot
TotalUptimeMS: Total time (in milliseconds) the device was in Up or Running states since the last boot
TransitionsToOn: Number of transitions to the Powered On state since the last boot
UptimeDeltaMS: Total time (in milliseconds) added to Uptime since the last event
Microsoft.Windows.LogonController.LogonAndUnlockSubmit
Sends details of the user attempting to sign into or unlock the device.
The following fields are available:
isSystemManagedAccount: Indicates if the user's account is System Managed
isUnlockScenario: Flag indicating whether the event is a Logon or an Unlock
userType: Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft
Account; 4 = Azure Active Directory user
Microsoft.Windows.LogonController.SignInFailure
Sends details about any error codes detected during a failed sign-in.
The following fields are available:
ntsStatus: The NTSTATUS error code status returned from an attempted sign-in
ntsSubstatus: The NTSTATUS error code sub-status returned from an attempted sign-in
Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCaptur
e
Indicates that a biometric capture was compared to known templates
The following fields are available:
captureDetail: Result of biometric capture, either matched to an enrollment or an error
captureSuccessful: Indicates whether a biometric capture was successfully matched or not
hardwareId: ID of the sensor that collected the biometric capture
isSecureSensor : Flag indicating whether a biometric sensor was in enhanced security mode
isTrustletRunning: Indicates whether an enhanced security component is currently running
isVsmCfg: Flag indicating whether virtual secure mode is configured or not
Microsoft.Windows.Security.Winlogon.SystemBootStop
System boot has completed.
The following field is available:
ticksSinceBoot: Duration of boot event (milliseconds)
Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this
event with Desktop Analytics organizations can help identify logon problems on managed devices.
The following fields are available:
isAadUser : Indicates whether the current logon is for an Azure Active Directory account
isDomainUser : Indicates whether the current logon is for a domain account
isMSA: Indicates whether the current logon is for a Microsoft Account
logonOptimizationFlags: Flags indicating optimization settings for this logon session
logonTypeFlags: Flags indicating logon type (first logon vs. a later logon)
systemManufacturer : Device manufacturer
systemProductName: Device product name
wilActivity: Indicates errors in the task to help Microsoft improve reliability.
Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve
reliability.
The following fields are available:
isStar tWaitTask : Flag indicating whether the task starts a background task
isWaitMethod: Flag indicating the task is waiting on a background task
logonTask : Indicates which logon step is currently occurring
wilActivity: Indicates errors in the task to help Microsoft improve reliability.
Microsoft.Windows.Shell.Explorer.DesktopReady
Initialization of Explorer is complete.
Microsoft-Windows-Security-EFS-EDPAudit-
ApplicationLearning.EdpAuditLogApplicationLearning
For a device subject to Windows Information Protection policy, learning events are generated when an app
encounters a policy boundary (for example, trying to open a work document from a personal app). These events
help the WIP administrator tune policy rules and prevent unnecessary user disruption.
The following fields are available:
actiontype: Indicates what type of resource access the app was attempting (for example, opening a local
document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information
Protection administrators to tune policy rules.
appIdType: Based on the type of application, this indicates what type of app rule a Windows Information
Protection administrator would need to create for this app.
appname: App that triggered the event
status: Indicates whether errors occurred during WIP learning events
Win32kTraceLogging.AppInteractivitySummary
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility
and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application
reliability on managed devices.
The following fields are available:
AggregationDurationMS: Actual duration of aggregation period (in milliseconds)
AggregationFlags: Flags denoting aggregation settings
AggregationPeriodMS: Intended duration of aggregation period (in milliseconds)
AggregationStar tTime: Start date and time of AppInteractivity aggregation
AppId: Application ID for usage
AppSessionId: GUID identifying the application's usage session
AppVersion: Version of the application that produced this event
AudioInMS: Audio capture duration (in milliseconds)
AudioOutMS: Audio playback duration (in milliseconds)
BackgroundMouseSec: Indicates that there was a mouse hover event while the app was in the background
BitPeriodMS: Length of the period represented by InFocusBitmap
CommandLineHash: A hash of the command line
CompositionDir tyGeneratedSec: Represents the amount of time (in seconds) during which the active app
reported that it had an update
CompositionDir tyPropagatedSec: Total time (in seconds) that a separate process with visuals hosted in an
app signaled updates
CompositionRenderedSec: Time (in seconds) that an app's contents were rendered
EventSequence: [need more info]
FocusLostCount: Number of times that an app lost focus during the aggregation period
GameInputSec: Time (in seconds) there was user input using a game controller
HidInputSec: Time (in seconds) there was user input using devices other than a game controller
InFocusBitmap: Series of bits representing application having and losing focus
InFocusDurationMS: Total time (in milliseconds) the application had focus
InputSec: Total number of seconds during which there was any user input
InteractiveTimeoutPeriodMS: Total time (in milliseconds) that inactivity expired interactivity sessions
KeyboardInputSec: Total number of seconds during which there was keyboard input
MonitorFlags: Flags indicating app use of individual monitor(s)
MonitorHeight: Number of vertical pixels in the application host monitor resolution
MonitorWidth: Number of horizontal pixels in the application host monitor resolution
MouseInputSec: Total number of seconds during which there was mouse input
NewProcessCount: Number of new processes contributing to the aggregate
Par tATransform_AppSessionGuidToUserSid: Flag which influences how other parts of the event are
constructed
PenInputSec: Total number of seconds during which there was pen input
SpeechRecognitionSec: Total number of seconds of speech recognition
Summar yRound: Incrementing number indicating the round (batch) being summarized
TargetAsId: Flag which influences how other parts of the event are constructed
TotalUserOrDisplayActiveDurationMS: Total time the user or the display was active (in milliseconds)
TouchInputSec: Total number of seconds during which there was touch input
UserActiveDurationMS: Total time that the user was active including all input methods
UserActiveTransitionCount: Number of transitions in and out of user activity
UserOrDisplayActiveDurationMS: Total time the user was using the display
ViewFlags: Flags denoting properties of an app view (for example, special VR view or not)
WindowFlags: Flags denoting runtime properties of an app window
WindowHeight: Number of vertical pixels in the application window
WindowWidth: Number of horizontal pixels in the application window
Revisions
PartA_UserSid removed
A previous revision of this list stated that a field named PartA_UserSid was a member of the event
Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to
reflect that no such field is present in the event.
Office events added
In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with KB 4462932 and KB 4462933
respectively), 16 events were added, describing Office app launch and availability. These events were added to
improve the precision of Office data in Windows Analytics.
NOTE
Office data will no longer be provided through this policy in Desktop Analytics.
NOTE
You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic.
Windows 10, version 1709 and newer diagnostic data
for the Full level
12/5/2019 • 26 minutes to read • Edit Online
Applies to:
Windows 10, version 1909
Windows 10, version 1903
Windows 10, version 1809
Windows 10, version 1803
Windows 10, version 1709
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and
make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you
personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This
article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at
Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions
of Basic data items, see Windows 10, version 1903 Basic level diagnostic events and fields.
In addition, this article provides references to equivalent definitions for the data types and examples from ISO/IEC
19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories
and data use. Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the
device, using the terms as defined by the standard. These Data Use statements define the purposes for which
Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end
of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about
the information collected, and allows easy comparison with other services or guidance that also references the
standard.
The data covered in this article is grouped into the following types:
Common data extensions (diagnostic header information)
Device, Connectivity, and Configuration data
Product and Service Usage data
Product and Service Performance data
Software Setup and Inventory data
Browsing History data
Inking, Typing, and Speech Utterance data
NOTE
This isn't intended to capture user viewing, listening, or habits.
Video Width, height, color palette, encoding (compression) type, and encryption type
Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks
that must be pieced together to stream the content based on screen resolution and bandwidth
URL for a specific two-second chunk of content if there is an error
Full-screen viewing mode details
Music & TV sub-type: Information about music and TV consumption on the device
NOTE
This isn't intended to capture user viewing, listening, or habits.
Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate
restoration of service
Content type (video, audio, or surround audio)
Local media library collection statistics -- number of purchased tracks and number of playlists
Region mismatch -- User's operating system region and Xbox Live region
Reading sub-type: Information about reading consumption functionality on the device
NOTE
This isn't intended to capture user viewing, listening, or habits.
App accessing content and status and options used to open a Microsoft Store book
Language of the book
Time spent reading content
Content type and size details
Photos app sub-type: Information about photos usage on the device
NOTE
This isn't intended to capture user viewing, listening, or habits.
File source data -- local, SD card, network device, and OneDrive
Image and video resolution, video length, file sizes types, and encoding
Collection view or full screen viewer use and duration of view
On-device file quer y sub-type: Information about local search activity on the device
Kind of query issued and index type (ConstraintIndex or SystemIndex)
Number of items requested and retrieved
File extension of search result with which the user interacted
Launched item type, file extension, index of origin, and the App ID of the opening app
Name of process calling the indexer and the amount of time to service the query
A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized,
partially optimized, or being built)
Entitlements sub-type: Information about entitlements on the device
Service subscription status and errors
DRM and license rights details -- Groove subscription or operating system volume license
Entitlement ID, lease ID, and package ID of the install package
Entitlement revocation
License type (trial, offline versus online) and duration
License usage session
Applies to:
Windows 10, version 1703
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also
helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more
relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types
diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with
comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic
data items, see Windows 10, version 1709 Basic level diagnostic events and fields and Windows 10, version 1703
Basic level diagnostic events and fields.
The data covered in this article is grouped into the following categories:
Common Data (diagnostic header information)
Device, Connectivity, and Configuration data
Product and Service Usage data
Product and Service Performance data
Software Setup and Inventory data
Browsing History data
Inking, Typing, and Speech Utterance data
NOTE
The majority of diagnostic data falls into the first four categories.
Common data
Most diagnostic events contain a header of common data:
C AT EGO RY N A M E EXA M P L ES
C AT EGO RY N A M E EXA M P L ES
C AT EGO RY N A M E EXA M P L ES
Device properties Information about the OS and device hardware, such as:
OS - version name, Edition
Installation type, subscription status, and genuine OS
status
Processor architecture, speed, number of cores,
manufacturer, and model
OEM details --manufacturer, model, and serial number
Device identifier and Xbox serial number
Firmware/BIOS -- type, manufacturer, model, and
version
Memory -- total memory, video memory, speed, and
how much memory is available after the device has
reserved memory
Storage -- total capacity and disk type
Battery -- charge capacity and InstantOn support
Hardware chassis type, color, and form factor
Is this a virtual machine?
C AT EGO RY N A M E EXA M P L ES
Device capabilities Information about the specific device capabilities such as:
Camera -- whether the device has a front facing, a rear
facing camera, or both.
Touch screen -- does the device include a touch
screen? If so, how many hardware touch points are
supported?
Processor capabilities -- CompareExchange128,
LahfSahf, NX, PrefetchW, and SSE2
Trusted Platform Module (TPM) – whether present and
what version
Virtualization hardware -- whether an IOMMU is
present, SLAT support, is virtualization enabled in the
firmware
Voice – whether voice interaction is supported and the
number of active microphones
Number of displays, resolutions, DPI
Wireless capabilities
OEM or platform face detection
OEM or platform video stabilization and quality level
set
Advanced Camera Capture mode (HDR vs. LowLight),
OEM vs. platform implementation, HDR probability,
and Low Light probability
Device preferences and settings Information about the device settings and user preferences
such as:
User Settings – System, Device, Network & Internet,
Personalization, Cortana, Apps, Accounts, Time &
Language, Gaming, Ease of Access, Privacy, Update &
Security
User-provided device name
Whether device is domain-joined, or cloud-domain
joined (i.e. part of a company-managed network)
Hashed representation of the domain name
MDM (mobile device management) enrollment settings
and status
BitLocker, Secure Boot, encryption settings, and status
Windows Update settings and status
Developer Unlock settings and status
Default app choices
Default browser choice
Default language settings for app, input, keyboard,
speech, and display
App store update settings
Enterprise OrganizationID, Commercial ID
Device network info Information about the device network configuration such as:
Network system capabilities
Local or Internet connectivity status
Proxy, gateway, DHCP, DNS details and addresses
Paid or free network
Wireless driver is emulated or not
Access point mode capable
Access point manufacturer, model, and MAC address
WDI Version
Name of networking driver service
Wi-Fi Direct details
Wi-Fi device hardware ID and manufacturer
Wi-Fi scan attempt counts and item counts
Mac randomization is supported/enabled or not
Number of spatial streams and channel frequencies
supported
Manual or Auto Connect enabled
Time and result of each connection attempt
Airplane mode status and attempts
Interface description provided by the manufacturer
Data transfer rates
Cipher algorithm
Mobile Equipment ID (IMEI) and Mobile Country Code
(MCCO)
Mobile operator and service provider name
Available SSIDs and BSSIDs
IP Address type -- IPv4 or IPv6
Signal Quality percentage and changes
Hotspot presence detection and success rate
TCP connection performance
Miracast device names
Hashed IP address
C AT EGO RY N A M E EXA M P L ES
C AT EGO RY N A M E EXA M P L ES
App usage Information about Windows and application usage such as:
OS component and app feature usage
User navigation and interaction with app and Windows
features. This could potentially include user input, such
as name of a new alarm set, user menu choices, or user
favorites.
Time of and count of app/component launches,
duration of use, session GUID, and process ID
App time in various states – running foreground or
background, sleeping, or receiving active user
interaction
User interaction method and duration – whether and
length of time user used the keyboard, mouse, pen,
touch, speech, or game controller
Cortana launch entry point/reason
Notification delivery requests and status
Apps used to edit images and videos
SMS, MMS, VCard, and broadcast message usage
statistics on primary or secondary line
Incoming and Outgoing calls and Voicemail usage
statistics on primary or secondary line
Emergency alerts are received or displayed statistics
Content searches within an app
Reading activity -- bookmarking used, print used,
layout changed
App or product state Information about Windows and application state such as:
Start Menu and Taskbar pins
Online/Offline status
App launch state –- with deep-link such as Groove
launched with an audio track to play, or share contract
such as MMS launched to share a picture.
Personalization impressions delivered
Whether the user clicked or hovered on UI controls or
hotspots
User feedback Like or Dislike or rating was provided
Caret location or position within documents and media
files -- how much of a book has been read in a single
session or how much of a song has been listened to.
Device health and crash data Information about the device and software health such as:
Error codes and error messages, name and ID of the
app, and process reporting the error
DLL library predicted to be the source of the error --
xyz.dll
System generated files -- app or product logs and
trace files to help diagnose a crash or hang
System settings such as registry keys
User generated files – .doc, .ppt, .csv files where they
are indicated as a potential cause for a crash or hang
Details and counts of abnormal shutdowns, hangs, and
crashes
Crash failure data – OS, OS component, driver, device,
1st and 3rd party app data
Crash and Hang dumps
The recorded state of the working memory at
the point of the crash.
Memory in use by the kernel at the point of the
crash.
Memory in use by the application at the point
of the crash.
All the physical memory used by Windows at
the point of the crash.
Class and function name within the module
that failed.
C AT EGO RY N A M E DESC RIP T IO N A N D EXA M P L ES
Device performance and reliability data Information about the device and software performance such
as:
User Interface interaction durations -- Start Menu
display times, browser tab switch times, app launch
and switch times, and Cortana and search performance
and reliability.
Device on/off performance -- Device boot, shutdown,
power on/off, lock/unlock times, and user
authentication times (fingerprint and face recognition
durations).
In-app responsiveness -- time to set alarm, time to
fully render in-app navigation menus, time to sync
reading list, time to start GPS navigation, time to
attach picture MMS, and time to complete a Microsoft
Store transaction.
User input responsiveness – onscreen keyboard
invocation times for different languages, time to show
auto-complete words, pen or touch latencies, latency
for handwriting recognition to words, Narrator screen
reader responsiveness, and CPU score.
UI and media performance and glitches/smoothness --
video playback frame rate, audio glitches, animation
glitches (stutter when bringing up Start), graphics
score, time to first frame, play/pause/stop/seek
responsiveness, time to render PDF, dynamic streaming
of video from OneDrive performance
Disk footprint -- Free disk space, out of memory
conditions, and disk score.
Excessive resource utilization – components impacting
performance or battery life through high CPU usage
during different screen and power states
Background task performance -- download times,
Windows Update scan duration, Windows Defender
Antivirus scan times, disk defrag times, mail fetch
times, service startup and state transition times, and
time to index on-device files for search results
Peripheral and devices -- USB device connection times,
time to connect to a wireless display, printing times,
network availability and connection times (time to
connect to Wi-Fi, time to get an IP address from DHCP
etc.), smart card authentication times, automatic
brightness environmental response times
Device setup -- first setup experience times (time to
install updates, install apps, connect to network etc.),
time to recognize connected devices (printer and
monitor), and time to setup Microsoft Account.
Power and Battery life – power draw by component
(Process/CPU/GPU/Display), hours of screen off time,
sleep state transition details, temperature and thermal
throttling, battery drain in a power state (screen off or
screen on), processes and components requesting
power use during screen off, auto-brightness details,
time device is plugged into AC vs. battery, battery
state transitions
Service responsiveness - Service URI, operation,
latency, service success/error codes, and protocol.
Diagnostic heartbeat – regular signal to validate the
health of the diagnostics system
C AT EGO RY N A M E DESC RIP T IO N A N D EXA M P L ES
Photos App Information about photos usage on the device. This isn't
intended to capture user viewing, listening or habits.
File source data -- local, SD card, network device, and
OneDrive
Image & video resolution, video length, file sizes types
and encoding
Collection view or full screen viewer use and duration
of view
C AT EGO RY N A M E DESC RIP T IO N A N D EXA M P L ES
On-device file query Information about local search activity on the device such as:
Kind of query issued and index type (ConstraintIndex,
SystemIndex)
Number of items requested and retrieved
File extension of search result user interacted with
Launched item kind, file extension, index of origin, and
the App ID of the opening app.
Name of process calling the indexer and time to service
the query.
A hash of the search scope (file, Outlook, OneNote, IE
history)
The state of the indices (fully optimized, partially
optimized, being built)
Installed Applications and Install History Information about apps, drivers, update packages, or OS
components installed on the device such as:
App, driver, update package, or component’s Name, ID,
or Package Family Name
Product, SKU, availability, catalog, content, and Bundle
IDs
OS component, app or driver publisher, language,
version and type (Win32 or UWP)
Install date, method, and install directory, count of
install attempts
MSI package code and product code
Original OS version at install time
User or administrator or mandatory installation/update
Installation type – clean install, repair, restore, OEM,
retail, upgrade, and update
C AT EGO RY N A M E DATA EXA M P L ES
Microsoft browser data Information about Address bar and search box performance
on the device such as:
Text typed in address bar and search box
Text selected for Ask Cortana search
Service response time
Auto-completed text if there was an auto-complete
Navigation suggestions provided based on local
history and favorites
Browser ID
URLs (which may include search terms)
Page title
Voice, inking, and typing Information about voice, inking and typing features such as:
Type of pen used (highlighter, ball point, pencil), pen
color, stroke height and width, and how long it is used
Pen gestures (click, double click, pan, zoom, rotate)
Palm Touch x,y coordinates
Input latency, missed pen signals, number of frames,
strokes, first frame commit time, sample rate
Ink strokes written, text before and after the ink
insertion point, recognized text entered, Input
language - processed to remove identifiers, sequencing
information, and other data (such as email addresses
and numeric values) which could be used to
reconstruct the original content or associate the input
to the user.
Text input from Windows Mobile on-screen keyboards
except from password fields and private sessions -
processed to remove identifiers, sequencing
information, and other data (such as email addresses,
and numeric values) which could be used to
reconstruct the original content or associate the input
to the user.
Text of speech recognition results -- result codes and
recognized text
Language and model of the recognizer, System Speech
language
App ID using speech features
Whether user is known to be a child
Confidence and Success/Failure of speech recognition
Manage connections from Windows 10 operating system components to
Microsoft services
3/26/2020 • 57 minutes to read • Edit Online
Applies to
Windows 10 Enterprise, version 1607 and newer
Windows Server 2016
Windows Server 2019
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings
available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure
privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and
evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network
connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current
certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a Windows Restricted Traffic Limited Functionality Baseline package that will allow your organization to quickly configure the settings covered in
this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on Group Policy Administrative
Template functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can
reduce the functionality and security configuration of your device, before deploying Windows Restricted Traffic Limited Functionality Baseline make sure
you choose the right settings configuration for your environment and ensure that Windows and Windows Defender are fully up to date . Failure to do
so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
IMPORTANT
The Allowed Traffic endpoints are listed here: Allowed Traffic
CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP
checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a
less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these
features.
It is recommended that you restart a device after making configuration changes to it.
The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
NOTE
Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional
settings required for the 1909 release.
WARNING
If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows
Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted
Traffic Limited Functionality Baseline >settings.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the Manage connections from Windows 10 operating system
components to Microsoft services using Microsoft Intune MDM Server
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp @microsoft.com .
5. Find My Device
6. Font streaming
8. Internet Explorer
9. License Manager
16. OneDrive
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.8 Contacts
18.9 Calendar
18.11 Email
18.12 Messaging
18.14 Radios
18.18 Motion
18.19 Tasks
22. Teredo
6. Font streaming
8. Internet Explorer
16. OneDrive
22. Teredo
6. Font streaming
22. Teredo
SET T IN G REGIST RY
22. Teredo
5. Find My Device
6. Font streaming
8. Internet Explorer
16. OneDrive
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.8 Contacts
18.9 Calendar
18.11 Email
18.12 Messaging
18.14 Radios
18.18 Motion
18.19 Tasks
22. Teredo
By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet
Communication Settings > Turn off Automatic Root Cer tificates Update
-and-
1. Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies .
2. Double-click Cer tificate Path Validation Settings .
3. On the Network Retrieval tab, select the Define these policy settings check box.
4. Clear the Automatically update cer tificates in the Microsoft Root Cer tificate Program (recommended) check box, and then click OK .
-or-
Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCer tificates\AuthRoot and then add a REG_DWORD registry
setting, named DisableRootAutoUpdate , with a value of 1.
-and-
1. Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies .
2. Double-click Cer tificate Path Validation Settings .
3. On the Network Retrieval tab, select the Define these policy settings check box.
4. Clear the Automatically update cer tificates in the Microsoft Root Cer tificate Program (recommended) check box, and then click OK .
On Windows Server 2016 Nano Server:
Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCer tificates\AuthRoot and then add a REG_DWORD registry
setting, named DisableRootAutoUpdate , with a value of 1.
NOTE
CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one
of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.
P O L IC Y DESC RIP T IO N
Allow Cortana Choose whether to let Cortana install and run on the device.
Allow search and Cortana to use location Choose whether Cortana and Search can provide location-aware search results.
Do not allow web search Choose whether to search the web from Windows Desktop Search.
Enable this policy to remove the option to search the Internet from Cortana.
Don't search the web or display web results in Search Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search.
You can also apply the Group Policies using the following registry keys:
P O L IC Y REGIST RY PAT H
Don't search the web or display web results in Search HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0
IMPORTANT
Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or
Windows Server 2016.
1. Expand Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows
Defender Firewall with Advanced Security - <LDAP name> , and then click Outbound Rules .
2. Right-click Outbound Rules , and then click New Rule . The New Outbound Rule Wizard starts.
3. On the Rule Type page, click Program , and then click Next .
4. On the Program page, click This program path , type %windir%\systemapps\Microsoft.Windows.Cor tana_cw5n1h2txyewy\SearchUI.exe , and then
click Next .
5. On the Action page, click Block the connection , and then click Next .
6. On the Profile page, ensure that the Domain , Private , and Public check boxes are selected, and then click Next .
7. On the Name page, type a name for the rule, such as Cor tana firewall configuration , and then click Finish.
8. Right-click the new rule, click Proper ties , and then click Protocols and Por ts .
9. Configure the Protocols and Por ts page with the following info, and then click OK .
For Protocol type , choose TCP .
For Local por t , choose All Por ts .
For Remote por t , choose All por ts .
-or-
Create a new REG_SZ registry setting named {0DE40C8E-C126-4A27-9371-A27DAB1039F7} in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules and set it to a value of
v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\SystemApps\Microsoft.Windows.Cor tana_cw5n1h2txyewy\searchUI.exe|Name=Block
outbound Cor tana|
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on
your needs, there are many network traffic analyzers available at no cost.
3. Date & Time
You can prevent Windows from setting the time automatically.
To turn off the feature in the UI: Settings > Time & language > Date & time > Set time automatically
-or-
Create a REG_SZ registry setting in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser vices\W32Time\Parameters\Type with a value of
NoSync .
After that, configure the following:
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Windows Time Ser vice > Time Providers > Enable
Windows NTP Client
-or-
Create a new REG_DWORD registry setting named Enabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient and set it to 0 (zero) .
4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata
retrieval from the Internet .
-or -
Create a new REG_DWORD registry setting named PreventDeviceMetadataFromNetwork in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata and set it to 1 (one).
5. Find My Device
To turn off Find My Device:
Turn Off the feature in the UI by going to Settings -> Update & Security -> Find My Device , click the Change button, and set the value to Off
-or-
Disable the Group Policy: Computer Configuration > Administrative Template > Windows Components > Find My Device > Turn On/Off Find My
Device
-or-
You can also create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice\AllowFindMyDevice
to 0 (zero) .
6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
If you're running Windows 10, version 1607, Windows Server 2016, or later:
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > Fonts > Enable Font Providers .
-or-
Create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableFontProviders to 0
(zero) .
NOTE
After you apply this policy, you must restart the device for it to take effect.
NOTE
If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview
build, the Feedback & Diagnostic setting will automatically be set to Full. Although the diagnostic data level may initially appear as Basic, a few hours after the UI is refreshed or the
machine is rebooted, the setting will become Full.
To turn off Insider Preview builds for a released version of Windows 10:
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds >
Toggle user control over Insider builds .
To turn off Insider Preview builds for Windows 10:
NOTE
If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
Turn off the feature in the UI: Settings > Update & security > Windows Insider Program > Stop Insider Preview builds .
-or-
Enable the Group Policy Toggle user control over Insider builds under Computer Configuration > Administrative Templates > Windows
Components > Data Collection and Preview Builds
-or-
Create a new REG_DWORD registry setting named AllowBuildPreview in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds with a value of 0 (zero)
8. Internet Explorer
NOTE
When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by Enhanced Security Configuration (ESC). The following Group
Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under Computer
Configuration > Administrative Templates > Windows Components > Internet Explorer and make these settings:
P O L IC Y DESC RIP T IO N
Turn on Suggested Sites Choose whether an employee can configure Suggested Sites.
Set Value to: Disabled
You can also turn this off in the UI by clearing the Internet Options > Advanced >
Enable Suggested Sites check box.
Allow Microsoft services to provide enhanced suggestions as the user types in the Address Choose whether an employee can configure enhanced suggestions, which are presented to
Bar the employee as they type in the Address Bar.
Set Value to: Disabled
Turn off the auto-complete feature for web addresses Choose whether auto-complete suggests possible matches when employees are typing
web address in the Address Bar.
Set Value to: Enabled
You can also turn this off in the UI by clearing the Internet Options > Advanced > Use
inline AutoComplete in the Internet Explorer Address Bar and Open Dialog
check box.
Turn off browser geolocation Choose whether websites can request location data from Internet Explorer.
Set Value to: Enabled
Prevent managing Windows Defender SmartScreen Choose whether employees can manage the Windows Defender SmartScreen in Internet
Explorer.
Set Value to: Enabled and then set Select Windows Defender Smar tScreen mode
to Off .
Allow Microsoft services to provide enhanced suggestions as the user types in the Address HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer
Bar REG_DWORD: AllowServicePoweredQSA
Set Value to: 0
There are more Group Policy objects that are used by Internet Explorer:
Computer Configuration > Administrative Choose whether employees can configure Compatibility Choose whether an employee can fix website display
Templates > Windows Components > Internet View. problems that he or she may encounter while browsing.
Explorer > Compatibility View > Turn off Set to: Enabled
Compatibility View
Computer Configuration > Administrative Turn off the flip ahead with page prediction feature Choose whether an employee can swipe across a screen or
Templates > Windows Components > Internet click forward to go to the next pre-loaded page of a
Explorer > Internet Control Panel > Advanced Page website.
Set to: Enabled
Computer Configuration > Administrative Turn off background synchronization for feeds and Web Choose whether to have background synchronization for
Templates > Windows Components > RSS Feeds Slices feeds and Web Slices.
Set to: Enabled
Computer Configuration > Administrative Allow Online Tips Enables or disables the retrieval of online tips and help for
Templates > Control Panel > Allow Online Tips the Settings app.
Set to: Disabled
Turn off the flip ahead with page prediction feature HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead
REG_DWORD: Enabled
Set Value to 0
Turn off background synchronization for feeds and Web Slices HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
REG_DWORD: BackgroundSyncStatus
Set Value to 0
P O L IC Y DESC RIP T IO N
Allow Address bar drop-down list suggestions Choose whether to show the address bar drop-down list
Set to Disabled
Allow configuration updates for the Books Library Choose whether configuration updates are done for the Books Library.
Set to Disabled
Configure Do Not Track Choose whether employees can send Do Not Track headers.
Set to Enabled
P O L IC Y DESC RIP T IO N
Configure Password Manager Choose whether employees can save passwords locally on their devices.
Set to Disabled
Configure search suggestions in Address Bar Choose whether the Address Bar shows search suggestions.
Set to Disabled
Configure Windows Defender SmartScreen (Windows 10, version 1703) Choose whether Windows Defender SmartScreen is turned on or off.
Set to Disabled
Allow web content on New Tab page Choose whether a new tab page appears.
Set to Disabled
Configure Start pages Choose the Start page for domain-joined devices.
Enabled and Set this to < about:blank >
Prevent the First Run webpage from opening on Microsoft Edge Choose whether employees see the First Run webpage.
Set to: Enable
Allow Microsoft Compatibility List Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
Set to: Disabled
Prevent the First Run webpage from opening on Microsoft Edge HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
REG_DWORD name: PreventFirstRunPage
Value: 1
For a complete list of the Microsoft Edge policies, see Available policies for Microsoft Edge.
14. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to
http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the Microsoft Networking Blog to learn more.
In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com/ncsi.txt .
You can turn off NCSI by doing one of the following:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet
Communication Settings > Turn off Windows Network Connectivity Status Indicator active tests
NOTE
After you apply this policy, you must restart the device for the policy setting to take effect.
-or-
Create a REG_DWORD registry setting named NoActiveProbe in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator with a value of 1 (one).
15. Offline maps
You can turn off the ability to download and update offline maps.
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off Automatic Download
and Update of Map Data
-or-
Create a REG_DWORD registry setting named AutoDownloadAndUpdateMapData in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero) .
-and-
In Windows 10, version 1607 and later, Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components >
Maps > Turn off unsolicited network traffic on the Offline Maps settings page
-or-
Create a REG_DWORD registry setting named AllowUntriggeredNetworkTrafficOnSettingsPage in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero).
16. OneDrive
To turn off OneDrive in your organization:
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of
OneDrive for file storage
-or-
Create a REG_DWORD registry setting named DisableFileSyncNGSC in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive
with a value of 1 (one).
-and-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent OneDrive from
generating network traffic until the user signs in to OneDrive (Enable)
-or-
Create a REG_DWORD registry setting named PreventNetworkTrafficPreUserSignIn in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive
with a value of 1 (one)
17. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
To remove the News app:
Right-click the app in Start, and then click Uninstall .
-or-
IMPORTANT
If you have any issues with these commands, restart the system and try the scripts again.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.BingNews | Remove-AppxPackage
To remove the Weather app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.BingWeather | Remove-AppxPackage
To remove the Money app:
Right-click the app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.BingFinance | Remove-AppxPackage
To remove the Sports app:
Right-click the app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSpor ts"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.BingSpor ts | Remove-AppxPackage
To remove the Twitter app:
Right-click the app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -
Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage *.Twitter |
Remove-AppxPackage
To remove the XBOX app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.XboxApp | Remove-AppxPackage
To remove the Sway app:
Right-click the app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.Office.Sway | Remove-AppxPackage
To remove the OneNote app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.Office.OneNote | Remove-AppxPackage
To remove the Get Office app:
Right-click the app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.MicrosoftOfficeHub | Remove-AppxPackage
To remove the Get Skype app:
Right-click the Sports app in Start, and then click Uninstall .
-or-
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.SkypeApp | Remove-AppxPackage
To remove the Sticky notes app:
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.MicrosoftStickyNotes | Remove-AppxPackage
18. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be
configured for every user account that signs into the PC.
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.7 Account info
18.8 Contacts
18.9 Calendar
18.10 Call history
18.11 Email
18.12 Messaging
18.13 Phone Calls
18.14 Radios
18.15 Other devices
18.16 Feedback & diagnostics
18.17 Background apps
18.18 Motion
18.19 Tasks
18.20 App Diagnostics
18.21 Inking & Typing
18.22 Activity History
18.23 Voice Activation
18.1 General
General includes options that don't fall into other areas.
Windows 10, version 1703 options
To turn off Let apps use adver tising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) :
NOTE
When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
NOTE
When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
NOTE
If the diagnostic data level is set to either Basic or Security , this is turned off automatically.
NOTE
Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
To change from Automatically (Recommended) , use the drop-down list in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds >
Do not show feedback notifications
-or-
Create a REG_DWORD registry setting named DoNotShowFeedbackNotifications in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection with a value of 1 (one).
-or-
Create the registry keys (REG_DWORD type):
HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\PeriodInNanoSeconds
HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\NumberOfSIUFInPeriod
Based on these settings:
Never 0 0
To change the level of diagnostic and usage data sent when you Send your device data to Microsoft :
Click either the Basic or Full options.
-or-
Enable the Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow
Telemetr y and set it to a value of 0 .
-or-
Create a REG_DWORD registry setting in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetr y with a
value of 0 .
NOTE
If the Security option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The Security option is only available in Windows 10 Enterprise
edition.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
Turn off the feature in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft
consumer experiences
-or-
Create a REG_DWORD registry setting named DisableWindowsConsumerFeatures in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1
-and-
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Cloud Content > Do not use diagnostic data
for tailored experiences
-or-
Create a REG_DWORD registry setting named DisableTailoredExperiencesWithDiagnosticData in
HKEY_Current_User\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1
18.17 Background apps
In the Background Apps area, you can choose which apps can run in the background.
To turn off Let apps run in the background :
In the Background apps settings page, set Let apps run in the background to Off .
-or-
In the Background apps settings page, turn off the feature for each app.
-or-
Enable the Group Policy (only applicable for Windows 10 version 1703 and above): Computer Configuration > Administrative Templates > Windows
Components > App Privacy > Let Windows apps run in the background and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsRunInBackground in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two)
NOTE
Some apps, including Cortana and Search, might not function as expected if you set Let apps run in the background to Force Deny .
18.18 Motion
In the Motion area, you can choose which apps have access to your motion data.
To turn off Let Windows and your apps use your motion data and collect motion histor y :
Turn off the feature in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps
access motion and set the Default for all apps to Force Deny
-or-
Create a REG_DWORD registry setting named LetAppsAccessMotion in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
with a value of 2 (two) .
18.19 Tasks
In the Tasks area, you can choose which apps have access to your tasks.
To turn this off:
Turn off the feature in the UI.
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access
Tasks . Set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessTasks in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
with a value of 2 (two) .
18.20 App Diagnostics
In the App diagnostics area, you can choose which apps have access to your diagnostic information.
To turn this off:
Turn off the feature in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps
access diagnostic information about other apps
-or-
Create a REG_DWORD registry setting named LetAppsGetDiagnosticInfo in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two) .
18.21 Inking & Typing
In the Inking & Typing area you can configure the functionality as such:
To turn off Inking & Typing data collection (note: there is no Group Policy for this setting):
In the UI go to Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing and turn Improve inking & typing to Off
-or-
Set RestrictImplicitTextCollection registry REG_DWORD setting in HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization to a value of 1
(one)
-and-
Set RestrictImplicitInkCollection registry REG_DWORD setting in HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization to a value of 1
(one)
18.22 Activity History
In the Activity Histor y area, you can choose turn Off tracking of your Activity History.
To turn this Off in the UI:
Turn Off the feature in the UI by going to Settings -> Privacy -> Activity History and un-checking the Store my activity histor y on this device AND
unchecking the Send my activity Histor y to Microsoft checkboxes
-OR-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies named Enables Activity Feed
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies named Allow publishing of User
Activities
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies > named Allow upload of User Activities
-OR-
Create a REG_DWORD registry setting named EnableActivityFeed in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with a
value of 2 (two)
-and-
Create a REG_DWORD registry setting named PublishUserActivities in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with
a value of 2 (two)
-and-
Create a REG_DWORD registry setting named UploadUserActivities in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with
a value of 2 (two)
18.23 Voice Activation
In the Voice activation area, you can choose turn Off apps ability to listen for a Voice keyword.
To turn this Off in the UI:
Turn Off the feature in the UI by going to Settings -> Privacy -> Voice activation and toggle Off the Allow apps to use voice activation AND also toggle
Off the Allow apps to use voice activation when this device is locked
-OR-
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > named Let Windows
apps activate with voice
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > named Let Windows
apps activate with voice while the system is locked
-OR-
Create a REG_DWORD registry setting named LetAppsActivateWithVoice in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two)
-and-
Create a REG_DWORD registry setting named LetAppsActivateWithVoiceAboveLock in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two)
19. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending
KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn
off KMS Client Online AVS Validation
-or-
Create a REG_DWORD registry setting named NoGenTicket in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one) .
For Windows Ser ver 2019 or later :
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn
off KMS Client Online AVS Validation
-or-
Create a REG_DWORD registry setting named NoGenTicket in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one).
For Windows Ser ver 2016:
Create a REG_DWORD registry setting named NoAcquireGT in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one).
NOTE
Due to a known issue the Turn off KMS Client Online AVS Validation group policy does not work as intended on Windows Server 2016, the NoAcquireGT value needs to be set
instead. The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
NOTE
If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
Enable the Group Policy: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set
Teredo State and set it to Disabled State .
-or-
Create a new REG_SZ registry setting named Teredo_State in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition
with a value of Disabled .
23. Wi-Fi Sense
IMPORTANT
Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see Connecting to open
Wi-Fi hotspots in Windows 10 for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
To turn off Connect to suggested open hotspots and Connect to networks shared by my contacts :
Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > WL AN Ser vice > WL AN Settings > Allow Windows
to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid ser vices .
-or-
Create a new REG_DWORD registry setting named AutoConnectAllowedOEM in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config with a value of 0 (zero) .
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
24. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
IMPORTANT
Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903
1. Ensure Windows and Windows Defender are fully up to date.
2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it Off .
This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to Windows Security Settings -> Virus & threat
protection, click on Manage Settings link and then scroll down to the Tamper Protection toggle to set it to Off .
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS >
Join Microsoft MAPS and then select Disabled from the drop-down box named Join Microsoft MAPS
-OR-
Use the registry to set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet\SpyNetRepor ting
to 0 (zero) .
-and-
Delete the registry setting named in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Updates .
You can stop sending file samples back to Microsoft.
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS
> Send file samples when fur ther analysis is required to Never Send .
-or-
Use the registry to set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Defender\Spynet\SubmitSamplesConsent to 2 (two) for Never Send .
You can stop downloading Definition Updates :
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus >
Signature Updates > Define the order of sources for downloading definition updates and set it to FileShares .
-and-
Disable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus >
Signature Updates > Define file shares for downloading definition updates and set it to Nothing .
-or-
Create a new REG_SZ registry setting named FallbackOrder in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Signature Updates with a value of FileShares .
-and-
Remove the DefinitionUpdateFileSharesSources reg value if it exists under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Signature Updates
You can turn off Malicious Software Repor ting Tool (MSRT) diagnostic data :
Set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT\DontRepor tInfectionInformation to 1 .
Note: There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
You can turn off Enhanced Notifications as follows:
Set in the UI: Settings -> Update & Security -> Windows Security -> Virus & Threat Protection -> Virus & Threat Protection Manage Settings -> scroll to
bottom for Notifications, click Change Notifications Settings -> Notifications -> click Manage Notifications -> Turn off General Notifications
-or-
Enable the Group Policy Turn off enhanced notifications under Computer Configuration > Administrative Templates > Windows Components >
Windows Defender Antivirus > Repor ting .
-or-
Create a new REG_SZ registry setting named DisableEnhancedNotifications in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Repor ting to a value of 1 .
24.1 Windows Defender SmartScreen
To disable Windows Defender Smartscreen:
In Group Policy, configure:
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Smar tScreen > Explorer > Configure
Windows Defender Smar tScreen to be Disabled
-and-
Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender Smar tScreen :
Disable
-and-
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Smar tScreen > Explorer > Configure
app install control : Enable , and select Turn off app recommendations
-OR-
Create a REG_DWORD registry setting named EnableSmar tScreen in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with a
value of 0 (zero) .
-and-
Create a REG_DWORD registry setting named ConfigureAppInstallControlEnabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Smar tScreen with a value of 1 .
-and-
Create a SZ registry setting named ConfigureAppInstallControl in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Smar tScreen with a value of Anywhere .
25. Windows Spotlight
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows
tips. You can control it by using the user interface or Group Policy.
If you're running Windows 10, version 1607 or later, you need to:
Enable the following Group Policy User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all
Windows spotlight features
NOTE
This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
-or-
Create a new REG_DWORD registry setting named DisableWindowsSpotlightFeatures in
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one).
-AND-
Enable the following Group Policy Computer Configuration > Administrative Templates > Control Panel > Personalization > Do not display the
Lock Screen
-or-
Create a new REG_DWORD registry setting named NoLockScreen in HKEY_Local_Machine\SOFTWARE\Policies\Microsoft\Windows\Personalization
with a value of 1 (one)
-AND-
Configure the following in Settings UI:
Personalization > Lock screen > Background > Windows spotlight , select a different background, and turn off Get fun facts, tips, tricks and
more on your lock screen
Personalization > Star t > Occasionally show suggestions in Star t
System > Notifications & actions > Show me tips about Windows
-or-
Apply the Group Policies:
Enable the Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen
image and logon image Group Policy.
Add C:\windows\web\screen\lockscreen.jpg as the location in the Path to local lock screen image box.
Check the Turn off fun facts, tips, tricks, and more on lock screen check box.
NOTE
This will only take effect if the policy is applied before the first logon. If you cannot apply the Force a specific default lock screen image policy before the
first logon to the device, you can Enable the Do not display the lock screen policy under Computer Configuration > Administrative Templates >
Control Panel > Personalization
Alternatively, you can create a new REG_SZ registry setting named LockScreenImage in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization with a value of
C:\windows\web\screen\lockscreen.jpg and create a new REG_DWORD registry setting named LockScreenOverlaysDisabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization with a value of 1 (one) .
The Group Policy for the LockScreenOverlaysDisabled regkey is Force a specific default lock screen and logon image that is under
Control Panel Personalization .
-AND-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show
Windows tips to Enabled
-or-
Create a new REG_DWORD registry setting named DisableSoftLanding in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one)
-AND-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft
consumer experiences to Enabled
-or-
Create a new REG_DWORD registry setting named DisableWindowsConsumerFeatures in
HKEY_LOCAL_MACHINE_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one)
This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock
screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their
PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
For more info, see Windows Spotlight on the lock screen.
26. Microsoft Store
You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the
Microsoft Store will be disabled. In addition, new email accounts cannot be created by clicking Settings > Accounts > Email & app accounts > Add an account .
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from
Microsoft Store .
-or-
Create a new REG_DWORD registry setting named DisableStoreApps in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore with
a value of 1 (one).
-AND-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Store > Turn off Automatic Download
and Install of updates .
-or-
Create a new REG_DWORD registry setting named AutoDownload in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore with a
value of 2 (two).
27. Apps for websites
You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app.
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Group Policy > Configure web-to-app linking with
URI handlers
-or-
Create a new REG_DWORD registry setting named EnableAppUriHandlers in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System with a value of 0 (zero) .
28. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you
have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If
you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs
on the Internet.
By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your
local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting Download Mode to Bypass (100),
as described below.
28.1 Settings > Update & security
You can set up Delivery Optimization from the Settings UI.
Go to Settings > Update & security > Windows Update > Advanced options > Choose how updates are delivered .
28.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under Computer Configuration > Administrative Templates > Windows Components >
Deliver y Optimization .
P O L IC Y DESC RIP T IO N
P O L IC Y DESC RIP T IO N
Download Mode Lets you choose where Delivery Optimization gets or sends updates and apps, including
None . Turns off Delivery Optimization.
Group . Gets or sends updates and apps to PCs on the same local network
domain.
Internet . Gets or sends updates and apps to PCs on the Internet.
L AN. Gets or sends updates and apps to PCs on the same NAT only.
Simple . Simple download mode with no peering.
Bypass . Use BITS instead of Windows Update Delivery Optimization. Set to
Bypass to restrict traffic.
Group ID Lets you provide a Group ID that limits which PCs can share apps and updates.
Note: This ID must be a GUID.
Max Cache Age Lets you specify the maximum time (in seconds) that a file is held in the Delivery
Optimization cache.
The default value is 259200 seconds (3 days).
Max Cache Size Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.
Max Upload Bandwidth Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across
all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.
activation-v2.sls.microsoft.com/*
crl.microsoft.com/pki/crl/*
ocsp.digicert.com/*
www.microsoft.com/pkiops/*
To learn more, see Device update management and Configure Automatic Updates by using Group Policy.
Manage connections from Windows 10 operating system
components to Microsoft services using Microsoft Intune
MDM Server
3/26/2020 • 10 minutes to read • Edit Online
Applies to
Windows 10 Enterprise 1903 version and newer
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device
Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier (OMA
URI) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to
minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for
consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate
other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is
possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by
default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a
secure, reliable, and up-to-date experience.
IMPORTANT
The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic
CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still
show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these
authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This
traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update
related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows
10 devices.
For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure
device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic
Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
To ensure CSPs take priority over Group Policies in case of conflicts, use the ControlPolicyConflict policy.
The Get Help and Give us Feedback links in Windows may no longer work after applying some or all of the MDM/CSP settings.
WARNING
If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the
>Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do
this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application
of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted
Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration
during and after the "Keep my files" reset, and no re-enrollment is required.
For more information on Microsoft Intune please see Transform IT service delivery for your modern workplace and Microsoft
Intune documentation.
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies
and Registry settings see Manage connections from Windows 10 operating system components to Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email
to telmhelp @microsoft.com .
Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the Policy CSP.
1. Automatic Root Cer tificates Update
a. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist
since it would prevent the operation and management of MDM management of devices.
2. Cor tana and Search
a. MDM Policy: Experience/AllowCortana. Choose whether to let Cortana install and run on the device. Set to 0 (zero)
b. MDM Policy: Search/AllowSearchToUseLocation. Choose whether Cortana and Search can provide location-aware
search results. Set to 0 (zero)
3. Date & Time
a. MDM Policy: Settings/AllowDateTime. Allows the user to change date and time settings. Set to 0 (zero)
4. Device metadata retrieval
a. MDM Policy: DeviceInstallation/PreventDeviceMetadataFromNetwork. Choose whether to prevent Windows from
retrieving device metadata from the Internet. Set to Enabled
5. Find My Device
a. MDM Policy: Experience/AllowFindMyDevice. This policy turns on Find My Device. Set to 0 (zero)
6. Font streaming
a. MDM Policy: System/AllowFontProviders. Setting that determines whether Windows is allowed to download fonts
and font catalog data from an online font provider. Set to 0 (zero)
7. Insider Preview builds
a. MDM Policy: System/AllowBuildPreview. This policy setting determines whether users can access the Insider build
controls in the Advanced Options for Windows Update. Set to 0 (zero)
8. Internet Explorer The following Microsoft Internet Explorer MDM policies are available in the Internet Explorer CSP
a. MDM Policy: InternetExplorer/AllowSuggestedSites. Recommends websites based on the user’s browsing activity. Set
to Disabled
b. MDM Policy: InternetExplorer/PreventManagingSmartScreenFilter. Prevents the user from managing Windows
Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather
personal information through "phishing," or is known to host malware. Set to String with Value:
a. <enabled/><data id=”IE9SafetyFilterOptions” value=”1”/>
c. MDM Policy: InternetExplorer/DisableFlipAheadFeature. Determines whether a user can swipe across a screen or click
Forward to go to the next pre-loaded page of a website. Set to Enabled
d. MDM Policy: InternetExplorer/DisableHomePageChange. Determines whether users can change the default Home
Page or not. Set to String with Value:
a. <enabled/><data id=”EnterHomePagePrompt” value=”Star t Page”/>
e. MDM Policy: InternetExplorer/DisableFirstRunWizard. Prevents Internet Explorer from running the First Run wizard
the first time a user starts the browser after installing Internet Explorer or Windows. Set to String with Value:
a. <enabled/><data id=”FirstRunOptions” value=”1”/>
9. Live Tiles
a. MDM Policy: Notifications/DisallowTileNotification. This policy setting turns off tile notifications. If you enable this
policy setting applications and system features will not be able to update their tiles and tile badges in the Start
screen. Integer value 1
10. Mail synchronization
a. MDM Policy: Accounts/AllowMicrosoftAccountConnection. Specifies whether the user is allowed to use an MSA
account for non-email related connection authentication and services. Set to 0 (zero)
11. Microsoft Account
a. MDM Policy: Accounts/AllowMicrosoftAccountSignInAssistant. Disable the Microsoft Account Sign-In Assistant. Set
to 0 (zero)
12. Microsoft Edge The following Microsoft Edge MDM policies are available in the Policy CSP. For a complete list of the
Microsoft Edge policies, see Available policies for Microsoft Edge.
a. MDM Policy: Browser/AllowAutoFill. Choose whether employees can use autofill on websites. Set to 0 (zero)
b. MDM Policy: Browser/AllowDoNotTrack. Choose whether employees can send Do Not Track headers. Set to 0 (zero)
c. MDM Policy: Browser/AllowMicrosoftCompatbilityList. Specify the Microsoft compatibility list in Microsoft Edge. Set
to 0 (zero)
d. MDM Policy: Browser/AllowPasswordManager. Choose whether employees can save passwords locally on their
devices. Set to 0 (zero)
e. MDM Policy: Browser/AllowSearchSuggestionsinAddressBar. Choose whether the Address Bar shows search
suggestions. Set to 0 (zero)
f. MDM Policy: Browser/AllowSmartScreen. Choose whether Windows Defender SmartScreen is turned on or off. Set
to 0 (zero)
13. Network Connection Status Indicator
a. Connectivity/DisallowNetworkConnectivityActiveTests. Note: After you apply this policy you must restart the device
for the policy setting to take effect. Set to 1 (one)
14. Offline maps
a. MDM Policy: AllowOfflineMapsDownloadOverMeteredConnection. Allows the download and update of map data
over metered connections.
Set to 0 (zero)
b. MDM Policy: EnableOfflineMapsAutoUpdate. Disables the automatic download and update of map data. Set to 0
(zero)
15. OneDrive
a. MDM Policy: DisableOneDriveFileSync. Allows IT Admins to prevent apps and features from working with files on
OneDrive. Set to 1 (one)
b. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files
are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current
OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy
definition files.
c. MDM Policy: Prevent Network Traffic before User SignIn. PreventNetworkTrafficPreUserSignIn . The OMA-URI
value is:
./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn
Data type: String , Value: <enabled/>
16. Privacy settings Except for the Feedback & Diagnostics page, these settings must be configured for every user account
that signs into the PC.
a. General - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send inking and typing
data to Microsoft. Set to 0 (zero)
b. Location - System/AllowLocation. Specifies whether to allow app access to the Location service. Set to 0 (zero)
c. Camera - Camera/AllowCamera. Disables or enables the camera. Set to 0 (zero)
d. Microphone - Privacy/LetAppsAccessMicrophone. Specifies whether Windows apps can access the microphone. Set
to 2 (two)
e. Notifications - Privacy/LetAppsAccessNotifications. Specifies whether Windows apps can access notifications. Set to
2 (two)
f. Notifications - Settings/AllowOnlineTips. Enables or disables the retrieval of online tips and help for the Settings app.
Integer value 0
g. Speech, Inking, & Typing - Privacy/AllowInputPersonalization. This policy specifies whether users on the device have
the option to enable online speech recognition. Set to 0 (zero)
h. Speech, Inking, & Typing - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send
inking and typing data to Microsoft Set to 0 (zero)
i. Account info - Privacy/LetAppsAccessAccountInfo. Specifies whether Windows apps can access account information.
Set to 2 (two)
j. Contacts - Privacy/LetAppsAccessContacts. Specifies whether Windows apps can access contacts. Set to 2 (two)
k. Calendar - Privacy/LetAppsAccessCalendar. Specifies whether Windows apps can access the calendar. Set to 2 (two)
l. Call history - Privacy/LetAppsAccessCallHistory. Specifies whether Windows apps can access account information.
Set to 2 (two)
m. Email - Privacy/LetAppsAccessEmail. Specifies whether Windows apps can access email. Set to 2 (two)
n. Messaging - Privacy/LetAppsAccessMessaging. Specifies whether Windows apps can read or send messages (text or
MMS). Set to 2 (two)
o. Phone calls - Privacy/LetAppsAccessPhone. Specifies whether Windows apps can make phone calls. Set to 2 (two)
p. Radios - Privacy/LetAppsAccessRadios. Specifies whether Windows apps have access to control radios. Set to 2
(two)
q. Other devices - Privacy/LetAppsSyncWithDevices. Specifies whether Windows apps can sync with devices. Set to 2
(two)
r. Other devices - Privacy/LetAppsAccessTrustedDevices. Specifies whether Windows apps can access trusted devices.
Set to 2 (two)
s. Feedback & diagnostics - System/AllowTelemetry. Allow the device to send diagnostic and usage telemetry data,
such as Watson. Set to 0 (zero)
t. Feedback & diagnostics - Experience/DoNotShowFeedbackNotifications. Prevents devices from showing feedback
questions from Microsoft. Set to 1 (one)
u. Background apps - Privacy/LetAppsRunInBackground. Specifies whether Windows apps can run in the background.
Set to 2 (two)
v. Motion - Privacy/LetAppsAccessMotion. Specifies whether Windows apps can access motion data. Set to 2 (two)
w. Tasks - Privacy/LetAppsAccessTasks. Turn off the ability to choose which apps have access to tasks. Set to 2 (two)
x. App Diagnostics - Privacy/LetAppsGetDiagnosticInfo. Force allow, force deny or give user control of apps that can get
diagnostic information about other running apps. Set to 2 (two)
17. Software Protection Platform - Licensing/DisallowKMSClientOnlineAVSValidation. Opt out of sending KMS client
activation data to Microsoft automatically. Set to 1 (one)
18. Storage Health - Storage/AllowDiskHealthModelUpdates. Allows disk health model updates. Set to 0 (zero)
19. Sync your settings - Experience/AllowSyncMySettings. Control whether your settings are synchronized. Set to 0
(zero)
20. Teredo - No MDM needed. Teredo is Off by default . Delivery Optimization (DO) can turn on Teredo, but DO itself is
turned Off via MDM.
21. Wi-Fi Sense - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
22. Windows Defender
a. Defender/AllowCloudProtection. Disconnect from the Microsoft Antimalware Protection Service. Set to 0 (zero)
b. Defender/SubmitSamplesConsent. Stop sending file samples back to Microsoft. Set to 2 (two)
c. Defender/EnableSmartScreenInShell. Turns off SmartScreen in Windows for app and file execution. Set to 0 (zero)
d. Windows Defender SmartScreen - Browser/AllowSmartScreen. Disable Windows Defender SmartScreen. Set to 0
(zero)
e. Windows Defender SmartScreen EnableAppInstallControl - SmartScreen/EnableAppInstallControl. Controls whether
users are allowed to install apps from places other than the Microsoft Store. Set to 0 (zero)
f. Windows Defender Potentially Unwanted Applications(PUA) Protection - Defender/PUAProtection. Specifies the level
of detection for potentially unwanted applications (PUAs). Set to 1 (one)
g. Defender/SignatureUpdateFallbackOrder. Allows you to define the order in which different definition update sources
should be contacted. The OMA-URI for this is:
./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder , Data type: String , Value:
FileShares
23. Windows Spotlight - Experience/AllowWindowsSpotlight. Disable Windows Spotlight. Set to 0 (zero)
24. Microsoft Store
a. ApplicationManagement/DisableStoreOriginatedApps. Boolean value that disables the launch of all apps from
Microsoft Store that came pre-installed or were downloaded. Set to 1 (one)
b. ApplicationManagement/AllowAppStoreAutoUpdate. Specifies whether automatic update of apps from Microsoft
Store are allowed. Set to 0 (zero)
25. Apps for websites - ApplicationDefaults/EnableAppUriHandlers. This policy setting determines whether Windows
supports web-to-app linking with app URI handlers. Set to 0 (zero)
26. Windows Update Deliver y Optimization - The following Delivery Optimization MDM policies are available in the
Policy CSP.
a. DeliveryOptimization/DODownloadMode. Let’s you choose where Delivery Optimization gets or sends updates and
apps. Set to 100 (one hundred)
27. Windows Update
a. Update/AllowAutoUpdate. Control automatic updates. Set to 5 (five)
b. Windows Update Allow Update Service - Update/AllowUpdateService. Specifies whether the device could use
Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Set to 0 (zero)
c. Windows Update Service URL - Update/UpdateServiceUrl. Allows the device to check for updates from a WSUS
server instead of Microsoft Update. Set to String with the Value:
a. <Replace><CmdID>$CmdID$<Item><Meta><Format>chr<Type>text/plain</Meta><Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateSer viceUrl</Target><Data>http://abcd-
sr v:8530</Item></Replace>
Allowed traffic for Microsoft Intune / MDM configurations
A L LO W ED T RA F F IC EN DP O IN T S
activation-v2.sls.microsoft.com/*
cdn.onenote.net
client.wns.windows.com
crl.microsoft.com/pki/crl/*
ctldl.windowsupdate.com
*displaycatalog.mp.microsoft.com
dm3p.wns.windows.com
*microsoft.com/pkiops/*
ocsp.digicert.com/*
r.manage.microsoft.com
tile-service.weather.microsoft.com
settings-win.data.microsoft.com
Manage connection endpoints for Windows 10
Enterprise, version 1903
2/28/2020 • 13 minutes to read • Edit Online
Applies to
Windows 10 Enterprise, version 1903
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some
examples include:
Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
Connecting to email servers to send and receive email.
Connecting to the web for every day web browsing.
Connecting to the cloud to store and access backups.
Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in Manage connections from
Windows operating system components to Microsoft services. Where applicable, each endpoint covered in this
topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure
Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
HTTP tile-
service.weather.microsoft.co
m
HTTP tile-
service.weather.microsoft.co
m
HTTPS wbd.ms
HTTPS whiteboard.microsoft.com
A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
HTTPS ris-prod-
atm.trafficmanager.net
HTTPS validation-
v2.sls.trafficmanager.net
HTTP ctldl.windowsupdate.com
HTTPS www.bing.com
HTTPS www.bing.com/proactive
HTTPS www.bing.com/threshold/xls.
aspx
HTTP exo-ring.msedge.net
HTTP fp.msedge.net
HTTP fp-vp.azureedge.net
HTTP odinvzc.azureedge.net
HTTP spo-ring.msedge.net
Diagnostic Data The following endpoints are Learn how to turn off traffic
used by the Connected User to all of the following
Experiences and Telemetry endpoint(s).
component and connects to
the Microsoft Data
Management service. If you
turn off traffic for this
endpoint, diagnostic and
usage information, which
helps Microsoft find and fix
problems and improve our
products and services, will
not be sent back to
Microsoft.
HTTP v10.events.data.microsoft.co
m
HTTPS v10.vortex-
win.data.microsoft.com/collec
t/v1
HTTP www.microsoft.com
HTTP cs11.wpc.v0cdn.net
HTTPS cs1137.wpc.gammacdn.net
HTTPS watson.telemetry.microsoft.c
om
HTTPS licensing.mp.microsoft.com
Location The following endpoints are Learn how to turn off traffic
used for location data. If you to all of the following
turn off traffic for this endpoint(s).
endpoint, apps cannot use
location data.
HTTPS inference.location.live.net
HTTP location-inference-
westus.cloudapp.net
HTTP maps.windows.com
HTTP us.configsvc1.live.com.akadn
s.net
HTTPS store-images.microsoft.com
HTTPS *displaycatalog.mp.microsoft.
com
HTTP storeedgefd.dsx.mp.microsof
t.com
HTTP markets.books.microsoft.com
HTTP share.microsoft.com
Office The following endpoints are Learn how to turn off traffic
used to connect to the to all of the following
Office 365 portal's shared endpoint(s).
infrastructure, including
Office in a browser. For more
info, see Office 365 URLs
and IP address ranges. You
can turn this off by
removing all Microsoft Office
apps and the Mail and
Calendar apps. If you turn
off traffic for these
endpoints, users won't be
able to save documents to
the cloud or see their
recently used documents.
HTTP *.c-msedge.net
HTTPS *.e-msedge.net
HTTPS *.s-msedge.net
HTTPS nexusrules.officeapps.live.co
m
HTTPS ocos-office365-
s2s.msedge.net
HTTPS officeclient.microsoft.com
HTTPS outlook.office365.com
HTTPS client-office365-
tas.msedge.net
HTTPS www.office.com
HTTPS onecollector.cloudapp.aria
A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
HTTP v10.events.data.microsoft.co
m/onecollector/1.0/
HTTPS self.events.data.microsoft.co
m
OneDrive The following endpoints are Learn how to turn off traffic
related to OneDrive. If you to all of the following
turn off traffic for these endpoint(s).
endpoints, anything that
relies on g.live.com to get
updated URL information
will no longer work.
HTTP msagfx.live.com
HTTPS oneclient.sfx.ms
HTTPS cy2.settings.data.microsoft.c
om.akadns.net
HTTPS settings.data.microsoft.com
HTTPS settings-
win.data.microsoft.com
A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
HTTPS browser.pipe.aria.microsoft.co
m
HTTP config.edge.skype.com
HTTP s2s.config.skype.com
HTTPS skypeecs-prod-usw-0-
b.cloudapp.net
Windows Defender The following endpoint is Learn how to turn off traffic
used for Windows Defender to all of the following
when Cloud-based endpoint(s).
Protection is enabled. If you
turn off traffic for this
endpoint, the device will not
use Cloud-based Protection.
HTTPS wdcp.microsoft.com
HTTPS definitionupdates.microsoft.c
om
HTTPS go.microsoft.com
HTTPS smartscreen-
sn3p.smartscreen.microsoft.c
om
HTTPS unitedstates.smartscreen-
prod.microsoft.com
A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
Windows Spotlight The following endpoints are Learn how to turn off traffic
used to retrieve Windows to all of the following
Spotlight metadata that endpoint(s).
describes content, such as
references to image
locations, as well as
suggested apps, Microsoft
account notifications, and
Windows tips. If you turn off
traffic for these endpoints,
Windows Spotlight will still
try to deliver new lock
screen images and updated
content but it will fail;
suggested apps, Microsoft
account notifications, and
Windows tips will not be
downloaded. For more
information, see Windows
Spotlight.
HTTPS arc.msn.com
HTTPS g.msn.com*
HTTPS query.prod.cms.rt.microsoft.c
om
HTTPS ris.api.iris.microsoft.com
Windows Update The following endpoint is Learn how to turn off traffic
used for Windows Update to all of the following
downloads of apps and OS endpoint(s).
updates, including HTTP
downloads or HTTP
downloads blended with
peers. If you turn off traffic
for this endpoint, Windows
Update downloads will not
be managed, as critical
metadata that is used to
make downloads more
resilient is blocked.
Downloads may be impacted
by corruption (resulting in
re-downloads of full files).
Additionally, downloads of
the same update by multiple
devices on the same local
network will not use peer
devices for bandwidth
reduction.
HTTPS *.prod.do.dsp.mp.microsoft.c
om
A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
HTTP emdl.ws.microsoft.com
HTTP *.windowsupdate.com
HTTPS *.update.microsoft.com
Related links
Office 365 URLs and IP address ranges
Network infrastructure requirements for Microsoft Intune
Manage connection endpoints for Windows 10
Enterprise, version 1809
12/23/2019 • 16 minutes to read • Edit Online
Applies to
Windows 10 Enterprise, version 1809
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some
examples include:
Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
Connecting to email servers to send and receive email.
Connecting to the web for every day web browsing.
Connecting to the cloud to store and access backups.
Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in Manage connections from
Windows operating system components to Microsoft services. Where applicable, each endpoint covered in this
topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
HTTP blob.weather.microsoft.com
The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS cdn.onenote.net/livetile/?Language=en-
US
The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS wildcard.twimg.com
svchost.exe oem.twimg.com/windows/tile.xml
The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
star-mini.c10r.facebook.com
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365
portal's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall
Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will
still be able to open them.
The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for
this endpoint, apps for websites won't work and customers who visit websites (such as
mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the
website and won't be able to directly launch the app.
The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the
Microsoft Store.
HTTPS wbd.ms
HTTPS int.whiteboard.microsoft.com
HTTPS whiteboard.microsoft.com
The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you turn off traffic for this
endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to
activate experiments. If you turn off traffic for this endpoint, parameters would not be updated and the device
would no longer participate in experiments.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you turn off
traffic for this endpoint, Microsoft won't be aware of issues with Cortana and won't be able to fix them.
Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the
list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this
endpoint, but that is not recommended because when root certificates are updated over time, applications and
websites may stop working because they did not receive an updated root certificate the application uses.
Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical
for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If
traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be
fraudulent, which increases the attack vector on the device.
Device authentication
The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not
be authenticated.
HTTPS login.live.com/ppsecure
Device metadata
The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will
not be updated for the device.
dmd.metaservices.microsoft.com.akadns
.net
HTTP dmd.metaservices.microsoft.com
Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.n
et
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the
following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable
Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
wermgr watson.telemetry.microsoft.com
Font streaming
The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will
not be able to download fonts on demand.
svchost fs.microsoft.com
fs.microsoft.com/fs/windows/config.json
Licensing
The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint,
disable the Windows License Manager Service. This will also block online activation and app licensing may not
work.
HTTP location-inference-westus.cloudapp.net
HTTPS inference.location.live.net
Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn
off traffic for this endpoint, offline maps will not be updated.
Microsoft account
The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users
cannot sign in with Microsoft accounts.
login.msa.akadns6.net
login.live.com
account.live.com
us.configsvc1.live.com.akadns.net
Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party
developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to
deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint,
push notifications will no longer work, including MDM device management, mail synchronization, settings
synchronization.
HTTPS *.wns.windows.com
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for
this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other
Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTP storecatalogrevocation.storequality.micr
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store
or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps
cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTPS img-prod-cms-rt-microsoft-
com.akamaized.net
The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints,
apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to
revoke malicious apps and users will still be able to open them.
HTTP storeedgefd.dsx.mp.microsoft.com
HTTP www.msftconnecttest.com/connecttest.t
xt
Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
*.a-msedge.net
hxstr *.c-msedge.net
*.e-msedge.net
*.s-msedge.net
HTTPS ocos-office365-s2s.msedge.net
HTTPS nexusrules.officeapps.live.com
HTTPS officeclient.microsoft.com
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft
Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps
and users will still be able to open them.
The following endpoint is used to connect the Office To-Do app to it's cloud service. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store.
HTTPS to-do.microsoft.com
OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs. If you turn off traffic for
this endpoint, anything that relies on g.live.com to get updated URL information will no longer work.
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see
Office 365 URLs and IP address ranges. To turn off traffic for this endpoint, uninstall OneDrive for Business. In this
case, your device will not able to get OneDrive for Business app updates.
Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
dmclient cy2.settings.data.microsoft.com.akadns.
net
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as
Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn
off traffic for this endpoint, an app that uses this endpoint may stop working.
Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either
uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps
cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users
will still be able to open them.
HTTPS browser.pipe.aria.microsoft.com
skypeecs-prod-usw-0-b.cloudapp.net
Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off
traffic for this endpoint, the device will not use Cloud-based Protection. For a detailed list of Windows Defender
Antivirus cloud service connections, see Allow connections to the Windows Defender Antivirus cloud service.
wdcp.microsoft.com
The following endpoints are used for Windows Defender definition updates. If you turn off traffic for these
endpoints, definitions will not be updated.
definitionupdates.microsoft.com
The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off
traffic for these endpoints, Windows Defender Smartscreen notifications will no appear.
HTTPS ars.smartscreen.microsoft.com
HTTPS unitedstates.smartscreen-
prod.microsoft.com
smartscreen-
sn3p.smartscreen.microsoft.com
Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as
references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you
turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated
content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded.
For more information, see Windows Spotlight.
backgroundtaskhost g.msn.com.nsatc.net
HTTPS ris.api.iris.microsoft.com
HTTPS query.prod.cms.rt.microsoft.com
Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP
downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update
downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked.
Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the
same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the
Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and
Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from
the Store.
Related links
Office 365 URLs and IP address ranges
Network infrastructure requirements for Microsoft Intune
Manage connection endpoints for Windows 10
Enterprise, version 1803
12/23/2019 • 15 minutes to read • Edit Online
Applies to
Windows 10 Enterprise, version 1803
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some
examples include:
Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
Connecting to email servers to send and receive email.
Connecting to the web for every day web browsing.
Connecting to the cloud to store and access backups.
Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in Manage connections from
Windows operating system components to Microsoft services. Where applicable, each endpoint covered in this
topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
HTTP blob.weather.microsoft.com
The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS cdn.onenote.net/livetile/?Language=en-
US
The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS wildcard.twimg.com
svchost.exe oem.twimg.com/windows/tile.xml
The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
star-mini.c10r.facebook.com
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365
portal's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall
Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will
still be able to open them.
The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for
this endpoint, apps for websites won't work and customers who visit websites (such as
mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the
website and won't be able to directly launch the app.
The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you turn off traffic for this
endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to
activate experiments. If you turn off traffic for this endpoint, parameters would not be updated and the device
would no longer participate in experiments.
The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you turn off
traffic for this endpoint, Microsoft won't be aware of issues with Cortana and won't be able to fix them.
Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the
list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this
endpoint, but that is not recommended because when root certificates are updated over time, applications and
websites may stop working because they did not receive an updated root certificate the application uses.
Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical
for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If
traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be
fraudulent, which increases the attack vector on the device.
Device authentication
The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not
be authenticated.
HTTPS login.live.com/ppsecure
Device metadata
The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will
not be updated for the device.
dmd.metaservices.microsoft.com.akadns
.net
HTTP dmd.metaservices.microsoft.com
Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.ne
t
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
svchost v10.vortex-
win.data.microsoft.com/collect/v1
The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the
following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable
Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
wermgr watson.telemetry.microsoft.com
Font streaming
The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will
not be able to download fonts on demand.
svchost fs.microsoft.com
fs.microsoft.com/fs/windows/config.json
Licensing
The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint,
disable the Windows License Manager Service. This will also block online activation and app licensing may not
work.
Location
The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location
data.
HTTP location-inference-westus.cloudapp.net
Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn
off traffic for this endpoint, offline maps will not be updated.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
Microsoft account
The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users
cannot sign in with Microsoft accounts.
login.msa.akadns6.net
Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party
developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to
deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint,
push notifications will no longer work, including MDM device management, mail synchronization, settings
synchronization.
*.wns.windows.com
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for
this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other
Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTP storecatalogrevocation.storequality.micr
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store or
Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot
be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTPS img-prod-cms-rt-microsoft-
com.akamaized.net
The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints,
apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to
revoke malicious apps and users will still be able to open them.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
HTTP storeedgefd.dsx.mp.microsoft.com
HTTP pti.store.microsoft.com
HTTP www.msftconnecttest.com/connecttest.t
xt
Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
*.a-msedge.net
hxstr *.c-msedge.net
*.e-msedge.net
*.s-msedge.net
HTTPS ocos-office365-s2s.msedge.net
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft
Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps
and users will still be able to open them.
OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs. If you turn off traffic for
this endpoint, anything that relies on g.live.com to get updated URL information will no longer work.
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see
Office 365 URLs and IP address ranges. To turn off traffic for this endpoint, uninstall OneDrive for Business. In this
case, your device will not able to get OneDrive for Business app updates.
Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
dmclient cy2.settings.data.microsoft.com.akadns.
net
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows
Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn off traffic
for this endpoint, an app that uses this endpoint may stop working.
Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off
traffic for this endpoint, the device will not use Cloud-based Protection.
wdcp.microsoft.com
The following endpoints are used for Windows Defender definition updates. If you turn off traffic for these
endpoints, definitions will not be updated.
definitionupdates.microsoft.com
Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as
references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you
turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated
content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded.
For more information, see Windows Spotlight.
backgroundtaskhost g.msn.com.nsatc.net
HTTPS ris.api.iris.microsoft.com
HTTPS query.prod.cms.rt.microsoft.com
Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP
downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update
downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked.
Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the
same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the
Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and
Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from
the Store.
Related links
Office 365 URLs and IP address ranges
Network infrastructure requirements for Microsoft Intune
Manage connection endpoints for Windows 10
Enterprise, version 1709
12/23/2019 • 15 minutes to read • Edit Online
Applies to
Windows 10 Enterprise, version 1709
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some
examples include:
Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
Connecting to email servers to send and receive email.
Connecting to the web for every day web browsing.
Connecting to the cloud to store and access backups.
Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in Manage connections from
Windows operating system components to Microsoft services. Where applicable, each endpoint covered in this
topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS cdn.onenote.net/livetile/?Language=en-
US
The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS wildcard.twimg.com
svchost.exe oem.twimg.com/windows/tile.xml
The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
star-mini.c10r.facebook.com
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365
portal's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall
Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will
still be able to open them.
The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall
the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will
still be able to open them.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for
this endpoint, apps for websites won't work and customers who visit websites (such as
mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the
website and won't be able to directly launch the app.
The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you turn off traffic for this
endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to
activate experiments. If you turn off traffic for this endpoint, parameters would not be updated and the device
would no longer participate in experiments.
The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you turn off
traffic for this endpoint, Microsoft won't be aware of issues with Cortana and won't be able to fix them.
Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the
list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this
endpoint, but that is not recommended because when root certificates are updated over time, applications and
websites may stop working because they did not receive an updated root certificate the application uses.
Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical
for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If
traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be
fraudulent, which increases the attack vector on the device.
Device authentication
The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not
be authenticated.
HTTPS login.live.com/ppsecure
Device metadata
The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will
not be updated for the device.
dmd.metaservices.microsoft.com.akadns
.net
Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.n
et
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
svchost v10.vortex-
win.data.microsoft.com/collect/v1
The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the
following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable
Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
wermgr watson.telemetry.microsoft.com
Font streaming
The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will
not be able to download fonts on demand.
svchost fs.microsoft.com
fs.microsoft.com/fs/windows/config.json
Licensing
The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint,
disable the Windows License Manager Service. This will also block online activation and app licensing may not
work.
Location
The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location
data.
HTTP location-inference-westus.cloudapp.net
Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn
off traffic for this endpoint, offline maps will not be updated.
Microsoft account
The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users
cannot sign in with Microsoft accounts.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
login.msa.akadns6.net
Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party
developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to
deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint,
push notifications will no longer work, including MDM device management, mail synchronization, settings
synchronization.
*.wns.windows.com
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for
this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other
Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTP storecatalogrevocation.storequality.micr
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store
or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps
cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTPS img-prod-cms-rt-microsoft-
com.akamaized.net
The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints,
apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to
revoke malicious apps and users will still be able to open them.
HTTP storeedgefd.dsx.mp.microsoft.com
HTTP pti.store.microsoft.com
HTTP www.msftconnecttest.com/connecttest.t
xt
Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
*.a-msedge.net
hxstr *.c-msedge.net
*.e-msedge.net
*.s-msedge.net
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft
Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps
and users will still be able to open them.
OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs. If you turn off traffic for
this endpoint, anything that relies on g.live.com to get updated URL information will no longer work.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see
Office 365 URLs and IP address ranges. To turn off traffic for this endpoint, uninstall OneDrive for Business. In this
case, your device will not able to get OneDrive for Business app updates.
Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
dmclient cy2.settings.data.microsoft.com.akadns.
net
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as
Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn
off traffic for this endpoint, an app that uses this endpoint may stop working.
Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either
uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps
cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users
will still be able to open them.
wdcp.microsoft.com
The following endpoints are used for Windows Defender definition updates. If you turn off traffic for these
endpoints, definitions will not be updated.
definitionupdates.microsoft.com
Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as
references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you
turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated
content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded.
For more information, see Windows Spotlight.
backgroundtaskhost g.msn.com.nsatc.net
HTTPS ris.api.iris.microsoft.com
HTTPS query.prod.cms.rt.microsoft.com
Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP
downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update
downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked.
Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the
same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the
Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and
Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from
the Store.
Applies to
Windows 10 Home, version 1903
Windows 10 Professional, version 1903
Windows 10 Education, version 1903
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other non-
Enterprise editions of Windows 10, version 1903.
The following methodology was used to derive the network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure
Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
Windows 10 Family
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Pro
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Education
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Applies to
Windows 10 Home, version 1809
Windows 10 Professional, version 1809
Windows 10 Education, version 1809
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other
editions of Windows 10, version 1809.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
Windows 10 Family
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Pro
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Education
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Applies to
Windows 10 Home, version 1803
Windows 10 Professional, version 1803
Windows 10 Education, version 1803
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other
editions of Windows 10, version 1803.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
Windows 10 Family
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Pro
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Education
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Applies to
Windows 10 Home, version 1709
Windows 10 Professional, version 1709
Windows 10 Education, version 1709
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other
editions of Windows 10, version 1709.
We used the following methodology to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
Windows 10 Home
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Pro
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
Windows 10 Education
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | |
www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |