General Data Protection Regulation (GDPR) For Windows 10

Contents
Privacy
Beginning your General Data Protection Regulation (GDPR) journey for Windows 10
Windows and the GDPR: Information for IT Administrators and Decision Makers
Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals
Windows 10 personal data services configuration
Configure Windows diagnostic data in your organization
Diagnostic Data Viewer
Diagnostic Data Viewer Overview
Diagnostic Data Viewer for PowerShell Overview
Basic level Windows diagnostic data events and fields
Windows 10, version 1903 and Windows 10, version 1909 basic level Windows
diagnostic events and fields
Windows 10, version 1809 basic level Windows diagnostic events and fields
Enhanced level Windows diagnostic data events and fields
Windows 10 diagnostic data events and fields collected through the limit enhanced
diagnostic data policy
Full level categories
Windows 10, version 1709 and newer diagnostic data for the Full level
Windows 10, version 1703 diagnostic data for the Full level
Manage Windows 10 connection endpoints
Manage connections from Windows operating system components to Microsoft
services
Manage connections from Windows operating system components to Microsoft
services using MDM
Connection endpoints for Windows 10, version 1903
Connection endpoints for non-Enterprise editions of Windows 10, version 1903
Beginning your General Data Protection Regulation
(GDPR) journey for Windows 10
12/3/2019 • 26 minutes to read • Edit Online
This article provides info about the GDPR, including what it is, and the products Microsoft provides to help you to
become compliant.
Introduction
On May 25, 2018, a European privacy law is due to take effect that sets a new global bar for privacy rights, security,
and compliance.
The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the privacy
rights of individuals. The GDPR establishes strict global privacy requirements governing how you manage and
protect personal data while respecting individual choice — no matter where data is sent, processed, or stored.
Microsoft and our customers are now on a journey to achieve the privacy goals of the GDPR. At Microsoft, we
believe privacy is a fundamental right, and we believe that the GDPR is an important step forward for clarifying and
enabling individual privacy rights. But we also recognize that the GDPR will require significant changes by
organizations all over the world.
We have outlined our commitment to the GDPR and how we are supporting our customers within the Get GDPR
compliant with the Microsoft Cloud blog post by our Chief Privacy Officer Brendon Lynch and the Earning your
trust with contractual commitments to the General Data Protection Regulation” blog post by Rich Sauer - Microsoft
Corporate Vice President & Deputy General Counsel.
Although your journey to GDPR-compliance may seem challenging, we're here to help you. For specific information
about the GDPR, our commitments and how to begin your journey, please visit the GDPR section of the Microsoft
Trust Center.
GDPR and its implications

The GDPR is a complex regulation that may require significant changes in how you gather, use and manage
personal data. Microsoft has a long history of helping our customers comply with complex regulations, and when it
comes to preparing for the GDPR, we are your partner on this journey.
The GDPR imposes rules on organizations that offer goods and services to people in the European Union (EU), or
that collect and analyze data tied to EU residents, no matter where those businesses are located. Among the key
elements of the GDPR are the following:
Enhanced personal privacy rights. Strengthened data protection for residents of EU by ensuring they
have the right to access to their personal data, to correct inaccuracies in that data, to erase that data, to
object to processing of their personal data, and to move it.
Increased duty for protecting personal data. Reinforced accountability of organizations that process
personal data, providing increased clarity of responsibility in ensuring compliance.
Mandator y personal data breach repor ting. Organizations that control personal data are required to
report personal data breaches that pose a risk to the rights and freedoms of individuals to their supervisory
authorities without undue delay, and, where feasible, no later than 72 hours once they become aware of the
breach.
As you might anticipate, the GDPR can have a significant impact on your business, potentially requiring you to
update privacy policies, implement and strengthen data protection controls and breach notification procedures,
deploy highly transparent policies, and further invest in IT and training. Microsoft Windows 10 can help you
effectively and efficiently address some of these requirements.
Personal and sensitive data

As part of your effort to comply with the GDPR, you will need to understand how the regulation defines personal
and sensitive data and how those definitions relate to data held by your organization.
The GDPR considers personal data to be any information related to an identified or identifiable natural person. That
can include both direct identification (such as, your legal name) and indirect identification (such as, specific
information that makes it clear it is you the data references). The GDPR also makes clear that the concept of
personal data includes online identifiers (such as, IP addresses, mobile device IDs) and location data.
The GDPR introduces specific definitions for genetic data (such as, an individual’s gene sequence) and biometric
data. Genetic data and biometric data along with other sub categories of personal data (personal data revealing
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership: data
concerning health; or data concerning a person’s sex life or sexual orientation) are treated as sensitive personal data
under the GDPR. Sensitive personal data is afforded enhanced protections and generally requires an individual’s
explicit consent where these data are to be processed.
Examples of info relating to an identified or identifiable natural person (data subject)
This list provides examples of several types of info that will be regulated through GDPR. This is not an exhaustive
list.
Name
Identification number (such as, SSN)
Location data (such as, home address)
Online identifier (such as, e-mail address, screen names, IP address, device IDs)
Pseudonymous data (such as, using a key to identify individuals)
Genetic data (such as, biological samples from an individual)
Biometric data (such as, fingerprints, facial recognition)
Getting started on the journey towards GDPR compliance

Given how much is involved to become GDPR-compliant, we strongly recommend that you don't wait to prepare
until enforcement begins. You should review your privacy and data management practices now. We recommend
that you begin your journey to GDPR compliance by focusing on four key steps:
Discover. Identify what personal data you have and where it resides.
Manage. Govern how personal data is used and accessed.
Protect. Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
Repor t. Act on data requests, report data breaches, and keep required documentation.
For each of the steps, we've outlined example tools, resources, and features in various Microsoft solutions, which
can be used to help you address the requirements of that step. While this article isn't a comprehensive “how to,”
we've included links for you to find out more details, and more information is available in the GDPR section of the
Microsoft Trust Center.
Windows 10 security and privacy

As you work to comply with the GDPR, understanding the role of your desktop and laptop client machines in
creating, accessing, processing, storing and managing data that may qualify as personal and potentially sensitive
data under the GDPR is important. Windows 10 provides capabilities that will help you comply with the GDPR
requirements to implement appropriate technical and organizational security measures to protect personal data.
With Windows 10, your ability to protect, detect and defend against the types of attacks that can lead to data
breaches is greatly improved. Given the stringent requirements around breach notification within the GDPR,
ensuring that your desktop and laptop systems are well defended will lower the risks you face that could result in
costly breach analysis and notification.
In this section, we'll talk about how Windows 10 provides capabilities that fit squarely in the Protect stage of your
journey, including these 4 scenarios:
Threat protection: Pre-breach threat resistance. Disrupt the malware and hacking industry by moving
the playing field to one where they lose the attack vectors that they depend on.
Threat protection: Post-breach detection and response. Detect, investigate, and respond to advanced
threats and data breaches on your networks.
Identity protection. Next generation technology to help protect your user’s identities from abuse.
Information protection. Comprehensive data protection while meeting compliance requirements and
maintaining user productivity.
These capabilities, discussed in more detail below with references to specific GDPR requirements, are built on top of
advanced device protection that maintains the integrity and security of the operating system and data.
A key provision within the GDPR is data protection by design and by default, and helping with your ability to meet
this provision are features within Windows 10 such as the Trusted Platform Module (TPM) technology designed to
provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to
carry out cryptographic operations.
The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is
unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are
that you can:
Generate, store, and limit the use of cryptographic keys.
Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned
into itself.
Help to ensure platform integrity by taking and storing security measurements.
Additional advanced device protection relevant to your operating without data breaches include Windows Trusted
Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses.
Threat protection: Pre -breach threat resistance
The GDPR requires you to implement appropriate technical and organizational security measures to protect
personal data.
Your ability to meet this requirement to implement appropriate technical security measures should reflect the
threats you face in today’s increasingly hostile IT environment. Today’s security threat landscape is one of
aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community
recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives
have shifted toward making money, including holding devices and data hostage until the owner pays the
demanded ransom.
Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can
result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and
national interests all over the world. These attackers are typically highly trained individuals and security experts,
some of whom are in the employ of nation states that have large budgets and seemingly unlimited human
resources. Threats like these require an approach that can meet this challenge.
Not only are these threats a risk to your ability to maintain control of any personal or sensitive data you may have,
but they are a material risk to your overall business as well. Consider recent data from Ponemon Institute, Verizon,
and Microsoft:
The average cost of the type of data breach the GDPR will expect you to report is $3.5M. (Ponemon Institute).
63% of these breaches involve weak or stolen passwords that the GDPR expects you to address. (2016 Data
Breach Investigations Report, Verizon Enterprise).
Over 300,000 new malware samples are created and spread every day making your task to address data
protection even more challenging. (Microsoft Malware Protection Center, Microsoft).
As seen with recent ransomware attacks, once called the "black plague" of the Internet, attackers are going after
bigger targets that can afford to pay more, with potentially catastrophic consequences. Desktops and laptops, that
contain personal and sensitive data, are commonly targeted where control over data might be lost.
In response to these threats and as a part of your mechanisms to resist these types of breaches so that you remain
in compliance with the GDPR, Windows 10 provides built in technology, detailed below including the following:
Windows Defender Antivirus to respond to emerging threats on data.
Microsoft Edge to systemically disrupt phishing, malware, and hacking attacks.
Windows Defender Device Guard to block all unwanted applications on client machines.
Responding to emerging data threats
Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware
management for desktops, portable computers, and servers. In Windows 10, it uses a multi-pronged approach to
improve antimalware:
Cloud-delivered protection. Helps to detect and block new malware within seconds, even if the malware
has never been seen before.
Rich local context. Improves how malware is identified. Windows 10 informs Windows Defender Antivirus
not only about content like files and processes, but also where the content came from, where it's been
stored, and more.
Extensive global sensors. Help to keep Windows Defender Antivirus current and aware of even the
newest malware. This is accomplished in two ways: by collecting the rich local context data from end points
and by centrally analyzing that data.
Tamper proofing. Helps to guard Windows Defender Antivirus itself against malware attacks. For example,
Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting
to tamper with Windows Defender Antivirus components, its registry keys, and so on.
Enterprise-level features. Give IT pros the tools and configuration options necessary to make Windows
Defender Antivirus an enterprise-class antimalware solution.
Systemically disrupting phishing, malware, and hacking attacks
In today’s threat landscape, your ability to provide those mechanisms should be tied to the specific data-focused
attacks you face through phishing, malware and hacking due to the browser-related attacks.
As part of Windows 10, Microsoft has brought you Microsoft Edge, our safest and most secure browser to-date.
Over the past two years, we have been continuously innovating, and we’re proud of the progress we’ve made. This
quality of engineering is reflected by the reduction of Common Vulnerabilities and Exposures (CVE) when
comparing Microsoft Edge with Internet Explorer over the past year. Browser-related attacks on personal and
sensitive data that you will need to protect under the GDPR means this innovation in Windows 10 is important.
While no modern browser — or any complex application — is free of vulnerabilities, many of the vulnerabilities for
Microsoft Edge have been responsibly reported by professional security researchers who work with the Microsoft
Security Response Center (MSRC) and the Microsoft Edge team to ensure customers are protected well before any
attacker might use these vulnerabilities in the wild. Even better, there is no evidence that any vulnerabilities have
been exploited in the wild as zero-day attacks.
However, many businesses worldwide have come under increasing threat of targeted attacks, where attackers are
crafting specialized attacks against a specific business, attempting to take control of corporate networks and data.
Blocking all unwanted apps
Application Control is your best defense in a world where there are more than 300,000 new malware samples each
day. As part of Windows 10, Windows Defender Device Guard is a combination of enterprise-related hardware and
software security features that, when configured together, will lock a device down so that it can only run trusted
applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period.
With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the
Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate
hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 to isolate
the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs
alongside the kernel in a Windows hypervisor-protected container.
Windows Defender Device Guard protects threats that can expose personal or sensitive data to attack, including:
Exposure to new malware, for which the "signature" is not yet known
Exposure to unsigned code (most malware is unsigned)
Malware that gains access to the kernel and then, from within the kernel, captures sensitive information or
damages the system
DMA-based attacks, for example, attacks launched from a malicious device that read secrets from memory,
making the enterprise more vulnerable to attack; and
Exposure to boot kits or to a physically present attacker at boot time.
Threat protection: Post-breach detection and response
The GDPR includes explicit requirements for breach notification where a personal data breach means, “a breach of
security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored or otherwise processed.”
As noted in the Windows Security Center white paper, Post Breach: Dealing with Advanced Threats, “Unlike pre-
breach, post-breach assumes a breach has already occurred – acting as a flight recorder and Crime Scene
Investigator (CSI). Post-breach provides security teams the information and toolset needed to identify, investigate,
and respond to attacks that otherwise will stay undetected and below the radar.”
Insightful security diagnostic data
For nearly two decades, Microsoft has been turning threats into useful intelligence that can help fortify our
platform and protect customers. Today, with the immense computing advantages afforded by the cloud, we are
finding new ways to use our rich analytics engines driven by threat intelligence to protect our customers.
By applying a combination of automated and manual processes, machine learning and human experts, we can
create an Intelligent Security Graph that learns from itself and evolves in real-time, reducing our collective time to
detect and respond to new incidents across our products.
The scope of Microsoft’s threat intelligence spans, literally, billions of data points: 35 billion messages scanned
monthly, 1 billion customers across enterprise and consumer segments accessing 200+ cloud services, and 14
billion authentications performed daily. All this data is pulled together on your behalf by Microsoft to create the
Intelligent Security Graph that can help you protect your front door dynamically to stay secure, remain productive,
and meet the requirements of the GDPR.
Detecting attacks and forensic investigation
Even the best endpoint defenses may be breached eventually, as cyberattacks become more sophisticated and
targeted.
Windows Defender Advanced Threat Protection (ATP) helps you detect, investigate, and respond to advanced
attacks and data breaches on your networks. GDPR expects you to protect against attacks and breaches through
technical security measures to ensure the ongoing confidentiality, integrity, and availability of personal data.
Among the key benefits of ATP are the following:
Detecting the undetectable - sensors built deep into the operating system kernel, Windows security experts,
and unique optics from over 1 billion machines and signals across all Microsoft services.
Built in, not bolted on - agentless with high performance and low impact, cloud-powered; easy management
with no deployment.
Single pane of glass for Windows security - explore 6 months of rich machine timeline that unifies security
events from Windows Defender ATP, Windows Defender Antivirus.
Power of the Microsoft graph - leverages the Microsoft Intelligence Security Graph to integrate detection and
exploration with Office 365 ATP subscription, to track back and respond to attacks.
Read more at What’s new in the Windows Defender ATP Creators Update preview.
To provide Detection capabilities, Windows 10 improves our OS memory and kernel sensors to enable detection of
attackers who are employing in-memory and kernel-level attacks – shining a light into previously dark spaces
where attackers hid from conventional detection tools. We’ve already successfully leveraged this new technology
against zero-days attacks on Windows.
We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and
machine-learning detection library to counter changing attacks trends. Our historical detection capability ensures
new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed.
Customers can also add customized detection rules or IOCs to augment the detection dictionary.
Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender
Antivirus detections and Windows Defender Device Guard blocks are the first to surface in the Windows Defender
ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot,
providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving
laterally across the network.
Our alert page now includes a new process tree visualization that aggregates multiple detections and related
events into a single view that helps security teams reduce the time to resolve cases by providing the information
required to understand and resolve incidents without leaving the alert page.
Security Operations (SecOps) can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs,
behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across
all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no
longer exist.
When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the
network, kill or quarantine running processes or files, or retrieve an investigation package from a machine to
provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important –
shutting them down is even more so.
Identity Protection
Identify and access management is another area where the GDPR has placed special emphasis by calling for
mechanisms to grant and restrict access to data subject personal data (for example, role-based access, segregation
of duties).
Multi-factor protection
Biometric authentication – using your face, iris, or fingerprint to unlock your devices – is much safer than traditional
passwords. You– uniquely you– plus your device are the keys to your apps, data, and even websites and services –
not a random assortment of letters and numbers that are easily forgotten, hacked, or written down and pinned to a
bulletin board.
Your ability to protect personal and sensitive data, that may be stored or accessed through desktop or laptops will
be further enhanced by adopting advanced authentication capabilities such as Windows Hello for Business and
Windows Hello companion devices. Windows Hello for Business, part of Windows 10, gives users a personal,
secured experience where the device is authenticated based on their presence. Users can log in with a look or a
touch, with no need for a password.
In conjunction with Windows Hello for Business, biometric authentication uses fingerprints or facial recognition and
is more secure, more personal, and more convenient. If an application supports Hello, Windows 10 enables you to
authenticate applications, enterprise content, and even certain online experiences without a password being stored
on your device or in a network server at all. Windows Hello for Business works with the Companion Device
Framework to enhance the user authentication experience. Using the Windows Hello Companion Device
Framework, a companion device can provide a rich experience for Windows Hello even when biometrics are not
available (for example, if the Windows 10 desktop lacks a camera for face authentication or fingerprint reader
device).
There are numerous ways one can use the Windows Hello Companion Device Framework to build a great Windows
unlock experience with a companion device. For example, users can:
Work offline (for example, while traveling on a plane)
Attach their companion device to PC via USB, touch the button on the companion device, and automatically
unlock their PC.
Carry a phone in their pocket that is already paired with their PC over Bluetooth. Upon hitting the spacebar
on their PC, their phone receives a notification. Approve it and the PC simply unlocks.
Tap their companion device to an NFC reader to quickly unlock their PC.
Wear a fitness band that has already authenticated the wearer. Upon approaching PC, and by performing a
special gesture (like clapping), the PC unlocks.
Protection against attacks by isolating user credentials
As noted in the Windows 10 Credential Theft Mitigation Guide, “the tools and techniques criminals use to carry out
credential theft and reuse attacks improve, malicious attackers are finding it easier to achieve their goals. Credential
theft often relies on operational practices or user credential exposure, so effective mitigations require a holistic
approach that addresses people, processes, and technology. In addition, these attacks rely on the attacker stealing
credentials after compromising a system to expand or persist access, so organizations must contain breaches
rapidly by implementing strategies that prevent attackers from moving freely and undetected in a compromised
network.”
An important design consideration for Windows 10 was mitigating credential theft — in particular, derived
credentials. Windows Defender Credential Guard provides significantly improved security against derived
credential theft and reuse by implementing a significant architectural change in Windows designed to help
eliminate hardware-based isolation attacks rather than simply trying to defend against them.
When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using
virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are
blocked. Malware running in the operating system with administrative privileges can't extract secrets that are
protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation,
persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows
Defender Device Guard, as described above, and other security strategies and architectures.
Information Protection
The GDPR is focused on information protection regarding data that is considered as personal or sensitive in
relation to a natural person, or data subject. Device protection, protection against threats, and identity protection
are all important elements of a Defense in Depth strategy surrounding a layer of information protection in your
laptop and desktop systems.
As to the protection of data, the GDPR recognizes that in assessing data security risk, consideration should be given
to the risks that are presented such as accidental loss, unauthorized disclosure of, or access to, personal data
transmitted, stored or otherwise processed. It also recommends that measures taken to maintain an appropriate
level of security should consider the state-of-the-art and the costs of implementation in relation to the risks among
other factors.
Windows 10 provides built in risk mitigation capabilities for today’s threat landscape. In this section, we will look at
the types of technologies that will help your journey toward GDPR compliance and at the same time provide you
with solid overall data protection as part of a comprehensive information protection strategy.
Encryption for lost or stolen devices

The GDPR calls for mechanisms that implement appropriate technical security measures to confirm the ongoing
confidentiality, integrity, and availability of both personal data and processing systems. BitLocker Encryption, first
introduced as part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 and made available
with Windows Vista, is a built-in data protection feature that integrates with the operating system and addresses
the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The
TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with
BitLocker to protect user data and to ensure that a computer has not been tampered with while the system was
offline.
Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool
against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized
data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-
protected computers are decommissioned or recycled.
Related to BitLocker are Encrypted Hard Drives, a new class of hard drives that are self-encrypting at a hardware
level and allow for full disk hardware encryption. Encrypted Hard Drives use the rapid encryption that is provided
by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance
and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise
devices can expand BitLocker deployment with minimal impact on productivity.
Some of the benefits of Encrypted Hard Drives include:
Better performance. Encryption hardware, integrated into the drive controller, allows the drive to operate
at full data rate with no performance degradation.
Strong security based in hardware. Encryption is always "on" and the keys for encryption never leave
the hard drive. User authentication is performed by the drive before it will unlock, independently of the
operating system
Ease of use. Encryption is transparent to the user because it is on by default. There is no user interaction
needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there
is no need to re-encrypt data on the drive.
Lower cost of ownership. There is no need for new infrastructure to manage encryption keys, since
BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your
device operates more efficiently because processor cycles don't need to be used for the encryption process.
Preventing accidental data leaks to unauthorized users
Part of the reality of your operating in a mobile-first, cloud-first world is the notion that some laptops will have
multiple purposes – both business and personal. Yet that data that is considered as personal and sensitive
regarding EU residents considered as “data subjects” must be protected in line with the requirements of the GDPR.
Windows Information Protection helps people separate their work and personal data and keeps data encrypted
wherever it’s stored. Your employees can safely use both work and personal data on the same device without
switching applications. Windows Information Protection helps end users avoid inadvertent data leaks by sending a
warning when copy/pasting information in non-corporate applications – end users can still proceed but the action
will be logged centrally.
For example, employees can’t send protected work files from a personal email account instead of their work
account. They also can’t accidently post personal or sensitive data from a corporate site into a tweet. Windows
Information Protection also helps ensure that they aren’t saving personal or sensitive data in a public cloud storage
location.
Capabilities to classify, assign permissions and share data
Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found
in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents
printing, for example, or protects work data that is emailed outside your company.
To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is
running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this
protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to
provide this persistent data protection both on-premises and in the cloud.
Data classification is an important part of any data governance plan. Adopting a classification scheme that applies
throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for
example, your EU employee or customer) requests, because it enables enterprises to identify more readily and
process personal data requests.
Azure Information Protection can be used to help you classify and label your data at the time of creation or
modification. Protection in the form of encryption, which the GDPR recognizes may be appropriate at times, or
visual markings can then be applied to data needing protection.
With Azure Information Protection, you can either query for data marked with a sensitivity label or intelligently
identify sensitive data when a file or email is created or modified. Once identified, you can automatically classify
and label the data – all based on the company’s desired policy.
Azure Information Protection also helps your users share sensitive data in a secure manner. In the example below,
information about a sensitive acquisition was encrypted and restricted to a group of people who were granted only
a limited set of permissions on the information – they could modify the content but could not copy or print it.
Related content for associated Windows 10 solutions

Windows Hello for Business: https://www.youtube.com/watch?v=WOvoXQdj-9E and
https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification
Windows Defender Antivirus: https://www.youtube.com/watch?v=P1aNEy09NaI and
https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-
antivirus-in-windows-10
Windows Defender Advanced Threat Protection: https://www.youtube.com/watch?v=qxeGa3pxIwg
and https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-
advanced-threat-protection
Windows Defender Device Guard: https://www.youtube.com/watch?v=F-pTkesjkhI and
https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide
Windows Defender Credential Guard: https://www.youtube.com/watch?v=F-pTkesjkhI and
https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard
Windows Information Protection: https://www.youtube.com/watch?v=wLkQOmK7-Jg and
https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-
data-using-wip
Windows 10 Security Guide: https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-
security-guide
Disclaimer
This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. We’ve spent a lot
of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of
GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled.
As a result, this article is provided for informational purposes only and should not be relied upon as legal advice or
to determine how GDPR might apply to you and your organization. We encourage you to work with a legally-
qualified professional to discuss GDPR, how it applies specifically to your organization, and how best to ensure
compliance.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS
ARTICLE. This article is provided “as-is.” Information and views expressed in this article, including URL and other
Internet website references, may change without notice.
This article does not provide you with any legal rights to any intellectual property in any Microsoft product. You
may copy and use this article for your internal, reference purposes only.
Published September 2017
Version 1.0
© 2017 Microsoft. All rights reserved.
Windows and the GDPR: Information for IT
Administrators and Decision Makers
Applies to:
Windows 10, version 1703 and newer
Windows 10 Team Edition, version 1703 for Surface Hub
Windows Server 2016 and newer
Desktop Analytics
This topic provides IT Decision Makers with a basic understanding of the relationship between users in an
organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn
what role an IT organization plays for that relationship.
For more information about the GDPR, see:
Microsoft GDPR Overview
Microsoft Trust Center FAQs about the GDPR
Microsoft Service Trust Portal (STP)
Get Started: Support for GDPR Accountability
GDPR fundamentals
Here are some GDPR fundamentals:
On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights,
security, and compliance.
The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers
and employees.
The European law establishes strict global data privacy requirements governing how organizations manage and
protect personal data while respecting individual choice – no matter where data is sent, processed, or stored.
A request by an individual to an organization to take an action on their personal data is referred to here as a
data subject request, or DSR.
Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for
clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by
organizations all over the world with regard to the discovery, management, protection, and reporting of personal
data that is collected, processed, and stored within an organization.
What is personal data under the GDPR?
Article 4 (1) of the GDPR defines personal data as any information relating to an identified or identifiable person.
There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data
includes, but is not limited to:
Name
Email address
Credit card numbers
IP addresses
Social media posts
Location information
Handwriting patterns
Voice input to cloud-based speech services
Controller and processor under the GDPR: Who does what
Definition
The GDPR describes specific requirements for allocating responsibility for controller and processor activities related
to personal data. Thus, every organization that processes personal data must determine whether it is acting as a
controller or processor for a specific scenario.
Controller : GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or
other body which, alone or jointly with others, determines the purposes and means of the processing of
personal data.
Processor : According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority,
agency or other body which processes personal data on behalf of the controller.
Controller scenario
For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to
detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that
organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the
organization is the controller of the respective personal data, since the organization controls the purpose and
means of the processing for data being collected from the devices that have Windows Defender ATP enabled.
Processor scenario
In the controller scenario described above, Microsoft is a processor because Microsoft provides data processing
services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and
enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer
and does not have the right to process data beyond their instructions as specified in a written contract, such as the
Microsoft Product Terms and the Microsoft Online Services Terms (OST).
GDPR relationship between a Windows 10 user and Microsoft

For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The
following sections describe what that means for the related data.
Types of data exchanged with Microsoft
Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This
information can contain personal data, as defined in Article 4 (1) of the GDPR, that may be used to provide,
support, and improve Windows 10 services.
Microsoft discloses data collection and privacy practices in detail, for example:
As part of the Windows 10 installation;
In the Windows 10 privacy settings;
Via the web-based Microsoft Privacy dashboard; and
In the Microsoft Privacy Statement.
It is important to differentiate between two distinct types of data Windows services are dealing with.
Windows functional data
A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows
functional data. Some Windows components and applications connecting to Microsoft services also exchange
Windows functional data to provide user functionality.
Some other examples of Windows functional data:
The Weather app which can use the device’s location to retrieve local weather or community news.
Wallpaper and desktop settings that are synchronized across multiple devices.
For more info on how IT Professionals can manage Windows functional data sent from an organization to
Microsoft, see Manage connections from Windows operating system components to Microsoft services.
Windows diagnostic data
Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and
make product improvements. The data is encrypted before being sent back to Microsoft.
Some examples of diagnostic data include:
The type of hardware being used, information about installed apps and usage details, and reliability data on
drivers running on the device.
For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and
recommendations to enhance Microsoft products and services for the needs of the user.
Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion
about these diagnostic data levels please see Configure Windows diagnostic data in your organization. To find
more about what information is collected and how it is handled, see Understanding Windows diagnostic data.
IMPORTANT
Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own
functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further
guidance on how to control the diagnostic data collection level and transmission of these applications and services.
Windows services where Microsoft is the processor under the GDPR

Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and
Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data
under the GDPR, such as Desktop Analytics, Update Compliance and Windows Defender Advanced Threat
Protection (ATP).
NOTE
Both Desktop Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a
certain license (please see Compare Windows 10 editions).
Desktop Analytics
IMPORTANT
The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. Update
Compliance will continue to be supported. For more information, see Windows Analytics retirement on January 31, 2020.
Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight
and intelligence for you to make more informed decisions about the update readiness of Windows Windows
devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an
enterprise with data aggregated from millions of devices into the Desktop Analytics service.
Windows transmits Windows diagnostic data to Microsoft datacenters, where that data is analyzed and stored.
With Desktop Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve
their processes for upgrading to Windows 10.
As a result, in terms of the GDPR, the organization that has subscribed to Desktop Analytics is acting as the
controller, while Microsoft is the processor for Desktop Analytics.
NOTE
The IT organization must explicitly enable Desktop Analytics for a device after the organization subscribes.
IMPORTANT
Desktop Analytics does not collect Windows Diagnostic data by itself. Instead, Desktop Analytics only uses a subset of
Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is
controlled by the IT department of an organization or the user of a device. See Enable data sharing for Desktop Analytics
Windows Defender ATP

Windows Defender ATP is cloud-based service that collects and analyzes usage data from an organization’s devices
to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices
transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security
operations center (SOC) of the organization can view the analyzed data using the Windows Defender ATP portal.
As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the
controller, while Microsoft is the processor for Windows Defender ATP.
NOTE
The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes.
At a glance – Windows 10 services GDPR mode of operations

The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating.
SERVIC E M IC RO SO F T GDP R M O DE O F O P ERAT IO N
Windows Functional data Controller or Processor*
Windows Diagnostic data Controller
Desktop Analytics Processor
Windows Defender Advanced Threat Detection (ATP) Processor
Table 1: Windows 10 GDPR modes of operations for different Windows 10 services

*/Depending on which application/feature this is referring to.
Windows diagnostic data and Windows 10

Recommended Windows 10 settings
Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (Start > Settings >
Privacy > Diagnostics & feedback) or by the IT department of an organization, using Group Policy or Mobile Device
Management (MDM) techniques.
For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level
to “Enhanced”. This enables organizations to get the full functionality of Desktop Analytics.
NOTE
For more information on the Enhanced level, see Configure Windows diagnostic data in your organization.
For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level
configuration for EEA and Switzerland commercial users is “Basic”.
NOTE
For Windows 7, Microsoft recommends using Commercial Data Opt-in setting to facilitate upgrade planning to Windows 10.
Additional information for Desktop Analytics

The basic functionality of Desktop Analytics works at the “Basic” diagnostic data level. Other functionality of
Desktop Analytics, such as usage or health data for updated devices, require “Enhanced”.
Those organizations who wish to share the smallest set of events for Desktop Analytics and have set the Windows
diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Desktop
Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When
enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the
smallest set of data required by Desktop Analytics.
NOTE
Additional information can be found at Desktop Analytics and privacy.
Controlling Windows 10 data collection and notification about it

Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the
user and the IT organization have the ability to control the transmission of that data to Microsoft.
Adjusting privacy settings by the user
A user has the ability to adjust additional privacy settings in Windows by navigating to Start > Settings > Privacy.
For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking
and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects
activities for syncing it with other devices.
For a standard user in an organization, some privacy settings might be controlled by their IT department. This is
done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an
alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to Start > Settings
> Privacy. As such, the user can only change some settings, but not all.
Users can lower the diagnostic level
Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device
below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the
Group Policy Computer Configuration\Administrative Templates\Windows Components\Data
Collection and Preview Builds\Configure telemetr y opt-in setting user interface or the MDM policy
ConfigureTelemetr yOptInSettingsUx .
If an IT organization has not disabled this policy, users within the organization can change their own Windows
diagnostic data collection level in Start > Settings > Privacy > Diagnostics & feedback. For example, if the IT
organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level
setting to “Basic”.
Notification at logon
Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization
has not disabled the Group Policy Computer Configuration\Administrative Templates\Windows
Components\Data Collection and Preview Builds\Configure telemetr y opt-in change notifications or
the MDM policy ConfigureTelemetr yOptInChangeNotification , Windows diagnostic data notifications can
appear at logon so that the users of a device are aware of the data collection.
This notification can also be shown when the diagnostic level for the device was changed. For instance, if the
diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on
their next logon.
Diagnostic Data Viewer (DDV )
In Windows 10, version 1803 and later, users can invoke the Diagnostic Data Viewer (DDV) to see what Windows
diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his
device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is
used by Microsoft.
A user can turn on Windows diagnostic data viewing by going to go to Start > Settings > Privacy > Diagnostics &
feedback. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can
see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the
‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of Start > Settings > Privacy > Diagnostics &
feedback.
Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’
button in the ‘Delete diagnostic data’ section of Start > Settings > Privacy > Diagnostics & feedback.
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy
protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section
with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT
organization.
IT Professionals that are interested in this configuration, see Windows 10 personal data services configuration.
Windows 10 connections to Microsoft
To find out more about the network connections that Windows components make to Microsoft as well as the
privacy settings that affect data shared with either Microsoft or apps, see Manage connections from Windows
operating system components to Microsoft services. This article describe how these settings can be managed by an
IT Professional, and fronts an array of Windows version-specific articles.
At-a-glance: the relationship between an IT organization and the GDPR
Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy
GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT
organization can influence that relationship in an enterprise scenario. For example, the IT organization has the
ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings.
Windows Server
Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when
collecting Windows diagnostic data.
More detailed information about Windows Server and the GDPR is available at Beginning your General Data
Protection Regulation (GDPR) journey for Windows Server.
Windows diagnostic data and Windows Server
The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through
management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”.
The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”.
IT administrators can configure the Windows Server diagnostic data settings using familiar management tools,
such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using
Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any
device-level settings.
There are two options for deleting Windows diagnostic data from a Windows Server machine:
If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are
the same options available for an IT administrator that end users have with Windows 10, version 1803 and
version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the Delete
button in the Delete diagnostic data section of Star t > Settings > Privacy > Diagnostics & feedback .
Microsoft has provided a PowerShell cmdlet that IT administrators can use to delete Windows diagnostic data
via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet
provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows
Server 2019. For more information, see the PowerShell Gallery.
Backups and Windows Server
Backups, including live backups and backups that are stored locally within an organization or in the cloud, can
contain personal data.
Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control.
For example, for exporting personal data contained in a backup, the organization needs to restore the
appropriate backup sets to facilitate the respective data subject request (DSR).
The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure
Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or
in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to
restore the data in order to exercise the respective DSR.
Windows 10 Team Edition, Version 1703 for Surface Hub

Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic
data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub,
Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
NOTE
Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement
their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please
contact the app publisher for further guidance on how to control this.
An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to
Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use
MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see
Manage settings with an MDM provider.
Further reading
Optional settings / features that further improve the protection of personal data
Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use
the modern and advanced security features of Windows 10. An IT organization can learn more at Mitigate threats
by using Windows 10 security features and Standards for a highly secure Windows 10 device.
NOTE
Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module
(TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5).
Windows Security Baselines

Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For
more information, please visit Windows Security Baselines.
Windows Restricted Traffic Limited Functionality Baseline
To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft,
IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available here.
IMPORTANT
Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security
configuration of a device in the organization and are therefore not recommended.
Microsoft Trust Center and Service Trust Portal

Please visit our GDPR section of the Microsoft Trust Center to obtain additional resources and to learn more about
how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about
the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of
resources for GDPR compliance. Also, please check out the Compliance Manager of the Microsoft Service Trust
Portal (STP) and Get Started: Support for GDPR Accountability.
Additional resources
FAQs
Windows 10 feedback, diagnostics, and privacy
Microsoft Edge and privacy
Windows Hello and privacy
Wi-Fi Sense
Blogs
Privacy and Windows 10
Privacy Statement
Microsoft Privacy Statement
Other resources
Privacy at Microsoft
Windows 10 & Privacy Compliance:
A Guide for IT and Compliance Professionals
Applies to:
Windows 10 Team Edition, version 1703 for Surface Hub
Windows Server 2016 and newer
Windows Analytics
For more information about the GDPR, see:
Windows and the GDPR: Information for IT Administrators and Decision Makers
Microsoft GDPR Overview
Microsoft Trust Center FAQs about the GDPR
Microsoft Service Trust Portal (STP)
Get Started: Support for GDPR Accountability
Overview
At Microsoft, we are deeply committed to data privacy across all our products and services. With this guide, we
provide IT and compliance professionals with data privacy considerations for Windows 10.
Microsoft collects data through multiple interactions with users of Windows 10 devices. This information can
contain personal data that may be used to provide, secure, and improve Windows 10 services. To help users and
organizations control the collection of personal data, Windows 10 provides comprehensive transparency features,
settings choices, controls and support for data subject requests, all of which are detailed in this guide.
This information allows IT and compliance professionals work together to better manage personal data privacy
considerations and related regulations, such as the General Data Protection Regulation (GDPR).
1. Windows 10 data collection transparency

Transparency is an important part of the data collection process in Windows 10. Comprehensive information about
the features and processes used to collect data is available to users and administrators directly within Windows,
both during and after device set up.
If interested in understanding how to manage settings related to data collection skip to the next section Windows
10 data collection management.
1.1 Device set up experience and support for layered transparency
When setting up a device, a user can configure their privacy settings. Those privacy settings are key in determining
the amount of personal data collected. For each privacy setting, the user is provided information about the setting
along with the links to supporting information. This information explains what data is collected, how the data is
used and how to manage the setting after the device setup is complete. The user can also review the privacy
statement when connected to the network during this portion of setup. A brief overview of the set up experience
for privacy settings are described in this blog.
The following table provides an overview of the Windows 10 privacy settings presented during the device setup
experience that involve processing personal data and where to find additional information.
NOTE
This table is limited to the privacy settings that are available as part of setting up a Windows 10 device (Windows 10, version
1809 and later). For the full list of settings that involve data collection, see: Manage connections from Windows operating
system components to Microsoft services.
F EAT URE/ SET T IN G DESC RIP T IO N SUP P O RT IN G C O N T EN T P RIVA C Y STAT EM EN T
Diagnostic Data Microsoft uses Learn more Privacy Statement

diagnostic data to: keep
Windows secure and up Configure Windows
to date, troubleshoot diagnostic data in your
problems, and make organization
product improvements
as described in more
detail below. Regardless
of level selected, the
device will be just as
secure and will operate
normally. This data is
collected by Microsoft
and stored with one or
more unique identifiers
that can help us
recognize an individual
user on an individual
device, and understand
the device's service
issues and use patterns.
Diagnostic data is
categorized into four
levels:
Security
Information that’s
required to help keep
Windows, Windows
Server, and System
Center secure,
including data about
the Connected User
Experiences and
Telemetry
component settings,
the Malicious
Software Removal
Tool, and Windows
Defender.
Basic
Basic device info,
including: quality-
related data, app
compatibility, and
data from the
Security level.
Enhanced
Additional insights,
including: how
Windows, Windows
Server, System
Center, and apps are
used; how they
perform; advanced
reliability data; and
data from both the
Basic and the
Security levels.
Full
Information about
the websites you
browse, how you use
apps and features;
plus additional
information about
device health, device
activity, enhanced
error reporting, and
data from Enhanced,
Basic and the
Security levels.
At Full, Microsoft also
collects the memory
state of your device
when a system or
app crash occurs
(which may
unintentionally
include parts of a file
you were using when
a problem occurred).
Inking and typing Microsoft collects inking and Learn more Privacy Statement
diagnostics typing data to improve the
language recognition and
suggestion capabilities of
apps and services running
on Windows.
Speech Use your voice for dictation Learn more Privacy Statement
and to talk to Cortana and
other apps that use
Windows cloud-based
speech recognition.
Microsoft collects voice data
to help improve speech
services.
Location Get location-based Learn more Privacy Statement

experiences like directions
and weather. Let Windows
and apps request your
location and allow Microsoft
to use your location data to
improve location services.
Find my device Use your device’s location Learn more Privacy Statement
data to help you find your
device if you lose it.
Tailored Experiences Let Microsoft offer you Learn more Privacy Statement
tailored experiences based
on the diagnostic data you
have chosen (Security, Basic,
Enhanced, or Full). Tailored
experiences mean
personalized tips, ads, and
recommendations to
enhance Microsoft products
and services for your needs.
Advertising Id Apps can use advertising ID Learn more Privacy statement

to provide more
personalized advertising in
accordance with the privacy
policy of the app provider.
Activity History/Timeline – If you want timeline and Learn more Privacy statement
Cloud Sync other Windows features to
help you continue what you
were doing, even when you
switch devices, send
Microsoft your activity
history, which includes info
about websites you browse
and how you use apps and
services.
Cortana Cortana is Microsoft’s Learn more Privacy statement

personal digital
assistant, which helps Cortana integration in your
busy people get things business or enterprise
done, even while they’re
at work. Cortana on
Windows is available in
certain regions and
languages. Cortana
learns from certain data
about the user, such as
location, searches,
calendar, contacts, voice
input, speech patterns,
email, content and
communication history
from text messages. In
Microsoft Edge, Cortana
uses browsing history.
The user is in control of
how much data is
shared.
Cortana has powerful

configuration options,
specifically optimized for
a business. By signing in
with an Azure Active
Directory (Azure AD)
account, enterprise users
can give Cortana access
to their enterprise/work
identity, while getting all
the functionality
Cortana provides to
them outside of work.
1.2 Data collection monitoring

The Diagnostic Data Viewer (DDV) is a Windows app (available in Windows 10, version 1803 or later) that lets a
user review the Windows diagnostic data that is being collected on their Windows 10 device and sent to Microsoft.
DDV groups the information into simple categories based on how it is used by Microsoft. The DDV Overview
provides information on how users can get started on using this tool.
An administrator can also use the Diagnostic Data Viewer for PowerShell module to view the diagnostic data
collected from the device instead of using the Diagnostic Data Viewer UI. The Diagnostic Data Viewer for
PowerShell Overview provides further information.
2. Windows 10 data collection management

Windows 10 provides the ability to manage privacy settings through several different methods. Users can change
their privacy settings using the Windows 10 settings (Star t > Settings > Privacy ). The organization can also
manage the privacy settings using group policy or mobile device management (MDM). The following sections
provide an overview on how to manage the privacy settings previously discussed in this article.
2.1 Privacy setting options for users
Once a Windows 10 device is set up, a user can manage data collection settings by going to Star t > Settings >
Privacy . IT administrators can control privacy settings via setting policy on the device (see Section 2.2 below). If
this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’
when they navigate to Star t > Settings > Privacy . Meaning the user can only change settings in accordance with
the policies that the administrator has applied to the device.
2.2 Privacy setting controls for administrators
The IT department can configure and control privacy settings across their organization by using Group Policy,
registry, or Mobile Device Management (MDM) settings.
The following table provides an overview of the privacy settings discussed earlier in this document with details on
how to configure these via policy. The table also provides information on what the default value would be for each
of these privacy settings if you do not manage the setting via policy and suppress the Out-of-box Experience
(OOBE) during device setup. For an IT administrator interested in minimizing data, we also provide the
recommended value to set.
NOTE
This is not a complete list of settings that involve connecting to Microsoft services. To see a more detailed list, please refer to
Manage connections from Windows operating system components to Microsoft services.
DEFA ULT STAT E IF T H E

SET UP EXP ERIEN C E IS STAT E TO STO P / M IN IM IZ E
F EAT URE/ SET T IN G GP / M DM DO C UM EN TAT IO N SUP P RESSED DATA C O L L EC T IO N
Speech Group Policy: Off Off

Computer Configuration
> Control Panel >
Regional and Language
Options > Allow users to
enable online speech
recognition ser vices
MDM:
Privacy/AllowInputPersonaliz
ation
Location Group Policy: Off (Windows 10, version Off

Computer Configuration 1903 and later)
> Windows Components
> App Privacy > Let
Windows apps access
location
MDM:
Privacy/LetAppsAccessLocati
on
Find my device Group Policy: Off Off

> Find My Device > Turn
On/Off Find My Device
MDM:
Experience/AllFindMyDevice
DEFA ULT STAT E IF T H E
SET UP EXP ERIEN C E IS STAT E TO STO P / M IN IM IZ E
F EAT URE/ SET T IN G GP / M DM DO C UM EN TAT IO N SUP P RESSED DATA C O L L EC T IO N
Diagnostic Data Group Policy: Desktop SKUs: Security and block endpoints
Computer Configuration Basic (Windows 10, version
> Windows Components 1903 and later)
> Data Collection and
Preview Builds > Allow Server SKUs:
Telemetr y Enhanced
MDM:
System/AllowTelemetry
Inking and typing Group Policy: Off (Windows 10, version Off
diagnostics Computer Configuration 1809 and later)
> Text Input > Improve
inking and typing
recognition
MDM:
TextInput/AllowLinguisticDat
aCollection
Tailored Experiences Group Policy: Off Off

User Configuration >
Windows Components >
Cloud Content > Do not
use diagnostic data for
tailored experiences
MDM: Link TBD
Advertising ID Group Policy: Off Off

Configuration > System
> User Profile > Turn off
the adver tising Id
MDM:
Privacy/DisableAdvertisingId
Activity History/Timeline – Group Policy: Off Off

Cloud Sync Computer Configuration
> System > OS Policies >
Allow upload of User
Activities
MDM:
Privacy/EnableActivityFeed
Cortana Group Policy: Off Off

> Search > Allow
Cor tana
MDM:
Experience/AllowCortana
2.3 Guidance for configuration options

This section provides general details and links to more detailed information as well as instructions for IT
administrators and compliance professional. These instructions allow IT admins and compliance pros to manage
the device compliance. This information includes details about setting up a device, to configuring the device’s
settings after setup is completed to minimize data collected and drive privacy related user experiences.
2.3.1 Managing the device setup experience
Windows deployment can be configured using several different methods, which provide an administrator with
options to control: how a device is set up, what’s enabled by default, and what the user is able to change on the
system after they log on.
The Deploy and update Windows 10 section of the Windows IT Pro Center provides an overview of the different
options.
2.3.2 Managing connections from Windows components to Microsoft services
IT administrators can manage the data sent from their organization to Microsoft by configuring settings associated
with the functionality provided by these Windows components.
See Manage connections from Windows operating system components to Microsoft services for more details,
including the different methods available on how to configure each setting, the impact to functionality and which
versions of Windows that are applicable.
2.3.3 Managing Windows 10 connections
Some Windows components, apps, and related services transfer data to Microsoft network endpoints. An
administrator may want to block these endpoints as an additional measure of ensuring privacy compliance within
their organization.
Manage connection endpoints for Windows 10, version 1809 provides a list of endpoints for the latest Windows 10
release, along with the functionality that would be impacted. Details for additional Windows versions can be found
on the Windows Privacy site under the “Manage Windows 10 connection endpoints” section of the left-hand
navigation menu.
2.3.4 Limited functionality baseline
An organization may want to further minimize the amount of data shared with Microsoft or apps by managing the
connections and configuring additional settings on their devices. Similar to Security baselines, we have a limited
functionality baseline-focused configuring settings to minimize the data shared, however this comes with some
potential impact to functionality on the device. The Manage connections from Windows operating system
components to Microsoft services article provides details on how to apply the baseline, along with the full list of
settings covered in the baseline and the functionality that would be impacted. Administrators who don’t want to
apply the baseline can still find details on how to configure each setting individually to find the right balance
between data sharing and impact to functionality for their organization.
2.3.5 Diagnostic data: Managing notifications for change of level at logon
Windows 10, version 1803, and later provides users with a notification during sign in about changes to the
diagnostic data level on the device so they are aware of any changes where additional data may be collected. For
instance, if the diagnostic level on the device is set to Basic and an administrator changes it to Full, users will be
notified when they next sign in. The IT administrator can disable these notifications by setting Group Policy:
Computer Configuration > Administrative Templates > Windows Components > Data Collection and
Preview Builds > Configure telemetr y opt-in change notifications or the MDM policy
ConfigureTelemetryOptInChangeNotification .
2.3.6 Diagnostic data: Managing end user choice for changing the setting
Windows 10, version 1803 and later, allows users to change their diagnostic data level to a lower setting than what
their IT administrator has set. For instance, if the administrator has set the diagnostic data level to Enhanced or Full,
a user can change the setting to Basic by going into Settings > Privacy > Diagnostic & feedback . The
administrator can disable the user ability to change the setting via Setting > Privacy by setting the Group Policy:
Preview Builds > Configure telemetr y opt-in setting user interface or the MDM policy
ConfigureTelemetryOptInSettingsUx .
2.3.7 Diagnostic data: Managing device-based data delete
Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going
into Settings > Privacy > Diagnostic & feedback and clicking the Delete button. An IT administrator can also
delete diagnostic data for a device using the Clear-WindowsDiagnosticData PowerShell cmdlet script.
An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy:
Preview Builds > Disable deleting diagnostic data or the MDM policy DisableDeviceDelete .
3. The process for exercising data subject rights

This section discusses the different methods Microsoft provides for users and IT administrators to exercise data
subject rights for data collected from a Windows 10 device.
3.1 Delete
Users can delete their device-based data by going to Settings > Privacy > Diagnostic & feedback and clicking
the Delete button. Administrators can also use the Clear-WindowsDiagnosticData PowerShell cmdlet script.
3.2 View
The Diagnostic Data Viewer (DDV) provides a view into the diagnostic data being collected from the Windows 10
device. IT administrators can also use the Get-DiagnosticData PowerShell cmdlet script.
3.3 Export
The Diagnostic Data Viewer (DDV) provides the ability to export the diagnostic data captured while the app is
running, by clicking the Export data button in the top menu. IT administrators can also use the Get-DiagnosticData
PowerShell cmdlet script.
3.4 Devices connected to a Microsoft account
If a user signs in to a Windows experience or app on their device with their Microsoft account (MSA), they can view,
delete, and export data associated with their MSA on the Privacy dashboard.
4. Cross-border data transfers

Microsoft complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set
forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information
transferred from the European Union, the United Kingdom, and Switzerland to the United States.
Microsoft’s Privacy Statement provides details on how we store and process personal data.
5. Related Windows product considerations

The following sections provide details about how privacy data is collected and managed across related Windows
products.
5.1 Windows Server 2016 and 2019
Windows Server follows the same mechanisms as Windows 10 for handling of personal data. There are some
differences regarding diagnostic default settings for Windows Server.
5.2 Surface Hub
Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data
is not connected to an individual user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub,
Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store.
For more details, see Windows 10 Team Edition, Version 1703 for Surface Hub.
5.3 Windows 10 Analytics
Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of
devices in your deployment. There are currently three solutions which you can use singly or in any combination:
Device Health, Update Compliance, and Upgrade Readiness. Windows Analytics is a separate offering from
Windows 10 and is dependent on enabling a minimum set of data collection on the device to function.
For more details, see the Windows Analytics overview page.
Additional Resources
Microsoft Trust Center: GDPR Overview
Microsoft Trust Center: Privacy at Microsoft
Windows IT Pro Docs
Applies to:
Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy
protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section
with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT
organization.
IT Professionals that are interested in applying these settings via group policies can find the configuration for
download here.
Introduction
Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This
information can contain personal data that may be used to provide, support, and improve Windows 10 services.
Many Windows 10 services are controller services. A user can manage data collection settings, for example by
opening Start > Settings > Privacy or by visiting the Microsoft Privacy dashboard. While this relationship between
Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For
example, the IT department has the ability to configure the Windows diagnostic data level across their organization
by using Group Policy, registry, or Mobile Device Management (MDM) settings.
Below is a collection of settings related to the Windows 10 personal data services configuration that IT
Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection.
Windows diagnostic data

Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and
utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-
to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored
experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft
products and services for your needs.
The following options for configuring Windows diagnostic data are relevant in this context.
Diagnostic level
This setting determines the amount of Windows diagnostic data sent to Microsoft.
NOTE
In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required
by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the
Enhanced level to the smallest set of data required by Windows Analytics. For more information on the Enhanced level, see
Configure Windows diagnostic data in your organization.
Group Policy
Group Policy Computer Configuration\Administrative Templates\Windows
Components\Data Collection and Preview Builds
Policy Name Allow Telemetry
Default setting 2 - Enhanced
Recommended 2 - Enhanced
Group Policy User Configuration\Administrative Templates\Windows

Policy Name Allow Telemetry
Default setting 2 - Enhanced
Recommended 2 - Enhanced
NOTE
When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
Registry
Registr y key HKLM\Software\Policies\Microsoft\Windows\DataCollection
Value AllowTelemetry
Type REG_DWORD
Setting "00000002"
Registr y key HKCU\Software\Policies\Microsoft\Windows\DataCollection
Value AllowTelemetry
Type REG_DWORD
Setting "00000002"
MDM
MDM CSP System
Policy AllowTelemetry (scope: device and user)

Default setting 2 – Enhanced
Recommended 2 – Allowed
Diagnostic opt-in change notifications

This setting determines whether a device shows notifications about Windows diagnostic data levels to people on
first logon or when changes occur in the diagnostic configuration.
Group Policy

Policy Name Configure telemetry opt-in change notifications
Default setting Enabled
Recommended Enabled
Registry
Value DisableTelemetryOptInChangeNotification
Type REG_DWORD
Setting "00000000"
MDM
MDM CSP System
Policy ConfigureTelemetryOptInChangeNotification
Default setting 0 – Enabled
Recommended 0 – Enabled
Configure telemetry opt-in setting user interface

This setting determines whether people can change their own Windows diagnostic data level in Start > Settings >
Privacy > Diagnostics & feedback.
Group Policy

Policy Name Configure telemetry opt-in setting user interface
Default setting Enabled
Recommended Enabled
Registry
Value DisableTelemetryOptInSettingsUx
Type REG_DWORD
Setting "00000001"
MDM
MDM CSP System
Policy ConfigureTelemetryOptInSettingsUx
Default setting 0 – Enabled
Policies affecting personal data protection managed by the Enterprise

IT
There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data.
The following options for configuring these policies are relevant in this context.
BitLocker
The following settings determine whether fixed and removable drives are protected by the BitLocker Drive
Encryption.
Fixed Data Drives
Group Policy

Components\Bitlocker Drive Encryption\Fixed Data Drives
Policy Name Deny write access to fixed drives not protected by BitLocker
Default setting Not configured
Recommended Enabled
Registry
Registr y key HKLM\System\CurrentControlSet\Policies\Microsoft\FVE
Value FDVDenyWriteAccess
Type REG_DWORD
Setting "00000001"
MDM
MDM CSP BitLocker
Policy FixedDrivesRequireEncryption
Default setting Disabled
Recommended Enabled (see instructions)
Removable Data Drives

Group Policy

Components\Bitlocker Drive Encryption\Removable Data
Drives
Policy Name Deny write access to removable drives not protected by

BitLocker
Recommended Enabled
Registry
Registr y key HKLM\System\CurrentControlSet\Policies\Microsoft\FVE
Value RDVDenyWriteAccess
Type REG_DWORD
Setting "00000001"
Registr y key HKLM\Software\Policies\Microsoft\FVE
Value RDVDenyCrossOrg
Type REG_DWORD
Setting "00000000"
MDM
MDM CSP BitLocker
Policy RemovableDrivesRequireEncryption
Recommended Enabled (see instructions)
Privacy – AdvertisingID
This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps,
is turned off.
Group Policy
Group Policy Computer Configuration\Administrative

Templates\System\User Profiles
Policy Name Turn off the advertising ID
Recommended Enabled
Registry
Registr y key HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo
Value DisabledByGroupPolicy
Type REG_DWORD
Setting "00000001"
MDM
MDM CSP Privacy
Policy DisableAdvertisingId
Default setting 65535 (default) - Not configured
Edge
These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites.
NOTE
Please see this Microsoft blog post for more details on why the “Do Not Track” is no longer the default setting.
Group Policy

Components\Microsoft Edge
Policy Name Configure Do Not Track
Recommended Disabled

Components\Microsoft Edge
Policy Name Configure Do Not Track
Registry
Registr y key HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
Registr y key HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
MDM
MDM CSP Browser

Policy AllowDoNotTrack (scope: device + user)
Default setting 0 (default) – Not allowed
Recommended 0 – Not allowed
Internet Explorer
These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to
websites.
Group Policy

Components\Internet Explorer\Internet Control
Panel\Advanced Page
Policy Name Always send Do Not Track header

Components\Internet Explorer\Internet Control
Panel\Advanced Page
Policy Name Always send Do Not Track header
Registry
Registr y key HKLM\Software\Policies\Microsoft\Internet Explorer\Main
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
Registr y key HKCU\Software\Policies\Microsoft\Internet Explorer\Main
Value DoNotTrack
Type REG_DWORD
Setting "00000000"
MDM
MDM CSP N/A
FAQs
Wi-Fi Sense
Blogs
Privacy Statement
Windows Privacy on docs.microsoft.com
Manage connections from Windows operating system components to Microsoft services
Manage connections from Windows 10 operating system components to Microsoft services
Understanding Windows diagnostic data
Other resources
Configure Windows diagnostic data in your
organization
Applies to
Windows 10 Enterprise
Windows 10 Mobile
Windows Server
This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic
data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic
data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly
identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure diagnostic data in your organization.
Diagnostic data is a term that means different things to different people and organizations. For this article, we
discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry
component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and
make product improvements.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by
contacting telmhelp@microsoft.com.
Overview of Windows diagnostic data

At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the
most robust, most valuable platform for your business and the people who count on Windows to enable them to
be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This
guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it
differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that
Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide
demonstrates how.
To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn
customer trust every day by focusing on six key privacy principles as described at privacy.microsoft.com. These
principles guided the implementation of the Windows diagnostic data system in the following ways:
Control. We offer customers control of the diagnostic data they share with us by providing easy-to-use
management tools.
Transparency. We provide information about the diagnostic data that Windows and Windows Server collects
so our customers can make informed decisions.
Security. We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate
pinning to secure the connection.
Strong legal protections. We respect customers’ local privacy laws and fight for legal protection of their
privacy as a fundamental human right.
No content-based targeting. We take steps to avoid and minimize the collection of customer content, such
as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content
inadvertently collected is kept confidential and not used for user targeting.
Benefits to you. We collect Windows diagnostic data to help provide you with an up-to-date, more secure,
reliable and performant product, and to improve Windows for all our customers.
In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or
new Windows Defender signatures, check whether Windows Update installations were successful, gather
reliability information through the Reliability Analysis Component (RAC), and gather reliability information
through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and
Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or
MDM.
For Windows 10, we invite IT pros to join the Windows Insider Program to give us feedback on what we can do
to make Windows work better for your organization.
Understanding Windows diagnostic data

Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system.
Historically, we released a major Windows version every few years. The effort required to deploy large and
infrequent Windows versions was substantial. That effort included updating the infrastructure to support the
upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these
updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value
to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at
each stage of the process to inform our decisions and prioritize our efforts.
What is Windows diagnostic data?
Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and
related software are performing. It's used in the following ways:
Keep Windows up to date
Keep Windows secure, reliable, and performant
Improve Windows – through the aggregate analysis of the use of Windows
Personalize Windows engagement surfaces
Here are some specific examples of Windows diagnostic data:
Type of hardware being used
Applications installed and usage details
Reliability information on device drivers
What is NOT diagnostic data?
Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect
to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s
location for local weather or news is not an example of diagnostic data—it is functional data that the app or
service requires to satisfy the user’s request.
There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic
data in the background automatically. You can control how much information is gathered by setting the
diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a
crash dump is collected and a document was in memory at the time of the crash).
On the other hand, functional data can contain personal information. However, a user action, such as requesting
news or asking Cortana a question, usually triggers collection and transmission of functional data.
If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see
Manage connections from Windows operating system components to Microsoft services.
The following are specific examples of functional data:
Current location for weather
Bing searches
Wallpaper and desktop settings synced across multiple devices
Diagnostic data gives users a voice
Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development
and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real
world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers,
representation in the dataset on which we will make future design decisions is a real benefit. The following
sections offer real examples of these benefits.
Improve app and driver quality
Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the
bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and
security issues with apps and device drivers on given configurations. For example, we can identify an app that
hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver
vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity
associated with troubleshooting these issues.
Real-world example of how Windows diagnostic data helps
There was a version of a video driver that was crashing on some devices running Windows 10, causing the
device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party
developer who builds the video driver. Working with the developer, we provided an updated driver to Windows
Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate
the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic
data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and
reducing costly support calls.
Improve end-user productivity
Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the
operating system’s features and related services. The insights we gain from this data helps us prioritize our
engineering effort to directly impact our customers’ experiences. Examples are:
Star t menu. How do people change the Start menu layout? Do they pin other apps to it? Are there any apps
that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect
people’s expectations when they turn on their device for the first time.
Cor tana. We use diagnostic data to monitor the scalability of our cloud service, improving search
performance.
Application switching. Research and observations from earlier Windows versions showed that people
rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they
loved the feature, saying that it would be highly productive, but they did not know about it previously. Based
on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later
diagnostic data showed significantly higher usage of this feature.
These examples show how the use of diagnostic data enables Microsoft to build or enhance
features which can help organizations increase employee productivity while lowering help desk
calls.
Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make
your internal processes and user experiences better. Microsoft provides a set of solutions that leverage
information shared by customers to provide insights customized for your internal use. The first of these was
Upgrade Readiness, followed by Desktop Analytics. Both help organizations with Windows as a Service adoption
and potential compatibility challenges. For E5 customers, Microsoft Defender Advanced Threat Protection, a
platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
How Microsoft handles diagnostic data

The diagnostic data is categorized into four levels:
Security . Information that’s required to help keep Windows and Windows Server secure, including data
about the Connected User Experiences and Telemetry component settings, the Malicious Software
Removal Tool, and Windows Defender.
Basic . Basic device info, including: quality-related data, app compatibility, and data from the Security
level.
Enhanced . Additional insights, including: how Windows, Windows Server, and apps are used, how they
perform, advanced reliability data, and data from both the Basic and the Security levels.
Full . Includes information about the websites you browse, how you use apps and features, plus additional
information about device health, device activity (sometimes referred to as usage), and enhanced error
reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash
occurs. It includes data from the Security , Basic , and Enhanced levels.
Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower
levels. For more information see the Diagnostic data levels section.
Data collection
Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which
uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events
and data. The operating system and some Microsoft management solutions, such as System Center, use the same
logging technology.
1. Operating system features and some management applications are instrumented to publish events and data.
Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage
Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings.
4. The Connected User Experiences and Telemetry component transmits the diagnostic data.
Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate,
which can be as low as 1% of devices reporting data at those levels.
Data transmission
All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the
Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event
priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection,
are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered
server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15
minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per
device per day, but occasionally up to 2 MB per device per day.
Endpoints
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel
with a valid business justification are permitted access.
Solutions like Desktop Analytics or Microsoft Defender Advanced Threat Protection need Windows devices to
reach diagnostics endpoints which enable organizations to leverage solutions based on diagnostics data. These
solutions leverage Windows components like the Connected User Experiences and Telemetry service, Windows
Defender Advanced Threat Protection service, Windows Error Reporting, and Online Crash Analysis.
For a complete list of diagnostics endpoints leveraged by Desktop Analytics, see Enable data sharing for Desktop
Analytics. For a complete list of diagnostics endpoints leveraged by Microsoft Defender Advanced Threat
Protection, see Enable access to Microsoft Defender ATP service URLs in the proxy server.
The following table defines the endpoints for Connected User Experiences and Telemetry component:
W IN DO W S REL EA SE EN DP O IN T
Windows 10, versions 1703 or later, with the 2018-09 Diagnostics data: v10c.vortex-win.data.microsoft.com
cumulative update installed Functional: v20.vortex-win.data.microsoft.com
Microsoft Defender Advanced Threat Protection is

country specific and the prefix changes by country,
for example: de .vortex-win.data.microsoft.com
Settings: settings-win.data.microsoft.com
Windows 10, versions 1803 or later, without the 2018-09 Diagnostics data: v10.events.data.microsoft.com
cumulative update installed Functional: v20.vortex-win.data.microsoft.com

Windows 10, version 1709 or earlier Diagnostics data: v10.vortex-win.data.microsoft.com

Functional: v20.vortex-win.data.microsoft.com

The following table defines additional diagnostics endpoints not covered by services in the links above:
SERVIC E EN DP O IN T
OneDrive app for Windows 10 https://vortex.data.microsoft.com/collect/v1
The following table defines the endpoints for other diagnostic data services:
Windows Error Reporting watson.telemetry.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net
Online Crash Analysis oca.telemetry.microsoft.com
OneDrive app for Windows 10 vortex.data.microsoft.com/collect/v1
Microsoft Defender Advanced Threat Protection https://wdcp.microsoft.com

https://wdcpalt.microsoft.com
Data use and access

The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data
of our customers with third parties, except at the customer’s discretion or for the limited purposes described in
the Privacy Statement. Microsoft may share business reports with OEMs and third-party partners that include
aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team
including privacy, legal, and data management.
Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need and to
store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows
and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting
data or Microsoft Store purchase history.
Manage enterprise diagnostic data level

Enterprise management
Sharing diagnostic data with Microsoft is enabled by default on Windows 10, 1903 and later. Sharing this data
provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers,
simply adjusting the diagnostic data level and managing specific components is the best option.
Customers can set the diagnostic data level in both the user interface and with existing management tools. Users
can change the diagnostic data level in the Diagnostic data setting. In the Settings app, in Privacy >
Diagnostics & feedback . They can choose between Basic and Full. The Enhanced level will only be displayed as
an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security
level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a
diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the
Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through
policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy,
you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this
article describes how to use group policy to configure levels and settings interface.
Manage your diagnostic data settings
Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in
your organization.
IMPORTANT
These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected
User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps,
may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors
to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft
Office uses diagnostic data, see Overview of privacy controls for Office 365 ProPlus.
The lowest diagnostic data setting level supported through management policies is Security . The lowest
diagnostic data setting supported through the Settings UI is Basic . The default diagnostic data setting for
Windows Server is Enhanced .
Configure the diagnostic data level
You can configure your device's diagnostic data settings using the management tools you’re already using, such
as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry
Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data
on the device.
Use the appropriate value in the table below when you configure the management policy.
L EVEL VA L UE
Security 0
Basic 1
Enhanced 2
Full 3
NOTE
When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used.
Use Group Policy to set the diagnostic data level

Use a Group Policy object to set your organization’s diagnostic data level.
1. From the Group Policy Management Console, go to Computer Configuration > Administrative
Templates > Windows Components > Data Collection and Preview Builds .
2. Double-click Allow Telemetr y .
3. In the Options box, select the level that you want to configure, and then click OK .
Use MDM to set the diagnostic data level
Use the Policy Configuration Service Provider (CSP) to apply the System/AllowTelemetry MDM policy.
Use Registry Editor to set the diagnostic data level
Use Registry Editor to manually set the registry level on each device in your organization or you can write a
script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override
this registry setting.
1. Open Registry Editor, and go to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection .
2. Right-click DataCollection , click New, and then click DWORD (32-bit) Value .
3. Type AllowTelemetr y , and then press ENTER.
4. Double-click AllowTelemetr y , set the desired value from the table above, and then click OK.
5. Click File > Expor t , and then save the file as a .reg file, such as C:\AllowTelemetr y.reg . You can run this
file from a script on each device in your organization.
Additional diagnostic data controls
There are a few more settings that you can turn off that may send diagnostic data information:
To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set
your devices to be managed by an on premises update server, such as Windows Server Update Services
(WSUS) or Microsoft Endpoint Configuration Manager.
Turn off Windows Defender Cloud-based Protection and Automatic sample submission in
Settings > Update & security > Windows Defender .
Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article
891716.
Turn off Improve inking and typing in Settings > Privacy . At diagnostic data levels Enhanced and
Full , Microsoft uses Linguistic Data Collection info to improve language model features such as
autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary.
NOTE
Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords,
email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such
events by using technologies to identify and remove sensitive information before linguistic data is sent from the
user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
Diagnostic data levels

These levels are available on all desktop and mobile editions of Windows 10, except for the Security level, which
is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT
Core (IoT Core), and Windows Server.
Security level
The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows
Server, and guests protected with the latest security updates. This level is only available on Windows Server,
Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.
NOTE
If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows
Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this
information to fix the causes of those failures and improve the quality of our updates.
Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager functionality is not
affected at this level, nor is diagnostic data about Windows Server features or System Center gathered.
The data gathered at this level includes:
Connected User Experiences and Telemetr y component settings . If general diagnostic data has
been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User
Experiences and Telemetry component may download a configuration settings file from Microsoft’s
servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The
data gathered by the client for this request includes OS information, device id (used to identify what
specific device is requesting settings) and device class (for example, whether the device is server or
desktop).
Malicious Software Removal Tool (MSRT) The MSRT infection report contains information, including
device info and IP address.
NOTE
You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows
Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article 891716.
Windows Defender/Endpoint Protection . Windows Defender and System Center Endpoint Protection
requires some information to function, including: anti-malware signatures, diagnostic information, User
Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address.
NOTE
This reporting can be turned off and no information is included if a customer is using third-party antimalware
software, or if Windows Defender is turned off. For more info, see Windows Defender.
Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the
enterprise uses alternative solutions such as Windows Server Update Services, Microsoft Endpoint
Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and
MSRT provide core Windows functionality such as driver and OS updates, including security updates.
For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data
level to Security . This stops data gathering for events that would not be uploaded due to the lack of Internet
connectivity.
No user content, such as user files or communications, is gathered at the Security diagnostic data level, and we
take steps to avoid gathering any information that directly identifies a company or user, such as name, email
address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal
information. For instance, some malware may create entries in a computer’s registry that include information
such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time.
Basic level
The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This
level also includes the Security level data. This level helps to identify problems that can occur on a specific
hardware or software configuration. For example, it can help determine if crashes are more frequent on devices
with a specific amount of memory or that are running a specific driver version. The Connected User Experiences
and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic
data for other non-Windows applications if they have user consent.
This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows
10, version 1903.
The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device.
Basic device data . Helps provide an understanding about the types of Windows devices and the
configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include:
Device attributes, such as camera resolution and display type
Internet Explorer version
Battery attributes, such as capacity and type
Networking attributes, such as number of network adapters, speed of network adapters, mobile
operator network, and IMEI number
Processor and memory attributes, such as number of cores, architecture, speed, memory size, and
firmware
Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating
system
Operating system attributes, such as Windows edition and virtualization state
Storage attributes, such as number of drives, type, and size
Connected User Experiences and Telemetr y component quality metrics . Helps provide an
understanding about how the Connected User Experiences and Telemetry component is functioning,
including % of uploaded events, dropped events, and the last upload time.
Quality-related information . Helps Microsoft develop a basic understanding of how a device and its
operating system are performing. Some examples are the device characteristics of a Connected Standby
device, the number of crashes or hangs, and application state change details, such as how much processor
time and memory were used, and the total uptime for an app.
Compatibility data . Helps provide an understanding about which apps are installed on a device or
virtual machine and identifies potential compatibility problems.
General app data and app data for Internet Explorer add-ons . Includes a list of apps that are
installed on a native or virtualized instance of the OS and whether these apps function correctly
after an upgrade. This app data includes the app name, publisher, version, and basic details about
which files have been blocked from usage.
Internet Explorer add-ons . Includes a list of Internet Explorer add-ons that are installed on a
device and whether these apps will work after an upgrade.
System data . Helps provide an understanding about whether a device meets the minimum
requirements to upgrade to the next version of the operating system. System information includes
the amount of memory, as well as information about the processor and BIOS.
Accessor y device data . Includes a list of accessory devices, such as printers or external storage
devices, that are connected to Windows PCs and whether these devices will function after
upgrading to a new version of the operating system.
Driver data . Includes specific driver usage that’s meant to help figure out whether apps and
devices will function after upgrading to a new version of the operating system. This can help to
determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
Microsoft Store . Provides information about how the Microsoft Store performs, including app
downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and
resumes, and obtaining licenses.
Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also
includes data from both the Basic and Security levels. This level helps to improve the user experience with the
operating system and apps. Data from this level can be abstracted into patterns and trends that can help
Microsoft determine future improvements.
This level is needed to quickly identify and address Windows and Windows Server quality issues.
The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device.
Operating system events . Helps to gain insights into different areas of the operating system, including
networking, Hyper-V, Cortana, storage, file system, and other components.
Operating system app events . A set of events resulting from Microsoft applications and management
tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including
Server Manager, Photos, Mail, and Microsoft Edge.
Device-specific events . Contains data about events that are specific to certain devices, such as Surface
Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-
related events.
Some crash dump types . All crash dump types, except for heap dumps and full dumps.
If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires
gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the
Enhanced diagnostic data level will only gather data about the events associated with the specific issue.
Full level
The Full level gathers data necessary to identify and to help fix problems, following the approval process
described below. This level also includes data from the Basic, Enhanced, and Security levels.
Additionally, at this level, devices opted in to the Windows Insider Program will send events, such as reliability
and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These
events help us make decisions on which builds are flighted. All devices in the Windows Insider Program are
automatically set to this level.
If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing,
additional data becomes necessary. This data can include any user content that might have triggered the problem
and is gathered from a small sample of devices that have both opted into the Full diagnostic data level and have
exhibited the problem.
However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject
matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved,
Microsoft engineers can use the following capabilities to get the information:
Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe,
powercfg.exe, and dxdiag.exe.
Ability to get registry keys.
All crash dump types, including heap dumps and full dumps.
NOTE
Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory
from a documents, a web page, etc.
Limit Enhanced diagnostic data to the minimum required by Desktop

Analytics
IMPORTANT
Desktop Analytics reports are powered by diagnostic data not included in the Basic level, such as crash reports
and certain operating system events.
In Windows 10, version 1709, we introduced the Limit Enhanced diagnostic data to the minimum
required by Windows Analytics feature. When enabled, this feature lets you send only the following subset of
Enhanced level diagnostic data.
Operating system events. Limited to a small set required for analytics reports and documented in the
Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy
topic.
Some crash dump types. Triage dumps for user mode and mini dumps for kernel mode.
NOTE
Triage dumps are a type of minidumps that go through a process of user-sensitive information scrubbing. Some user-
sensitive information may be missed in the process, and will therefore be sent with the dump.
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will
not include Office related diagnostic data.
Enable limiting enhanced diagnostic data to the minimum required by Desktop Analytics
1. Set the diagnostic data level to Enhanced , using either Group Policy or MDM.
a. Using Group Policy, set the Computer Configuration/Administrative Templates/Windows
Components/Data Collection and Preview Builds/Allow telemetr y setting to 2 .
-OR-
b. Using MDM, use the Policy CSP to set the System/AllowTelemetr y value to 2 .
-AND-
2. Enable the LimitEnhancedDiagnosticDataWindowsAnalytics setting, using either Group Policy or
MDM.
a. Using Group Policy, set the Computer Configuration/Administrative Templates/Windows
Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the
minimum required by Windows Analytics setting to Enabled .
-OR-
b. Using MDM, use the Policy CSP to set the
System/LimitEnhancedDiagnosticDataWindowsAnalytics value to 1 .
FAQs
Cortana, Search, and privacy
Windows 10 camera and privacy
Windows 10 location service and privacy
Windows 10 speech, inking, typing, and privacy
Wi-Fi Sense
Windows Update Delivery Optimization
Blogs
Privacy Statement
TechNet
Web Pages
Diagnostic Data Viewer Overview
Applies to
Introduction
The Diagnostic Data Viewer is a Windows app that lets you review the Windows diagnostic data your device is
sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
Install and Use the Diagnostic Data Viewer

You must download the app before you can use the Diagnostic Data Viewer to review your device's diagnostic
data.
Turn on data viewing
Before you can use this tool for viewing Windows diagnostic data, you must turn on data viewing in the Settings
panel. Turning on data viewing lets Windows store your device's diagnostic data until you turn it off. Turning off
data viewing stops Windows from collecting your diagnostic data and clears the existing diagnostic data from
your device. Note that this setting does not affect your Office data viewing or history.
To turn on data viewing
1. Go to Star t , select Settings > Privacy > Diagnostics & feedback .
2. Under Diagnostic data , turn on the If data viewing is enabled, you can see your diagnostics data
option.
Download the Diagnostic Data Viewer

Download the app from the Microsoft Store Diagnostic Data Viewer page.
IMPORTANT
It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the
case, see Diagnostic Data Viewer for PowerShell.
Start the Diagnostic Data Viewer

You can start this app from the Settings panel.
To star t the Diagnostic Data Viewer
2. Under Diagnostic data , select the Diagnostic Data Viewer button.
-OR-
Go to Star t and search for Diagnostic Data Viewer.

3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then
open Diagnostic Data Viewer again to review the updated list of diagnostic data.
IMPORTANT
Turning on data viewing can use up to 1GB (by default) of disk space on your system drive. We strongly recommend
that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data
viewing, see the Turn off data viewing section in this article.
Use the Diagnostic Data Viewer

The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic
data.
View your Windows diagnostic events. In the left column, you can review your diagnostic events.
These events reflect activities that occurred and were sent to Microsoft.
Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft.
Microsoft uses this info to continually improve the Windows operating system.
IMPORTANT
Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued
and will be uploaded at a later time.
Search your diagnostic events. The Search box at the top of the screen lets you search amongst all of
the diagnostic event details. The returned search results include any diagnostic event that contains the
matching text.
Selecting an event opens the detailed JSON view, with the matching text highlighted.
Filter your diagnostic event categories. The app's Menu button opens the detailed menu. In here,
you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting
a check box lets you filter between the diagnostic event categories.
Help to make your Windows experience better. Microsoft only needs diagnostic data from a small
amount of devices to make big improvements to the Windows operating system and ultimately, your
experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the
associated event diagnostic data, allowing your info to potentially help fix the issue for others.
To signify your contribution, you’ll see this icon ( ) if your device is part of the group. In addition, if any
of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll
see this icon ( ).
Provide diagnostic event feedback . The Feedback icon in the upper right corner of the window opens
the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic
events.
Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub.
You can add your comments to the box labeled, Give us more detail (optional) .
IMPORTANT
All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your
feedback comments.
View a summar y of the data you've shared with us over time. Available for users on build 19H1+,
'About my data' in Diagnostic Data Viewer lets you see an overview of the Windows data you've shared
with Microsoft.
Through this feature, you can checkout how much data you send on average each day, the breakdown of
your data by category, the top components and services that have sent data, and more.
IMPORTANT
This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended
analyses, please modify the storage capacity of Diagnostic Data Viewer.
View Office Diagnostic Data

By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling
the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this page.
Turn off data viewing

When you're done reviewing your diagnostic data, you should turn of data viewing. This will also remove your
Windows data history. Note that this setting does not affect your Office data viewing or history.
To turn off data viewing
2. Under Diagnostic data , turn off the If data viewing is enabled, you can see your diagnostics data
option.
Modifying the size of your data history

By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows
diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest
data points dropped first.
IMPORTANT
Note that if you have Office diagnostic data viewing enabled, the Office data history is fixed at 1 GB and cannot be modified.
Modify the size of your data histor y

To make changes to the size of your Windows diagnostic data history, visit the app settings , located at the
bottom of the navigation menu. Data will be incrementally dropped with the oldest data points first once your
chosen size or time limit is reached.
IMPORTANT
Decreasing the maximum amount of diagnostic data viewable through the tool will remove all data history and requires a
reboot of your device. Additionally, increasing the maximum amount of diagnostic data viewable by the tool may come with
performance impacts to your machine.
View additional diagnostic data in the View problem reports tool

Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the
View problem repor ts page within the Diagnostic Data Viewer.
This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows
Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the
Windows operating system.
You can also use the Windows Error Reporting tool available in the Control Panel.
To view your Windows Error Repor ting diagnostic data using the Diagnostic Data Viewer
Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the
Diagnostic Data Viewer.
To view your Windows Error Repor ting diagnostic data using the Control Panel
Go to Star t , select Control Panel > All Control Panel Items > Security and Maintenance > Problem
Repor ts .
-OR-
Go to Star t and search for Problem Reports. The Review problem repor ts tool opens, showing you your
Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
Known Issues with Diagnostic Data Viewer

Microsoft Edge diagnostic data appearing as a blob of text
Applicable to: The new Microsoft Edge (v. 79.x.x.x or higher)
Issue: In some cases, diagnostic data collected and sent from the New Microsoft Edge fails to be translated by the
decoder. When decoding fails, the data appears as a blob of text in the Diagnostic Data Viewer. We are working on
a fix for this issue.
Workaround:
Restart your computer and open Diagnostic Data Viewer.
OR
Restart the DiagTrack service, through the Services tab in task manager, and open Diagnostic Data Viewer.
Background: Some of the diagnostic data collected from the new Microsoft Edge is sent using a Protocol Buffers
(protobuf) to reduce network bandwidth and to improve data transfer efficiency. Diagnostic Data Viewer has a
decoding capability to translate this protobuf format into human readable text. Due to a bug, sometimes the
decoder fails to translate these protobuf messages and hence some of the New Microsoft Edge diagnostic data
will appear as a blob of encoded text.
Diagnostic Data Viewer for PowerShell Overview
Applies to
Windows Server, version 1803
Windows Server 2019
Introduction
The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your
device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft.
Requirements
You must have administrative privilege on the device in order to use this PowerShell module. This module requires
OS version 1803 and higher.
Install and Use the Diagnostic Data Viewer for PowerShell

You must install the module before you can use the Diagnostic Data Viewer for PowerShell.
Opening an Elevated PowerShell session
Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to
open an elevated PowerShell prompt. You can use either method.
Go to Star t > Windows PowerShell > Run as administrator
Go to Star t > Command prompt > Run as administrator , and run the command C:\> powershell.exe
Install the Diagnostic Data Viewer for PowerShell
IMPORTANT
It is recommended to visit the documentation on Getting Started with PowerShell Gallery. This page provides more specific
details on installing a PowerShell module.
To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within
an elevated PowerShell session:
PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer
To see more information about the module, visit PowerShell Gallery.

Turn on data viewing
Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a
local history of your device's diagnostic data for you to view until you turn it off.
Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your
Windows device saves a local copy of the diagnostic data sent for your viewing.
To turn on data viewing through the Settings page
2. Under Diagnostic data , turn on the If data viewing is enabled, you can see your diagnostics data
option.
To turn on data viewing through PowerShell

Run the following command within an elevated PowerShell session:
PS C:\> Enable-DiagnosticDataViewing
Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to
Microsoft from this point on.
IMPORTANT
Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you
turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the
Turn off data viewing section in this article.
Getting Started with Diagnostic Data Viewer for PowerShell

To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an
elevated PowerShell session:
PS C:\> Get-Help Get-DiagnosticData
To Star t Viewing Diagnostic Data

From an elevated PowerShell session, run the following command:
PS C:\> Get-DiagnosticData
If the number of events is large, and you'd like to stop the command, enter Ctrl+C .
IMPORTANT
The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before
your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try
again.
Doing more with the Diagnostic Data Viewer for PowerShell

The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's
diagnostic data. You can also use the extensive suite of other PowerShell tools with this module.
View your diagnostic events. Running PS C:\> Get-DiagnosticData , you can review your diagnostic
events. These events reflect activities that occurred and were sent to Microsoft.
Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when
it was seen by your Windows device, whether the event is Basic, its diagnostic event category, and a detailed
JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft.
Microsoft uses this info to continually improve the Windows operating system.
View diagnostic event categories. Each event shows the diagnostic event categories that it belongs to.
These categories define how events are used by Microsoft. The categories are shown as numeric identifiers.
For more information about these categories, see Windows Diagnostic Data.
To view the diagnostic category represented by each numeric identifier and what the category means, you
can run the command:
PS C:\> Get-DiagnosticDataTypes
Filter events by when they were sent. You can view events within specified time ranges by specifying a
start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6
hours ago, run the following command. Note that data is shown in order of oldest first.
PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6)
Expor t the results of each command. You can export the results of each command to a separate file
such as a csv by using pipe | . For example,
PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv'
Turn off data viewing

When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up
more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears
the existing history of diagnostic data from your device.
To turn off data viewing through the Settings page
2. Under Diagnostic data , turn off the If data viewing is enabled, you can see your diagnostics data
option.
To turn off data viewing through PowerShell

Within an elevated PowerShell session, run the following command:
PS C:\> Disable-DiagnosticDataViewing
Modifying the size of your data history

By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or
space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
Modify the size of your data histor y
IMPORTANT
Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your
machine.
IMPORTANT
If you modify the maximum data history size from a larger value to a lower value, you must turn off data viewing and turn it
back on in order to reclaim disk space.
You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum
data history size to 2048MB (2GB), you can run the following command.
PS C:\> Set-DiagnosticStoreCapacity -Size 2048
You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data
history time to 24 hours, you can run the following command.
PS C:\> Set-DiagnosticStoreCapacity -Time 24
IMPORTANT
You may need to restart your machine for the new settings to take effect.
IMPORTANT
If you have the Diagnostic Data Viewer store app installed on the same device, modifications to the size of your data history
through the PowerShell module will also be reflected in the app.
Reset the size of your data histor y

To reset the maximum data history size back to its original 1GB default value, run the following command in an
elevated PowerShell session:
PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720
When resetting the size of your data history to a lower value, be sure to turn off data viewing and turn it back on in
order to reclaim disk space.
Related Links
Module in PowerShell Gallery
Documentation for Diagnostic Data Viewer for PowerShell
Windows 10, version 1903 and Windows 10, version
1909 basic level Windows diagnostic events and fields
Applies to
Windows 10, version 1909
The Basic level gathers a limited set of information that is critical for understanding the device and its configuration
including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the
level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration.
For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or
that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief
description is provided for each field. Every event generated includes common data, which collects device data.
You can learn more about Windows functional and diagnostic data through these articles:
Windows 10, version 1809 basic diagnostic events and fields
AppLocker events
Microsoft.Windows.Security.AppLockerCSP.AddParams
This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider
(CSP) to help keep Windows secure.
The following fields are available:
child The child URI of the node to add.
uri URI of the node relative to %SYSTEM32%/AppLocker.
Microsoft.Windows.Security.AppLockerCSP.AddStart
This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.AddStop
This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
hr The HRESULT returned by Add function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Commit
This event returns information about the Commit operation in the AppLocker Configuration Service Provider (CSP)
to help keep Windows secure..
oldId The unique identifier for the most recent previous CSP transaction.
txId The unique identifier for the current CSP transaction.
Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to
help keep Windows secure.
oldId Previous id for the CSP transaction.
txId Current id for the CSP transaction.
Microsoft.Windows.Security.AppLockerCSP.ClearParams
This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider
uri The URI relative to the %SYSTEM32%\AppLocker folder.
Microsoft.Windows.Security.AppLockerCSP.ClearStart
This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
Microsoft.Windows.Security.AppLockerCSP.ClearStop
This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
hr HRESULT reported at the end of the 'Clear' function.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker
Configuration Service Provider (CSP) to help keep Windows secure.
NodeId NodeId passed to CreateNodeInstance.
nodeOps NodeOperations parameter passed to CreateNodeInstance.
uri URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service
Provider (CSP) to help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service
hr HRESULT returned by the CreateNodeInstance function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service
child The child URI of the node to delete.
uri URI relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
to help keep Windows secure.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
hr HRESULT returned by the DeleteChild function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-
in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
This event provides the parameters passed to the Get Child Node Names operation of the AppLocker
uri URI relative to %SYSTEM32%/AppLocker for MDM node.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service
child[0] If function succeeded, the first child's name, else "NA".
count If function succeeded, the number of child node names returned by the function, else 0.
hr HRESULT returned by the GetChildNodeNames function of AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.GetLatestId
This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider
dirId The latest directory identifier found by GetLatestId.
id The id returned by GetLatestId if id > 0 - otherwise the dirId parameter.
Microsoft.Windows.Security.AppLockerCSP.HResultException
This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration
Service Provider (CSP).
file File in the OS code base in which the exception occurs.
function Function in the OS code base in which the exception occurs.
hr HRESULT that is reported.
line Line in the file in the OS code base in which the exception occurs.
Microsoft.Windows.Security.AppLockerCSP.SetValueParams
This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration
Service Provider (CSP) to help keep Windows secure.
dataLength Length of the value to set.
uri The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.SetValueStart
This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to
Microsoft.Windows.Security.AppLockerCSP.SetValueStop
End of the "SetValue" operation for the AppLockerCSP node.
hr HRESULT returned by the SetValue function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that
needs to be fixed.
uri URI for node relative to %SYSTEM32%/AppLocker.
Appraiser events
Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to
ensure that the records present on the server match what is present on the client.
DatasourceApplicationFile_19H1 The count of the number of this particular object type present on this
device.
DatasourceApplicationFile_19H1Setup The count of the number of this particular object type present on
this device.
device.
this device.
DatasourceApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
DatasourceApplicationFile_RS3 The count of the number of this particular object type present on this
device.
device.
device.
DatasourceApplicationFile_TH1 The count of the number of this particular object type present on this
device.
device.
DatasourceDevicePnp_19H1 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
device.
DatasourceDevicePnp_RS1 The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on
this device.
DatasourceDevicePnp_RS2 The count of the number of this particular object type present on this device.
DatasourceDevicePnp_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
DatasourceDevicePnp_TH1 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_19H1 The count of the number of this particular object type present on this
device.
DatasourceDriverPackage_19H1Setup The count of the number of this particular object type present on
this device.
device.
this device.
DatasourceDriverPackage_RS1 The total DataSourceDriverPackage objects targeting Windows 10 version
1607 on this device.
DatasourceDriverPackage_RS2 The total DataSourceDriverPackage objects targeting Windows 10, version
DatasourceDriverPackage_RS3 The count of the number of this particular object type present on this device.
DatasourceDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
DatasourceDriverPackage_TH1 The count of the number of this particular object type present on this device.
DataSourceMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DataSourceMatchingInfoBlock_19H1Setup The count of the number of this particular object type present
on this device.
device.
on this device.
DataSourceMatchingInfoBlock_RS1 The total DataSourceMatchingInfoBlock objects targeting Windows 10
version 1607 on this device.
DataSourceMatchingInfoBlock_RS2 The count of the number of this particular object type present on this
device.
device.
device.
device.
DataSourceMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
device.
DataSourceMatchingInfoPassive_19H1 The count of the number of this particular object type present on
this device.
DataSourceMatchingInfoPassive_19H1Setup The count of the number of this particular object type
present on this device.
this device.
DataSourceMatchingInfoPassive_RS1 The total DataSourceMatchingInfoPassive objects targeting Windows
10 version 1607 on this device.
DataSourceMatchingInfoPassive_RS2 The count of the number of this particular object type present on this
device.
device.
device.
device.
DataSourceMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
device.
DataSourceMatchingInfoPoltUpgrade_20H1 The count of the number of this particular object type present
on this device.
DataSourceMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type
DataSourceMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
DataSourceMatchingInfoPostUpgrade_RS1 The total DataSourceMatchingInfoPostUpgrade objects
targeting Windows 10 version 1607 on this device.
DataSourceMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present
on this device.
on this device.
DataSourceMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present
on this device.
on this device.
DatasourceSystemBios_19ASetup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_19H1 The count of the number of this particular object type present on this device.
DatasourceSystemBios_19H1Setup The count of the number of this particular object type present on this
device.
device.
DatasourceSystemBios_RS1 The total DatasourceSystemBios objects targeting Windows 10 version 1607
DatasourceSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DatasourceSystemBios_RS4 The count of the number of this particular object type present on this device.
device.
device.
DatasourceSystemBios_TH1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19H1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_19H1Setup The count of the number of this particular object type present on this
device.
device.
DecisionApplicationFile_RS1 The count of the number of this particular object type present on this device.
DecisionApplicationFile_TH1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1 The count of the number of this particular object type present on this device.
DecisionDevicePnp_19H1Setup The count of the number of this particular object type present on this
device.
device.
DecisionDevicePnp_RS1 The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this
device.
DecisionDevicePnp_RS2 The count of the number of this particular object type present on this device.
DecisionDevicePnp_RS3Setup The count of the number of this particular object type present on this device.
DecisionDevicePnp_TH1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19H1 The count of the number of this particular object type present on this device.
DecisionDriverPackage_19H1Setup The count of the number of this particular object type present on this
device.
device.
DecisionDriverPackage_RS1 The total DecisionDriverPackage objects targeting Windows 10 version 1607
on this device.
DecisionDriverPackage_RS2 The count of the number of this particular object type present on this device.
DecisionDriverPackage_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
DecisionDriverPackage_TH1 The count of the number of this particular object type present on this device.
DecisionMatchingInfoBlock_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoBlock_19H1Setup The count of the number of this particular object type present on
this device.
device.
this device.
DecisionMatchingInfoBlock_RS1 The total DecisionMatchingInfoBlock objects targeting Windows 10
version 1607 present on this device.
DecisionMatchingInfoBlock_RS4 The count of the number of this particular object type present on this
device.
device.
DecisionMatchingInfoBlock_TH1 The count of the number of this particular object type present on this
device.
device.
DecisionMatchingInfoPassive_19H1 The count of the number of this particular object type present on this
device.
DecisionMatchingInfoPassive_19H1Setup The count of the number of this particular object type present
on this device.
device.
on this device.
DecisionMatchingInfoPassive_RS1 The total DecisionMatchingInfoPassive objects targeting Windows 10
DecisionMatchingInfoPassive_RS4 The count of the number of this particular object type present on this
device.
device.
DecisionMatchingInfoPassive_TH1 The count of the number of this particular object type present on this
device.
device.
DecisionMatchingInfoPoltUpgrade_20H1 The count of the number of this particular object type present on
this device.
DecisionMatchingInfoPostUpgrade_19H1 The count of the number of this particular object type present
on this device.
DecisionMatchingInfoPostUpgrade_19H1Setup The count of the number of this particular object type
on this device.
DecisionMatchingInfoPostUpgrade_RS1 The total DecisionMatchingInfoPostUpgrade objects targeting
Windows 10 version 1607 on this device.
DecisionMatchingInfoPostUpgrade_RS4 The count of the number of this particular object type present on
this device.
this device.
DecisionMatchingInfoPostUpgrade_TH1 The count of the number of this particular object type present on
this device.
this device.
DecisionMediaCenter_19H1 The count of the number of this particular object type present on this device.
DecisionMediaCenter_19H1Setup The total DecisionMediaCenter objects targeting the next release of
Windows on this device.
DecisionMediaCenter_20H1Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS1 The total DecisionMediaCenter objects targeting Windows 10 version 1607
DecisionMediaCenter_RS4 The count of the number of this particular object type present on this device.
DecisionMediaCenter_TH1 The count of the number of this particular object type present on this device.
DecisionSystemBios_19ASetup The count of the number of this particular object type present on this
device.
DecisionSystemBios_19H1 The count of the number of this particular object type present on this device.
DecisionSystemBios_19H1Setup The total DecisionSystemBios objects targeting the next release of
DecisionSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS1 The total DecisionSystemBios objects targeting Windows 10 version 1607 on this
device.
device.
device.
DecisionSystemBios_RS3Setup The count of the number of this particular object type present on this
device.
DecisionSystemBios_RS4 The total DecisionSystemBios objects targeting Windows 10 version, 1803 present
on this device.
DecisionSystemBios_RS4Setup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_RS5 The total DecisionSystemBios objects targeting the next release of Windows on
this device.
device.
DecisionSystemBios_TH1 The count of the number of this particular object type present on this device.
DecisionSystemProcessor_RS2 The count of the number of this particular object type present on this device.
DecisionTest_20H1Setup The count of the number of this particular object type present on this device.
DecisionTest_RS1 An ID for the system, calculated by hashing hardware identifiers.
Inventor yApplicationFile The count of the number of this particular object type present on this device.
Inventor yDeviceContainer A count of device container objects in cache.
Inventor yDevicePnp A count of device Plug and Play objects in cache.
Inventor yDriverBinar y A count of driver binary objects in cache.
Inventor yDriverPackage A count of device objects in cache.
Inventor yLanguagePack The count of the number of this particular object type present on this device.
Inventor yMediaCenter The count of the number of this particular object type present on this device.
Inventor ySystemBios The count of the number of this particular object type present on this device.
Inventor ySystemMachine The count of the number of this particular object type present on this device.
Inventor ySystemProcessor The count of the number of this particular object type present on this device.
Inventor yTest The count of the number of this particular object type present on this device.
Inventor yUplevelDriverPackage The count of the number of this particular object type present on this
device.
PCFP The count of the number of this particular object type present on this device.
SystemMemor y The count of the number of this particular object type present on this device.
SystemProcessorCompareExchange The count of the number of this particular object type present on this
device.
SystemProcessorLahfSahf The count of the number of this particular object type present on this device.
SystemProcessorNx The total number of objects of this type present on this device.
SystemProcessorPrefetchW The total number of objects of this type present on this device.
SystemProcessorSse2 The total number of objects of this type present on this device.
SystemTouch The count of the number of this particular object type present on this device.
SystemWim The total number of objects of this type present on this device.
SystemWindowsActivationStatus The count of the number of this particular object type present on this
device.
SystemWlan The total number of objects of this type present on this device.
Wmdrm_19H1 The count of the number of this particular object type present on this device.
Wmdrm_19H1Setup The total Wmdrm objects targeting the next release of Windows on this device.
Wmdrm_RS1 An ID for the system, calculated by hashing hardware identifiers.
Wmdrm_RS4 The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
Wmdrm_RS5 The count of the number of this particular object type present on this device.
Wmdrm_TH1 The count of the number of this particular object type present on this device.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
Represents the basic metadata about specific application files installed on the system.
This event includes fields from Ms.Device.DeviceInventoryChange.
AppraiserVersion The version of the appraiser file that is generating the events.
AvDisplayName If the app is an anti-virus app, this is its display name.
CompatModelIndex The compatibility prediction for this file.
HasCitData Indicates whether the file is present in CIT data.
HasUpgradeExe Indicates whether the anti-virus app has an upgrade.exe file.
IsAv Is the file an anti-virus reporting EXE?
ResolveAttempted This will always be an empty string when sending diagnostic data.
SdbEntries An array of fields that indicates the SDB entries that apply to this file.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
This event indicates that the DatasourceApplicationFile object is no longer present.
AppraiserVersion The version of the Appraiser file that is generating the events.
Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
ActiveNetworkConnection Indicates whether the device is an active network device.
AppraiserVersion The version of the appraiser file generating the events.
CosDeviceRating An enumeration that indicates if there is a driver on the target operating system.
CosDeviceSolution An enumeration that indicates how a driver on the target operating system is available.
CosDeviceSolutionUrl Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
CosPopulatedFromId The expected uplevel driver matching ID based on driver coverage data.
IsBootCritical Indicates whether the device boot is critical.
UplevelInboxDriver Indicates whether there is a driver uplevel for this device.
WuDriverCoverage Indicates whether there is a driver uplevel for this device, according to Windows Update.
WuDriverUpdateId The Windows Update ID of the applicable uplevel driver.
WuPopulatedFromId The expected uplevel driver matching ID based on driver coverage from Windows
Update.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
This event indicates that the DatasourceDevicePnp object is no longer present.
Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
This event sends compatibility database data about driver packages to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
This event indicates that the DatasourceDriverPackage object is no longer present.
Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
This event sends blocking data about any compatibility blocking entries on the system that are not directly related
to specific applications or devices, to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
This event sends compatibility database information about non-blocking compatibility entries on the system that
are not keyed by either applications or devices, to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
This event sends compatibility database information about entries requiring reinstallation after an upgrade on the
system that are not keyed by either applications or devices, to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
This event sends compatibility database information about the BIOS to help keep Windows up to date.
AppraiserVersion The version of the Appraiser file generating the events.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
This event sends compatibility decision data about a file to help keep Windows up to date.
BlockAlreadyInbox The uplevel runtime block on the file already existed on the current OS.
BlockingApplication Indicates whether there are any application issues that interfere with the upgrade due to
the file in question.
DisplayGenericMessage Will be a generic message be shown for this file?
DisplayGenericMessageGated Indicates whether a generic message be shown for this file.
HardBlock This file is blocked in the SDB.
HasUxBlockOverride Does the file have a block that is overridden by a tag in the SDB?
MigApplication Does the file have a MigXML from the SDB associated with it that applies to the current
upgrade mode?
MigRemoval Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
NeedsDismissAction Will the file cause an action that can be dismissed?
NeedsInstallPostUpgradeData After upgrade, the file will have a post-upgrade notification to install a
replacement for the app.
NeedsNotifyPostUpgradeData Does the file have a notification that should be shown after upgrade?
NeedsReinstallPostUpgradeData After upgrade, this file will have a post-upgrade notification to reinstall the
app.
NeedsUninstallAction The file must be uninstalled to complete the upgrade.
SdbBlockUpgrade The file is tagged as blocking upgrade in the SDB,
SdbBlockUpgradeCanReinstall The file is tagged as blocking upgrade in the SDB. It can be reinstalled after
upgrade.
SdbBlockUpgradeUntilUpdate The file is tagged as blocking upgrade in the SDB. If the app is updated, the
upgrade can proceed.
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not
block upgrade.
SdbReinstallUpgradeWarn The file is tagged as needing to be reinstalled after upgrade with a warning in the
SDB. It does not block upgrade.
SoftBlock The file is softblocked in the SDB and has a warning.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
This event indicates that the DecisionApplicationFile object is no longer present.
Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
This event sends compatibility decision data about a Plug and Play (PNP) device to help keep Windows up to date.
AssociatedDriverIsBlocked Is the driver associated with this PNP device blocked?
AssociatedDriverWillNotMigrate Will the driver associated with this plug-and-play device migrate?
BlockAssociatedDriver Should the driver associated with this PNP device be blocked?
BlockingDevice Is this PNP device blocking upgrade?
BlockUpgradeIfDriverBlocked Is the PNP device both boot critical and does not have a driver included with
the OS?
BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork Is this PNP device the only active network device?
DisplayGenericMessage Will a generic message be shown during Setup for this PNP device?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this PNP
device.
DriverAvailableInbox Is a driver included with the operating system for this PNP device?
DriverAvailableOnline Is there a driver for this PNP device on Windows Update?
DriverAvailableUplevel Is there a driver on Windows Update or included with the operating system for this
PNP device?
DriverBlockOverridden Is there is a driver block on the device that has been overridden?
NeedsDismissAction Will the user would need to dismiss a warning during Setup for this device?
NotRegressed Does the device have a problem code on the source OS that is no better than the one it would
have on the target OS?
SdbDeviceBlockUpgrade Is there an SDB block on the PNP device that blocks upgrade?
SdbDriverBlockOverridden Is there an SDB block on the PNP device that blocks upgrade, but that block was
overridden?
Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
This event indicates that the DecisionDevicePnp object is no longer present.
Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
This event sends decision data about driver package compatibility to help keep Windows up to date.
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for this driver
package.
DriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but that
block has been overridden?
DriverIsDeviceBlocked Was the driver package was blocked because of a device block?
DriverIsDriverBlocked Is the driver package blocked because of a driver block?
DriverIsTroubleshooterBlocked Indicates whether the driver package is blocked because of a troubleshooter
block.
DriverShouldNotMigrate Should the driver package be migrated during upgrade?
SdbDriverBlockOverridden Does the driver package have an SDB block that blocks it from migrating, but
that block has been overridden?
Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
This event indicates that the DecisionDriverPackage object is no longer present.
Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
This event sends compatibility decision data about blocking entries on the system that are not keyed by either
applications or devices, to help keep Windows up to date.
BlockingApplication Are there are any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessage Will a generic message be shown for this block?
NeedsUninstallAction Does the user need to take an action in setup due to a matching info block?
SdbBlockUpgrade Is a matching info block blocking upgrade?
SdbBlockUpgradeCanReinstall Is a matching info block blocking upgrade, but has the can reinstall tag?
SdbBlockUpgradeUntilUpdate Is a matching info block blocking upgrade but has the until update tag?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either
BlockingApplication Are there any application issues that interfere with upgrade due to matching info
blocks?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown due to
matching info blocks.
MigApplication Is there a matching info block with a mig for the current mode of upgrade?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep
Windows up to date.
NeedsInstallPostUpgradeData Will the file have a notification after upgrade to install a replacement for the
app?
NeedsNotifyPostUpgradeData Should a notification be shown for this file after upgrade?
NeedsReinstallPostUpgradeData Will the file have a notification after upgrade to reinstall the app?
SdbReinstallUpgrade The file is tagged as needing to be reinstalled after upgrade in the compatibility
database (but is not blocking upgrade).
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
BlockingApplication Is there any application issues that interfere with upgrade due to Windows Media
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least once
and are the MediaCenterIndicators are true?
MediaCenterIndicators Do any indicators imply that Windows Media Center is in active use?
MediaCenterInUse Is Windows Media Center actively being used?
MediaCenterPaidOrActivelyUsed Is Windows Media Center actively being used or is it running on a
supported edition?
NeedsDismissAction Are there any actions that can be dismissed coming from Windows Media Center?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
This event sends compatibility decision data about the BIOS to help keep Windows up to date.
Blocking Is the device blocked from upgrade due to a BIOS block?
DisplayGenericMessageGated Indicates whether a generic offer block message will be shown for the bios.
HasBiosBlock Does the device have a BIOS block?
Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
Microsoft.Windows.Appraiser.General.DecisionTestRemove
This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
AppraiserVersion The version of the appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.DecisionTestStartSync
This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.GatedRegChange
This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to
date.
NewData The data in the registry value after the scan completed.
OldData The previous data in the registry value before the scan ran.
PCFP An ID for the system calculated by hashing hardware identifiers.
RegKey The registry key name for which a result is being sent.
RegValue The registry value for which a result is being sent.
Time The client time of the event.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
This event represents the basic metadata about a file on the system. The file must be part of an app and either have
a block in the compatibility database or be part of an antivirus program.
AvDisplayName If the app is an antivirus app, this is its display name.
AvProductState Indicates whether the antivirus program is turned on and the signatures are up to date.
Binar yType A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE,
PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64,
PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
BinFileVersion An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
BinProductVersion An attempt to clean up ProductVersion at the client that tries to place the version into 4
octets.
BoeProgramId If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the
file metadata.
CompanyName The company name of the vendor who developed this file.
FileId A hash that uniquely identifies a file.
FileVersion The File version field from the file metadata under Properties -> Details.
HasUpgradeExe Indicates whether the antivirus app has an upgrade.exe file.
IsAv Indicates whether the file an antivirus reporting EXE.
LinkDate The date and time that this file was linked on.
LowerCaseLongPath The full file path to the file that was inventoried on the device.
Name The name of the file that was inventoried.
ProductName The Product name field from the file metadata under Properties -> Details.
ProductVersion The Product version field from the file metadata under Properties -> Details.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it.
Size The size of the file (in hexadecimal bytes).
Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
This event indicates that the InventoryApplicationFile object is no longer present.
Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
This event sends data about the number of language packs installed on the system, to help keep Windows up to
date.
HasLanguagePack Indicates whether this device has 2 or more language packs.
LanguagePackCount The number of language packs are installed.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
This event indicates that the InventoryLanguagePack object is no longer present.
Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
This event sends true/false data about decision points used to understand whether Windows Media Center is used
on the system, to help keep Windows up to date.
EverLaunched Has Windows Media Center ever been launched?
HasConfiguredTv Has the user configured a TV tuner through Windows Media Center?
HasExtendedUserAccounts Are any Windows Media Center Extender user accounts configured?
HasWatchedFolders Are any folders configured for Windows Media Center to watch?
IsDefaultLauncher Is Windows Media Center the default app for opening music or video files?
IsPaid Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
IsSuppor ted Does the running OS support Windows Media Center?
Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
This event indicates that the InventoryMediaCenter object is no longer present.
Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
BiosDate The release date of the BIOS in UTC format.
BiosName The name field from Win32_BIOS.
Manufacturer The manufacturer field from Win32_ComputerSystem.
Model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
This event indicates that a new set of InventorySystemBiosAdd events will be sent.
AppraiserVersion The version of the Appraiser binary (executable) generating the events.
Microsoft.Windows.Appraiser.General.InventorySystemProcessorEndSync
This event indicates that a full set of InventorySystemProcessorAdd events has been sent.
Microsoft.Windows.Appraiser.General.InventorySystemProcessorStartSync
This event indicates that a new set of InventorySystemProcessorAdd events will be sent.
Microsoft.Windows.Appraiser.General.InventoryTestRemove
This event provides data that allows testing of “Remove” decisions to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.InventoryTestStartSync
This event provides data that allows testing of “Start Sync” decisions to help keep Windows up to date.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded
before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel
drivers before the upgrade.
BootCritical Is the driver package marked as boot critical?
Build The build value from the driver package.
CatalogFile The name of the catalog file within the driver package.
Class The device class from the driver package.
ClassGuid The device class unique ID from the driver package.
Date The date from the driver package.
Inbox Is the driver package of a driver that is included with Windows?
OriginalName The original name of the INF file before it was renamed. Generally a path under
$WINDOWS.~BT\Drivers\DU.
Provider The provider of the driver package.
PublishedName The name of the INF file after it was renamed.
Revision The revision of the driver package.
SignatureStatus Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
VersionMajor The major version of the driver package.
VersionMinor The minor version of the driver package.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
This event indicates that the InventoryUplevelDriverPackage object is no longer present.
Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
Microsoft.Windows.Appraiser.General.RunContext
This event indicates what should be expected in the data payload.
AppraiserBranch The source branch in which the currently running version of Appraiser was built.
AppraiserProcess The name of the process that launched Appraiser.
CensusId A unique hardware identifier.
Context Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
Subcontext Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a
semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan.
Microsoft.Windows.Appraiser.General.SystemMemoryAdd
This event sends data on the amount of memory on the system and whether it meets requirements, to help keep
Windows up to date.
Blocking Is the device from upgrade due to memory restrictions?
Memor yRequirementViolated Was a memory requirement violated?
pageFile The current committed memory limit for the system or the current process, whichever is smaller (in
bytes).
ram The amount of memory on the device.
ramKB The amount of memory (in KB).
vir tual The size of the user-mode portion of the virtual address space of the calling process (in bytes).
vir tualKB The amount of virtual memory (in KB).
Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
This event indicates that a new set of SystemMemoryAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help
keep Windows up to date.
Blocking Is the upgrade blocked due to the processor?
CompareExchange128Suppor t Does the CPU support CompareExchange128?
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
This event sends data indicating whether the system supports the LAHF & SAHF CPU requirement, to help keep
Windows up to date.
LahfSahfSuppor t Does the CPU support LAHF/SAHF?
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up
to date.
NXDriverResult The result of the driver used to do a non-deterministic check for NX support.
NXProcessorSuppor t Does the processor support NX?
Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
This event indicates that a new set of SystemProcessorNxAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep
Windows up to date.
PrefetchWSuppor t Does the processor support PrefetchW?
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows
up to date.
SSE2ProcessorSuppor t Does the processor support SSE2?
Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
This event indicates that a new set of SystemProcessorSse2Add events will be sent.
Microsoft.Windows.Appraiser.General.SystemTouchAdd
This event sends data indicating whether the system supports touch, to help keep Windows up to date.
IntegratedTouchDigitizerPresent Is there an integrated touch digitizer?
MaximumTouches The maximum number of touch points supported by the device hardware.
Microsoft.Windows.Appraiser.General.SystemTouchStartSync
This event indicates that a new set of SystemTouchAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemWimAdd
This event sends data indicating whether the operating system is running from a compressed Windows Imaging
Format (WIM) file, to help keep Windows up to date.
IsWimBoot Is the current operating system running from a compressed WIM file?
Registr yWimBootValue The raw value from the registry that is used to indicate if the device is running from
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
This event sends data indicating whether the current operating system is activated, to help keep Windows up to
date.
WindowsIsLicensedApiValue The result from the API that's used to indicate if operating system is activated.
WindowsNotActivatedDecision Is the current operating system activated?
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
This event indicates that the SystemWindowsActivationStatus object is no longer present.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
Microsoft.Windows.Appraiser.General.SystemWlanAdd
This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that
could block an upgrade, to help keep Windows up to date.
Blocking Is the upgrade blocked because of an emulated WLAN driver?
HasWlanBlock Does the emulated WLAN driver have an upgrade block?
WlanEmulatedDriver Does the device have an emulated WLAN driver?
WlanExists Does the device support WLAN at all?
WlanModulePresent Are any WLAN modules present?
WlanNativeDriver Does the device have a non-emulated WLAN driver?
Microsoft.Windows.Appraiser.General.SystemWlanStartSync
This event indicates that a new set of SystemWlanAdd events will be sent.
Microsoft.Windows.Appraiser.General.TelemetryRunHealth
This event indicates the parameters and result of a diagnostic data run. This allows the rest of the data sent over
the course of the run to be properly contextualized and understood, which is then used to keep Windows up to
date.
AppraiserBranch The source branch in which the version of Appraiser that is running was built.
AppraiserDataVersion The version of the data files being used by the Appraiser diagnostic data run.
AppraiserVersion The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
AuxFinal Obsolete, always set to false.
AuxInitial Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
DeadlineDate A timestamp representing the deadline date, which is the time until which appraiser will wait to
do a full scan.
EnterpriseRun Indicates whether the diagnostic data run is an enterprise run, which means appraiser was run
from the command line with an extra enterprise parameter.
FullSync Indicates if Appraiser is performing a full sync, which means that full set of events representing the
state of the machine are sent. Otherwise, only the changes from the previous run are sent.
InboxDataVersion The original version of the data files before retrieving any newer version.
IndicatorsWritten Indicates if all relevant UEX indicators were successfully written or updated.
Inventor yFullSync Indicates if inventory is performing a full sync, which means that the full set of events
representing the inventory of machine are sent.
PerfBackoff Indicates if the run was invoked with logic to stop running when a user is present. Helps to
understand why a run may have a longer elapsed time than normal.
PerfBackoffInsurance Indicates if appraiser is running without performance backoff because it has run with
perf backoff and failed to complete several times in a row.
RunAppraiser Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will
not be received from this device.
RunDate The date that the diagnostic data run was stated, expressed as a filetime.
RunGeneralTel Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data
on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
RunOnline Indicates if appraiser was able to connect to Windows Update and theefore is making decisions
using up-to-date driver coverage information.
RunResult The hresult of the Appraiser diagnostic data run.
ScheduledUploadDay The day scheduled for the upload.
SendingUtc Indicates whether the Appraiser client is sending events during the current diagnostic data run.
StoreHandleIsNotNull Obsolete, always set to false
Telementr ySent Indicates whether diagnostic data was successfully sent.
ThrottlingUtc Indicates whether the Appraiser client is throttling its output of CUET events to avoid being
disabled. This increases runtime but also diagnostic data reliability.
VerboseMode Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
WhyFullSyncWithoutTablePrefix Indicates the reason or reasons that a full sync was generated.
Microsoft.Windows.Appraiser.General.WmdrmAdd
This event sends data about the usage of older digital rights management on the system, to help keep Windows up
to date. This data does not indicate the details of the media using the digital rights management, only whether any
such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able
to be removed once all mitigations are in place.
BlockingApplication Same as NeedsDismissAction.
NeedsDismissAction Indicates if a dismissible message is needed to warn the user about a potential loss of
data due to DRM deprecation.
WmdrmApiResult Raw value of the API used to gather DRM state.
WmdrmCdRipped Indicates if the system has any files encrypted with personal DRM, which was used for
ripped CDs.
WmdrmIndicators WmdrmCdRipped OR WmdrmPurchased.
WmdrmInUse WmdrmIndicators AND dismissible block in setup was not dismissed.
WmdrmNonPermanent Indicates if the system has any files with non-permanent licenses.
WmdrmPurchased Indicates if the system has any files with permanent licenses.
Microsoft.Windows.Appraiser.General.WmdrmStartSync
This event indicates that a new set of WmdrmAdd events will be sent.
Audio endpoint events

MicArrayGeometry
This event provides information about the layout of the individual microphone elements in the microphone array.
MicCoords The location and orientation of the microphone element.
usFrequencyBandHi The high end of the frequency range for the microphone.
usFrequencyBandLo The low end of the frequency range for the microphone.
usMicArrayType The type of the microphone array.
usNumberOfMicrophones The number of microphones in the array.
usVersion The version of the microphone array specification.
wHorizontalAngleBegin The horizontal angle of the start of the working volume (reported as radians times
10,000).
wHorizontalAngleEnd The horizontal angle of the end of the working volume (reported as radians times
10,000).
wVer ticalAngleBegin The vertical angle of the start of the working volume (reported as radians times
10,000).
wVer ticalAngleEnd The vertical angle of the end of the working volume (reported as radians times 10,000).
MicCoords
This event provides information about the location and orientation of the microphone element.
usType The type of microphone.
wHorizontalAngle The horizontal angle of the microphone (reported as radians times 10,000).
wVer ticalAngle The vertical angle of the microphone (reported as radians times 10,000).
wXCoord The x-coordinate of the microphone.
wYCoord The y-coordinate of the microphone.
wZCoord The z-coordinate of the microphone.
Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo
This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides
information about the audio endpoint.
BusEnumeratorName The name of the bus enumerator (for example, HDAUDIO or USB).
ContainerId An identifier that uniquely groups the functional devices associated with a single-function or
multifunction device.
DeviceInstanceId The unique identifier for this instance of the device.
EndpointDevnodeId The IMMDevice identifier of the associated devnode.
endpointEffectClsid The COM Class Identifier (CLSID) for the endpoint effect audio processing object.
endpointEffectModule Module name for the endpoint effect audio processing object.
EndpointFormFactor The enumeration value for the form factor of the endpoint device (for example speaker,
microphone, remote network device).
endpointID The unique identifier for the audio endpoint.
endpointInstanceId The unique identifier for the software audio endpoint. Used for joining to other audio
event.
Flow Indicates whether the endpoint is capture (1) or render (0).
globalEffectClsid COM Class Identifier (CLSID) for the legacy global effect audio processing object.
globalEffectModule Module name for the legacy global effect audio processing object.
HWID The hardware identifier for the endpoint.
IsBluetooth Indicates whether the device is a Bluetooth device.
isFarField A flag indicating whether the microphone endpoint is capable of hearing far field audio.
IsSideband Indicates whether the device is a sideband device.
IsUSB Indicates whether the device is a USB device.
JackSubType A unique ID representing the KS node type of the endpoint.
localEffectClsid The COM Class Identifier (CLSID) for the legacy local effect audio processing object.
localEffectModule Module name for the legacy local effect audio processing object.
MicArrayGeometr y Describes the microphone array, including the microphone position, coordinates, type,
and frequency range. See MicArrayGeometry.
modeEffectClsid The COM Class Identifier (CLSID) for the mode effect audio processing object.
modeEffectModule Module name for the mode effect audio processing object.
persistentId A unique ID for this endpoint which is retained across migrations.
streamEffectClsid The COM Class Identifier (CLSID) for the stream effect audio processing object.
streamEffectModule Module name for the stream effect audio processing object.
Census events
Census.App
This event sends version data about the Apps running on this device, to help keep Windows up to date.
AppraiserEnterpriseErrorCode The error code of the last Appraiser enterprise run.
AppraiserErrorCode The error code of the last Appraiser run.
AppraiserRunEndTimeStamp The end time of the last Appraiser run.
AppraiserRunIsInProgressOrCrashed Flag that indicates if the Appraiser run is in progress or has crashed.
AppraiserRunStar tTimeStamp The start time of the last Appraiser run.
AppraiserTaskEnabled Whether the Appraiser task is enabled.
AppraiserTaskExitCode The Appraiser task exist code.
AppraiserTaskLastRun The last runtime for the Appraiser task.
CensusVersion The version of Census that generated the current data for this device.
IEVersion The version of Internet Explorer that is running on the device.
Census.Azure
This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines
with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure
fleet”) return empty data sets.
CloudCoreBuildEx The Azure CloudCore build number.
CloudCoreSuppor tBuildEx The Azure CloudCore support build number.
NodeID The node identifier on the device that indicates whether the device is part of the Azure fleet.
Census.Battery
This event sends type and capacity data about the battery on the device, as well as the number of connected
standby devices in use, type to help keep Windows up to date.
InternalBatter yCapablities Represents information about what the battery is capable of doing.
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or relative).
Compare this value to DesignedCapacity to estimate the battery's wear.
InternalBatter yCapacityDesign Represents the theoretical capacity of the battery when new, in mWh.
InternalBatter yNumberOfCharges Provides the number of battery charges. This is used when creating new
products and validating that existing products meets targeted functionality performance.
IsAlwaysOnAlwaysConnectedCapable Represents whether the battery enables the device to be
AlwaysOnAlwaysConnected . Boolean value.
Census.Camera
This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
FrontFacingCameraResolution Represents the resolution of the front facing camera in megapixels. If a front
facing camera does not exist, then the value is 0.
RearFacingCameraResolution Represents the resolution of the rear facing camera in megapixels. If a rear
Census.Enterprise
This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of
the use and integration of devices in an enterprise, cloud, and server environment.
AADDeviceId Azure Active Directory device ID.
AzureOSIDPresent Represents the field used to identify an Azure machine.
AzureVMType Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
CDJType Represents the type of cloud domain joined for the machine.
CommercialId Represents the GUID for the commercial entity which the device is a member of. Will be used
to reflect insights back to customers.
ContainerType The type of container, such as process or virtual machine hosted.
EnrollmentType Defines the type of MDM enrollment on the device.
HashedDomain The hashed representation of the user domain used for login.
IsCloudDomainJoined Is this device joined to an Azure Active Directory (AAD) tenant? true/false
IsDERequirementMet Represents if the device can do device encryption.
IsDeviceProtected Represents if Device protected by BitLocker/Device Encryption
IsDomainJoined Indicates whether a machine is joined to a domain.
IsEDPEnabled Represents if Enterprise data protected on the device.
IsMDMEnrolled Whether the device has been MDM Enrolled or not.
MPNId Returns the Partner ID/MPN ID from Regkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
SCCMClientId This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based
systems with systems in an Enterprise SCCM environment.
Ser verFeatures Represents the features installed on a Windows Server. This can be used by developers and
administrators who need to automate the process of determining the features installed on a set of server
computers.
SystemCenterID The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
Census.Firmware
This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
FirmwareManufacturer Represents the manufacturer of the device's firmware (BIOS).
FirmwareReleaseDate Represents the date the current firmware was released.
FirmwareType Represents the firmware type. The various types can be unknown, BIOS, UEFI.
FirmwareVersion Represents the version of the current firmware.
Census.Flighting
This event sends Windows Insider data from customers participating in improvement testing and feedback
programs, to help keep Windows up to date.
DeviceSampleRate The telemetry sample rate assigned to the device.
DriverTargetRing Indicates if the device is participating in receiving pre-release drivers and firmware
contrent.
EnablePreviewBuilds Used to enable Windows Insider builds on a device.
FlightIds A list of the different Windows Insider builds on this device.
FlightingBranchName The name of the Windows Insider branch currently used by the device.
IsFlightsDisabled Represents if the device is participating in the Windows Insider program.
MSA_Accounts Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds)
on this device.
SSRK Retrieves the mobile targeting settings.
Census.Hardware
This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level
setting, and TPM support, to help keep Windows up to date.
ActiveMicCount The number of active microphones attached to the device.
ChassisType Represents the type of device chassis, such as desktop or low profile desktop. The possible values
can range between 1 - 36.
ComputerHardwareID Identifies a device class that is represented by a hash of different SMBIOS fields.
D3DMaxFeatureLevel Supported Direct3D version.
DeviceColor Indicates a color of the device.
DeviceForm Indicates the form as per the device classification.
DeviceName The device name that is set by the user.
DigitizerSuppor t Is a digitizer supported?
DUID The device unique ID.
Gyroscope Indicates whether the device has a gyroscope (a mechanical component that measures and
maintains orientation).
Inventor yId The device ID used for compatibility testing.
Magnetometer Indicates whether the device has a magnetometer (a mechanical component that works like a
compass).
NFCProximity Indicates whether the device supports NFC (a set of communication protocols that helps
establish communication when applicable devices are brought close together.)
OEMDigitalMarkerFileName The name of the file placed in the \Windows\system32\drivers directory that
specifies the OEM and model name of the device.
OEMManufacturerName The device manufacturer name. The OEMName for an inactive device is not
reprocessed even if the clean OEM name is changed at a later date.
OEMModelBaseBoard The baseboard model used by the OEM.
OEMModelBaseBoardVersion Differentiates between developer and retail devices.
OEMModelName The device model name.
OEMModelNumber The device model number.
OEMModelSKU The device edition that is defined by the manufacturer.
OEMModelSystemFamily The system family set on the device by an OEM.
OEMModelSystemVersion The system model version set on the device by the OEM.
OEMOptionalIdentifier A Microsoft assigned value that represents a specific OEM subsidiary.
OEMSerialNumber The serial number of the device that is set by the manufacturer.
PhoneManufacturer The friendly name of the phone manufacturer.
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic form
factor of the device.
SoCName The firmware manufacturer of the device.
StudyID Used to identify retail and non-retail device.
Telemetr yLevel The telemetry level the user has opted into, such as Basic or Enhanced.
Telemetr yLevelLimitEnhanced The telemetry level for Windows Analytics-based solutions.
Telemetr ySettingAuthority Determines who set the telemetry level, such as GP, MDM, or the user.
TPMManufacturerId The ID of the TPM manufacturer.
TPMManufacturerVersion The version of the TPM manufacturer.
TPMVersion The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
VoiceSuppor ted Does the device have a cellular radio capable of making voice calls?
Census.Memory
This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to
date.
TotalPhysicalRAM Represents the physical memory (in MB).
TotalVisibleMemor y Represents the memory that is not reserved by the system.
Census.Network
This event sends data about the mobile and cellular network used by the device (mobile service provider, network,
device ID, and service cost factors), to help keep Windows up to date.
IMEI0 Represents the International Mobile Station Equipment Identity. This number is usually unique and used
by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile
operator billing data so collecting this data does not expose or identify the user. The two fields represent phone
with dual sim coverage.
MCC0 Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely
identify a mobile network operator. The two fields represent phone with dual sim coverage.
MEID Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to
CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA
phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose
or identify the user.
MNC0 Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely
MobileOperatorBilling Represents the telephone company that provides services for mobile phone users.
MobileOperatorCommercialized Represents which reseller and geography the phone is commercialized for.
This is the set of values on the phone for who and where it was intended to be used. For example, the
commercialized mobile operator code AT&T in the US would be ATT-US.
MobileOperatorNetwork0 Represents the operator of the current mobile network that the device is used on.
(AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
NetworkAdapterGUID The GUID of the primary network adapter.
NetworkCost Represents the network cost associated with a connection.
SPN0 Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or
Verizon. The two fields represent phone with dual sim coverage.
Census.OS
This event sends data about the operating system such as the version, locale, update service configuration, when
and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
ActivationChannel Retrieves the retail license key or Volume license key for a machine.
AssignedAccessStatus Kiosk configuration mode.
CompactOS Indicates if the Compact OS feature from Win10 is enabled.
DeveloperUnlockStatus Represents if a device has been developer unlocked by the user or Group Policy.
DeviceTimeZone The time zone that is set on the device. Example: Pacific Standard Time
GenuineState Retrieves the ID Value specifying the OS Genuine check.
InstallationType Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
InstallLanguage The first language installed on the user machine.
IsDeviceRetailDemo Retrieves if the device is running in demo mode.
IsEduData Returns Boolean if the education data policy is enabled.
IsPor tableOperatingSystem Retrieves whether OS is running Windows-To-Go
IsSecureBootEnabled Retrieves whether Boot chain is signed under UEFI.
LanguagePacks The list of language packages installed on the device.
LicenseStateReason Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an
error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by
the MS store.
OA3xOriginalProductKey Retrieves the License key stamped by the OEM to the machine.
OSEdition Retrieves the version of the current OS.
OSInstallType Retrieves a numeric description of what install was used on the device i.e. clean, upgrade,
refresh, reset, etc
OSOOBEDateTime Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
OSSKU Retrieves the Friendly Name of OS Edition.
OSSubscriptionStatus Represents the existing status for enterprise subscription feature for PRO machines.
OSSubscriptionTypeId Returns boolean for enterprise subscription feature for selected PRO machines.
OSTimeZoneBiasInMins Retrieves the time zone set on machine.
OSUILocale Retrieves the locale of the UI that is currently used by the OS.
ProductActivationResult Returns Boolean if the OS Activation was successful.
ProductActivationTime Returns the OS Activation time for tracking piracy issues.
ProductKeyID2 Retrieves the License key if the machine is updated with a new license key.
RACw7Id Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor
and analyze system usage and reliability.
Ser viceMachineIP Retrieves the IP address of the KMS host used for anti-piracy.
Ser viceMachinePor t Retrieves the port of the KMS host used for anti-piracy.
Ser viceProductKeyID Retrieves the License key of the KMS
SharedPCMode Returns Boolean for education devices used as shared cart
Signature Retrieves if it is a signature machine sold by Microsoft store.
SLICStatus Whether a SLIC table exists on the device.
SLICVersion Returns OS type/version from SLIC table.
Census.PrivacySettings
This event provides information about the device level privacy settings and whether device-level access was
granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for
the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits
represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective
consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1
= an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The
consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not
requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a
gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID
policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was
not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
Activity Current state of the activity history setting.
ActivityHistor yCloudSync Current state of the activity history cloud sync setting.
ActivityHistor yCollection Current state of the activity history collection setting.
Adver tisingId Current state of the advertising ID setting.
AppDiagnostics Current state of the app diagnostics setting.
Appointments Current state of the calendar setting.
Bluetooth Current state of the Bluetooth capability setting.
BluetoothSync Current state of the Bluetooth sync capability setting.
BroadFileSystemAccess Current state of the broad file system access setting.
CellularData Current state of the cellular data capability setting.
Chat Current state of the chat setting.
Contacts Current state of the contacts setting.
DocumentsLibrar y Current state of the documents library setting.
Email Current state of the email setting.
FindMyDevice Current state of the "find my device" setting.
GazeInput Current state of the gaze input setting.
HumanInterfaceDevice Current state of the human interface device setting.
InkTypeImprovement Current state of the improve inking and typing setting.
Location Current state of the location setting.
LocationHistor y Current state of the location history setting.
LocationHistor yCloudSync Current state of the location history cloud sync setting.
LocationHistor yOnTimeline Current state of the location history on timeline setting.
Microphone Current state of the microphone setting.
PhoneCall Current state of the phone call setting.
PhoneCallHistor y Current state of the call history setting.
PicturesLibrar y Current state of the pictures library setting.
Radios Current state of the radios setting.
SensorsCustom Current state of the custom sensor setting.
SerialCommunication Current state of the serial communication setting.
Sms Current state of the text messaging setting.
SpeechPersonalization Current state of the speech services setting.
USB Current state of the USB setting.
UserAccountInformation Current state of the account information setting.
UserDataTasks Current state of the tasks setting.
UserNotificationListener Current state of the notifications setting.
VideosLibrar y Current state of the videos library setting.
Webcam Current state of the camera setting.
WiFiDirect Current state of the Wi-Fi direct setting.
Census.Processor
This event sends data about the processor to help keep Windows up to date.
KvaShadow This is the micro code information of the processor.
MMSettingOverride Microcode setting of the processor.
MMSettingOverrideMask Microcode setting override of the processor.
PreviousUpdateRevision Previous microcode revision
ProcessorArchitecture Retrieves the processor architecture of the installed operating system.
ProcessorClockSpeed Clock speed of the processor in MHz.
ProcessorCores Number of logical cores in the processor.
ProcessorIdentifier Processor Identifier of a manufacturer.
ProcessorManufacturer Name of the processor manufacturer.
ProcessorModel Name of the processor model.
ProcessorPhysicalCores Number of physical cores in the processor.
ProcessorUpdateRevision The microcode revision.
ProcessorUpdateStatus Enum value that represents the processor microcode load status
SocketCount Count of CPU sockets.
SpeculationControl If the system has enabled protections needed to validate the speculation control
vulnerability.
Census.Security
This event provides information on about security settings used to help keep Windows up to date and secure.
AvailableSecurityProper ties This field helps to enumerate and report state on the relevant security
properties for Device Guard.
CGRunning Credential Guard isolates and hardens key system and user secrets against compromise, helping
to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already
running via a local or network based vector. This field tells if Credential Guard is running.
DGState This field summarizes the Device Guard state.
HVCIRunning Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes
and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all
software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
IsSawGuest Indicates whether the device is running as a Secure Admin Workstation Guest.
IsSawHost Indicates whether the device is running as a Secure Admin Workstation Host.
RequiredSecurityProper ties Describes the required security properties to enable virtualization-based
security.
SecureBootCapable Systems that support Secure Boot can have the feature turned off via BIOS. This field tells
if the system is capable of running Secure Boot, regardless of the BIOS setting.
SModeState The Windows S mode trail state.
VBSState Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of
the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to
isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled,
Enabled, or Running.
Census.Speech
This event is used to gather basic speech settings on the device.
AboveLockEnabled Cortana setting that represents if Cortana can be invoked when the device is locked.
GPAllowInputPersonalization Indicates if a Group Policy setting has enabled speech functionalities.
HolographicSpeechInputDisabled Holographic setting that represents if the attached HMD devices have
speech functionality disabled by the user.
HolographicSpeechInputDisabledRemote Indicates if a remote policy has disabled speech functionalities
for the HMD devices.
KeyVer Version information for the census speech event.
KWSEnabled Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
MDMAllowInputPersonalization Indicates if an MDM policy has enabled speech functionalities.
RemotelyManaged Indicates if the device is being controlled by a remote administrator (MDM or Group
Policy) in the context of speech functionalities.
SpeakerIdEnabled Cortana setting that represents if keyword detection has been trained to try to respond to
a single user's voice.
SpeechSer vicesEnabled Windows setting that represents whether a user is opted-in for speech services on
the device.
SpeechSer vicesValueSource Indicates the deciding factor for the effective online speech recognition privacy
policy settings: remote admin, local admin, or user preference.
Census.Storage
This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to
date.
Primar yDiskTotalCapacity Retrieves the amount of disk space on the primary disk of the device in MB.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to
which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
StorageReser vePassedPolicy Indicates whether the Storage Reserve policy, which ensures that updates have
enough disk space and customers are on the latest OS, is enabled on this device.
SystemVolumeTotalCapacity Retrieves the size of the partition that the System volume is installed on in MB.
Census.Userdefault
This event sends data about the current user's default preferences for browser and several of the most popular
extensions and protocols, to help keep Windows up to date.
CalendarType The calendar identifiers that are used to specify different calendars.
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg,
.jpeg, .png, .mp3, .mp4, .mov, .pdf.
DefaultBrowserProgId The ProgramId of the current user's default browser.
LocaleName Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
LongDateFormat The long date format the user has selected.
Shor tDateFormat The short date format the user has selected.
Census.UserDisplay
This event sends data about the logical/physical display size, resolution and number of internal/external displays,
and VRAM on the system, to help keep Windows up to date.
InternalPrimar yDisplayLogicalDPIX Retrieves the logical DPI in the x-direction of the internal display.
InternalPrimar yDisplayLogicalDPIY Retrieves the logical DPI in the y-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIX Retrieves the physical DPI in the x-direction of the internal display.
InternalPrimar yDisplayPhysicalDPIY Retrieves the physical DPI in the y-direction of the internal display.
InternalPrimar yDisplayResolutionHorizontal Retrieves the number of pixels in the horizontal direction of
the internal display.
InternalPrimar yDisplayResolutionVer tical Retrieves the number of pixels in the vertical direction of the
internal display.
InternalPrimar yDisplaySizePhysicalH Retrieves the physical horizontal length of the display in mm. Used
for calculating the diagonal length in inches .
InternalPrimar yDisplaySizePhysicalY Retrieves the physical vertical length of the display in mm. Used for
calculating the diagonal length in inches
NumberofExternalDisplays Retrieves the number of external displays connected to the machine
NumberofInternalDisplays Retrieves the number of internal displays in a machine.
VRAMDedicated Retrieves the video RAM in MB.
VRAMDedicatedSystem Retrieves the amount of memory on the dedicated video card.
VRAMSharedSystem Retrieves the amount of RAM memory that the video card can use.
Census.UserNLS
This event sends data about the default app language, input, and display language preferences set by the user, to
help keep Windows up to date.
DefaultAppLanguage The current user Default App Language.
DisplayLanguage The current user preferred Windows Display Language.
HomeLocation The current user location, which is populated using GetUserGeoId() function.
KeyboardInputLanguages The Keyboard input languages installed on the device.
SpeechInputLanguages The Speech Input languages installed on the device.
Census.UserPrivacySettings
This event provides information about the current users privacy settings and whether device-level access was
represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective
consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent
authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error
occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide
setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy
setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in
code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
InkTypePersonalization Current state of the inking and typing personalization setting.
Census.VM
This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to
CloudSer vice Indicates which cloud service, if any, that this virtual machine is running within.
HyperVisor Retrieves whether the current OS is running on top of a Hypervisor.
IOMMUPresent Represents if an input/output memory management unit (IOMMU) is present.
IsVDI Is the device using Virtual Desktop Infrastructure?
IsVir tualDevice Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should
not be relied upon for non-Hv#1 Hypervisors.
SL ATSuppor ted Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
Vir tualizationFirmwareEnabled Represents whether virtualization is enabled in the firmware.
VMId A string that uniquely identifies a virtual machine.
Census.WU
This event sends data about the Windows update server and other App store policies, to help keep Windows up to
date.
AppraiserGatedStatus Indicates whether a device has been gated for upgrading.
AppStoreAutoUpdate Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
AppStoreAutoUpdateMDM Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 -
Not configured. Default: [2] Not configured
AppStoreAutoUpdatePolicy Retrieves the Microsoft Store App Auto Update group policy setting
DelayUpgrade Retrieves the Windows upgrade flag for delaying upgrades.
OSAssessmentFeatureOutOfDate How many days has it been since a the last feature update was released
but the device did not install it?
OSAssessmentForFeatureUpdate Is the device is on the latest feature update?
OSAssessmentForQualityUpdate Is the device on the latest quality update?
OSAssessmentForSecurityUpdate Is the device on the latest security update?
OSAssessmentQualityOutOfDate How many days has it been since a the last quality update was released
OSAssessmentReleaseInfoTime The freshness of release information used to perform an assessment.
OSRollbackCount The number of times feature updates have rolled back on the device.
OSRolledBack A flag that represents when a feature update has rolled back during setup.
OSUninstalled A flag that represents when a feature update is uninstalled on a device .
OSWUAutoUpdateOptions Retrieves the auto update settings on the device.
OSWUAutoUpdateOptionsSource The source of auto update setting that appears in the
OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and
Default.
UninstallActive A flag that represents when a device has uninstalled a previous upgrade recently.
UpdateSer viceURLConfigured Retrieves if the device is managed by Windows Server Update Services
(WSUS).
WUDeferUpdatePeriod Retrieves if deferral is set for Updates.
WUDeferUpgradePeriod Retrieves if deferral is set for Upgrades.
WUDODownloadMode Retrieves whether DO is turned on and how to acquire/distribute updates Delivery
Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same
network.
WUMachineId Retrieves the Windows Update (WU) Machine Identifier.
WUPauseState Retrieves WU setting to determine if updates are paused.
WUSer ver Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers
(by default).
Common data extensions

Common Data Extensions.app
Describes the properties of the running application. This extension could be populated by a client app or a web
app.
asId An integer value that represents the app session. This value starts at 0 on the first app launch and
increments after each subsequent app launch per boot session.
env The environment from which the event was logged.
expId Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an
event.
id Represents a unique identifier of the client application currently loaded in the process producing the event;
and is used to group events together and understand usage pattern, errors by application.
locale The locale of the app.
name The name of the app.
userId The userID as known by the application.
ver Represents the version number of the application. Used to understand errors by Version, Usage by Version
across an app.
Common Data Extensions.container
Describes the properties of the container for events logged within a container.
epoch An ID that's incremented for each SDK initialization.
localId The device ID as known by the client.
osVer The operating system version.
seq An ID that's incremented for each event.
type The container type. Examples: Process or VMHost
Common Data Extensions.device
Describes the device-related fields.
deviceClass The device classification. For example, Desktop, Server, or Mobile.
localId A locally-defined unique ID for the device. This is not the human-readable device name. Most likely
equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
make Device manufacturer.
model Device model.
Common Data Extensions.Envelope
Represents an envelope that contains all of the common data extensions.
data Represents the optional unique diagnostic data for a particular event schema.
ext_app Describes the properties of the running application. This extension could be populated by either a
client app or a web app. See Common Data Extensions.app.
ext_container Describes the properties of the container for events logged within a container. See Common
Data Extensions.container.
ext_device Describes the device-related fields. See Common Data Extensions.device.
ext_mscv Describes the correlation vector-related fields. See Common Data Extensions.mscv.
ext_os Describes the operating system properties that would be populated by the client. See Common Data
Extensions.os.
ext_sdk Describes the fields related to a platform library required for a specific SDK. See Common Data
Extensions.sdk.
ext_user Describes the fields related to a user. See Common Data Extensions.user.
ext_utc Describes the fields that might be populated by a logging library on Windows. See Common Data
Extensions.utc.
ext_xbl Describes the fields related to XBOX Live. See Common Data Extensions.xbl.
iKey Represents an ID for applications or other logical groupings of events.
name Represents the uniquely qualified name for the event.
time Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the
client. This should be in ISO 8601 format.
ver Represents the major and minor version of the extension.
Common Data Extensions.mscv
Describes the correlation vector-related fields.
cV Represents the Correlation Vector: A single field for tracking partial order of related events across
component boundaries.
Common Data Extensions.os
Describes some properties of the operating system.
bootId An integer value that represents the boot session. This value starts at 0 on first boot after OS install and
increments after every reboot.
expId Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release
build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs
in Part A of the common schema.
locale Represents the locale of the operating system.
name Represents the operating system name.
Common Data Extensions.sdk
Used by platform specific libraries to record fields that are required for a specific SDK.
epoch An ID that is incremented for each SDK initialization.
installId An ID that's created during the initialization of the SDK for the first time.
libVer The SDK version.
seq An ID that is incremented for each event.
ver The version of the logging SDK.
Common Data Extensions.user
Describes the fields related to a user.
authId This is an ID of the user associated with this event that is deduced from a token such as a Microsoft
Account ticket or an XBOX token.
locale The language and region.
localId Represents a unique user identity that is created locally and added by the client. This is not the user's
account ID.
Common Data Extensions.utc
Describes the properties that could be populated by a logging library on Windows.
aId Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
bSeq Upload buffer sequence number in the format: buffer identifier:sequence number
cat Represents a bitmask of the ETW Keywords associated with the event.
cpId The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
epoch Represents the epoch and seqNum fields, which help track how many events were fired and how many
events were uploaded, and enables identification of data lost during upload and de-duplication of events on the
ingress server.
eventFlags Represents a collection of bits that describe how the event should be processed by the Connected
User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next
byte is the event latency.
flags Represents the bitmap that captures various Windows specific flags.
loggingBinar y The binary (executable, library, driver, etc.) that fired the event.
mon Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
op Represents the ETW Op Code.
pgName The short form of the provider group name associated with the event.
popSample Represents the effective sample rate for this event at the time it was generated by a client.
providerGuid The ETW provider ID associated with the provider name.
raId Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
seq Represents the sequence field used to track absolute order of uploaded events. It is an incrementing
identifier for each event added to the upload queue. The Sequence helps track how many events were fired and
how many events were uploaded and enables identification of data lost during upload and de-duplication of
events on the ingress server.
stId Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This
used to be Scenario Trigger ID.
wcmp The Windows Shell Composer ID.
wPId The Windows Core OS product ID.
wsId The Windows Core OS session ID.
Common Data Extensions.xbl
Describes the fields that are related to XBOX Live.
claims Any additional claims whose short claim name hasn't been added to this structure.
did XBOX device ID
dty XBOX device type
dvr The version of the operating system on the device.
eid A unique ID that represents the developer entity.
exp Expiration time
ip The IP address of the client device.
nbf Not before time
pid A comma separated list of PUIDs listed as base10 numbers.
sbx XBOX sandbox identifier
sid The service instance ID.
sty The service type.
tid The XBOX Live title ID.
tvr The XBOX Live title version.
uts A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail
accounts.
xid A list of base10-encoded XBOX User IDs.
Common data fields

Ms.Device.DeviceInventoryChange
Describes the installation state for all hardware and software components available on a particular device.
action The change that was invoked on a device inventory object.
inventor yId Device ID used for Compatibility testing
objectInstanceId Object identity which is unique within the device scope.
objectType Indicates the object type that the event applies to.
syncId A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field
is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping
inventories for the same object.
Component-based servicing events

CbsServicingProvider.CbsCapabilityEnumeration
This event reports on the results of scanning for optional Windows content on Windows Update.
architecture Indicates the scan was limited to the specified architecture.
capabilityCount The number of optional content packages found during the scan.
clientId The name of the application requesting the optional content.
duration The amount of time it took to complete the scan.
hrStatus The HReturn code of the scan.
language Indicates the scan was limited to the specified language.
majorVersion Indicates the scan was limited to the specified major version.
minorVersion Indicates the scan was limited to the specified minor version.
namespace Indicates the scan was limited to packages in the specified namespace.
sourceFilter A bitmask indicating the scan checked for locally available optional content.
stackBuild The build number of the servicing stack.
stackMajorVersion The major version number of the servicing stack.
stackMinorVersion The minor version number of the servicing stack.
stackRevision The revision number of the servicing stack.
CbsServicingProvider.CbsCapabilitySessionFinalize
This event provides information about the results of installing or uninstalling optional Windows content from
Windows Update.
capabilities The names of the optional content packages that were installed.
currentID The ID of the current install session.
downloadSource The source of the download.
highestState The highest final install state of the optional content.
hrLCUReser vicingStatus Indicates whether the optional content was updated to the latest available version.
hrStatus The HReturn code of the install operation.
rebootCount The number of reboots required to complete the install.
retr yID The session ID that will be used to retry a failed operation.
retr yStatus Indicates whether the install will be retried in the event of failure.
CbsServicingProvider.CbsCapabilitySessionPended
This event provides information about the results of installing optional Windows content that requires a reboot to
pendingDecision Indicates the cause of reboot, if applicable.
CbsServicingProvider.CbsLateAcquisition
This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade,
to help keep Windows up to date.
Features The list of feature packages that could not be updated.
Retr yID The ID identifying the retry attempt to update the listed packages.
CbsServicingProvider.CbsPackageRemoval
This event provides information about the results of uninstalling a Windows Cumulative Security Update to help
buildVersion The build number of the security update being uninstalled.
clientId The name of the application requesting the uninstall.
currentStateEnd The final state of the update after the operation.
failureDetails Information about the cause of a failure, if applicable.
failureSourceEnd The stage during the uninstall where the failure occurred.
hrStatusEnd The overall exit code of the operation.
initiatedOffline Indicates if the uninstall was initiated for a mounted Windows image.
majorVersion The major version number of the security update being uninstalled.
minorVersion The minor version number of the security update being uninstalled.
originalState The starting state of the update before the operation.
primitiveExecutionContext The state during system startup when the uninstall was completed.
revisionVersion The revision number of the security update being uninstalled.
transactionCanceled Indicates whether the uninstall was cancelled.
CbsServicingProvider.CbsQualityUpdateInstall
This event reports on the performance and reliability results of installing Servicing content from Windows Update
to keep Windows up to date.
buildVersion The build version number of the update package.
corruptionHistor yFlags A bitmask of the types of component store corruption that have caused update
failures on the device.
corruptionType An enumeration listing the type of data corruption responsible for the current update failure.
currentStateEnd The final state of the package after the operation has completed.
doqTimeSeconds The time in seconds spent updating drivers.
executeTimeSeconds The number of seconds required to execute the install.
failureDetails The driver or installer that caused the update to fail.
failureSourceEnd An enumeration indicating at what phase of the update a failure occurred.
hrStatusEnd The return code of the install operation.
initiatedOffline A true or false value indicating whether the package was installed into an offline Windows
Imaging Format (WIM) file.
majorVersion The major version number of the update package.
minorVersion The minor version number of the update package.
originalState The starting state of the package.
overallTimeSeconds The time (in seconds) to perform the overall servicing operation.
planTimeSeconds The time in seconds required to plan the update operations.
poqTimeSeconds The time in seconds processing file and registry operations.
postRebootTimeSeconds The time (in seconds) to do startup processing for the update.
preRebootTimeSeconds The time (in seconds) between execution of the installation and the reboot.
primitiveExecutionContext An enumeration indicating at what phase of shutdown or startup the update was
installed.
rebootCount The number of reboots required to install the update.
rebootTimeSeconds The time (in seconds) before startup processing begins for the update.
resolveTimeSeconds The time in seconds required to resolve the packages that are part of the update.
revisionVersion The revision version number of the update package.
rptTimeSeconds The time in seconds spent executing installer plugins.
shutdownTimeSeconds The time (in seconds) required to do shutdown processing for the update.
stageTimeSeconds The time (in seconds) required to stage all files that are part of the update.
CbsServicingProvider.CbsSelectableUpdateChangeV2
This event reports the results of enabling or disabling optional Windows Content to keep Windows up to date.
applicableUpdateState Indicates the highest applicable state of the optional content.
buildVersion The build version of the package being installed.
clientId The name of the application requesting the optional content change.
downloadSource Indicates if optional content was obtained from Windows Update or a locally accessible file.
downloadtimeInSeconds Indicates if optional content was obtained from Windows Update or a locally
accessible file.
executionID A unique ID used to identify events associated with a single servicing operation and not reused
for future operations.
executionSequence A counter that tracks the number of servicing operations attempted on the device.
firstMergedExecutionSequence The value of a pervious executionSequence counter that is being merged
with the current operation, if applicable.
firstMergedID A unique ID of a pervious servicing operation that is being merged with this operation, if
applicable.
hrDownloadResult The return code of the download operation.
hrStatusUpdate The return code of the servicing operation.
identityHash A pseudonymized (hashed) identifier for the Windows Package that is being installed or
uninstalled.
initiatedOffline Indicates whether the operation was performed against an offline Windows image file or a
running instance of Windows.
majorVersion The major version of the package being installed.
minorVersion The minor version of the package being installed.
packageArchitecture The architecture of the package being installed.
packageLanguage The language of the package being installed.
packageName The name of the package being installed.
rebootRequired Indicates whether a reboot is required to complete the operation.
revisionVersion The revision number of the package being installed.
stackBuild The build number of the servicing stack binary performing the installation.
stackMajorVersion The major version number of the servicing stack binary performing the installation.
stackMinorVersion The minor version number of the servicing stack binary performing the installation.
stackRevision The revision number of the servicing stack binary performing the installation.
updateName The name of the optional Windows Operation System feature being enabled or disabled.
updateStar tState A value indicating the state of the optional content before the operation started.
updateTargetState A value indicating the desired state of the optional content.
CbsServicingProvider.CbsUpdateDeferred
This event reports the results of deferring Windows Content to keep Windows up to date.
Diagnostic data events

TelClientSynthetic.AbnormalShutdown_0
This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows
up to date.
AbnormalShutdownBootId BootId of the abnormal shutdown being reported by this event.
AbsCausedbyAutoChk This flag is set when AutoCheck forces a device restart to indicate that the shutdown
was not an abnormal shutdown.
AcDcStateAtLastShutdown Identifies if the device was on battery or plugged in.
Batter yLevelAtLastShutdown The last recorded battery level.
Batter yPercentageAtLastShutdown The battery percentage at the last shutdown.
CrashDumpEnabled Are crash dumps enabled?
CumulativeCrashCount Cumulative count of operating system crashes since the BootId reset.
CurrentBootId BootId at the time the abnormal shutdown event was being reported.
Firmwaredata->ResetReasonEmbeddedController The reset reason that was supplied by the firmware.
Firmwaredata->ResetReasonEmbeddedControllerAdditional Additional data related to reset reason
provided by the firmware.
Firmwaredata->ResetReasonPch The reset reason that was supplied by the hardware.
Firmwaredata->ResetReasonPchAdditional Additional data related to the reset reason supplied by the
hardware.
Firmwaredata->ResetReasonSupplied Indicates whether the firmware supplied any reset reason or not.
FirmwareType ID of the FirmwareType as enumerated in DimFirmwareType.
HardwareWatchdogTimerGeneratedLastReset Indicates whether the hardware watchdog timer caused the
last reset.
HardwareWatchdogTimerPresent Indicates whether hardware watchdog timer was present or not.
InvalidBootStat This is a sanity check flag that ensures the validity of the bootstat file.
LastBugCheckBootId bootId of the last captured crash.
LastBugCheckCode Code that indicates the type of error.
LastBugCheckContextFlags Additional crash dump settings.
LastBugCheckOriginalDumpType The type of crash dump the system intended to save.
LastBugCheckOtherSettings Other crash dump settings.
LastBugCheckParameter1 The first parameter with additional info on the type of the error.
LastBugCheckProgress Progress towards writing out the last crash dump.
LastBugCheckVersion The version of the information struct written during the crash.
LastSuccessfullyShutdownBootId BootId of the last fully successful shutdown.
LongPowerButtonPressDetected Identifies if the user was pressing and holding power button.
OOBEInProgress Identifies if OOBE is running.
OSSetupInProgress Identifies if the operating system setup is running.
PowerButtonCumulativePressCount How many times has the power button been pressed?
PowerButtonCumulativeReleaseCount How many times has the power button been released?
PowerButtonErrorCount Indicates the number of times there was an error attempting to record power
button metrics.
PowerButtonLastPressBootId BootId of the last time the power button was pressed.
PowerButtonLastPressTime Date and time of the last time the power button was pressed.
PowerButtonLastReleaseBootId BootId of the last time the power button was released.
PowerButtonLastReleaseTime Date and time of the last time the power button was released.
PowerButtonPressCurrentCsPhase Represents the phase of Connected Standby exit when the power button
was pressed.
PowerButtonPressIsShutdownInProgress Indicates whether a system shutdown was in progress at the last
time the power button was pressed.
PowerButtonPressLastPowerWatchdogStage Progress while the monitor is being turned on.
PowerButtonPressPowerWatchdogArmed Indicates whether or not the watchdog for the monitor was
active at the time of the last power button press.
ShutdownDeviceType Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through
a Kernel API.
SleepCheckpoint Provides the last checkpoint when there is a failure during a sleep transition.
SleepCheckpointSource Indicates whether the source is the EFI variable or bootstat file.
SleepCheckpointStatus Indicates whether the checkpoint information is valid.
StaleBootStatData Identifies if the data from bootstat is stale.
TransitionInfoBootId BootId of the captured transition info.
TransitionInfoCSCount l number of times the system transitioned from Connected Standby mode.
TransitionInfoCSEntr yReason Indicates the reason the device last entered Connected Standby mode.
TransitionInfoCSExitReason Indicates the reason the device last exited Connected Standby mode.
TransitionInfoCSInProgress At the time the last marker was saved, the system was in or entering Connected
Standby mode.
TransitionInfoLastReferenceTimeChecksum The checksum of TransitionInfoLastReferenceTimestamp,
TransitionInfoLastReferenceTimestamp The date and time that the marker was last saved.
TransitionInfoLidState Describes the state of the laptop lid.
TransitionInfoPowerButtonTimestamp The date and time of the last time the power button was pressed.
TransitionInfoSleepInProgress At the time the last marker was saved, the system was in or entering sleep
mode.
TransitionInfoSleepTranstionsToOn Total number of times the device transitioned from sleep mode.
TransitionInfoSystemRunning At the time the last marker was saved, the device was running.
TransitionInfoSystemShutdownInProgress Indicates whether a device shutdown was in progress when the
power button was pressed.
TransitionInfoUserShutdownInProgress Indicates whether a user shutdown was in progress when the
power button was pressed.
TransitionLatestCheckpointId Represents a unique identifier for a checkpoint during the device state
transition.
TransitionLatestCheckpointSeqNumber Represents the chronological sequence number of the checkpoint.
TransitionLatestCheckpointType Represents the type of the checkpoint, which can be the start of a phase,
end of a phase, or just informational.
Vir tualMachineId If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that
can be used to correlate events on the host.
TelClientSynthetic.AuthorizationInfo_RuntimeTransition
This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC
startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
CanAddMsaToMsTelemetr y True if we can add MSA PUID and CID to telemetry, false otherwise.
CanCollectAnyTelemetr y True if we are allowed to collect partner telemetry, false otherwise.
CanCollectCoreTelemetr y True if we can collect CORE/Basic telemetry, false otherwise.
CanCollectHear tbeats True if we can collect heartbeat telemetry, false otherwise.
CanCollectOsTelemetr y True if we can collect diagnostic data telemetry, false otherwise.
CanCollectWindowsAnalyticsEvents True if we can collect Windows Analytics data, false otherwise.
CanPerformDiagnosticEscalations True if we can perform diagnostic escalation collection, false otherwise.
CanRepor tScenarios True if we can report scenario completions, false otherwise.
PreviousPermissions Bitmask of previous telemetry state.
TransitionFromEver ythingOff True if we are transitioning from all telemetry being disabled, false otherwise.
TelClientSynthetic.AuthorizationInfo_Startup
Fired by UTC at startup to signal what data we are allowed to collect.
TelClientSynthetic.ConnectivityHeartBeat_0
This event sends data about the connectivity status of the Connected User Experience and Telemetry component
that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the
last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24
hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed
network to free network.
CensusExitCode Returns last execution codes from census client run.
CensusStar tTime Returns timestamp corresponding to last successful census run.
CensusTaskEnabled Returns Boolean value for the census task (Enable/Disable) on client machine.
LastConnectivityLossTime Retrieves the last time the device lost free network.
NetworkState Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
NoNetworkTime Retrieves the time spent with no network (since the last time) in seconds.
RestrictedNetworkTime Retrieves the time spent on a metered (cost restricted) network in seconds.
TelClientSynthetic.GetFileInfoAction_FilePathNotApproved_0
This event occurs when the DiagTrack escalation fails due to the scenario requesting a path that is not approved for
GetFileInfo actions.
FilePath The unexpanded path in the scenario XML.
ScenarioId The globally unique identifier (GUID) of the scenario.
ScenarioInstanceId The error code denoting which path failed (internal or external).
TelClientSynthetic.HeartBeat_5
This event sends data about the health and quality of the diagnostic data from the given device, to help keep
Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
AgentConnectionErrorsCount Number of non-timeout errors associated with the host/agent channel.
CensusExitCode The last exit code of the Census task.
CensusStar tTime Time of last Census run.
CensusTaskEnabled True if Census is enabled, false otherwise.
CompressedBytesUploaded Number of compressed bytes uploaded.
ConsumerDroppedCount Number of events dropped at consumer layer of telemetry client.
CriticalDataDbDroppedCount Number of critical data sampled events dropped at the database layer.
CriticalDataThrottleDroppedCount The number of critical data sampled events that were dropped because
of throttling.
CriticalOverflowEntersCounter Number of times critical overflow mode was entered in event DB.
DbCriticalDroppedCount Total number of dropped critical events in event DB.
DbDroppedCount Number of events dropped due to DB fullness.
DbDroppedFailureCount Number of events dropped due to DB failures.
DbDroppedFullCount Number of events dropped due to DB fullness.
DecodingDroppedCount Number of events dropped due to decoding failures.
EnteringCriticalOverflowDroppedCounter Number of events dropped due to critical overflow mode being
initiated.
EtwDroppedBufferCount Number of buffers dropped in the UTC ETW session.
EtwDroppedCount Number of events dropped at ETW layer of telemetry client.
EventsPersistedCount Number of events that reached the PersistEvent stage.
EventStoreLifetimeResetCounter Number of times event DB was reset for the lifetime of UTC.
EventStoreResetCounter Number of times event DB was reset.
EventStoreResetSizeSum Total size of event DB across all resets reports in this instance.
EventsUploaded Number of events uploaded.
Flags Flags indicating device state such as network state, battery state, and opt-in state.
FullTriggerBufferDroppedCount Number of events dropped due to trigger buffer being full.
Hear tBeatSequenceNumber The sequence number of this heartbeat.
InvalidHttpCodeCount Number of invalid HTTP codes received from contacting Vortex.
LastAgentConnectionError Last non-timeout error encountered in the host/agent channel.
LastEventSizeOffender Event name of last event which exceeded max event size.
LastInvalidHttpCode Last invalid HTTP code received from Vortex.
MaxActiveAgentConnectionCount The maximum number of active agents during this heartbeat timeframe.
MaxInUseScenarioCounter Soft maximum number of scenarios loaded by UTC.
PreviousHear tBeatTime Time of last heartbeat event (allows chaining of events).
PrivacyBlockedCount The number of events blocked due to privacy settings or tags.
RepeatedUploadFailureDropped Number of events lost due to repeated upload failures for a single buffer.
SettingsHttpAttempts Number of attempts to contact OneSettings service.
SettingsHttpFailures The number of failures from contacting the OneSettings service.
ThrottledDroppedCount Number of events dropped due to throttling of noisy providers.
TopUploaderErrors List of top errors received from the upload endpoint.
UploaderDroppedCount Number of events dropped at the uploader layer of telemetry client.
UploaderErrorCount Number of errors received from the upload endpoint.
Vor texFailuresTimeout The number of timeout failures received from Vortex.
Vor texHttpAttempts Number of attempts to contact Vortex.
Vor texHttpFailures4xx Number of 400-499 error codes received from Vortex.
Vor texHttpResponseFailures Number of Vortex responses that are not 2XX or 400.
Vor texHttpResponsesWithDroppedEvents Number of Vortex responses containing at least 1 dropped
event.
TelClientSynthetic.HeartBeat_Agent_5
This event sends data about the health and quality of the diagnostic data from the specified device (agent), to help
ConsumerDroppedCount The number of events dropped at the consumer layer of the diagnostic data
collection client.
ContainerBufferFullDropCount The number of events dropped due to the container buffer being full.
ContainerBufferFullSevilleDropCount The number of “Seville” events dropped due to the container buffer
being full.
CriticalDataThrottleDroppedCount The number of critical data sampled events dropped due to data
throttling.
DecodingDroppedCount The number of events dropped due to decoding failures.
EtwDroppedBufferCount The number of buffers dropped in the ETW (Event Tracing for Windows) session.
EtwDroppedCount The number of events dropped at the ETW (Event Tracing for Windows) layer of the
diagnostic data collection client on the user’s device.
EventsFor wardedToHost The number of events forwarded from agent (device) to host (server).
FullTriggerBufferDroppedCount The number of events dropped due to the trigger buffer being full.
Hear tBeatSequenceNumber The heartbeat sequence number associated with this event.
HostConnectionErrorsCount The number of non-timeout errors encountered in the host (server)/agent
(device) socket transport channel.
HostConnectionTimeoutsCount The number of connection timeouts between the host (server) and agent
(device).
LastHostConnectionError The last error from a connection between host (server) and agent (device).
PreviousHear tBeatTime The timestamp of the last heartbeat event.
ThrottledDroppedCount The number of events dropped due to throttling of “noisy” providers.
TelClientSynthetic.HeartBeat_DevHealthMon_5
This event sends data (for Surface Hub devices) to monitor and ensure the correct functioning of those Surface
Hub devices. This data helps ensure the device is up to date with the latest security and safety features.
Hear tBeatSequenceNumber The heartbeat sequence number associated with this event.
PreviousHear tBeatTime The timestamp of the last heartbeat event.
TelClientSynthetic.LifetimeManager_ConsumerBaseTimestampChange_0
This event sends data when the Windows Diagnostic data collection mechanism detects a timestamp adjustment
for incoming diagnostic events. This data is critical for dealing with time changes during diagnostic data analysis,
to help keep the device up to date.
NewBaseTime The new QPC (Query Performance Counter) base time from ETW (Event Tracing for Windows).
NewSystemTime The new system time of the device.
OldSystemTime The previous system time of the device.
TelClientSynthetic.MatchEngine_ScenarioCompletionThrottled_0
This event sends data when scenario completion is throttled (truncated or otherwise restricted) because the
scenario is excessively large.
MaxHourlyCompletionsSetting The maximum number of scenario completions per hour until throttling
kicks in.
ScenarioId The globally unique identifier (GUID) of the scenario being throttled.
ScenarioName The name of the scenario being throttled.
TelClientSynthetic.OsEvents_BootStatReset_0
This event sends data when the Windows diagnostic data collection mechanism resets the Boot ID. This data helps
ensure Windows is up to date.
BootId The current Boot ID.
ResetReason The reason code for resetting the Boot ID.
TelClientSynthetic.ProducerThrottled_At_TriggerBuffer_0
This event sends data when a producer is throttled due to the trigger buffer exceeding defined thresholds.
BufferSize The size of the trigger buffer.
DataType The type of event that this producer generates (Event Tracing for Windows, Time, Synthetic).
EstSeenCount Estimated total number of inputs determining other “Est…” values.
EstTopEvent1Count The count for estimated “noisiest” event from this producer.
EstTopEvent1Name The name for estimated “noisiest” event from this producer.
EstTopEvent2Count The count for estimated second “noisiest” event from this producer.
EstTopEvent2Name The name for estimated second “noisiest” event from this producer.
Hit The number of events seen from this producer.
IKey The IKey identifier of the producer, if available.
ProviderId The provider ID of the producer being throttled.
ProviderName The provider name of the producer being throttled.
Threshold The threshold crossed, which caused the throttling.
TelClientSynthetic.ProducerThrottled_Event_Rate_0
This event sends data when an event producer is throttled by the Windows Diagnostic data collection mechanism.
This data helps ensure Windows is up to date.
EstSeenCount Estimated total number of inputs determining other “Est…” values.
EstTopEvent1Count The count for estimated “noisiest” event from this producer.
EstTopEvent1Name The name for estimated “noisiest” event from this producer.
EstTopEvent2Count The count for estimated second “noisiest” event from this producer.
EstTopEvent2Name The name for estimated second “noisiest” event from this producer.
EventPerProviderThreshold The trigger point for throttling (value for each provider). This value is only
applied once EventRateThreshold has been met.
EventRateThreshold The total event rate trigger point for throttling.
Hit The number of events seen from this producer.
IKey The IKey identifier of the producer, if available.
ProviderId The provider ID of the producer being throttled.
ProviderName The provider name of the producer being throttled.
TelClientSynthetic.RunExeWithArgsAction_ExeTerminated_0
This event sends data when an executable (EXE) file is terminated during escalation because it exceeded its
maximum runtime (the maximum amount of time it was expected to run). This data helps ensure Windows is up to
date.
ExpandedExeName The expanded name of the executable (EXE) file.
MaximumRuntimeMs The maximum runtime (in milliseconds) for this action.
ScenarioId The globally unique identifier (GUID) of the scenario that was terminated.
ScenarioInstanceId The globally unique identifier (GUID) of the scenario instance that was terminated.
TelClientSynthetic.RunExeWithArgsAction_ProcessReturnedNonZeroExitCode
This event sends data when the RunExe process finishes during escalation, but returns a non-zero exit code. This
data helps ensure Windows is up to date.
ExitCode The exit code of the process
ExpandedExeName The expanded name of the executable (EXE) file.
ScenarioId The globally unique identifier (GUID) of the escalating scenario.
ScenarioInstanceId The globally unique identifier (GUID) of the scenario instance.
TelClientSynthetic.ServiceMain_DevHealthMonEvent
This event is a low latency health alert that is part of the 4Nines device health monitoring feature currently
available on Surface Hub devices. For a device that is opted in, this event is sent before shutdown to signal that the
device is about to be powered down.
DISM events
Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last
successful boot.
dismInstalledLCUPackageName The name of the latest installed package.
Microsoft.Windows.StartRepairCore.DISMPendingInstall
The DISM Pending Install event sends information to report pending package installation found.
dismPendingInstallPackageName The name of the pending package.
Microsoft.Windows.StartRepairCore.DISMRevertPendingActions
errorCode The result code returned by the event.
Microsoft.Windows.StartRepairCore.DISMUninstallLCU
The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU.
Microsoft.Windows.StartRepairCore.SRTRepairActionEnd
The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU.
failedUninstallCount The number of driver updates that failed to uninstall.
failedUninstallFlightIds The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall.
foundDriverUpdateCount The number of found driver updates.
sr tRepairAction The scenario name for a repair.
successfulUninstallCount The number of successfully uninstalled driver updates.
successfulUninstallFlightIds The Flight IDs (identifiers of beta releases) of successfully uninstalled driver
updates.
Microsoft.Windows.StartRepairCore.SRTRepairActionStart
The SRT Repair Action Start event sends information to report repair operation started for given plug-in.
sr tRepairAction The scenario name for a repair.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given
plug-in.
flightIds The Flight IDs (identifier of the beta release) of found driver updates.
sr tRootCauseDiag The scenario name for a diagnosis event.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-
in.
Driver installation events

Microsoft.Windows.DriverInstall.DeviceInstall
This critical event sends information about the driver installation that took place.
ClassGuid The unique ID for the device class.
ClassLowerFilters The list of lower filter class drivers.
ClassUpperFilters The list of upper filter class drivers.
CoInstallers The list of coinstallers.
ConfigFlags The device configuration flags.
DeviceConfigured Indicates whether this device was configured through the kernel configuration.
DeviceInstalled Indicates whether the legacy install code path was used.
DeviceInstanceId The unique identifier of the device in the system.
DeviceStack The device stack of the driver being installed.
DriverDate The date of the driver.
DriverDescription A description of the driver function.
DriverInfName Name of the INF file (the setup information file) for the driver.
DriverInfSectionName Name of the DDInstall section within the driver INF file.
DriverPackageId The ID of the driver package that is staged to the driver store.
DriverProvider The driver manufacturer or provider.
DriverUpdated Indicates whether the driver is replacing an old driver.
DriverVersion The version of the driver file.
EndTime The time the installation completed.
Error Provides the WIN32 error code for the installation.
ExtensionDrivers List of extension drivers that complement this installation.
FinishInstallAction Indicates whether the co-installer invoked the finish-install action.
FinishInstallUI Indicates whether the installation process shows the user interface.
FirmwareDate The firmware date that will be stored in the EFI System Resource Table (ESRT).
FirmwareRevision The firmware revision that will be stored in the EFI System Resource Table (ESRT).
FirmwareVersion The firmware version that will be stored in the EFI System Resource Table (ESRT).
FirstHardwareId The ID in the hardware ID list that provides the most specific device description.
FlightIds A list of the different Windows Insider builds on the device.
GenericDriver Indicates whether the driver is a generic driver.
Inbox Indicates whether the driver package is included with Windows.
InstallDate The date the driver was installed.
LastCompatibleId The ID in the hardware ID list that provides the least specific device description.
LastInstallFunction The last install function invoked in a co-installer if the install timeout was reached while a
co-installer was executing.
LegacyInstallReasonError The error code for the legacy installation.
LowerFilters The list of lower filter drivers.
MatchingDeviceId The hardware ID or compatible ID that Windows used to install the device instance.
NeedReboot Indicates whether the driver requires a reboot.
OriginalDriverInfName The original name of the INF file before it was renamed.
ParentDeviceInstanceId The device instance ID of the parent of the device.
PendedUntilReboot Indicates whether the installation is pending until the device is rebooted.
Problem Error code returned by the device after installation.
ProblemStatus The status of the device after the driver installation.
RebootRequiredReason DWORD (Double Word—32-bit unsigned integer) containing the reason why the
device required a reboot during install.
Secondar yDevice Indicates whether the device is a secondary device.
Ser viceName The service name of the driver.
SessionGuid GUID (Globally Unique IDentifier) for the update session.
SetupMode Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was
completed.
Star tTime The time when the installation started.
SubmissionId The driver submission identifier assigned by the Windows Hardware Development Center.
UpperFilters The list of upper filter drivers.
Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
This event sends data about the driver installation once it is completed.
DriverUpdated Indicates whether the driver was updated.
Error The Win32 error code of the installation.
FlightId The ID of the Windows Insider build the device received.
InstallFlags The driver installation flags.
OptionalData Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs,
etc.)
RebootRequired Indicates whether a reboot is required after the installation.
RollbackPossible Indicates whether this driver can be rolled back.
WuTargetedHardwareId Indicates that the driver was installed because the device hardware ID was targeted
by the Windows Update.
WuUntargetedHardwareId Indicates that the driver was installed because Windows Update performed a
generic driver update for all devices of that hardware class.
Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
This event sends data about the driver that the new driver installation is replacing.
FirstInstallDate The first time a driver was installed on this device.
LastDriverDate Date of the driver that is being replaced.
LastDriverInbox Indicates whether the previous driver was included with Windows.
LastDriverInfName Name of the INF file (the setup information file) of the driver being replaced.
LastDriverVersion The version of the driver that is being replaced.
LastFirmwareDate The date of the last firmware reported from the EFI System Resource Table (ESRT).
LastFirmwareRevision The last firmware revision number reported from EFI System Resource Table (ESRT).
LastFirmwareVersion The last firmware version reported from the EFI System Resource Table (ESRT).
LastInstallDate The date a driver was last installed on this device.
LastMatchingDeviceId The hardware ID or compatible ID that Windows last used to install the device
instance.
LastProblem The previous problem code that was set on the device.
LastProblemStatus The previous problem code that was set on the device.
LastSubmissionId The driver submission identifier of the driver that is being replaced.
DxgKernelTelemetry events
DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
AdapterTypeValue The numeric value indicating the type of Graphics adapter.
aiSeqId The event sequence ID.
bootId The system boot ID.
BrightnessVersionViaDDI The version of the Display Brightness Interface.
ComputePreemptionLevel The maximum preemption level supported by GPU for compute payload.
DedicatedSystemMemor yB The amount of system memory dedicated for GPU use (in bytes).
DedicatedVideoMemor yB The amount of dedicated VRAM of the GPU (in bytes).
Display1UMDFilePath File path to the location of the Display User Mode Driver in the Driver Store.
DisplayAdapterLuid The display adapter LUID.
DriverDate The date of the display driver.
DriverRank The rank of the display driver.
DriverVersion The display driver version.
DriverWorkarounds Numeric value indicating the driver workarounds enabled for this device.
DX10UMDFilePath The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store.
GPUDeviceID The GPU device ID.
GPUPreemptionLevel The maximum preemption level supported by GPU for graphics payload.
GPURevisionID The GPU revision ID.
GPUVendorID The GPU vendor ID.
InterfaceId The GPU interface ID.
IsDisplayDevice Does the GPU have displaying capabilities?
IsHwSchEnabled Boolean value indicating whether hardware scheduling is enabled.
IsHwSchSuppor ted Indicates whether the adapter supports hardware scheduling.
IsHybridDiscrete Does the GPU have discrete GPU capabilities in a hybrid device?
IsHybridIntegrated Does the GPU have integrated GPU capabilities in a hybrid device?
IsLDA Is the GPU comprised of Linked Display Adapters?
IsMiracastSuppor ted Does the GPU support Miracast?
IsMismatchLDA Is at least one device in the Linked Display Adapters chain from a different vendor?
IsMPOSuppor ted Does the GPU support Multi-Plane Overlays?
IsMsMiracastSuppor ted Are the GPU Miracast capabilities driven by a Microsoft solution?
IsPostAdapter Is this GPU the POST GPU in the device?
IsRemovable TRUE if the adapter supports being disabled or removed.
IsRenderDevice Does the GPU have rendering capabilities?
IsSoftwareDevice Is this a software implementation of the GPU?
KMDFilePath The file path to the location of the Display Kernel Mode Driver in the Driver Store.
MeasureEnabled Is the device listening to MICROSOFT_KEYWORD_MEASURES?
NumVidPnSources The number of supported display output sources.
NumVidPnTargets The number of supported display output targets.
SharedSystemMemor yB The amount of system memory shared by GPU and CPU (in bytes).
SubSystemID The subsystem ID.
SubVendorID The GPU sub vendor ID.
Telemetr yEnabled Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
TelInvEvntTrigger What triggered this event to be logged? Example: 0 (GPU enumeration) or 1
(DxgKrnlTelemetry provider toggling)
version The event version.
WDDMVersion The Windows Display Driver Model version.
Failover Clustering events

Microsoft.Windows.Server.FailoverClusteringCritical.ClusterSummary2
This event returns information about how many resources and of what type are in the server cluster. This data is
collected to keep Windows Server safe, secure, and up to date. The data includes information about whether
hardware is configured correctly, if the software is patched correctly, and assists in preventing crashes by
attributing issues (like fatal errors) to workloads and system configurations.
autoAssignSite The cluster parameter: auto site.
autoBalancerLevel The cluster parameter: auto balancer level.
autoBalancerMode The cluster parameter: auto balancer mode.
blockCacheSize The configured size of the block cache.
ClusterAdConfiguration The ad configuration of the cluster.
clusterAdType The cluster parameter: mgmt_point_type.
clusterDumpPolicy The cluster configured dump policy.
clusterFunctionalLevel The current cluster functional level.
clusterGuid The unique identifier for the cluster.
clusterWitnessType The witness type the cluster is configured for.
countNodesInSite The number of nodes in the cluster.
crossSiteDelay The cluster parameter: CrossSiteDelay.
crossSiteThreshold The cluster parameter: CrossSiteThreshold.
crossSubnetDelay The cluster parameter: CrossSubnetDelay.
crossSubnetThreshold The cluster parameter: CrossSubnetThreshold.
csvCompatibleFilters The cluster parameter: ClusterCsvCompatibleFilters.
csvIncompatibleFilters The cluster parameter: ClusterCsvIncompatibleFilters.
csvResourceCount The number of resources in the cluster.
currentNodeSite The name configured for the current site for the cluster.
dasModeBusType The direct storage bus type of the storage spaces.
downLevelNodeCount The number of nodes in the cluster that are running down-level.
drainOnShutdown Specifies whether a node should be drained when it is shut down.
dynamicQuorumEnabled Specifies whether dynamic Quorum has been enabled.
enforcedAntiAffinity The cluster parameter: enforced anti affinity.
genAppNames The win32 service name of a clustered service.
genSvcNames The command line of a clustered genapp.
hangRecover yAction The cluster parameter: hang recovery action.
hangTimeOut Specifies the “hang time out” parameter for the cluster.
isCalabria Specifies whether storage spaces direct is enabled.
isMixedMode Identifies if the cluster is running with different version of OS for nodes.
isRunningDownLevel Identifies if the current node is running down-level.
logLevel Specifies the granularity that is logged in the cluster log.
logSize Specifies the size of the cluster log.
lowerQuorumPriorityNodeId The cluster parameter: lower quorum priority node ID.
minNeverPreempt The cluster parameter: minimum never preempt.
minPreemptor The cluster parameter: minimum preemptor priority.
netftIpsecEnabled The parameter: netftIpsecEnabled.
NodeCount The number of nodes in the cluster.
nodeId The current node number in the cluster.
nodeResourceCounts Specifies the number of node resources.
nodeResourceOnlineCounts Specifies the number of node resources that are online.
numberOfSites The number of different sites.
numNodesInNoSite The number of nodes not belonging to a site.
plumbAllCrossSubnetRoutes The cluster parameter: plumb all cross subnet routes.
preferredSite The preferred site location.
privateCloudWitness Specifies whether a private cloud witness exists for this cluster.
quarantineDuration The quarantine duration.
quarantineThreshold The quarantine threshold.
quorumArbitrationTimeout In the event of an arbitration event, this specifies the quorum timeout period.
resiliencyLevel Specifies the level of resiliency.
resourceCounts Specifies the number of resources.
resourceTypeCounts Specifies the number of resource types in the cluster.
resourceTypes Data representative of each resource type.
resourceTypesPath Data representative of the DLL path for each resource type.
sameSubnetDelay The cluster parameter: same subnet delay.
sameSubnetThreshold The cluster parameter: same subnet threshold.
secondsInMixedMode The amount of time (in seconds) that the cluster has been in mixed mode (nodes with
different operating system versions in the same cluster).
securityLevel The cluster parameter: security level.
securityLevelForStorage The cluster parameter: security level for storage.
sharedVolumeBlockCacheSize Specifies the block cache size for shared for shared volumes.
shutdownTimeoutMinutes Specifies the amount of time it takes to time out when shutting down.
upNodeCount Specifies the number of nodes that are up (online).
useClientAccessNetworksForCsv The cluster parameter: use client access networks for CSV.
vmIsolationTime The cluster parameter: VM isolation time.
witnessDatabaseWriteTimeout Specifies the timeout period for writing to the quorum witness database.
Fault Reporting events

Microsoft.Windows.FaultReporting.AppCrashEvent
This event sends data about crashes for both native and managed applications, to help keep Windows up to date.
The data includes information about the crashing process and a summary of its exception record. It does not
contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting
(WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will
contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash
being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or
FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered
crashes" by a user DO NOT emit this event.
AppName The name of the app that has crashed.
AppSessionGuid GUID made up of process ID and is used as a correlation vector for process instances in the
telemetry backend.
AppTimeStamp The date/time stamp of the app.
AppVersion The version of the app that has crashed.
ExceptionCode The exception code returned by the process that has crashed.
ExceptionOffset The address where the exception had occurred.
Flags Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do
not terminate the process after reporting.
FriendlyAppName The description of the app that has crashed, if different from the AppName. Otherwise, the
process name.
IsFatal True/False to indicate whether the crash resulted in process termination.
ModName Exception module name (e.g. bar.dll).
ModTimeStamp The date/time stamp of the module.
ModVersion The version of the module that has crashed.
PackageFullName Store application identity.
PackageRelativeAppId Store application identity.
ProcessArchitecture Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_*
constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9:
PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
ProcessCreateTime The time of creation of the process that has crashed.
ProcessId The ID of the process that has crashed.
Repor tId A GUID used to identify the report. This can used to track the report across Watson.
TargetAppId The kernel reported AppId of the application being reported.
TargetAppVer The specific version of the application being reported
TargetAsId The sequence number for the hanging process.
Feature update events

Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues
preventing customers from reverting to a known state.
failureReason Provides data about the uninstall initialization operation failure.
hr Provides the Win32 error code for the operation failure.
Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
This event indicates that the uninstall was properly configured and that a system reboot was initiated.
Hang Reporting events

Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It
does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error
Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER
event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the
hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only
once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g.
PLM/RM/EM) as Watson Generics and will not produce AppHang events.
AppName The name of the app that has hung.
AppSessionGuid GUID made up of process id used as a correlation vector for process instances in the
telemetry backend.
AppVersion The version of the app that has hung.
IsFatal True/False based on whether the hung application caused the creation of a Fatal Hang Report.
ProcessArchitecture Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_*
ProcessCreateTime The time of creation of the process that has hung.
ProcessId The ID of the process that has hung.
TargetAppVer The specific version of the application being reported.
TypeCode Bitmap describing the hang type.
WaitingOnAppName If this is a cross process hang waiting for an application, this has the name of the
application.
WaitingOnAppVersion If this is a cross process hang, this has the version of the application for which it is
waiting.
WaitingOnPackageFullName If this is a cross process hang waiting for a package, this has the full name of
the package for which it is waiting.
WaitingOnPackageRelativeAppId If this is a cross process hang waiting for a package, this has the relative
application id of the package.
Holographic events
Microsoft.Windows.Analog.Spectrum.TelemetryHolographicDeviceAdded
This event indicates Windows Mixed Reality device state. This event is also used to count WMR device.
ClassGuid Windows Mixed Reality device class GUID.
DeviceInterfaceId Windows Mixed Reality device interface ID.
DeviceName Windows Mixed Reality device name.
DriverVersion Windows Mixed Reality device driver version.
FirmwareVersion Windows Mixed Reality firmware version.
Manufacturer Windows Mixed Reality device manufacturer.
ModelName Windows Mixed Reality device model name.
SerialNumber Windows Mixed Reality device serial number.
Microsoft.Windows.Holographic.Coordinator.HoloShellStateUpdated
This event indicates Windows Mixed Reality HoloShell State. This event is also used to count WMR device.
HmdState Windows Mixed Reality Headset HMD state.
NewHoloShellState Windows Mixed Reality HoloShell state.
PriorHoloShellState Windows Mixed Reality state prior to entering to HoloShell.
SimulationEnabled Windows Mixed Reality Simulation state.
Microsoft.Windows.Shell.HolographicFirstRun.AppActivated
This event indicates Windows Mixed Reality Portal app activation state. This event also used to count WMR device.
IsDemoMode Windows Mixed Reality Portal app state of demo mode.
IsDeviceSetupComplete Windows Mixed Reality Portal app state of device setup completion.
PackageVersion Windows Mixed Reality Portal app package version.
PreviousExecutionState Windows Mixed Reality Portal app prior execution state.
wilActivity Windows Mixed Reality Portal app wilActivity ID. See wilActivity.
Microsoft.Windows.Shell.HolographicFirstRun.AppLifecycleService_Resuming
This event indicates Windows Mixed Reality Portal app resuming. This event is also used to count WMR device.
TraceLoggingOasisUsbHostApiProvider.DeviceInformation
This event provides Windows Mixed Reality device information. This event is also used to count WMR device and
device type.
BootloaderMajorVer Windows Mixed Reality device boot loader major version.
BootloaderMinorVer Windows Mixed Reality device boot loader minor version.
BootloaderRevisionNumber Windows Mixed Reality device boot loader revision number.
BTHFWMajorVer Windows Mixed Reality device BTHFW major version. This event also used to count WMR
device.
BTHFWMinorVer Windows Mixed Reality device BTHFW minor version. This event also used to count WMR
device.
BTHFWRevisionNumber Windows Mixed Reality device BTHFW revision number.
CalibrationBlobSize Windows Mixed Reality device calibration blob size.
CalibrationFwMajorVer Windows Mixed Reality device calibration firmware major version.
CalibrationFwMinorVer Windows Mixed Reality device calibration firmware minor version.
CalibrationFwRevNum Windows Mixed Reality device calibration firmware revision number.
DeviceInfoFlags Windows Mixed Reality device info flags.
DeviceName Windows Mixed Reality device Name. This event is also used to count WMR device.
DeviceReleaseNumber Windows Mixed Reality device release number.
FirmwareMajorVer Windows Mixed Reality device firmware major version.
FirmwareMinorVer Windows Mixed Reality device firmware minor version.
FirmwareRevisionNumber Windows Mixed Reality device calibration firmware revision number.
FpgaFwMajorVer Windows Mixed Reality device FPGA firmware major version.
FpgaFwMinorVer Windows Mixed Reality device FPGA firmware minor version.
FpgaFwRevisionNumber Windows Mixed Reality device FPGA firmware revision number.
FriendlyName Windows Mixed Reality device friendly name.
HashedSerialNumber Windows Mixed Reality device hashed serial number.
HeaderSize Windows Mixed Reality device header size.
HeaderVersion Windows Mixed Reality device header version.
LicenseKey Windows Mixed Reality device header license key.
Make Windows Mixed Reality device make.
ManufacturingDate Windows Mixed Reality device manufacturing date.
Model Windows Mixed Reality device model.
PresenceSensorHidVendorPage Windows Mixed Reality device presence sensor HID vendor page.
PresenceSensorHidVendorUsage Windows Mixed Reality device presence sensor HID vendor usage.
PresenceSensorUsbVid Windows Mixed Reality device presence sensor USB VId.
ProductBoardRevision Windows Mixed Reality device product board revision number.
SerialNumber Windows Mixed Reality device serial number.
Inventory events
Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
This event captures basic checksum data about the device inventory items stored in the cache for use in
validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change
over time, but they will always represent a count of a given object.
Device A count of device objects in cache.
DeviceCensus A count of device census objects in cache.
DriverPackageExtended A count of driverpackageextended objects in cache.
File A count of file objects in cache.
FileSigningInfo A count of file signing objects in cache.
Generic A count of generic objects in cache.
HwItem A count of hwitem objects in cache.
Inventor yApplication A count of application objects in cache.
Inventor yApplicationAppV A count of application AppV objects in cache.
Inventor yApplicationDriver A count of application driver objects in cache
Inventor yApplicationFile A count of application file objects in cache.
Inventor yApplicationFramework A count of application framework objects in cache
Inventor yApplicationShor tcut A count of application shortcut objects in cache
Inventor yDeviceInterface A count of Plug and Play device interface objects in cache.
Inventor yDeviceMediaClass A count of device media objects in cache.
Inventor yDeviceUsbHubClass A count of device usb objects in cache
Inventor yMiscellaneousOfficeAddIn A count of office add-in objects in cache
Inventor yMiscellaneousOfficeAddInUsage A count of office add-in usage objects in cache.
Inventor yMiscellaneousOfficeIdentifiers A count of office identifier objects in cache
Inventor yMiscellaneousOfficeIESettings A count of office ie settings objects in cache
Inventor yMiscellaneousOfficeInsights A count of office insights objects in cache
Inventor yMiscellaneousOfficeProducts A count of office products objects in cache
Inventor yMiscellaneousOfficeSettings A count of office settings objects in cache
Inventor yMiscellaneousOfficeVBA A count of office vba objects in cache
Inventor yMiscellaneousOfficeVBARuleViolations A count of office vba rule violations objects in cache
Inventor yMiscellaneousUUPInfo A count of uup info objects in cache
Inventor yVersion The version of the inventory file generating the events.
Metadata A count of metadata objects in cache.
Orphan A count of orphan file objects in cache.
Programs A count of program objects in cache.
Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
This event sends inventory component versions for the Device Inventory data.
aeinv The version of the App inventory component.
devinv The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
This event enumerates the signatures of files, either driver packages or application executables. For driver
packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages,
saving time for the client and space on the server. For applications, this data is collected for up to 10 random
executables on a system.
CatalogSigners Signers from catalog. Each signer starts with Chain.
DigestAlgorithm The pseudonymizing (hashing) algorithm used when the file or package was signed.
DriverPackageStrongName Optional. Available only if FileSigningInfo is collected on a driver package.
EmbeddedSigners Embedded signers. Each signer starts with Chain.
FileName The file name of the file whose signatures are listed.
FileType Either exe or sys, depending on if a driver package or application executable.
Thumbprint Comma separated hash of the leaf node of each signer. Semicolon is used to separate
CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
This event sends basic metadata about an application on the system to help keep Windows up to date.
HiddenArp Indicates whether a program hides itself from showing up in ARP.
InstallDate The date the application was installed (a best guess based on folder creation date heuristics).
InstallDateArpLastModified The date of the registry ARP key for a given application. Hints at install date but
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array.
InstallDateMsi The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
Language The language code of the program.
MsiPackageCode A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an
MsiPackage.
MsiProductCode A GUID that describe the MSI Product.
Name The name of the application.
OSVersionAtInstallTime The four octets from the OS version at the time of the application's install.
PackageFullName The package full name for a Store application.
ProgramInstanceId A hash of the file IDs in an app.
Publisher The Publisher of the application. Location pulled from depends on the 'Source' field.
RootDirPath The path to the root directory where the program was installed.
Source How the program was installed (for example, ARP, MSI, Appx).
StoreAppType A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
Type One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app,
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is
a service. Application and BOE are the ones most likely seen.
Version The version number of the program.
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
This event represents what drivers an application installs.
Inventor yVersion The version of the inventory component
ProgramIds The unique program identifier the driver is associated with
Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd
events will be sent.
Inventor yVersion The version of the inventory component.
Microsoft.Windows.Inventory.Core.InventoryApplicationFileAdd
This event provides file-level information about the applications that exist on the system. This event is used to
understand the applications on a device to determine if those applications will experience compatibility issues
when upgrading Windows.
Binar yType The architecture of the binary (executable) file.
BinFileVersion Version information for the binary (executable) file.
BinProductVersion The product version provided by the binary (executable) file.
BoeProgramId The “bag of evidence” program identifier.
CompanyName The company name included in the binary (executable) file.
FileId A pseudonymized (hashed) unique identifier derived from the file itself.
FileVersion The version of the file.
Language The language declared in the binary (executable) file.
LinkDate The compiler link date.
LowerCaseLongPath The file path in “long” format.
Name The file name.
ProductName The product name declared in the binary (executable) file.
ProductVersion The product version declared in the binary (executable) file.
ProgramId The program identifier associated with the binary (executable) file.
Size The size of the binary (executable) file.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
This event provides the basic metadata about the frameworks an application may depend on.
Frameworks The list of frameworks this file depends on.
Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
This event indicates that a new set of InventoryApplicationAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and
Play device) to help keep Windows up to date.
Categories A comma separated list of functional categories in which the container belongs.
Discover yMethod The discovery method for the device container.
FriendlyName The name of the device container.
IsActive Is the device connected, or has it been seen in the last 14 days?
IsConnected For a physically attached device, this value is the same as IsPresent. For wireless a device, this
value represents a communication link.
IsMachineContainer Is the container the root device itself?
IsNetworked Is this a networked device?
IsPaired Does the device container require pairing?
Manufacturer The manufacturer name for the device container.
ModelId A unique model ID.
ModelName The model name.
ModelNumber The model number for the device container.
Primar yCategor y The primary category for the device container.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
This event indicates that the InventoryDeviceContainer object is no longer present.
Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
This event retrieves information about what sensor interfaces are available on the device.
Accelerometer3D Indicates if an Accelerator3D sensor is found.
ActivityDetection Indicates if an Activity Detection sensor is found.
AmbientLight Indicates if an Ambient Light sensor is found.
Barometer Indicates if a Barometer sensor is found.
Custom Indicates if a Custom sensor is found.
EnergyMeter Indicates if an Energy sensor is found.
FloorElevation Indicates if a Floor Elevation sensor is found.
GeomagneticOrientation Indicates if a Geo Magnetic Orientation sensor is found.
GravityVector Indicates if a Gravity Detector sensor is found.
Gyrometer3D Indicates if a Gyrometer3D sensor is found.
Humidity Indicates if a Humidity sensor is found.
LinearAccelerometer Indicates if a Linear Accelerometer sensor is found.
Magnetometer3D Indicates if a Magnetometer3D sensor is found.
Orientation Indicates if an Orientation sensor is found.
Pedometer Indicates if a Pedometer sensor is found.
Proximity Indicates if a Proximity sensor is found.
RelativeOrientation Indicates if a Relative Orientation sensor is found.
SimpleDeviceOrientation Indicates if a Simple Device Orientation sensor is found.
Temperature Indicates if a Temperature sensor is found.
Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to
help keep Windows up to date while reducing overall size of data payload.
Audio.CaptureDriver The capture driver endpoint for the audio device.
Audio.RenderDriver The render driver for the audio device.
Audio_CaptureDriver The Audio device capture driver endpoint.
Audio_RenderDriver The Audio device render driver endpoint.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
This event sends basic metadata about a PNP device and its associated driver to help keep Windows up to date.
This information is used to assess if the PNP device and driver will remain compatible when upgrading Windows.
BusRepor tedDescription The description of the device reported by the bux.
Class The device setup class of the driver loaded for the device.
ClassGuid The device class GUID from the driver package
COMPID The device setup class guid of the driver loaded for the device.
ContainerId The list of compat ids for the device.
Description System-supplied GUID that uniquely groups the functional devices associated with a single-
function or multifunction device installed in the computer.
DeviceDriverFlightId The test build (Flight) identifier of the device driver.
DeviceExtDriversFlightIds The test build (Flight) identifier for all extended device drivers.
DeviceInterfaceClasses The device interfaces that this device implements.
DeviceState The device description.
DriverId DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for
container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004
(currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010
(currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040.
DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100.
DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96
(0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
DriverName A unique identifier for the driver installed.
DriverPackageStrongName The immediate parent directory name in the Directory field of
InventoryDriverPackage
DriverVerDate Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
DriverVerVersion The immediate parent directory name in the Directory field of InventoryDriverPackage.
Enumerator The date of the driver loaded for the device.
ExtendedInfs The extended INF file names.
FirstInstallDate The first time this device was installed on the machine.
HWID The version of the driver loaded for the device.
Inf The bus that enumerated the device.
InstallDate The date of the most recent installation of the device on the machine.
InstallState The device installation state. One of these values:
https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
Inventor yVersion List of hardware ids for the device.
LowerClassFilters Lower filter class drivers IDs installed for the device
LowerFilters Lower filter drivers IDs installed for the device
Manufacturer INF file name (the name could be renamed by OS, such as oemXX.inf)
MatchingID Device installation state.
Model The version of the inventory binary generating the events.
ParentId Lower filter class drivers IDs installed for the device.
ProblemCode Lower filter drivers IDs installed for the device.
Provider The device manufacturer.
Ser vice The device service name
STACKID Represents the hardware ID or compatible ID that Windows uses to install a device instance.
UpperClassFilters Upper filter drivers IDs installed for the device
UpperFilters The device model.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
This event indicates that the InventoryDevicePnpRemove object is no longer present.
Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
This event sends basic metadata about the USB hubs on the device.
TotalUserConnectablePor ts Total number of connectable USB ports.
TotalUserConnectableTypeCPor ts Total number of connectable USB Type C ports.
Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
This event provides the basic metadata about driver binaries running on the system.
DriverCheckSum The checksum of the driver file.
DriverCompany The company name that developed the driver.
DriverInBox Is the driver included with the operating system?
DriverIsKernelMode Is it a kernel mode driver?
DriverName The file name of the driver.
DriverPackageStrongName The strong name of the driver package
DriverSigned The strong name of the driver package
DriverTimeStamp The low 32 bits of the time stamp of the driver file.
DriverType A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define
DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define
DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define
DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8.
define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE
0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64
0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define
DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15.
define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED
0x800000.
ImageSize The size of the driver file.
Inf The name of the INF file.
Product The product name that is included in the driver file.
ProductVersion The product version that is included in the driver file.
Ser vice The name of the service that is installed for the device.
WdfVersion The Windows Driver Framework version.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
This event indicates that the InventoryDriverBinary object is no longer present.
Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
Class The class name for the device driver.
ClassGuid The class GUID for the device driver.
Date The driver package date.
Director y The path to the driver package.
Inf The INF name of the driver package.
Provider The provider for the driver package.
SubmissionId The HLK submission ID for the driver package.
Version The version of the driver package.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
This event indicates that the InventoryDriverPackageRemove object is no longer present.
Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the
beginning of the event download, and that tracing should begin.
key The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end
of the event download, and that tracing should end.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
Provides data on the installed Office Add-ins.
AddinCLSID The class identifier key for the Microsoft Office add-in.
AddInId The identifier for the Microsoft Office add-in.
AddinType The type of the Microsoft Office add-in.
BinFileTimestamp The timestamp of the Office add-in.
BinFileVersion The version of the Microsoft Office add-in.
Description Description of the Microsoft Office add-in.
FileId The file identifier of the Microsoft Office add-in.
FileSize The file size of the Microsoft Office add-in.
FriendlyName The friendly name for the Microsoft Office add-in.
FullPath The full path to the Microsoft Office add-in.
Inventor yVersion The version of the inventory binary generating the events.
LoadBehavior Integer that describes the load behavior.
LoadTime Load time for the Office add-in.
OfficeApplication The Microsoft Office application associated with the add-in.
OfficeArchitecture The architecture of the add-in.
OfficeVersion The Microsoft Office version for this add-in.
OutlookCrashingAddin Indicates whether crashes have been found for this add-in.
ProductCompany The name of the company associated with the Office add-in.
ProductName The product name associated with the Microsoft Office add-in.
ProductVersion The version associated with the Office add-in.
ProgramId The unique program identifier of the Microsoft Office add-in.
Provider Name of the provider for this add-in.
Usage Data about usage for the add-in.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
Indicates that this particular data object represented by the objectInstanceId is no longer present.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
This event indicates that a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
Provides data on the Office identifiers.
OAudienceData Sub-identifier for Microsoft Office release management, identifying the pilot group for a
device
OAudienceId Microsoft Office identifier for Microsoft Office release management, identifying the pilot group
for a device
OMID Identifier for the Office SQM Machine
OPlatform Whether the installed Microsoft Office product is 32-bit or 64-bit
OTenantId Unique GUID representing the Microsoft O365 Tenant
OVersion Installed version of Microsoft Office. For example, 16.0.8602.1000
OWowMID Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft
Office on 64-bit Windows)
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
Diagnostic event to indicate a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
Provides data on Office-related Internet Explorer features.
OIeFeatureAddon Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on
management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the
user or by administrative group policy will also be disabled in applications that enable this feature.
OIeMachineLockdown Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on
content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
OIeMimeHandling Flag indicating which Microsoft Office products have this setting enabled. When the
FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely.
Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeMimeSniffing Flag indicating which Microsoft Office products have this setting enabled. Determines a
file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to
render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each
security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
OIeNoAxInstall Flag indicating which Microsoft Office products have this setting enabled. When a webpage
attempts to load or install an ActiveX control that isn't already installed, the
FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an
ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
OIeNoDownload Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that
display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click
or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
OIeObjectCaching Flag indicating which Microsoft Office products have this setting enabled. When enabled,
the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls
cached from different domains or security contexts
OIePasswordDisable Flag indicating which Microsoft Office products have this setting enabled. After
Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows
usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other
protocols, such as FTP, still allow usernames and passwords
OIeSafeBind Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to
create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if
COMPAT_EVIL_DONT_LOAD is in the registry for the control
OIeSecurityBand Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled,
the Information bar appears when file download or code installation is restricted
OIeUncSaveCheck Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from
network locations that have been shared by using the Universal Naming Convention (UNC)
OIeValidateUrl Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a
badly formed URL
OIeWebOcPopup Flag indicating which Microsoft Office products have this setting enabled. The
FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to
receive the default Internet Explorer pop-up window management behavior
OIeWinRestrict Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup
windows
OIeZoneElevate Flag indicating which Microsoft Office products have this setting enabled. When enabled, the
FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security
zone unless the navigation is generated by the user
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
This event provides insight data on the installed Office products
OfficeApplication The name of the Office application.
OfficeArchitecture The bitness of the Office application.
OfficeVersion The version of the Office application.
Value The insights collected about this entity.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
This diagnostic event indicates that a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
Describes Office Products installed.
OC2rApps A GUID the describes the Office Click-To-Run apps
OC2rSkus Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example,
Office 2016 ProPlus
OMsiApps Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft
Word
OProductCodes A GUID that describes the Office MSI products
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
This event describes various Office settings
BrowserFlags Browser flags for Office-related products.
ExchangeProviderFlags Provider policies for Office Exchange.
SharedComputerLicensing Office shared computer licensing policies.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
Indicates a new sync is being generated for this object type.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
This event provides a summary rollup count of conditions encountered while performing a local scan of Office
files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus,
and between 32 and 64-bit versions
Design Count of files with design issues found.
Design_x64 Count of files with 64 bit design issues found.
DuplicateVBA Count of files with duplicate VBA code.
HasVBA Count of files with VBA code.
Inaccessible Count of files that were inaccessible for scanning.
Issues Count of files with issues detected.
Issues_x64 Count of files with 64-bit issues detected.
IssuesNone Count of files with no issues detected.
IssuesNone_x64 Count of files with no 64-bit issues detected.
Locked Count of files that were locked, preventing scanning.
NoVBA Count of files with no VBA inside.
Protected Count of files that were password protected, preventing scanning.
RemLimited Count of files that require limited remediation changes.
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues.
RemSignificant Count of files that require significant remediation changes.
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues.
Score Overall compatibility score calculated for scanned content.
Score_x64 Overall 64-bit compatibility score calculated for scanned content.
Total Total number of files scanned.
Validation Count of files that require additional manual validation.
Validation_x64 Count of files that require additional manual validation for 64-bit issues.
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving
an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated
with the validation rule
Count Count of total Microsoft Office VBA rule violations
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
Provides data on Unified Update Platform (UUP) products and what version they are at.
Identifier UUP identifier
LastActivatedVersion Last activated version
PreviousVersion Previous version
Source UUP source
Version UUP version
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
Microsoft.Windows.Inventory.Indicators.Checksum
This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
ChecksumDictionar y A count of each operating system indicator.
PCFP Equivalent to the InventoryId field that is found in other core events.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
These events represent the basic metadata about the OS indicators installed on the system which are used for
keeping the device up to date.
IndicatorValue The indicator value.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent. This data
helps ensure the device is up to date.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been
removed.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
IoT events
Microsoft.Windows.IoT.Client.CEPAL.MonitorStarted
This event identifies Windows Internet of Things (IoT) devices which are running the CE PAL subsystem by sending
data during CE PAL startup.
Kernel events
IO
This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon
system startup.
BytesRead The total number of bytes read from or read by the OS upon system startup.
BytesWritten The total number of bytes written to or written by the OS upon system startup.
Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
OS information collected during Boot, used to evaluate the success of the upgrade process.
BootApplicationId This field tells us what the OS Loader Application Identifier is.
BootAttemptCount The number of consecutive times the boot manager has attempted to boot into this
operating system.
BootSequence The current Boot ID, used to correlate events related to a particular boot session.
BootStatusPolicy Identifies the applicable Boot Status Policy.
BootType Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
EventTimestamp Seconds elapsed since an arbitrary time point. This can be used to identify the time
difference in successive boot attempts being made.
FirmwareResetReasonEmbeddedController Reason for system reset provided by firmware.
FirmwareResetReasonEmbeddedControllerAdditional Additional information on system reset reason
provided by firmware if needed.
FirmwareResetReasonPch Reason for system reset provided by firmware.
FirmwareResetReasonPchAdditional Additional information on system reset reason provided by firmware
if needed.
FirmwareResetReasonSupplied Flag indicating that a reason for system reset was provided by firmware.
IO Amount of data written to and read from the disk by the OS Loader during boot. See IO.
LastBootSucceeded Flag indicating whether the last boot was successful.
LastShutdownSucceeded Flag indicating whether the last shutdown was successful.
MaxAbove4GbFreeRange This field describes the largest memory range available above 4Gb.
MaxBelow4GbFreeRange This field describes the largest memory range available below 4Gb.
MeasuredLaunchCapable Indicates the system is capable of booting with Dynamic Root of Trust for
Measurement (DRTM) support.
MeasuredLaunchPrepared This field tells us if the OS launch was initiated using Measured/Secure Boot over
DRTM (Dynamic Root of Trust for Measurement).
MeasuredLaunchResume This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when
resuming from hibernation.
MenuPolicy Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
Recover yEnabled Indicates whether recovery is enabled.
TcbLaunch Indicates whether the Trusted Computing Base was used during the boot flow.
UserInputTime The amount of time the loader application spent waiting for user input.
Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
This critical device configuration event provides information about drivers for a driver installation that took place
within the kernel.
DeviceInstanceId The unique ID for the device on the system.
DriverFlightIds The IDs for the driver flights.
DriverInfName Driver INF file name.
DriverSubmissionId The driver submission ID assigned by the hardware developer center.
DriverVersion The driver version number.
ExtensionDrivers The list of extension driver INF files, extension IDs, and associated flight IDs.
InboxDriver Indicates whether the driver package is included with Windows.
InstallDate Date the driver was installed.
Legacy Indicates whether the driver is a legacy driver.
SetupMode Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
StatusCode The NTSTATUS of device configuration operation.
Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
This event is sent when a problem code is cleared from a device.
Count The total number of events.
DeviceInstanceId The unique identifier of the device on the system.
LastProblem The previous problem that was cleared.
LastProblemStatus The previous NTSTATUS value that was cleared.
Ser viceName The name of the driver or service attached to the device.
Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
This event is sent when a new problem code is assigned to a device.
LastProblemStatus The previous NTSTATUS value that was set on the device.
Problem The new problem code that was set on the device.
ProblemStatus The new NTSTATUS value that was set on the device.
Ser viceName The driver or service name that is attached to the device.
Microsoft.Windows.Kernel.Power.PreviousShutdownWasThermalShutdown
This event sends Product and Service Performance data on which area of the device exceeded safe temperature
limits and caused the device to shutdown. This information is used to ensure devices are behaving as they are
expected to.
temperature Contains the actual temperature measurement, in tenths of degrees Kelvin, for the area that
exceeded the limit.
thermalZone Contains an identifier that specifies which area it was that exceeded temperature limits.
Microsoft Edge events

Aria.160f0649efde47b7832f05ed000fc453.Microsoft.WebBrowser.SystemInfo.Config
This event sends basic device connectivity and configuration information from Microsoft Edge about the current
data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
app_version The internal Microsoft Edge build version string.
appConsentState Bit flags that describe the consent for data collection on the device, or zero if the state was
not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was
communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted
(0x40000).
Channel An integer indicating the channel of the installation (Canary or Dev).
client_id A non-durable unique identifier with which all other diagnostic client data is associated. This value is
reset whenever UMA data collection is disabled, or when the application is uninstalled.
ConnectionType The first reported type of network connection currently connected. Possible values:
Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
container_client_id The client ID of the container if the device is in Windows Defender Application Guard
mode.
container_session_id The session ID of the container if the device is in Windows Defender Application Guard
mode.
Etag Etag is an identifier representing all service applied configurations and experiments for the current
browser session. There is not value in this field is the device is at the Basic diagnostic data level.
EventInfo.Level The minimum Windows diagnostic data level required for the event. Possible values: 1 --
Basic, 2 -- Enhanced, 3 -- Full
install_date The date and time of the most recent installation in seconds since midnight on January 1, 1970
UTC, rounded down to the nearest hour.
installSource An enumeration representing the source of this installation. Possible values: source was not
retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater
(5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line
(11), reserved (12), unknown source (13).
PayloadClass The base class used to serialize and deserialize the Protobuf binary payload.
PayloadGUID A random identifier generated for each original monolithic Protobuf payload, before the payload
is potentially broken up into manageably-sized chunks for transmission.
PayloadLogType The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 --
On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
session_id An ordered identifier that is guaranteed to be greater than the previous session identifier each time
the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded
during the initial installation of the application. session_id is effectively unique per client_id value. Several other
internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The
session_id value is forgotten when the application is uninstalled, but not during an upgrade.
Aria.29e24d069f27450385c7acaa2f07e277.Microsoft.WebBrowser.SystemInfo.Config
(0x40000).
mode.
mode.
Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config
(0x40000).
mode.
mode.
Aria.754de735ccd546b28d0bfca8ac52c3de.Microsoft.WebBrowser.SystemInfo.Config
This config event sends basic device connectivity and configuration information from Microsoft Edge about the
current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
(0x40000).
mode.
mode.
Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft
Edge applications, and the current system environment, including app configuration, update configuration, and
hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if
Microsoft Edge applications are up to date.
appAp Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters
identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
appAppId The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge
Update.
appBrandCode The 4-digit brand code under which the the product was installed, if any. Possible values:
'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
appChannel An integer indicating the channel of the installation (e.g. Canary or Dev).
appClientId A generalized form of the brand code that can accept a wider range of values and is used for
similar purposes. Default: ''.
appCohor t A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII
characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
appCohor tHint A machine-readable enum indicating that the client has a desire to switch to a different
release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters.
Default: ''.
appCohor tName A stable non-localized human-readable enum indicating which (if any) set of messages the
app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific
branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024
characters. Default: ''.
appConsentState Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the
affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates
data originated from the download page, bit 18 indicates choice for sending data about how the browser is
used, and bit 19 indicates choice for sending data about websites visited.
appDayOfInstall The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that
the app was installed on). This value is provided by the server in the response to the first request in the
installation flow. Default: '-2' (Unknown).
appExperiments A semicolon-delimited key/value list of experiment identifiers and treatment groups. This
field is unused and always empty in Edge Update. Default: ''.
appInstallTimeDiffSec The difference between the current time and the install date in seconds. '0' if
unknown. Default: '-1'.
appLang The language of the product install, in IETF BCP 47 representation. Default: ''.
appNextVersion The version of the app that the update attempted to reach, regardless of the success or
failure of the update operation. Default: '0.0.0.0'.
appPingEventAppSize The total number of bytes of all downloaded packages. Default: '0'.
appPingEventDownloadMetricsDownloadedBytes For events representing a download, the number of
bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected
bytes over the course of the update flow. Default: '0'.
appPingEventDownloadMetricsDownloader A string identifying the download algorithm and/or stack.
Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only.
Default: ''.
appPingEventDownloadMetricsDownloadTimeMs For events representing a download, the time elapsed
between the start of the download and the end of the download, in milliseconds. For events representing an
entire update flow, the sum of all such download times over the course of the update flow. Sent in events that
have an event type of '1', '2', '3', and '14' only. Default: '0'.
appPingEventDownloadMetricsError The error code (if any) of the operation, encoded as a signed base-10
integer. Default: '0'.
appPingEventDownloadMetricsSer verIpHint For events representing a download, the CDN Host IP
address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always
maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
appPingEventDownloadMetricsTotalBytes For events representing a download, the number of bytes
expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes
over the course of the update flow. Default: '0'.
appPingEventDownloadMetricsUrl For events representing a download, the CDN URL provided by the
update server for the client to download the update, the URL is controlled by Microsoft servers and always
maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
appPingEventDownloadTimeMs For events representing a download, the time elapsed between the start of
the download and the end of the download, in milliseconds. For events representing an entire update flow, the
sum of all such download times over the course of the update flow. Sent in events that have an event type of '1',
'2', '3', and '14' only. Default: '0'.
appPingEventErrorCode The error code (if any) of the operation, encoded as a signed, base-10 integer.
Default: '0'.
appPingEventEventResult An enumeration indicating the result of the event. Common values are '0' (Error)
and '1' (Success). Default: '0' (Error).
appPingEventEventType An enumeration indicating the type of the event and the event stage. Default: '0'
(Unknown).
appPingEventExtraCode1 Additional numeric information about the operation's result, encoded as a signed,
base-10 integer. Default: '0'.
appPingEventInstallTimeMs For events representing an install, the time elapsed between the start of the
install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all
such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
appPingEventNumBytesDownloaded The number of bytes downloaded for the specified application.
Default: '0'.
appPingEventSequenceId An ID that uniquely identifies particular events within one requestId. Since a
request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
appPingEventSourceUrlIndex For events representing a download, the position of the download URL in the
list of URLs supplied by the server in a tag.
appPingEventUpdateCheckTimeMs For events representing an entire update flow, the time elapsed
between the start of the update check and the end of the update check, in milliseconds. Sent in events that have
an event type of '2' and '3' only. Default: '0'.
appUpdateCheckIsUpdateDisabled The state of whether app updates are restricted by group policy. True if
updates have been restricted by group policy or false if they have not.
appUpdateCheckTargetVersionPrefix A component-wise prefix of a version number, or a complete version
number suffixed with the $ character. The prefix is interpreted a dotted-tuple that specifies the exactly-matching
elements; it is not a lexical prefix (for example, '1.2.3' MUST match '1.2.3.4' but MUST NOT match '1.2.34').
Default: ''.
appUpdateCheckTtToken An opaque access token that can be used to identify the requesting client as a
member of a trusted-tester group. If non-empty, the request is sent over SSL or another secure protocol. This
field is unused by Edge Update and always empty. Default: ''.
appVersion The version of the product install. Default: '0.0.0.0'.
EventInfo.Level The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is
enhanced, and 3 is full.
eventType A string representation of appPingEventEventType indicating the type of the event.
hwHasAvx '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not
support the SSE instruction set. '-1' if unknown. Default: '-1'.
hwHasSse '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not
hwHasSse2 '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not
support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
hwHasSse41 '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does
not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
hwHasSsse3 '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not
support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
hwPhysmemor y The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if
unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including
any hard drive or paging to a hard drive or peripheral. Default: '-1'.
isMsftDomainJoined '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
osArch The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
osPlatform The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac',
'linux', 'ios', 'android'). '' if unknown. The operating system name should be transmitted in lowercase with
minimal formatting. Default: ''.
osSer vicePack The secondary version of the operating system. '' if unknown. Default: ''.
osVersion The primary version of the operating system. '' if unknown. Default: ''.
requestCheckPeriodSec The update interval in seconds. The value is read from the registry. Default: '-1'.
requestDlpref A comma-separated list of values specifying the preferred download URL behavior. The first
value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in
which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server
should prioritize sending URLs that are easily cacheable). Default: ''.
requestDomainJoined '1' if the device is part of a managed enterprise domain. Otherwise '0'.
requestInstallSource A string specifying the cause of the update flow. For example: 'ondemand', or
'scheduledtask'. Default: ''.
requestIsMachine '1' if the client is known to be installed with system-level or administrator privileges. '0'
otherwise. Default: '0'.
requestOmahaShellVersion The version of the Omaha installation folder. Default: ''.
requestOmahaVersion The version of the Omaha updater itself (the entity sending this request). Default:
'0.0.0.0'.
requestProtocolVersion The version of the Omaha protocol. Compatible clients MUST provide a value of
'3.0'. Compatible clients MUST always transmit this attribute. Default: undefined.
requestRequestId A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request.
Default: ''.
requestSessionCorrelationVectorBase A client generated random MS Correlation Vector base code used to
correlate the update session with update and CDN servers. Default: ''.
requestSessionId A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update
check, update application, event ping sequence) should have (with high probability) a single unique sessionid.
Default: ''.
requestTestSource Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the
request is a test and should not be counted toward normal metrics. Default: ''.
requestUid A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each
request attempt should have (with high probability) a unique request id. Default: ''.
Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
(0x40000).
mode.
mode.
Migration events
Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
This event returns data to track the count of the migration objects across various phases during feature update.
currentSid Indicates the user SID for which the migration is being performed.
knownFoldersUsr[i] Predefined folder path locations.
migDiagSession->CString The phase of the upgrade where migration occurs. (E.g.: Validate tracked content)
objectCount The count for the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFSys
This event returns data about the count of the migration objects across various phases during feature update.
knownFoldersSys[i] The predefined folder path locations.
migDiagSession->CString Identifies the phase of the upgrade where migration happens.
objectCount The count of the number of objects that are being transferred.
Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
migDiagSession->CString The phase of the upgrade where the migration occurs. (For example, Validate
tracked content.)
objectCount The number of objects that are being transferred.
Miracast events
Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along
with some statistics about the session
AudioChannelCount The number of audio channels.
AudioSampleRate The sample rate of audio in terms of samples per second.
AudioSubtype The unique subtype identifier of the audio codec (encoding method) used for audio encoding.
AverageBitrate The average video bitrate used during the Miracast session, in bits per second.
AverageDataRate The average available bandwidth reported by the WiFi driver during the Miracast session,
in bits per second.
AveragePacketSendTimeInMs The average time required for the network to send a sample, in milliseconds.
ConnectorType The type of connector used during the Miracast session.
EncodeAverageTimeMS The average time to encode a frame of video, in milliseconds.
EncodeCount The count of total frames encoded in the session.
EncodeMaxTimeMS The maximum time to encode a frame, in milliseconds.
EncodeMinTimeMS The minimum time to encode a frame, in milliseconds.
EncoderCreationTimeInMs The time required to create the video encoder, in milliseconds.
ErrorSource Identifies the component that encountered an error that caused a disconnect, if applicable.
FirstFrameTime The time (tick count) when the first frame is sent.
FirstLatencyMode The first latency mode.
FrameAverageTimeMS Average time to process an entire frame, in milliseconds.
FrameCount The total number of frames processed.
FrameMaxTimeMS The maximum time required to process an entire frame, in milliseconds.
FrameMinTimeMS The minimum time required to process an entire frame, in milliseconds.
Glitches The number of frames that failed to be delivered on time.
HardwareCursorEnabled Indicates if hardware cursor was enabled when the connection ended.
HDCPState The state of HDCP (High-bandwidth Digital Content Protection) when the connection ended.
HighestBitrate The highest video bitrate used during the Miracast session, in bits per second.
HighestDataRate The highest available bandwidth reported by the WiFi driver, in bits per second.
LastLatencyMode The last reported latency mode.
LogTimeReference The reference time, in tick counts.
LowestBitrate The lowest video bitrate used during the Miracast session, in bits per second.
LowestDataRate The lowest video bitrate used during the Miracast session, in bits per second.
MediaErrorCode The error code reported by the media session, if applicable.
MiracastEntr y The time (tick count) when the Miracast driver was first loaded.
MiracastM1 The time (tick count) when the M1 request was sent.
MiracastSessionState The state of the Miracast session when the connection ended.
MiracastStreaming The time (tick count) when the Miracast session first started processing frames.
ProfileCount The count of profiles generated from the receiver M4 response.
ProfileCountAfterFiltering The count of profiles after filtering based on available bandwidth and encoder
capabilities.
RefreshRate The refresh rate set on the remote display.
RotationSuppor ted Indicates if the Miracast receiver supports display rotation.
RTSPSessionId The unique identifier of the RTSP session. This matches the RTSP session ID for the receiver for
the same session.
SessionGuid The unique identifier of to correlate various Miracast events from a session.
SinkHadEdid Indicates if the Miracast receiver reported an EDID.
Suppor tMicrosoftColorSpaceConversion Indicates whether the Microsoft color space conversion for extra
color fidelity is supported by the receiver.
Suppor tsMicrosoftDiagnostics Indicates whether the Miracast receiver supports the Microsoft Diagnostics
Miracast extension.
Suppor tsMicrosoftFormatChange Indicates whether the Miracast receiver supports the Microsoft Format
Change Miracast extension.
Suppor tsMicrosoftLatencyManagement Indicates whether the Miracast receiver supports the Microsoft
Latency Management Miracast extension.
Suppor tsMicrosoftRTCP Indicates whether the Miracast receiver supports the Microsoft RTCP Miracast
extension.
Suppor tsMicrosoftVideoFormats Indicates whether the Miracast receiver supports Microsoft video format
for 3:2 resolution.
Suppor tsWiDi Indicates whether Miracast receiver supports Intel WiDi extensions.
TeardownErrorCode The error code reason for teardown provided by the receiver, if applicable.
TeardownErrorReason The text string reason for teardown provided by the receiver, if applicable.
UIBCEndState Indicates whether UIBC was enabled when the connection ended.
UIBCEverEnabled Indicates whether UIBC was ever enabled.
UIBCStatus The result code reported by the UIBC setup process.
VideoBitrate The starting bitrate for the video encoder.
VideoCodecLevel The encoding level used for encoding, specific to the video subtype.
VideoHeight The height of encoded video frames.
VideoSubtype The unique subtype identifier of the video codec (encoding method) used for video encoding.
VideoWidth The width of encoded video frames.
WFD2Suppor ted Indicates if the Miracast receiver supports WFD2 protocol.
OneDrive events
Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
This event is related to the OS version when the OS is upgraded with OneDrive installed.
CurrentOneDriveVersion The current version of OneDrive.
CurrentOSBuildBranch The current branch of the operating system.
CurrentOSBuildNumber The current build number of the operating system.
CurrentOSVersion The current version of the operating system.
HResult The HResult of the operation.
SourceOSBuildBranch The source branch of the operating system.
SourceOSBuildNumber The source build number of the operating system.
SourceOSVersion The source version of the operating system.
Privacy consent logging events

Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
This event is used to determine whether the user successfully completed the privacy consent experience.
presentationVersion Which display version of the privacy consent experience the user completed
privacyConsentState The current state of the privacy consent experience
settingsVersion Which setting version of the privacy consent experience the user completed
userOobeExitReason The exit reason of the privacy consent experience
Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
Event tells us effectiveness of new privacy experience.
isAdmin whether the person who is logging in is an admin
isExistingUser whether the account existed in a downlevel OS
isLaunching Whether or not the privacy consent experience will be launched
isSilentElevation whether the user has most restrictive UAC controls
privacyConsentState whether the user has completed privacy experience
userRegionCode The current user's region setting
Push Button Reset events
Microsoft.Windows.PBR.BitLockerWipeFinished
This event sends error data after the BitLocker wipe finishes if there were any issues during the wipe.
error The error code if there were any issues during the BitLocker wipe.
sessionID This is the session ID.
succeeded Indicates the BitLocker wipe successful completed.
timestamp Time the event occurred.
Microsoft.Windows.PBR.BootState
This event sends data on the Windows Recovery Environment (WinRE) boot, which can be used to determine
whether the boot was successful.
BsdSummar yInfo Summary of the last boot.
sessionID The ID of the push-button reset session.
timestamp The timestamp of the boot state.
Microsoft.Windows.PBR.ClearTPMStarted
This event sends basic data about the recovery operation on the device to allow investigation.
sessionID The ID for this push-button restart session.
timestamp The time when the Trusted Platform Module will be erased.
Microsoft.Windows.PBR.ClientInfo
This event indicates whether push-button reset (PBR) was initiated while the device was online or offline.
name Name of the user interface entry point.
sessionID The ID of this push-button reset session.
timestamp The time when this event occurred.
Microsoft.Windows.PBR.Completed
This event sends data about the recovery operation on the device to allow for investigation.
sessionID The ID of the push-button reset session.
timestamp Timestamp of this push-button reset event.
Microsoft.Windows.PBR.DataVolumeCount
This event provides the number of additional data volumes that the push-button reset operation has detected.
count The number of attached data drives.
Microsoft.Windows.PBR.DiskSpaceRequired
This event sends the peak disk usage required for the push-button reset operation.
numBytes The number of bytes required for the reset operation.
Microsoft.Windows.PBR.EnterAPI
This event is sent at the beginning of each push-button reset (PRB) operation.
apiName Name of the API command that is about to execute.
sessionID The session ID.
Microsoft.Windows.PBR.EnteredOOBE
This event is sent when the push-button reset (PRB) process enters the Out Of Box Experience (OOBE).
Microsoft.Windows.PBR.LeaveAPI
This event is sent when the push-button reset operation is complete.
apiName Name of the API command that completed.
errorCode Error code if an error occurred during the API call.
success Indicates whether the API call was successful.
Microsoft.Windows.PBR.OEMExtensionFinished
This event is sent when the OEM extensibility scripts have completed.
exitCode The exit code from OEM extensibility scripts to push-button reset.
param Parameters used for the OEM extensibility script.
phase Name of the OEM extensibility script phase.
script The path to the OEM extensibility script.
succeeded Indicates whether the OEM extensibility script executed successfully.
timedOut Indicates whether the OEM extensibility script timed out.
Microsoft.Windows.PBR.OEMExtensionStarted
This event is sent when the OEM extensibility scripts start to execute.
param The parameters used by the OEM extensibility script.
phase The name of the OEM extensibility script phase.
script The path to the OEM extensibility script.
Microsoft.Windows.PBR.OperationExecuteFinished
This event is sent at the end of a push-button reset (PBR) operation.
error Indicates the result code of the event.
index The operation index.
operation The name of the operation.
phase The name of the operation phase.
succeeded Indicates whether the operation successfully completed.
Microsoft.Windows.PBR.OperationExecuteStarted
This event is sent at the beginning of a push-button reset operation.
index The index of this operation.
operation The name of this operation.
phase The phase of this operation.
weight The weight of the operation used to distribute the change in percentage.
Microsoft.Windows.PBR.OperationQueueConstructFinished
This event is sent when construction of the operation queue for push-button reset is finished.
error The result code for operation queue construction.
succeeded Indicates whether the operation successfully completed.
Microsoft.Windows.PBR.OperationQueueConstructStarted
This event is sent when construction of the operation queue for push-button reset is started.
Microsoft.Windows.PBR.PBRClearTPMFailed
This event is sent when there was a failure while clearing the Trusted Platform Module (TPM).
SessionID The ID of this push-button reset session.
Microsoft.Windows.PBR.PBRCreateNewSystemReconstructionFailed
This event is sent when the push-button reset operation fails to construct a new copy of the operating system.
HRESULT Indicates the result code of the event.
PBRType The type of push-button reset.
SPErrorCode The error code for the Setup Platform operation.
SPOperation The last Setup Platform operation.
SPPhase The last phase of the Setup Platform operation.
Microsoft.Windows.PBR.PBRFailed
This event is sent when the push-button reset operation fails and rolls back to the previous state.
ErrorType The result code for the push-button reset error.
Microsoft.Windows.PBR.PBRFinalUserSelection
This event is sent when the user makes the final selection in the user interface.
PBREraseData Indicates whether the option to erase data is selected.
PBRRecover yStrategy The recovery strategy for the push-button reset operation.
PBRRepar titionDisk Indicates whether the user has selected the option to repartition the disk.
PBRVariation Indicates the push-button reset type.
PBRWipeDataDrives Indicates whether the option to wipe the data drives is selected.
Microsoft.Windows.PBR.PBROEM1Failed
This event is sent when the first OEM extensibility operation is successfully completed.
HRESULT The result error code from the OEM extensibility script.
Parameters The parameters that were passed to the OEM extensibility script.
ScriptName The path to the OEM extensibility script.
Microsoft.Windows.PBR.PBRReachedOOBE
This event returns data when the PBR (Push Button Reset) process reaches the OOBE (Out of Box Experience).
Microsoft.Windows.PBR.PBRReconstructionInitiated
This event returns data when a PBR (Push Button Reset) reconstruction operation begins.
Microsoft.Windows.PBR.PBRRequirementChecks
This event returns data when PBR (Push Button Reset) requirement checks begin.
DeploymentType The type of deployment.
InstallType The type of installation.
SessionID The ID for this push-button reset session.
Microsoft.Windows.PBR.PBRRequirementChecksFailed
This event returns data when PBR (Push Button Reset) requirement checks fail.
DiskSpaceAvailable The disk space available for the push-button reset.
DiskSpaceRequired The disk space required for the push-button reset.
ErrorType The type of error that occurred during the requirement checks phase of the push-button reset
operation.
PBRImageVersion The image version of the push-button reset tool.
PBRRecover yStrategy The recovery strategy for this phase of push-button reset.
PBRStar tedFrom Identifies the push-button reset entry point.
PBRType The type of push-button reset specified by the user interface.
Microsoft.Windows.PBR.PBRRequirementChecksPassed
This event returns data when PBR (Push Button Reset) requirement checks are passed.
OSVersion The OS version installed on the device.
PBRImageType The push-button reset image type.
PBRImageVersion The version of the push-button reset image.
PBRRecover yStrategy The push-button reset recovery strategy.
PBRStar tedFrom Identifies the push-button reset entry point.
Microsoft.Windows.PBR.PBRSucceed
This event returns data when PBR (Push Button Reset) succeeds.
OSVersion The OS version installed on the device.
Microsoft.Windows.PBR.PhaseFinished
This event returns data when a phase of PBR (Push Button Reset) has completed.
error The result code for this phase of push-button reset.
phase The name of this push-button reset phase.
succeeded Indicates whether this phase of push-button reset executed successfully.
timestamp The timestamp for this push-button reset event.
Microsoft.Windows.PBR.PhaseStarted
This event is sent when a phase of the push-button reset (PBR) operation starts.
phase The name of this phase of push-button reset.
Microsoft.Windows.PBR.ReconstructionInfo
This event returns data about the PBR (Push Button Reset) reconstruction.
numPackagesAbandoned The number of packages that were abandoned during the reconstruction operation
of push-button reset.
numPackagesFailed The number of packages that failed during the reconstruction operation of push-button
reset.
slowMode The mode of reconstruction.
targetVersion The target version of the OS for the reconstruction.
timestamp The timestamp of this push-button reset event.
Microsoft.Windows.PBR.ResetOptions
This event returns data about the PBR (Push Button Reset) reset options selected by the user.
over writeSpace Indicates whether the option was selected to erase data during push-button reset.
preser veWorkplace Indicates whether the option was selected to reserve the workplace during push-button
reset.
scenario The selected scenario for the push-button on reset operation.
sessionID The ID of this push-button on reset session.
timestamp The timestamp of this push-button on reset event.
usePayload Indicates whether Cloud PBR or Reconstruction was used.
wipeData Indicates whether the option was selected to wipe additional drives during push-button reset.
Microsoft.Windows.PBR.RetryQueued
This event returns data about the retry count when PBR (Push Button Reset) is restarted due to a reboot.
attempt The number of retry attempts that were made
Microsoft.Windows.PBR.ReturnedToOldOS
This event returns data after PBR (Push Button Reset) has completed the rollback.
Microsoft.Windows.PBR.ReturnTaskSchedulingFailed
This event returns data when there is a failure scheduling a boot into WinRE (Windows Recovery).
errorCode The error that occurred while scheduling the task.
taskName The name of the task.
timestamp The ID of this push-button reset event.
Microsoft.Windows.PBR.RollbackFinished
This event returns data when the PBR (Push Button Reset) rollback completes.
error Any errors that occurred during rollback to the old operating system.
succeeded Indicates whether the rollback succeeded.
Microsoft.Windows.PBR.RollbackStarted
This event returns data when the PBR (Push Button Reset) rollback begins.
Microsoft.Windows.PBR.ScenarioNotSupported
This event returns data when the PBR (Push Button Reset) scenario selected is not supported on the device.
errorCode The error that occurred.
reason The reason why this push-button reset scenario is not supported.
sessionID The ID for this push-button reset session.
Microsoft.Windows.PBR.SessionCreated
This event returns data when the PRB (Push Button Reset) session is created at the beginning of the UI (user
interface) process.
Microsoft.Windows.PBR.SessionResumed
This event returns data when the PRB (Push Button Reset) session is resumed after reboots.
Microsoft.Windows.PBR.SessionSaved
This event returns data when the PRB (Push Button Reset) session is suspended between reboots.
Microsoft.Windows.PBR.SetupExecuteFinished
This event returns data when the PBR (Push Button Reset) setup finishes.
systemState Information about the system state of the Setup Platform operation.
Microsoft.Windows.PBR.SetupExecuteStarted
This event returns data when the PBR (Push Button Reset) setup starts.
Microsoft.Windows.PBR.SetupFinalizeStarted
This event returns data when the Finalize operation is completed by setup during PBR (Push Button Reset).
Microsoft.Windows.PBR.SetupOperationFailed
This event returns data when a PRB (Push Button Reset) setup operation fails.
errorCode An error that occurred during the setup phase of push-button reset.
setupExecutionOperation The name of the Setup Platform operation.
setupExecutionPhase The phase of the setup operation that failed.
Microsoft.Windows.PBR.SystemInfoField
This event returns data about the device when the user initiates the PBR UI (Push Button Reset User Interface), to
ensure the appropriate reset options are shown to the user.
name Name of the system information field.
value The system information field value.
Microsoft.Windows.PBR.SystemInfoListItem
This event returns data about the device when the user initiates the PBR UI (Push Button Reset User Interface), to
ensure the appropriate options can be shown to the user.
index The index number associated with the system information item.
name The name of the list of system information items.
value The value of the system information item.
Microsoft.Windows.PBR.SystemInfoSenseFinished
This event returns data when System Info Sense is finished.
error The error code if an error occurred while querying for system information.
succeeded Indicates whether the query for system information was successful.
Microsoft.Windows.PBR.SystemInfoSenseStarted
This event returns data when System Info Sense is started.
sessionID The ID of this push-button reset event.
Microsoft.Windows.PBR.UserAcknowledgeCleanupWarning
This event returns data when the user acknowledges the cleanup warning pop-up after PRB (Push Button Reset) is
complete.
Microsoft.Windows.PBR.UserCancel
This event returns data when the user confirms they wish to cancel PBR (Push Button Reset) from the user
interface.
pageID The page ID for the page the user canceled.
Microsoft.Windows.PBR.UserConfirmStart
This event returns data when the user confirms they wish to reset their device and PBR (Push Button Reset) begins.
Microsoft.Windows.PBR.WinREInstallFinished
This event returns data when WinRE (Windows Recovery) installation is complete.
errorCode Any error that occurred during the Windows Recovery Environment (WinRE) installation.
success Indicates whether the Windows Recovery Environment (WinRE) installation successfully completed.
Microsoft.Windows.PBR.WinREInstallStarted
This event returns data when WinRE (Windows Recovery) installation starts.
Sediment events
Microsoft.Windows.Sediment.Info.DetailedState
This event is sent when detailed state information is needed from an update trial run.
Data Data relevant to the state, such as what percent of disk space the directory takes up.
Id Identifies the trial being run, such as a disk related trial.
ReleaseVer The version of the component.
State The state of the reporting data from the trial, such as the top-level directory analysis.
Time The time the event was fired.
Microsoft.Windows.Sediment.Info.PhaseChange
The event indicates progress made by the updater. This information assists in keeping Windows up to date.
NewPhase The phase of progress made.
ReleaseVer The version information for the component in which the change occurred.
Time The system time at which the phase chance occurred.
Setup events
SetupPlatformTel.SetupPlatformTelActivityEvent
This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to
date.
FieldName Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk
Space Information etc.
Value Value associated with the corresponding event name. For example, time-related events will include the
system time
SetupPlatformTel.SetupPlatformTelActivityStarted
This event sends basic metadata about the update installation process generated by SetupPlatform to help keep
Windows up to date.
Name The name of the dynamic update type. Example: GDR driver
SetupPlatformTel.SetupPlatformTelActivityStopped
Windows up to date.
SetupPlatformTel.SetupPlatformTelEvent
This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
Value Retrieves the value associated with the corresponding event name (Field Name). For example: For time
related events this will include the system time.
Software update events

SoftwareUpdateClientTelemetry.CheckForUpdates
Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
ActivityMatchingId Contains a unique ID identifying a single CheckForUpdates session from initialization to
completion.
AllowCachedResults Indicates if the scan allowed using cached results.
ApplicableUpdateInfo Metadata for the updates which were detected as applicable
BiosFamily The family of the BIOS (Basic Input Output System).
BiosName The name of the device BIOS.
BiosReleaseDate The release date of the device BIOS.
BiosSKUNumber The sku number of the device BIOS.
BIOSVendor The vendor of the BIOS.
BiosVersion The version of the BIOS.
BranchReadinessLevel The servicing branch configured on the device.
CachedEngineVersion For self-initiated healing, the version of the SIH engine that is cached on the device. If
the SIH engine does not exist, the value is null.
CallerApplicationName The name provided by the caller who initiated API calls into the software distribution
client.
CapabilityDetectoidGuid The GUID for a hardware applicability detectoid that could not be evaluated.
CDNCountr yCode Two letter country abbreviation for the Content Distribution Network (CDN) location.
CDNId The unique identifier of a specific device, used to identify how many devices are encountering success
or a particular issue.
ClientVersion The version number of the software distribution client.
CommonProps A bitmask for future flags associated with the Windows Update client behavior. No data is
currently reported in this field. Expected value for this field is 0.
Context Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or
Unknown
CurrentMobileOperator The mobile operator the device is currently connected to.
DeferralPolicySources Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight =
0x1000, UX = 0x10000).
DeferredUpdates Update IDs which are currently being deferred until a later time
DeviceModel What is the device model.
DriverError The error code hit during a driver scan. This is 0 if no error was encountered.
DriverExclusionPolicy Indicates if the policy for not including drivers with Windows Update is enabled.
DriverSyncPassPerformed Were drivers scanned this time?
EventInstanceID A globally unique identifier for event instance.
EventScenario Indicates the purpose of sending this event - whether because the software distribution just
started checking for content, or whether it was cancelled, succeeded, or failed.
ExtendedMetadataCabUrl Hostname that is used to download an update.
ExtendedStatusCode Secondary error code for certain scenarios where StatusCode wasn't specific enough.
FailedUpdateGuids The GUIDs for the updates that failed to be evaluated during the scan.
FailedUpdatesCount The number of updates that failed to be evaluated during the scan.
FeatureUpdateDeferral The deferral period configured for feature OS updates on the device (in days).
FeatureUpdatePause Indicates whether feature OS updates are paused on the device.
FeatureUpdatePausePeriod The pause duration configured for feature OS updates on the device (in days).
FlightBranch The branch that a device is on if participating in flighting (pre-release builds).
FlightRing The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
HomeMobileOperator The mobile operator that the device was originally intended to work with.
IntentPFNs Intended application-set metadata for atomic update scenarios.
IPVersion Indicates whether the download took place over IPv4 or IPv6
IsWUfBDualScanEnabled Indicates if Windows Update for Business dual scan is enabled on the device.
IsWUfBEnabled Indicates if Windows Update for Business is enabled on the device.
IsWUfBFederatedScanDisabled Indicates if Windows Update for Business federated scan is disabled on the
device.
MetadataIntegrityMode The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-
Audit, 3-Enforce
MSIError The last error that was encountered during a scan for updates.
NetworkConnectivityDetected Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
NumberOfApplicableUpdates The number of updates which were ultimately deemed applicable to the
system after the detection process is complete
NumberOfApplicationsCategor yScanEvaluated The number of categories (apps) for which an app update
scan checked
NumberOfLoop The number of round trips the scan required
NumberOfNewUpdatesFromSer viceSync The number of updates which were seen for the first time in this
scan
NumberOfUpdatesEvaluated The total number of updates which were evaluated as a part of the scan
NumFailedMetadataSignatures The number of metadata signatures checks which failed for new metadata
synced down.
Online Indicates if this was an online scan.
PausedUpdates A list of UpdateIds which that currently being paused.
PauseFeatureUpdatesEndTime If feature OS updates are paused on the device, this is the date and time for
the end of the pause time window.
PauseFeatureUpdatesStar tTime If feature OS updates are paused on the device, this is the date and time for
the beginning of the pause time window.
PauseQualityUpdatesEndTime If quality OS updates are paused on the device, this is the date and time for
PauseQualityUpdatesStar tTime If quality OS updates are paused on the device, this is the date and time for
PhonePreviewEnabled Indicates whether a phone was getting preview build, prior to flighting (pre-release
builds) being introduced.
ProcessName The process name of the caller who initiated API calls, in the event where
CallerApplicationName was not provided.
QualityUpdateDeferral The deferral period configured for quality OS updates on the device (in days).
QualityUpdatePause Indicates whether quality OS updates are paused on the device.
QualityUpdatePausePeriod The pause duration configured for quality OS updates on the device (in days).
RelatedCV The previous Correlation Vector that was used before swapping with a new one
ScanDurationInSeconds The number of seconds a scan took
ScanEnqueueTime The number of seconds it took to initialize a scan
ScanProps This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The
following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the
scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1
if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain
interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not
yet released for full adoption via Automatic Updates).
Ser viceGuid An ID which represents which service the software distribution client is checking for content
(Windows Update, Microsoft Store, etc.).
Ser viceUrl The environment URL a device is configured to scan with
ShippingMobileOperator The mobile operator that a device shipped on.
StatusCode Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
SyncType Describes the type of scan the event was
SystemBIOSMajorRelease Major version of the BIOS.
SystemBIOSMinorRelease Minor version of the BIOS.
TargetMetadataVersion For self-initiated healing, this is the target version of the SIH engine to download (if
needed). If not, the value is null.
TotalNumMetadataSignatures The total number of metadata signatures checks done for new metadata that
was synced down.
WebSer viceRetr yMethods Web service method requests that needed to be retried to complete operation.
WUDeviceID The unique identifier of a specific device, used to identify how many devices are encountering
success or a particular issue.
SoftwareUpdateClientTelemetry.Commit
This event tracks the commit process post the update installation when software update client is trying to update
the device.
BiosFamily Device family as defined in the system BIOS
BiosName Name of the system BIOS
BiosReleaseDate Release date of the system BIOS
BiosSKUNumber Device SKU as defined in the system BIOS
BIOSVendor Vendor of the system BIOS
BiosVersion Version of the system BIOS
BundleId Identifier associated with the specific content bundle; should not be all zeros if the bundleID was
found.
BundleRevisionNumber Identifies the revision number of the content bundle
CallerApplicationName Name provided by the caller who initiated API calls into the software distribution
client
ClientVersion Version number of the software distribution client
DeploymentProviderMode The mode of operation of the update deployment provider.
DeviceModel Device model as defined in the system bios
EventInstanceID A globally unique identifier for event instance
EventScenario Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
EventType Possible values are "Child", "Bundle", "Relase" or "Driver".
FlightId The specific id of the flight the device is getting
HandlerType Indicates the kind of content (app, driver, windows patch, etc.)
RevisionNumber Identifies the revision number of this specific piece of content
Ser viceGuid A unique identifier for the service that the software distribution client is installing content for
(Windows Update, Microsoft Store, etc).
SystemBIOSMajorRelease Major release version of the system bios
SystemBIOSMinorRelease Minor release version of the system bios
UpdateId Identifier associated with the specific piece of content
WUDeviceID Unique device id controlled by the software distribution client
SoftwareUpdateClientTelemetry.Download
Download process event for target update on Windows Update client. See the EventScenario field for specifics
(started/failed/succeeded).
ActiveDownloadTime Number of seconds the update was actively being downloaded.
AppXBlockHashFailures Indicates the number of blocks that failed hash validation during download.
AppXBlockHashValidationFailureCount A count of the number of blocks that have failed validation after
being downloaded.
AppXDownloadScope Indicates the scope of the download for application content.
AppXScope Indicates the scope of the app download.
BundleBytesDownloaded Number of bytes downloaded for the specific content bundle.
found.
BundleRepeatFailCount Indicates whether this particular update bundle previously failed.
BundleRepeatFailFlag Indicates whether this particular update bundle previously failed to download.
BundleRevisionNumber Identifies the revision number of the content bundle.
BytesDownloaded Number of bytes that were downloaded for an individual piece of content (not the entire
bundle).
CachedEngineVersion The version of the “Self-Initiated Healing” (SIH) engine that is cached on the device, if
applicable.
client.
CbsDownloadMethod Indicates whether the download was a full- or a partial-file download.
CbsMethod The method used for downloading the update content related to the Component Based Servicing
(CBS) technology.
CDNId ID which defines which CDN the software distribution client downloaded the content from.
CommonProps A bitmask for future flags associated with the Windows Update client behavior.
ConnectTime Indicates the cumulative amount of time (in seconds) it took to establish the connection for all
updates in an update bundle.
DeviceModel The model of the device.
DownloadPriority Indicates whether a download happened at background, normal, or foreground priority.
DownloadProps Information about the download operation properties in the form of a bitmask.
DownloadScenarioId A unique ID for a given download, used to tie together Windows Update and Delivery
Optimizer events.
DownloadType Differentiates the download type of “Self-Initiated Healing” (SIH) downloads between
Metadata and Payload downloads.
started downloading content, or whether it was cancelled, succeeded, or failed.
EventType Possible values are Child, Bundle, or Driver.
FlightBuildNumber If this download was for a flight (pre-release build), this indicates the build number of
that flight.
FlightId The specific ID of the flight (pre-release build) the device is getting.
HandlerType Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
HardwareId If this download was for a driver targeted to a particular device model, this ID indicates the model
of the device.
HostName The hostname URL the content is downloading from.
IPVersion Indicates whether the download took place over IPv4 or IPv6.
IsDependentSet Indicates whether a driver is a part of a larger System Hardware/Firmware Update
NetworkCost A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.)
used for downloading the update content.
NetworkCostBitMask Indicates what kind of network the device is connected to (roaming, metered, over data
cap, etc.)
NetworkRestrictionStatus More general version of NetworkCostBitMask, specifying whether Windows
considered the current network to be "metered."
PackageFullName The package name of the content.
PhonePreviewEnabled Indicates whether a phone was opted-in to getting preview builds, prior to flighting
(pre-release builds) being introduced.
PostDnldTime Time taken (in seconds) to signal download completion after the last job has completed
downloading payload.
Reason A 32-bit integer representing the reason the update is blocked from being downloaded in the
background.
RegulationResult The result code (HResult) of the last attempt to contact the regulation web service for
download regulation of update content.
RelatedCV The previous Correlation Vector that was used before swapping with a new one.
RepeatFailCount Indicates whether this specific content has previously failed.
RepeatFailFlag Indicates whether this specific content previously failed to download.
RevisionNumber The revision number of the specified piece of content.
Setup360Phase Identifies the active phase of the upgrade download if the current download is for an
Operating System upgrade.
ShippingMobileOperator The mobile operator linked to the device when the device shipped.
SizeCalcTime Time taken (in seconds) to calculate the total download size of the payload.
StatusCode Indicates the result of a Download event (success, cancellation, failure code HResult).
TargetGroupId For drivers targeted to a specific device model, this ID indicates the distribution group of
devices receiving that driver.
TargetingVersion For drivers targeted to a specific device model, this is the version number of the drivers
being distributed to the device.
TargetMetadataVersion The version of the currently downloading (or most recently downloaded) package.
ThrottlingSer viceHResult Result code (success/failure) while contacting a web service to determine whether
this device should download content yet.
TimeToEstablishConnection Time (in milliseconds) it took to establish the connection prior to beginning
downloaded.
TotalExpectedBytes The total count of bytes that the download is expected to be.
UpdateId An identifier associated with the specific piece of content.
UpdateID An identifier associated with the specific piece of content.
UpdateImpor tance Indicates whether a piece of content was marked as Important, Recommended, or
Optional.
UsedDO Whether the download used the delivery optimization service.
UsedSystemVolume Indicates whether the content was downloaded to the device's main system storage
drive, or an alternate storage drive.
SoftwareUpdateClientTelemetry.DownloadCheckpoint
This event provides a checkpoint between each of the Windows Update download phases for UUP content
client
ClientVersion The version number of the software distribution client
started checking for content, or whether it was cancelled, succeeded, or failed
EventType Possible values are "Child", "Bundle", "Relase" or "Driver"
ExtendedStatusCode Secondary error code for certain scenarios where StatusCode wasn't specific enough
FileId A hash that uniquely identifies a file
FileName Name of the downloaded file
FlightId The unique identifier for each flight
RevisionNumber Unique revision number of Update
(Windows Update, Microsoft Store, etc.)
StatusCode Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
UpdateId Unique Update ID
success or a particular issue
SoftwareUpdateClientTelemetry.DownloadHeartbeat
This event allows tracking of ongoing downloads and contains data to explain the current state of the download
BytesTotal Total bytes to transfer for this content
BytesTransferred Total bytes transferred for this content at the time of heartbeat
client
ConnectionStatus Indicates the connectivity state of the device at the time of heartbeat
CurrentError Last (transient) error encountered by the active download
DownloadFlags Flags indicating if power state is ignored
DownloadState Current state of the active download for this content (queued, suspended, or progressing)
EventType Possible values are "Child", "Bundle", or "Driver"
IsNetworkMetered Indicates whether Windows considered the current network to be ?metered"
MOAppDownloadLimit Mobile operator cap on size of application downloads, if any
MOUpdateDownloadLimit Mobile operator cap on size of operating system update downloads, if any
PowerState Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or
Connected Standby)
RelatedCV The previous correlation vector that was used by the client, before swapping with a new one
ResumeCount Number of times this active download has resumed from a suspended state
Ser viceGuid Identifier for the service to which the software distribution client is connecting (Windows Update,
Microsoft Store, etc)
SuspendCount Number of times this active download has entered a suspended state
SuspendReason Last reason for why this active download entered a suspended state
SoftwareUpdateClientTelemetry.Install
This event sends tracking data about the software distribution client installation of the content for that update, to
found.
BundleRepeatFailCount Indicates whether this particular update bundle has previously failed.
BundleRepeatFailFlag Indicates whether this particular update bundle previously failed to install.
client.
CommonProps A bitmask for future flags associated with the Windows Update client behavior. No value is
CSIErrorType The stage of CBS installation where it failed.
CurrentMobileOperator The mobile operator to which the device is currently connected.
DeviceModel The device model.
DriverPingBack Contains information about the previous driver and system state.
DriverRecover yIds The list of identifiers that could be used for uninstalling the drivers if a recovery is
required.
started installing content, or whether it was cancelled, succeeded, or failed.
ExtendedErrorCode The extended error code.
ExtendedStatusCode Secondary error code for certain scenarios where StatusCode is not specific enough.
FlightBranch The branch that a device is on if participating in the Windows Insider Program.
FlightBuildNumber If this installation was for a Windows Insider build, this is the build number of that build.
FlightId The specific ID of the Windows Insider build the device is getting.
FlightRing The ring that a device is on if participating in the Windows Insider Program.
HandlerType Indicates what kind of content is being installed (for example, app, driver, Windows update).
HardwareId If this install was for a driver targeted to a particular device model, this ID indicates the model of
the device.
InstallProps A bitmask for future flags associated with the install operation. No value is currently reported in
this field. Expected value for this field is 0.
IsDependentSet Indicates whether the driver is part of a larger System Hardware/Firmware update.
IsFinalOutcomeEvent Indicates whether this event signals the end of the update/upgrade process.
IsFirmware Indicates whether this update is a firmware update.
IsSuccessFailurePostReboot Indicates whether the update succeeded and then failed after a restart.
IsWUfBDualScanEnabled Indicates whether Windows Update for Business dual scan is enabled on the device.
IsWUfBEnabled Indicates whether Windows Update for Business is enabled on the device.
MergedUpdate Indicates whether the OS update and a BSP update merged for installation.
MsiAction The stage of MSI installation where it failed.
MsiProductCode The unique identifier of the MSI installer.
PackageFullName The package name of the content being installed.
PhonePreviewEnabled Indicates whether a phone was getting preview build, prior to flighting being
introduced.
ProcessName The process name of the caller who initiated API calls, in the event that CallerApplicationName
was not provided.
RepeatFailCount Indicates whether this specific piece of content has previously failed.
RepeatFailFlag Indicates whether this specific piece of content previously failed to install.
RevisionNumber The revision number of this specific piece of content.
Ser viceGuid An ID which represents which service the software distribution client is installing content for
Setup360Phase If the install is for an operating system upgrade, indicates which phase of the upgrade is
underway.
StatusCode Indicates the result of an installation event (success, cancellation, failure code HResult).
TransactionCode The ID that represents a given MSI installation.
UpdateId Unique update ID.
Optional.
UsedSystemVolume Indicates whether the content was downloaded and then installed from the device's main
system storage drive, or an alternate storage drive.
SoftwareUpdateClientTelemetry.Revert
Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example,
Started/Failed/Succeeded).
BundleId Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was
found.
CallerApplicationName Name of application making the Windows Update request. Used to identify context
of request.
ClientVersion Version number of the software distribution client.
CommonProps A bitmask for future flags associated with the Windows Update client behavior. There is no
value being reported in this field right now. Expected value for this field is 0.
CSIErrorType Stage of CBS installation that failed.
required.
EventScenario Indicates the purpose of the event (scan started, succeeded, failed, etc.).
EventType Event type (Child, Bundle, Release, or Driver).
ExtendedStatusCode Secondary status code for certain scenarios where StatusCode is not specific enough.
FlightBuildNumber Indicates the build number of the flight.
FlightId The specific ID of the flight the device is getting.
HandlerType Indicates the kind of content (app, driver, windows patch, etc.).
of the device.
IsFirmware Indicates whether an update was a firmware update.
IsSuccessFailurePostReboot Indicates whether an initial success was a failure after a reboot.
IsWUfBDualScanEnabled Flag indicating whether WU-for-Business dual scan is enabled on the device.
IsWUfBEnabled Flag indicating whether WU-for-Business is enabled on the device.
MergedUpdate Indicates whether an OS update and a BSP update were merged for install.
ProcessName Process name of the caller who initiated API calls into the software distribution client.
RelatedCV The previous correlation vector that was used by the client before swapping with a new one.
RevisionNumber Identifies the revision number of this specific piece of content.
StatusCode Result code of the event (success, cancellation, failure code HResult).
UpdateId The identifier associated with the specific piece of content.
UpdateImpor tance Indicates the importance of a driver, and why it received that importance level (0-
Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
UsedSystemVolume Indicates whether the device's main system storage drive or an alternate storage drive
was used.
WUDeviceID Unique device ID controlled by the software distribution client.
SoftwareUpdateClientTelemetry.TaskRun
Start event for Server Initiated Healing client. See EventScenario field for specifics (for example,
started/completed).
of request.
CmdLineArgs Command line arguments passed in by the caller.
EventInstanceID A globally unique identifier for the event instance.
Microsoft Store, etc.).
SoftwareUpdateClientTelemetry.Uninstall
Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example,
BundleId The identifier associated with the specific content bundle. This should not be all zeros if the bundleID
was found.
CallerApplicationName Name of the application making the Windows Update request. Used to identify
context of request.
DeploymentProviderMode The mode of operation of the Update Deployment Provider.
DriverRecover yIds The list of identifiers that could be used for uninstalling the drivers when a recovery is
required.
EventScenario Indicates the purpose of the event (a scan started, succeded, failed, etc.).
EventType Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
HardwareId If the download was for a driver targeted to a particular device model, this ID indicates the model
of the device.
IsSuccessFailurePostReboot Indicates whether an initial success was then a failure after a reboot.
RepeatFailCount Indicates whether this specific piece of content previously failed.
UpdateId Identifier associated with the specific piece of content.
UpdateImpor tance Indicates the importance of a driver and why it received that importance level (0-
UsedSystemVolume Indicates whether the device’s main system storage drive or an alternate storage drive
was used.
SoftwareUpdateClientTelemetry.UpdateDetected
This event sends data about an AppX app that has been updated from the Microsoft Store, including what app
needs an update and what version/architecture is required, in order to understand and address problems with
apps getting required updates.
ApplicableUpdateInfo Metadata for the updates which were detected as applicable.
client.
NumberOfApplicableUpdates The number of updates ultimately deemed applicable to the system after the
detection process is complete.
Ser viceGuid An ID that represents which service the software distribution client is connecting to (Windows
Update, Microsoft Store, etc.).
WUDeviceID The unique device ID controlled by the software distribution client.
SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been
tampered with and protects against man-in-the-middle attack.
of request.
EndpointUrl The endpoint URL where the device obtains update metadata. This is used to distinguish between
test, staging, and production environments.
EventScenario The purpose of this event, such as scan started, scan succeeded, or scan failed.
ExtendedStatusCode Secondary status code for certain scenarios where StatusCode was not specific enough.
LeafCer tId The integral ID from the FragmentSigning data for the certificate that failed.
ListOfSHA256OfIntermediateCerData A semicolon delimited list of base64 encoding of hashes for the
Base64CerData in the FragmentSigning data of an intermediate certificate.
MetadataIntegrityMode The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 =
audit; 3 = enforce
MetadataSignature A base64-encoded string of the signature associated with the update metadata (specified
by revision ID).
RawMode The raw unparsed mode string from the SLS response. This field is null if not applicable.
RawValidityWindowInDays The raw unparsed validity window string in days of the timestamp token. This
field is null if not applicable.
RevisionId The revision ID for a specific piece of content.
RevisionNumber The revision number for a specific piece of content.
Ser viceGuid Identifies the service to which the software distribution client is connected, Example: Windows
Update or Microsoft Store
SHA256OfLeafCerData A base64 encoding of the hash for the Base64CerData in the FragmentSigning data
of the leaf certificate.
SHA256OfLeafCer tPublicKey A base64 encoding of the hash of the Base64CertData in the FragmentSigning
data of the leaf certificate.
SHA256OfTimestampToken An encoded string of the timestamp token.
SignatureAlgorithm The hash algorithm for the metadata signature.
SLSPrograms A test program to which a device may have opted in. Example: Insider Fast
StatusCode Result code of the event (success, cancellation, failure code HResult)
TimestampTokenCer tThumbprint The thumbprint of the encoded timestamp token.
TimestampTokenId The time this was created. It is encoded in a timestamp blob and will be zero if the token is
malformed.
UpdateId The update ID for a specific piece of content.
ValidityWindowInDays The validity window that's in effect when verifying the timestamp.
System reset events

Microsoft.Windows.SysReset.FlightUninstallCancel
This event indicates the customer has cancelled uninstallation of Windows.
Microsoft.Windows.SysReset.FlightUninstallError
This event sends an error code when the Windows uninstallation fails.
ErrorCode Error code for uninstallation failure.
Microsoft.Windows.SysReset.FlightUninstallReboot
This event is sent to signal an upcoming reboot during uninstallation of Windows.
Microsoft.Windows.SysReset.FlightUninstallStart
This event indicates that the Windows uninstallation has started.
Microsoft.Windows.SysReset.FlightUninstallUnavailable
This event sends diagnostic data when the Windows uninstallation is not available.
AddedProfiles Indicates that new user profiles have been created since the flight was installed.
MissingExternalStorage Indicates that the external storage used to install the flight is not available.
MissingInfra Indicates that uninstall resources are missing.
MovedProfiles Indicates that the user profile has been moved since the flight was installed.
Microsoft.Windows.SysReset.HasPendingActions
This event is sent when users have actions that will block the uninstall of the latest quality update.
Microsoft.Windows.SysReset.IndicateLCUWasUninstalled
This event is sent when the registry indicates that the latest cumulative Windows update package has finished
uninstalling.
errorCode The error code if there was a failure during uninstallation of the latest cumulative Windows update
package.
Microsoft.Windows.SysReset.LCUUninstall
This event is sent when the latest cumulative Windows update was uninstalled on a device.
errorCode An error that occurred while the Windows update package was being uninstalled.
packageName The name of the Windows update package that is being uninstalled.
removalTime The amount of time it took to uninstall the Windows update package.
Microsoft.Windows.SysReset.PBRBlockedByPolicy
This event is sent when a push-button reset operation is blocked by the System Administrator.
PBRBlocked Reason the push-button reset operation was blocked.
PBRType The type of push-button reset operation that was blocked.
Microsoft.Windows.SysReset.PBREngineInitFailed
This event signals a failed handoff between two recovery binaries.
Operation Legacy customer scenario.
Microsoft.Windows.SysReset.PBREngineInitSucceed
This event signals successful handoff between two recovery binaries.
Operation Legacy customer scenario.
Microsoft.Windows.SysReset.PBRFailedOffline
This event reports the error code when recovery fails.
HRESULT Error code for the failure.
PBRType The recovery scenario.
SessionID The unique ID for the recovery session.
Microsoft.Windows.SystemReset.EsimPresentCheck
This event is sent when a device is checked to see whether it has an embedded SIM (eSIM).
errorCode Any error that occurred while checking for the presence of an embedded SIM.
esimPresent Indicates whether an embedded SIM is present on the device.
sessionID The ID of this session.
Microsoft.Windows.SystemReset.PBRCorruptionRepairOption
This event sends corruption repair diagnostic data when the PBRCorruptionRepairOption encounters a corruption
error.
cbsSessionOption The corruption repair configuration.
errorCode The error code encountered.
meteredConnection Indicates whether the device is connected to a metered network (wired or WiFi).
sessionID The globally unique identifier (GUID) for the session.
Microsoft.Windows.SystemReset.RepairNeeded
This event provides information about whether a system reset needs repair.
repairNeeded Indicates whether there was corruption in the system reset which needs repair.
UEFI events
Microsoft.Windows.UEFI.ESRT
This event sends basic data during boot about the firmware loaded or recently installed on the machine. This helps
DriverFirmwareFilename The firmware file name reported by the device hardware key.
DriverFirmwarePolicy The optional version update policy value.
DriverFirmwareStatus The firmware status reported by the device hardware key.
DriverFirmwareVersion The firmware version reported by the device hardware key.
FirmwareId The UEFI (Unified Extensible Firmware Interface) identifier.
FirmwareLastAttemptStatus The reported status of the most recent firmware installation attempt, as
reported by the EFI System Resource Table (ESRT).
FirmwareLastAttemptVersion The version of the most recent attempted firmware installation, as reported
by the EFI System Resource Table (ESRT).
FirmwareType The UEFI (Unified Extensible Firmware Interface) type.
FirmwareVersion The UEFI (Unified Extensible Firmware Interface) version as reported by the EFI System
Resource Table (ESRT).
InitiateUpdate Indicates whether the system is ready to initiate an update.
LastAttemptDate The date of the most recent attempted firmware installation.
LastAttemptStatus The result of the most recent attempted firmware installation.
LastAttemptVersion The version of the most recent attempted firmware installation.
LowestSuppor tedFirmwareVersion The oldest (lowest) version of firmware supported.
MaxRetr yCount The maximum number of retries, defined by the firmware class key.
Retr yCount The number of attempted installations (retries), reported by the driver software key.
Status The status returned to the PnP (Plug-and-Play) manager.
UpdateAttempted Indicates if installation of the current update has been attempted before.
Update events
Update360Telemetry.Revert
This event sends data relating to the Revert phase of updating Windows.
ErrorCode The error code returned for the Revert phase.
FlightId Unique ID for the flight (test instance version).
ObjectId The unique value for each Update Agent mode.
RebootRequired Indicates reboot is required.
RelatedCV The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
Result The HResult of the event.
Rever tResult The result code returned for the Revert operation.
ScenarioId The ID of the update scenario.
SessionId The ID of the update attempt.
UpdateId The ID of the update.
Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update
scenario, which is leveraged by both Mobile and Desktop.
ErrorCode The error code returned for the current install phase.
FlightId Unique ID for each flight.
ObjectId Unique value for each Update Agent mode.
RelatedCV Correlation vector value generated from the latest USO scan.
Result Outcome of the install phase of the update.
ScenarioId Indicates the update scenario.
SessionId Unique value for each update attempt.
UpdateId Unique ID for each update.
Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform
(UUP) scenario. Applicable to PC and Mobile.
ContainsSafeOSDUPackage Boolean indicating whether Safe DU packages are part of the payload.
DeletedCorruptFiles Boolean indicating whether corrupt payload was deleted.
DownloadComplete Indicates if the download is complete.
DownloadRequests Number of times a download was retried.
ErrorCode The error code returned for the current download request phase.
ExtensionName Indicates whether the payload is related to Operating System content or a plugin.
InternalFailureResult Indicates a non-fatal error from a plugin.
ObjectId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
PackageCategoriesSkipped Indicates package categories that were skipped, if applicable.
PackageCountOptional Number of optional packages requested.
PackageCountRequired Number of required packages requested.
PackageCountTotal Total number of packages needed.
PackageCountTotalCanonical Total number of canonical packages.
PackageCountTotalDiff Total number of diff packages.
PackageCountTotalExpress Total number of express packages.
PackageCountTotalPSFX The total number of PSFX packages.
PackageExpressType Type of express package.
PackageSizeCanonical Size of canonical packages in bytes.
PackageSizeDiff Size of diff packages in bytes.
PackageSizeExpress Size of express packages in bytes.
PackageSizePSFX The size of PSFX packages, in bytes.
RangeRequestState Indicates the range request type used.
Result Outcome of the download request phase of update.
SandboxTaggedForReser ves The sandbox for reserves.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases).
Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update
CanonicalRequestedOnError Indicates if an error caused a reversion to a different type of compressed
update (TRUE or FALSE).
ElapsedTickCount Time taken for expand phase.
EndFreeSpace Free space after expand phase.
EndSandboxSize Sandbox size after expand phase.
Star tFreeSpace Free space before expand phase.
Star tSandboxSize Sandbox size after expand phase.
Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP)
scenario, which is applicable to both PCs and Mobile.
FlightMetadata Contains the FlightId and the build being flighted.
SessionData String containing instructions to update agent for processing FODs and DUICs (Null for other
scenarios).
Update360Telemetry.UpdateAgentInstall
This event sends data for the install phase of updating Windows.
FlightId Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
ObjectId Correlation vector value generated from the latest USO scan.
Result The result for the current install phase.
Update360Telemetry.UpdateAgentMerge
The UpdateAgentMerge event sends data on the merge phase when updating Windows.
ErrorCode The error code returned for the current merge phase.
MergeId The unique ID to join two update sessions being merged.
RelatedCV Related correlation vector value.
Result Outcome of the merge phase of the update.
SessionId Unique value for each attempt.
Update360Telemetry.UpdateAgentMitigationResult
This event sends data indicating the result of each update agent mitigation.
Applicable Indicates whether the mitigation is applicable for the current update.
CommandCount The number of command operations in the mitigation entry.
CustomCount The number of custom operations in the mitigation entry.
FileCount The number of file operations in the mitigation entry.
FlightId Unique identifier for each flight.
Index The mitigation index of this particular mitigation.
MitigationScenario The update scenario in which the mitigation was executed.
Name The friendly name of the mitigation.
OperationIndex The mitigation operation index (in the event of a failure).
OperationName The friendly name of the mitigation operation (in the event of failure).
Registr yCount The number of registry operations in the mitigation entry.
RelatedCV The correlation vector value generated from the latest USO scan.
Result The HResult of this operation.
ScenarioId The update agent scenario ID.
TimeDiff The amount of time spent performing the mitigation (in 100-nanosecond increments).
UpdateId Unique ID for each Update.
Update360Telemetry.UpdateAgentMitigationSummary
This event sends a summary of all the update agent mitigations available for an this update.
Applicable The count of mitigations that were applicable to the system and scenario.
Failed The count of mitigations that failed.
MitigationScenario The update scenario in which the mitigations were attempted.
TimeDiff The amount of time spent performing all mitigations (in 100-nanosecond increments).
Total Total number of mitigations that were available.
Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified
Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
Mode Indicates the mode that has started.
Version Version of update
Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update
scenario; which is leveraged by both Mobile and Desktop.
Count The count of applicable OneSettings for the device.
Parameters The set of name value pair parameters sent to OneSettings to determine if there are any
applicable OneSettings.
Values The values sent back to the device, if applicable.
Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified
Update Platform (UUP) update scenario.
ErrorCode The error code returned for the current post reboot phase.
PostRebootResult Indicates the Hresult.
ScenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
DesktopDriverUpdate.
Update360Telemetry.UpdateAgentReboot
This event sends information indicating that a request has been sent to suspend an update.
ErrorCode The error code returned for the current reboot.
IsSuspendable Indicates whether the update has the ability to be suspended and resumed at the time of
reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is
running, this field is TRUE, if not its FALSE.
Reason Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the
result is 0.
UpdateState Indicates the state of the machine when Suspend is called. For example, Install, Download,
Commit.
Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows
via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
ContainsExpressPackage Indicates whether the download package is express.
FreeSpace Free space on OS partition.
InstallCount Number of install attempts using the same sandbox.
Quiet Indicates whether setup is running in quiet mode.
SandboxSize Size of the sandbox.
SetupMode Mode of setup to be launched.
UserSession Indicates whether install was invoked by user actions.
Update notification events
Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
CampaignConfigVersion Configuration version for the current campaign.
CampaignID Currently campaign that is running on Update Notification Pipeline (UNP).
ConfigCatalogVersion Current catalog version of UNP.
ContentVersion Content version for the current campaign on UNP.
CV Correlation vector.
DetectorVersion Most recently run detector version for the current campaign on UNP.
GlobalEventCounter Client-side counter that indicates the event ordering sent by the user.
PackageVersion Current UNP package version.
Upgrade events
FacilitatorTelemetry.DCATDownload
This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to
help keep Windows up to date and secure.
DownloadSize Download size of payload.
ElapsedTime Time taken to download payload.
MediaFallbackUsed Used to determine if we used Media CompDBs to figure out package requirements for
the upgrade.
ResultCode Result returned by the Facilitator DCAT call.
Scenario Dynamic update scenario (Image DU, or Setup DU).
Type Type of package that was downloaded.
UpdateId The ID of the update that was downloaded.
FacilitatorTelemetry.DUDownload
This event returns data about the download of supplemental packages critical to upgrading a device to the next
version of Windows.
PackageCategoriesFailed Lists the categories of packages that failed to download.
PackageCategoriesSkipped Lists the categories of package downloads that were skipped.
FacilitatorTelemetry.InitializeDU
This event determines whether devices received additional or critical supplemental content during an OS upgrade.
DCATUrl The Delivery Catalog (DCAT) URL we send the request to.
DownloadRequestAttributes The attributes we send to DCAT.
ResultCode The result returned from the initiation of Facilitator with the URL/attributes.
Scenario Dynamic Update scenario (Image DU, or Setup DU).
Url The Delivery Catalog (DCAT) URL we send the request to.
Version Version of Facilitator.
Setup360Telemetry.Downlevel
This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep
Windows up to date and secure.
ClientId If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
FlightData Unique value that identifies the flight.
HostOSBuildNumber The build number of the downlevel OS.
HostOsSkuName The operating system edition which is running Setup360 instance (downlevel OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe.
Repor tId In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is
the GUID for the install.wim.
Setup360Extended More detailed information about phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
Setup360Result The result of Setup360 (HRESULT used to diagnose errors).
Setup360Scenario The Setup360 flow type (for example, Boot, Media, Update, MCT).
SetupVersionBuildNumber The build number of Setup360 (build number of the target OS).
State Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId An ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
Setup360Telemetry.Finalize
This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep
Windows up-to-date and secure.
ClientId With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, default value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous OS.
HostOsSkuName The OS edition which is running Setup360 instance (previous OS).
InstanceId A unique GUID that identifies each instance of setuphost.exe
Repor tId With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
for the install.wim.
Setup360Extended More detailed information about the phase/action when the potential failure occurred.
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
Setup360Result The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT.
SetupVersionBuildNumber The build number of Setup360 (build number of target OS).
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
TestId ID that uniquely identifies a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
Setup360Telemetry.OsUninstall
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.
Specifically, it indicates the outcome of an OS uninstall.
ClientId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
HostOsSkuName The OS edition which is running the Setup360 instance (previous OS).
Repor tId For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
setup, this is the GUID for the install.wim.
Setup360Extended Detailed information about the phase or action when the potential failure occurred.
Setup360Scenario The Setup360 flow type. Example: Boot, Media, Update, MCT
State Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
WuId Windows Update client ID.
Setup360Telemetry.PostRebootInstall
This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help
keep Windows up-to-date.
ClientId With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup,
the default value is Media360, but can be overwritten by the caller to a unique value.
Setup360Extended Extension of result - more granular information about phase/action when the potential
failure happened
Setup360Mode The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
Setup360Result The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
TestId A string to uniquely identify a group of events.
WuId This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
Setup360Telemetry.PreDownloadQuiet
This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help
ClientId Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media
HostOsSkuName The OS edition which is running Setup360 instance (previous operating system).
Repor tId Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID
Setup360Extended Detailed information about the phase/action when the potential failure occurred.
State The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
WuId This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
Setup360Telemetry.PreDownloadUX
This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS,
to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion
of the update process.
FlightData In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default
value is Media360, but can be overwritten by the caller to a unique value.
HostOSBuildNumber The build number of the previous operating system.
HostOsSkuName The OS edition which is running the Setup360 instance (previous operating system).
InstanceId Unique GUID that identifies each instance of setuphost.exe.
Setup360Result The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
State The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
Setup360Telemetry.PreInstallQuiet
This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep
Windows up-to-date.
Setup360Scenario Setup360 flow type (Boot, Media, Update, MCT).
Setup360Telemetry.PreInstallUX
This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help
keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
Setup360Scenario The Setup360 flow type, Example: Boot, Media, Update, MCT.
Setup360Telemetry.Setup360
This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
ClientId Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID.
In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
FieldName Retrieves the data point.
FlightData Specifies a unique identifier for each group of Windows Insider builds.
InstanceId Retrieves a unique identifier for each instance of a setup session.
Repor tId Retrieves the report ID.
ScenarioId Retrieves the deployment scenario.
Value Retrieves the value associated with the corresponding FieldName.
Setup360Telemetry.Setup360DynamicUpdate
This event helps determine whether the device received supplemental content during an operating system
upgrade, to help keep Windows up-to-date.
Operation Facilitator’s last known operation (scan, download, etc.).
Repor tId ID for tying together events stream side.
ResultCode Result returned for the entire setup operation.
ScenarioId Identifies the update scenario.
TargetBranch Branch of the target OS.
TargetBuild Build of the target OS.
Setup360Telemetry.Setup360MitigationResult
This event sends data indicating the result of each setup mitigation.
Applicable TRUE if the mitigation is applicable for the current update.
ClientId In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is
Media360, but can be overwritten by the caller to a unique value.
FlightData The unique identifier for each flight (test release).
InstanceId The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE.
Name The friendly (descriptive) name of the mitigation.
OperationName The friendly (descriptive) name of the mitigation operation (in the event of failure).
Repor tId In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the
GUID for the INSTALL.WIM.
Result HResult of this operation.
ScenarioId Setup360 flow type.
Setup360Telemetry.Setup360MitigationSummary
This event sends a summary of all the setup mitigations available for this update.
ClientId The Windows Update client ID passed to Setup.
Total The total number of mitigations that were available.
Setup360Telemetry.Setup360OneSettings
FlightData The ID for the flight (test instance version).
InstanceId The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe.
Repor tId The Update ID passed to Setup.
Result The HResult of the event error.
ScenarioId The update scenario ID.
Values Values sent back to the device, if applicable.
Setup360Telemetry.UnexpectedEvent
This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help
Setup360Result The result of Setup360. This is an HRESULT error code that can be used used to diagnose
errors.
Windows as a Service diagnostic events

Microsoft.Windows.WaaSMedic.SummaryEvent
Result of the WaaSMedic operation.
callerApplication The name of the calling application.
capsuleCount The number of Sediment Pack capsules.
capsuleFailureCount The number of capsule failures.
detectionSummar y Result of each applicable detection that was run.
featureAssessmentImpact WaaS Assessment impact for feature updates.
hrEngineBlockReason Indicates the reason for stopping WaaSMedic.
hrEngineResult Error code from the engine operation.
hrLastSandboxError The last error sent by the WaaSMedic sandbox.
initSummar y Summary data of the initialization method.
isInteractiveMode The user started a run of WaaSMedic.
isManaged Device is managed for updates.
isWUConnected Device is connected to Windows Update.
noMoreActions No more applicable diagnostics.
pluginFailureCount The number of plugins that have failed.
pluginsCount The number of plugins.
qualityAssessmentImpact WaaS Assessment impact for quality updates.
remediationSummar y Result of each operation performed on a device to fix an invalid state or configuration
that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix
is to turn the it back on.
usingBackupFeatureAssessment Relying on backup feature assessment.
usingBackupQualityAssessment Relying on backup quality assessment.
usingCachedFeatureAssessment WaaS Medic run did not get OS build age from the network on the
previous run.
usingCachedQualityAssessment WaaS Medic run did not get OS revision age from the network on the
previous run.
versionString Version of the WaaSMedic engine.
waasMedicRunMode Indicates whether this was a background regular run of the medic or whether it was
triggered by a user launching Windows Update Troubleshooter.
Windows Error Reporting events

Microsoft.Windows.WERVertical.OSCrash
This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows
up to date. The is the OneCore version of this event.
BootId Uint32 identifying the boot number for this device.
BugCheckCode Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
BugCheckParameter1 Uint64 parameter providing additional information.
DumpFileAttributes Codes that identify the type of data contained in the dump file
DumpFileSize Size of the dump file
IsValidDumpFile True if the dump file is valid for the debugger, false otherwise
Repor tId WER Report Id associated with this bug check (used for finding the corresponding report archive in
Watson).
Value
This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of
estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic
Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe
and stable operation of Windows, the data provided by this event provides that data in a manner which does not
threaten a user’s privacy.
Algorithm The algorithm used to preserve privacy.
DPRange The upper bound of the range being measured.
DPValue The randomized response returned by the client.
Epsilon The level of privacy to be applied.
HistType The histogram type if the algorithm is a histogram algorithm.
Per tProb The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
Windows Error Reporting MTT events

Microsoft.Windows.WER.MTT.Denominator
This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help
Value Standard UTC emitted DP value structure See Value.
Windows Hardware Error Architecture events

WheaProvider.WheaErrorRecord
This event collects data about common platform hardware error recorded by the Windows Hardware Error
Architecture (WHEA) mechanism.
creatorId The unique identifier for the entity that created the error record.
errorFlags Any flags set on the error record.
notifyType The unique identifier for the notification mechanism which reported the error to the operating
system.
par titionId The unique identifier for the partition on which the hardware error occurred.
platformId The unique identifier for the platform on which the hardware error occurred.
record A collection of binary data containing the full error record.
recordId The identifier of the error record.
sectionFlags The flags for each section recorded in the error record.
sectionTypes The unique identifier that represents the type of sections contained in the error record.
severityCount The severity of each individual section.
timeStamp The error time stamp as recorded in the error record.
Windows Security Center events

Microsoft.Windows.Security.WSC.DatastoreMigratedVersion
This event provides information about the datastore migration and whether it was successful.
datastoreisvtype The product category of the datastore.
datastoremigrated The version of the datastore that was migrated.
status The result code of the migration.
Microsoft.Windows.Security.WSC.GetCallerViaWdsp
This event returns data if the registering product EXE (executable file) does not allow COM (Component Object
Model) impersonation.
callerExe The registering product EXE that does not support COM impersonation.
Windows Store events

Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
This event is sent when an installation or update is canceled by a user or the system and is used to help keep
Windows Apps up to date and secure.
AggregatedPackageFullNames The names of all packages to be downloaded and installed.
AttemptNumber Number of retry attempts before it was canceled.
BundleId The Item Bundle ID.
Categor yId The Item Category ID.
ClientAppId The identity of the app that initiated this operation.
HResult The result code of the last action performed before this operation.
IsBundle Is this a bundle?
IsInteractive Was this requested by a user?
IsMandator y Was this a mandatory update?
IsRemediation Was this a remediation install?
IsRestore Is this automatically restoring a previously acquired product?
IsUpdate Flag indicating if this is an update.
ParentBundleId The product ID of the parent (if this product is part of a bundle).
PFN The product family name of the product being installed.
ProductId The identity of the package or packages being installed.
SystemAttemptNumber The total number of automatic attempts at installation before it was canceled.
UserAttemptNumber The total number of user attempts at installation before it was canceled.
WUContentId The Windows Update content ID.
Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
This event is sent when an inventory of the apps installed is started to determine whether updates for those apps
are available. It's used to help keep Windows up-to-date and secure.
Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help
keep Windows up-to-date and secure.
Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by
the user or the system. It's used to help keep Windows up-to-date and secure.
AggregatedPackageFullNames The names of all package or packages to be downloaded and installed.
AttemptNumber Total number of installation attempts.
BundleId The identity of the Windows Insider build that is associated with this product.
Categor yId The identity of the package or packages being installed.
IsMandator y Is this a mandatory update?
IsRemediation Is this repairing a previous installation?
IsRestore Is this an automatic restore of a previously acquired product?
IsUpdate Is this a product update?
PFN The name of all packages to be downloaded and installed.
PreviousHResult The previous HResult code.
PreviousInstallState Previous installation state before it was canceled.
ProductId The name of the package or packages requested for installation.
RelatedCV Correlation Vector of a previous performed action on this product.
SystemAttemptNumber Total number of automatic attempts to install before it was canceled.
UserAttemptNumber Total number of user attempts to install before it was canceled.
Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure.
CatalogId The Store Product ID of the app being installed.
HResult HResult code of the action being performed.
PackageFamilyName The name of the package being installed.
ProductId The Store Product ID of the product being installed.
SkuId Specific edition of the item being installed.
Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-
to-date and secure.
AggregatedPackageFullNames Includes a set of package full names for each app that is part of an atomic
set.
AttemptNumber The total number of attempts to acquire this product.
BundleId The identity of the test build (flight) associated with this product.
HResult HResult code to show the result of the operation (success/failure).
IsInteractive Did the user initiate the installation?
IsRestore Is this happening after a device restore?
IsUpdate Is this an update?
ParentBundleId The product identifier of the parent if this product is part of a bundle.
PFN Product Family Name of the product being installed.
ProductId The Store Product ID for the product being installed.
SystemAttemptNumber The number of attempts by the system to acquire this product.
UserAttemptNumber The number of attempts by the user to acquire this product
Microsoft.Windows.StoreAgent.Telemetry.EndDownload
This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
AggregatedPackageFullNames The name of all packages to be downloaded and installed.
BundleId The identity of the Windows Insider build associated with this product.
DownloadSize The total size of the download.
ExtendedHResult Any extended HResult error codes.
HResult The result code of the last action performed.
IsInteractive Is this initiated by the user?
IsMandator y Is this a mandatory installation?
IsRestore Is this a restore of a previously acquired product?
ParentBundleId The parent bundle ID (if it's part of a bundle).
PFN The Product Family Name of the app being download.
SystemAttemptNumber The number of attempts by the system to download.
UserAttemptNumber The number of attempts by the user to download.
Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
This event is sent when an app update requires an updated Framework package and the process starts to
download it. It is used to help keep Windows up-to-date and secure.
Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
This event is sent after sending the inventory of the products installed to determine whether updates for those
products are available. It's used to help keep Windows up-to-date and secure.
Microsoft.Windows.StoreAgent.Telemetry.EndInstall
This event is sent after a product has been installed to help keep Windows up-to-date and secure.
AttemptNumber The number of retry attempts before it was canceled.
BundleId The identity of the build associated with this product.
ExtendedHResult The extended HResult error code.
IsInteractive Is this an interactive installation?
SystemAttemptNumber The total number of system attempts.
UserAttemptNumber The total number of user attempts.
Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
This event is sent after a scan for product updates to determine if there are packages to install. It's used to help
IsApplicability Is this request to only check if there are any applicable packages to install?
IsInteractive Is this user requested?
IsOnline Is the request doing an online check?
Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and
secure.
AttemptNumber The total number of retry attempts before it was canceled.
IsRestore Is this restoring previously acquired content?
PFN The name of the package or packages requested for install.
Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to
UserAttemptNumber The total number of system attempts.
Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
This event is sent after a scan for available app updates to help keep Windows up-to-date and secure.
Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
CatalogId The name of the product catalog from which this app was chosen.
FailedRetr y Indicates whether the installation or update retry was successful.
HResult The HResult code of the operation.
PFN The Package Family Name of the app that is being installed or updated.
ProductId The product ID of the app that is being updated or installed.
Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
FulfillmentPluginId The ID of the plugin needed to install the package type of the product.
PluginTelemetr yData Diagnostic information specific to the package-type plug-in.
Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
CatalogId If this product is from a private catalog, the Store Product ID for the product being installed.
SkuId Specific edition ID being installed.
VolumePath The disk path of the installation.
Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
This event is sent when a product install or update is paused (either by a user or the system), to help keep
PFN The Product Full Name.
PreviousHResult The result code of the last action performed before this operation.
PreviousInstallState Previous state before the installation or update was paused.
Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
This event is sent when a product install or update is resumed (either by a user or the system), to help keep
IsUserRetr y Did the user initiate the retry?
PreviousHResult The previous HResult error code.
PreviousInstallState Previous state before the installation was paused.
RelatedCV Correlation Vector for the original install before it was resumed.
ResumeClientId The ID of the app that initiated the resume operation.
Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
This event is sent when a product install or update is resumed by a user or on installation retries, to help keep
Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
CatalogId The Store Catalog ID for the product being installed.
SkuId Specfic edition of the app being updated.
Microsoft.Windows.StoreAgent.Telemetry.StateTransition
Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time
there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep
CatalogId The ID for the product being installed if the product is from a private catalog, such as the Enterprise
catalog.
HResult The resulting HResult error/success code of this operation.
NewState The current fulfillment state of this product.
PluginLastStage The most recent product fulfillment step that the plug-in has reported (different than its
state).
Prevstate The previous fulfillment state of this product.
ProductId Product ID of the app that is being updated or installed.
Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
PFamN The name of the app that is requested for update.
Windows Update CSP events

Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
This event sends basic telemetry on the failure of the Feature Rollback.
current Result of currency check.
dismOperationSucceeded Dism uninstall operation status.
hResult Failure error code.
oSVersion Build number of the device.
paused Indicates whether the device is paused.
rebootRequestSucceeded Reboot Configuration Service Provider (CSP) call success status.
sacDevice This is the device info.
wUfBConnected Result of WUfB connection check.
Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a
device.
sacDevice Represents the device info.
Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
This event sends basic information indicating that Feature Rollback has started.
Windows Update Delivery Optimization events

Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
This event describes when a download was canceled with Delivery Optimization. It's used to understand and
address problems regarding downloads.
background Is the download being done in the background?
bytesFromCacheSer ver Bytes received from a cache host.
bytesFromCDN The number of bytes received from a CDN source.
bytesFromGroupPeers The number of bytes received from a peer in the same group.
bytesFromIntPeers The number of bytes received from peers not in the same LAN or in the same group.
bytesFromLinkLocalPeers The number of bytes received from local peers.
bytesFromLocalCache Bytes copied over from local (on disk) cache.
bytesFromPeers The number of bytes received from a peer in the same LAN.
cdnErrorCodes A list of CDN connection errors since the last FailureCDNCommunication event.
cdnErrorCounts The number of times each error in cdnErrorCodes was encountered.
cdnIp The IP Address of the source CDN (Content Delivery Network).
cdnUrl The URL of the source CDN (Content Delivery Network).
dataSourcesTotal Bytes received per source type, accumulated for the whole session.
errorCode The error code that was returned.
experimentId When running a test, this is used to correlate events that are part of the same test.
fileID The ID of the file being downloaded.
gCurMemor yStreamBytes Current usage for memory streaming.
gMaxMemor yStreamBytes Maximum usage for memory streaming.
isVpn Is the device connected to a Virtual Private Network?
jobID Identifier for the Windows Update job.
predefinedCallerName The name of the API Caller.
reasonCode Reason the action or event occurred.
routeToCacheSer ver The cache server setting, source, and value.
sessionID The ID of the file download session.
updateID The ID of the update being downloaded.
usedMemor yStream TRUE if the download is using memory streaming for App downloads.
Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
This event describes when a download has completed with Delivery Optimization. It's used to understand and
background Is the download a background download?
bytesFromGroupPeers The number of bytes received from a peer in the same domain group.
bytesFromIntPeers The number of bytes received from peers not in the same LAN or in the same domain
group.
bytesRequested The total number of bytes requested for download.
cacheSer verConnectionCount Number of connections made to cache hosts.
cdnConnectionCount The total number of connections made to the CDN.
cdnIp The IP address of the source CDN.
cdnUrl Url of the source Content Distribution Network (CDN).
congestionPrevention Indicates a download may have been suspended to prevent network congestion.
doErrorCode The Delivery Optimization error code that was returned.
downlinkBps The maximum measured available download bandwidth (in bytes per second).
downlinkUsageBps The download speed (in bytes per second).
downloadMode The download mode used for this file download session.
downloadModeReason Reason for the download.
downloadModeSrc Source of the DownloadMode setting.
experimentId When running a test, this is used to correlate with other events that are part of the same test.
expiresAt The time when the content will expire from the Delivery Optimization Cache.
fileSize The size of the file being downloaded.
groupConnectionCount The total number of connections made to peers in the same group.
internetConnectionCount The total number of connections made to peers not in the same LAN or the same
group.
isEncr ypted TRUE if the file is encrypted and will be decrypted after download.
isThrottled Indicates the Event Rate was throttled (event represent aggregated data).
lanConnectionCount The total number of connections made to peers in the same LAN.
linkLocalConnectionCount The number of connections made to peers in the same Link-local network.
numPeers The total number of peers used for this download.
numPeersLocal The total number of local peers used for this download.
restrictedUpload Is the upload restricted?
sessionID The ID of the download session.
totalTimeMs Duration of the download (in seconds).
uplinkBps The maximum measured available upload bandwidth (in bytes per second).
uplinkUsageBps The upload speed (in bytes per second).
Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand
and address problems regarding downloads.
fileID The ID of the file being paused.
predefinedCallerName The name of the API Caller object.
reasonCode The reason for pausing the download.
updateID The ID of the update being paused.
Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
This event sends data describing the start of a new download to enable Delivery Optimization. It's used to
understand and address problems regarding downloads.
background Indicates whether the download is happening in the background.
bytesRequested Number of bytes requested for the download.
cdnUrl The URL of the source Content Distribution Network (CDN).
costFlags A set of flags representing network cost.
deviceProfile Identifies the usage or form factor (such as Desktop, Xbox, or VM).
diceRoll Random number used for determining if a client will use peering.
doClientVersion The version of the Delivery Optimization client.
downloadMode The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2,
Internet = 3, Simple = 99, Bypass = 100).
downloadModeSrc Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider
= 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7,
SettingsProvider = 8, InvalidProviderType = 9).
experimentId ID used to correlate client/services calls that are part of the same test during A/B testing.
filePath The path to where the downloaded file will be written.
fileSize Total file size of the file that was downloaded.
fileSizeCaller Value for total file size provided by our caller.
groupID ID for the group.
isEncr ypted Indicates whether the download is encrypted.
isVpn Indicates whether the device is connected to a Virtual Private Network.
jobID The ID of the Windows Update job.
peerID The ID for this delivery optimization client.
predefinedCallerName Name of the API caller.
routeToCacheSer ver Cache server setting, source, and value.
sessionID The ID for the file download session.
setConfigs A JSON representation of the configurations that have been set, and their sources.
usedMemor yStream Indicates whether the download used memory streaming.
Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and
cdnHeaders The HTTP headers returned by the CDN.
cdnIp The IP address of the CDN.
cdnUrl The URL of the CDN.
errorCount The total number of times this error code was seen since the last FailureCdnCommunication event
was encountered.
httpStatusCode The HTTP status code returned by the CDN.
isHeadRequest The type of HTTP request that was sent to the CDN. Example: HEAD or GET
peerType The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.).
requestOffset The byte offset within the file in the sent request.
requestSize The size of the range requested from the CDN.
responseSize The size of the range response received from the CDN.
Microsoft.OSG.DU.DeliveryOptClient.JobError
This event represents a Windows Update job error. It allows for investigation of top errors.
doErrorCode Error code returned for delivery optimization.
errorCode The error code returned.
jobID The Windows Update job ID.
Windows Update events

Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
This event collects information regarding the state of devices and drivers on the system following a reboot after
the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install
a device manifest describing a set of driver packages.
activated Whether the entire device manifest update is considered activated and in use.
analysisErrorCount The number of driver packages that could not be analyzed because errors occurred
during analysis.
flightId Unique ID for each flight.
missingDriverCount The number of driver packages delivered by the device manifest that are missing from
the system.
missingUpdateCount The number of updates in the device manifest that are missing from the system.
objectId Unique value for each diagnostics session.
publishedCount The number of drivers packages delivered by the device manifest that are published and
available to be used on devices.
relatedCV Correlation vector value generated from the latest USO scan.
scenarioId Indicates the update scenario.
sessionId Unique value for each update session.
summar y A summary string that contains basic information about driver packages that are part of the device
manifest and any devices on the system that those driver packages match.
summar yAppendError A Boolean indicating if there was an error appending more information to the
summary string.
truncatedDeviceCount The number of devices missing from the summary string because there is not enough
room in the string.
truncatedDriverCount The number of driver packages missing from the summary string because there is not
enough room in the string.
unpublishedCount How many drivers packages that were delivered by the device manifest that are still
unpublished and unavailable to be used on devices.
updateId The unique ID for each update.
Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update
Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
errorCode The error code returned for the current session initialization.
flightId The unique identifier for each flight.
objectId The unique GUID for each diagnostics session.
relatedCV A correlation vector value generated from the latest USO scan.
result Outcome of the initialization of the session.
scenarioId Identifies the Update scenario.
sessionId The unique value for each update session.
updateId The unique identifier for each Update.
Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
This event collects information regarding the download request phase of the new device manifest UUP (Unified
Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
deletedCorruptFiles Indicates if UpdateAgent found any corrupt payload files and whether the payload was
deleted.
objectId Unique value for each Update Agent mode.
packageCountOptional Number of optional packages requested.
packageCountRequired Number of required packages requested.
packageCountTotal Total number of packages needed.
packageCountTotalCanonical Total number of canonical packages.
packageCountTotalDiff Total number of diff packages.
packageCountTotalExpress Total number of express packages.
packageSizeCanonical Size of canonical packages in bytes.
packageSizeDiff Size of diff packages in bytes.
packageSizeExpress Size of express packages in bytes.
rangeRequestState Represents the state of the download range request.
result Result of the download request phase of update.
scenarioId The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or
sessionId Unique value for each Update Agent mode attempt.
updateId Unique ID for each update.
Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
This event sends data for initializing a new update session for the new device manifest UUP (Unified Update
flightMetadata Contains the FlightId and the build being flighted.
result Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled.
sessionData Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
This event collects information regarding the install phase of the new device manifest UUP (Unified Update
errorCode The error code returned for the current install phase.
objectId The unique identifier for each diagnostics session.
result Outcome of the install phase of the update.
scenarioId The unique identifier for the update scenario.
updateId The unique identifier for each update.
Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating device manifest assets via the UUP
(Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver
packages.
mode The mode that is starting.
objectId The unique value for each diagnostics session.
updateId Unique identifier for each update.
Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
This event indicates that a notification dialog box is about to be displayed to user.
AcceptAutoModeLimit The maximum number of days for a device to automatically enter Auto Reboot mode.
AutoToAutoFailedLimit The maximum number of days for Auto Reboot mode to fail before the RebootFailed
dialog box is shown.
DaysSinceRebootRequired Number of days since restart was required.
DeviceLocalTime The local time on the device sending the event.
EngagedModeLimit The number of days to switch between DTE dialog boxes.
EnterAutoModeLimit The maximum number of days for a device to enter Auto Reboot mode.
ETag OneSettings versioning value.
IsForcedEnabled Indicates whether Forced Reboot mode is enabled for this device.
IsUltimateForcedEnabled Indicates whether Ultimate Forced Reboot mode is enabled for this device.
NotificationUxState Indicates which dialog box is shown.
NotificationUxStateString Indicates which dialog box is shown.
RebootUxState Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
RebootUxStateString Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
RebootVersion Version of DTE.
SkipToAutoModeLimit The minimum length of time to pass in restart pending before a device can be put into
auto mode.
UpdateId The ID of the update that is pending restart to finish installation.
UpdateRevision The revision of the update that is pending restart to finish installation.
UtcTime The time the dialog box notification will be displayed, in Coordinated Universal Time.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
EnterpriseAttributionValue Indicates whether the Enterprise attribution is on in this dialog box.
ExitCode Indicates how users exited the dialog box.
UserResponseString The option that user chose on this dialog box.
UtcTime The time that the dialog box was displayed, in Coordinated Universal Time.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
DeviceLocalTime The local time of the device sending the event.
UserResponseString The option that the user chose in this dialog box.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
DeviceLocalTime Time the dialog box was shown on the local device.
UserResponseString The option that user chose in this dialog box.
UtcTime The time that dialog box was displayed, in Coordinated Universal Time.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed.
DeviceLocalTime The time at which the reboot reminder dialog was shown (based on the local device time
settings).
EnterpriseAttributionValue Indicates whether Enterprise attribution is on for this dialog.
ETag The OneSettings versioning value.
ExitCode Indicates how users exited the reboot reminder dialog box.
RebootVersion The version of the DTE (Direct-to-Engaged).
UpdateId The ID of the update that is waiting for reboot to finish installation.
UpdateRevision The revision of the update that is waiting for reboot to finish installation.
UserResponseString The option chosen by the user on the reboot dialog box.
UtcTime The time at which the reboot reminder dialog was shown (in UTC).
Microsoft.Windows.Update.NotificationUx.RebootScheduled
Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
activeHoursApplicable Indicates whether an Active Hours policy is present on the device.
IsEnhancedEngagedReboot Indicates whether this is an Enhanced Engaged reboot.
rebootArgument Argument for the reboot task. It also represents specific reboot related action.
rebootOutsideOfActiveHours Indicates whether a restart is scheduled outside of active hours.
rebootScheduledByUser Indicates whether the restart was scheduled by user (if not, it was scheduled
automatically).
rebootState The current state of the restart.
rebootUsingSmar tScheduler Indicates whether the reboot is scheduled by smart scheduler.
revisionNumber Revision number of the update that is getting installed with this restart.
scheduledRebootTime Time of the scheduled restart.
scheduledRebootTimeInUTC Time of the scheduled restart in Coordinated Universal Time.
updateId ID of the update that is getting installed with this restart.
wuDeviceid Unique device ID used by Windows Update.
Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
This event indicates a policy is present that may restrict update activity to outside of active hours.
activeHoursEnd The end of the active hours window.
activeHoursStar t The start of the active hours window.
Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
This event indicates that update activity was blocked because it is within the active hours window.
updatePhase The current state of the update process.
Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
This event indicates that Windows Update activity was blocked due to low battery level.
batter yLevel The current battery charge capacity.
batter yLevelThreshold The battery capacity threshold to stop update activity.
wuDeviceid Device ID.
Microsoft.Windows.Update.Orchestrator.DeferRestart
This event indicates that a restart required for installing updates was postponed.
displayNeededReason List of reasons for needing display.
eventScenario Indicates the purpose of the event (scan started, succeeded, failed, etc.).
filteredDeferReason Applicable filtered reasons why reboot was postponed (such as user active, or low
battery).
gameModeReason Name of the executable that caused the game mode state check to start.
ignoredReason List of reasons that were intentionally ignored.
IgnoreReasonsForRestar t List of reasons why restart was deferred.
revisionNumber Update ID revision number.
systemNeededReason List of reasons why system is needed.
updateId Update ID.
updateScenarioType Update session type.
Microsoft.Windows.Update.Orchestrator.Detection
This event indicates that a scan for a Windows Update occurred.
deferReason Reason why the device could not check for updates.
detectionBlockingPolicy State of update action.
detectionBlockreason The reason detection did not complete.
detectionRetr yMode Indicates whether we will try to scan again.
errorCode The error code returned for the current process.
eventScenario End-to-end update session ID, or indicates the purpose of sending this event - whether because
the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
flightID The specific ID of the Windows Insider build the device is getting.
interactive Indicates whether the session was user initiated.
networkStatus Error info
revisionNumber Update revision number.
scanTriggerSource Source of the triggered scan.
updateId Update ID.
updateScenarioType Identifies the type of update session being performed.
wuDeviceid The unique device ID used by Windows Update.
Microsoft.Windows.Update.Orchestrator.DetectionActivity
This event returns data about detected updates, as well as the types of update (optional or recommended). This
data helps keep Windows up to date.
applicableUpdateIdList The list of update identifiers.
applicableUpdateList The list of available updates.
durationInSeconds The amount of time (in seconds) it took for the event to run.
expeditedMode Indicates whether Expedited Mode is on.
networkCostPolicy The network cost.
scanTriggerSource Indicates whether the scan is Interactive or Background.
scenario The result code of the event.
scenarioReason The reason for the result code (scenario).
seekerUpdateIdList The list of “seeker” update identifiers.
seekerUpdateList The list of “seeker” updates.
ser vices The list of services that were called during update.
wilActivity The activity results. See wilActivity.
Microsoft.Windows.Update.Orchestrator.DisplayNeeded
This event indicates the reboot was postponed due to needing a display.
displayNeededReason Reason the display is needed.
eventScenario Indicates the purpose of sending this event - whether because the software distribution just
rebootOutsideOfActiveHours Indicates whether the reboot was to occur outside of active hours.
revisionNumber Revision number of the update.
updateId Update ID.
updateScenarioType The update session type.
uxRebootstate Indicates the exact state of the user experience at the time the required reboot was initiated.
wuDeviceid The unique identifier of a specific device, used to identify how many devices are encountering
Microsoft.Windows.Update.Orchestrator.Download
This event sends launch data for a Windows Update download to help keep Windows up to date.
deferReason Reason for download not completing.
errorCode An error code represented as a hexadecimal value.
eventScenario End-to-end update session ID.
interactive Indicates whether the session is user initiated.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-
date.
configVersion The escalation configuration version on the device.
downloadElapsedTime Indicates how long since the download is required on device.
downloadRiskLevel At-risk level of download phase.
installElapsedTime Indicates how long since the install is required on device.
installRiskLevel The at-risk level of install phase.
isSediment Assessment of whether is device is at risk.
scanElapsedTime Indicates how long since the scan is required on device.
scanRiskLevel At-risk level of the scan phase.
wuDeviceid Device ID used by Windows Update.
Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
This event indicated that USO failed to add a trigger time to a task.
errorCode The Windows Update error code.
wuDeviceid The Windows Update device ID.
Microsoft.Windows.Update.Orchestrator.FlightInapplicable
This event indicates that the update is no longer applicable to this device.
EventPublishedTime Time when this event was generated.
flightID The specific ID of the Windows Insider build.
inapplicableReason The reason why the update is inapplicable.
updateId Unique Windows Update ID.
UpdateStatus Last status of update.
UUPFallBackConfigured Indicates whether UUP fallback is configured.
wuDeviceid Unique Device ID.
Microsoft.Windows.Update.Orchestrator.InitiatingReboot
This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows
up to date.
EventPublishedTime Time of the event.
flightID Unique update ID
interactive Indicates whether the reboot initiation stage of the update process was entered as a result of user
action.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.Install
This event sends launch data for a Windows Update install to help keep Windows up to date.
batter yLevel Current battery capacity in mWh or percentage left.
deferReason Reason for install not completing.
errorCode The error code reppresented by a hexadecimal value.
flightID The ID of the Windows Insider build the device is getting.
flightUpdate Indicates whether the update is a Windows Insider build.
ForcedRebootReminderSet A boolean value that indicates if a forced reboot will happen for updates.
IgnoreReasonsForRestar t The reason(s) a Postpone Restart command was ignored.
installCommitfailedtime The time it took for a reboot to happen but the upgrade failed to progress.
installRebootinitiatetime The time it took for a reboot to be attempted.
interactive Identifies if session is user initiated.
minutesToCommit The time it took to install updates.
rebootOutsideOfActiveHours Indicates whether a reboot is scheduled outside of active hours.
updateId Update ID.
uxRebootstate Indicates the exact state of the user experience at the time the required reboot was initiated to
ensure the correct update process and experience is provided to keep Windows up to date.
Microsoft.Windows.Update.Orchestrator.LowUptimes
This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to
keep secure.
availableHistor yMinutes The number of minutes available from the local machine activity history.
isLowUptimeMachine Is the machine considered low uptime or not.
lowUptimeMinHours Current setting for the minimum number of hours needed to not be considered low
uptime.
lowUptimeQuer yDays Current setting for the number of recent days to check for uptime.
uptimeMinutes Number of minutes of uptime measured.
wuDeviceid Unique device ID for Windows Update.
Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep
Windows up to date.
externalOneshotupdate The last time a task-triggered scan was completed.
interactiveOneshotupdate The last time an interactive scan was completed.
oldlastscanOneshotupdate The last time a scan completed successfully.
wuDeviceid The Windows Update Device GUID (Globally-Unique ID).
Microsoft.Windows.Update.Orchestrator.PreShutdownStart
This event is generated before the shutdown and commit operations.
Microsoft.Windows.Update.Orchestrator.RebootFailed
This event sends information about whether an update required a reboot and reasons for failure, to help keep
Windows up to date.
EventPublishedTime The time that the reboot failure occurred.
flightID Unique update ID.
rebootOutsideOfActiveHours Indicates whether a reboot was scheduled outside of active hours.
RebootResults Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex
code.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.RefreshSettings
This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up
to date.
errorCode Hex code for the error message, to allow lookup of the specific error.
settingsDownloadTime Timestamp of the last attempt to acquire settings.
settingsETag Version identifier for the settings.
Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored
because a reboot is still required, to help keep Windows up to date.
RebootTaskMissedTimeUTC The time when the reboot task was scheduled to run, but did not.
RebootTaskNextTimeUTC The time when the reboot task was rescheduled for.
RebootTaskRestoredTime Time at which this reboot task was restored.
wuDeviceid Device ID for the device on which the reboot is restored.
Microsoft.Windows.Update.Orchestrator.ScanTriggered
This event indicates that Update Orchestrator has started a scan operation.
interactive Indicates whether the scan is interactive.
isDTUEnabled Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on
the client system.
isScanPastSla Indicates whether the SLA has elapsed for scanning.
isScanPastTriggerSla Indicates whether the SLA has elapsed for triggering a scan.
minutesOverScanSla Indicates how many minutes the scan exceeded the scan SLA.
minutesOverScanTriggerSla Indicates how many minutes the scan exceeded the scan trigger SLA.
scanTriggerSource Indicates what caused the scan.
Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable
This event defines when an optional update is available for the device to help keep Windows up to date.
flightID The unique identifier of the Windows Insider build on this device.
isFeatureUpdate Indicates whether the update is a Feature Update.
revisionNumber The revision number of the update.
updateId The GUID (Globally Unique Identifier) of the update.
wuDeviceid The Windows Update device identifier.
Microsoft.Windows.Update.Orchestrator.SeekUpdate
This event occurs when user initiates "seeker" scan. This helps keep Windows up to date.
flightID The ID of the Windows Insider builds on the device.
isFeatureUpdate Indicates that the target of the Seek is a feature update.
updateId The identifier of the update.
Microsoft.Windows.Update.Orchestrator.StickUpdate
This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a
newer update.
updateId Identifier associated with the specific piece of content.
wuDeviceid Unique device ID controlled by the software distribution client.
Microsoft.Windows.Update.Orchestrator.SystemNeeded
This event sends data about why a device is unable to reboot, to help keep Windows up to date.
systemNeededReason List of apps or tasks that are preventing the system from restarting.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
This event indicates that update activity was stopped due to active hours starting.
wuDeviceid The device identifier.
Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorInvalidSignature
This event is sent when an updater has attempted to register a binary that is not signed by Microsoft.
updaterCmdLine The callback executable for the updater.
updaterId The ID of the updater.
Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkInvalidCmd
Event to indicate a critical error with the callback binary requested by the updater
Microsoft.Windows.Update.Orchestrator.UnstickUpdate
This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a
newer update.
Microsoft.Windows.Update.Orchestrator.UpdateNotApplicableForReserves
This event reports a critical error when using update reserves for OS updates to help keep Windows up to date.
Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows
up to date.
configuredPoliciescount Number of policies on the device.
policiesNamevaluesource Policy name and source of policy (group policy, MDM or flight).
policyCacherefreshtime Time when policy cache was refreshed.
updateInstalluxsetting Indicates whether a user has set policies via a user experience option.
Microsoft.Windows.Update.Orchestrator.UpdaterCallbackFailed
This event is sent when an updater failed to execute the registered callback.
updaterArgument The argument to pass to the updater callback.
Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
This event sends data about whether an update required a reboot to help keep Windows up to date.
action.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData
This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to
date.
malformedRegValue The registry value that contains the malformed or missing entry.
Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
This event sends information about an update that encountered problems and was not able to complete.
wuDeviceid The ID of the device in which the error occurred.
Microsoft.Windows.Update.Orchestrator.UsoSession
This event represents the state of the USO service at start and completion.
activeSessionid A unique session GUID.
eventScenario The state of the update action.
interactive Is the USO session interactive?
lastErrorcode The last error that was encountered.
lastErrorstate The state of the update when the last error was encountered.
sessionType A GUID that refers to the update session type.
updateScenarioType A descriptive update session type.
wuDeviceid The Windows Update device GUID.
Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values
for the timing of how eDTE will progress through each phase of the reboot.
AutoToAutoFailedLimit The maximum number of days for Auto Reboot mode to fail before a Reboot Failed
dialog will be shown.
DeviceLocalTime The date and time (based on the device date/time settings) the reboot mode changed.
EngagedModeLimit The number of days to switch between DTE (Direct-to-Engaged) dialogs.
EnterAutoModeLimit The maximum number of days a device can enter Auto Reboot mode.
ETag The Entity Tag that represents the OneSettings version.
IsForcedEnabled Identifies whether Forced Reboot mode is enabled for the device.
IsUltimateForcedEnabled Identifies whether Ultimate Forced Reboot mode is enabled for the device.
OldestUpdateLocalTime The date and time (based on the device date/time settings) this update’s reboot
began pending.
RebootUxState Identifies the reboot state: Engaged, Auto, Forced, UltimateForced.
SkipToAutoModeLimit The maximum number of days to switch to start while in Auto Reboot mode.
Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
This event is sent when a security update has successfully completed.
UtcTime The Coordinated Universal Time that the restart was no longer needed.
Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
This event sends basic information about scheduling an update-related reboot, to get security updates and to help
activeHoursApplicable Indicates whether Active Hours applies on this device.
IsEnhancedEngagedReboot Indicates whether Enhanced reboot was enabled.
rebootOutsideOfActiveHours True, if a reboot is scheduled outside of active hours. False, otherwise.
rebootScheduledByUser True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
rebootState Current state of the reboot.
rebootUsingSmar tScheduler Indicates that the reboot is scheduled by SmartScheduler.
revisionNumber Revision number of the OS.
scheduledRebootTime Time scheduled for the reboot.
scheduledRebootTimeInUTC Time scheduled for the reboot, in UTC.
updateId Identifies which update is being scheduled.
Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
This event sends basic information for scheduling a device restart to install security updates. It's used to help keep
Windows up-to-date
activeHoursApplicable Is the restart respecting Active Hours?
IsEnhancedEngagedReboot TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE.
rebootArgument The arguments that are passed to the OS for the restarted.
rebootOutsideOfActiveHours Was the restart scheduled outside of Active Hours?
rebootScheduledByUser Was the restart scheduled by the user? If the value is false, the restart was
scheduled by the device.
rebootState The state of the restart.
rebootUsingSmar tScheduler TRUE if the reboot should be performed by the Smart Scheduler. Otherwise,
FALSE.
revisionNumber The revision number of the OS being updated.
scheduledRebootTime Time of the scheduled reboot
scheduledRebootTimeInUTC Time of the scheduled restart, in Coordinated Universal Time.
updateId The Windows Update device GUID.
wilActivity
This event provides a Windows Internal Library context used for Product and Service diagnostics.
callContext The function where the failure occurred.
currentContextId The ID of the current call context where the failure occurred.
currentContextMessage The message of the current call context where the failure occurred.
currentContextName The name of the current call context where the failure occurred.
failureCount The number of failures for this failure ID.
failureId The ID of the failure that occurred.
failureType The type of the failure that occurred.
fileName The file name where the failure occurred.
function The function where the failure occurred.
hresult The HResult of the overall activity.
lineNumber The line number where the failure occurred.
message The message of the failure that occurred.
module The module where the failure occurred.
originatingContextId The ID of the originating call context that resulted in the failure.
originatingContextMessage The message of the originating call context that resulted in the failure.
originatingContextName The name of the originating call context that resulted in the failure.
threadId The ID of the thread on which the activity is executing.
Windows Update mitigation events

Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
ClientId The client ID used by Windows Update.
FlightId The ID of each Windows Insider build the device received.
InstanceId A unique device ID that identifies each update instance.
MountedImageCount The number of mounted images.
MountedImageMatches The number of mounted image matches.
MountedImagesFailed The number of mounted images that could not be removed.
MountedImagesRemoved The number of mounted images that were successfully removed.
MountedImagesSkipped The number of mounted images that were not found.
ScenarioId ID indicating the mitigation scenario.
ScenarioSuppor ted Indicates whether the scenario was supported.
UpdateId Unique ID for each Windows Update.
WuId Unique ID for the Windows Update client.
Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates.
ClientId In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value
is Media360, but can be overwritten by the caller to a unique value.
InstanceId Unique GUID that identifies each instances of setuphost.exe.
ReparsePointsFailed Number of reparse points that are corrupted but we failed to fix them.
ReparsePointsFixed Number of reparse points that were corrupted and were fixed by this mitigation.
ReparsePointsSkipped Number of reparse points that are not corrupted and no action is required.
Mitigation360Telemetry.MitigationCustom.FixupEditionId
This event sends data specific to the FixupEditionId mitigation used for OS updates.
EditionIdUpdated Determine whether EditionId was changed.
ProductEditionId Expected EditionId value based on GetProductInfo.
ProductType Value returned by GetProductInfo.
Registr yEditionId EditionId value in the registry.
Windows Update Reserve Manager events

Microsoft.Windows.UpdateReserveManager.BeginScenario
This event is sent when the Update Reserve Manager is called to begin a scenario.
Flags The flags that are passed to the begin scenario function.
HardReser veSize The size of the hard reserve.
HardReser veUsedSpace The used space in the hard reserve.
OwningScenarioId The scenario ID the client that called the begin scenario function.
ReturnCode The return code for the begin scenario operation.
ScenarioId The scenario ID that is internal to the reserve manager.
SoftReser veSize The size of the soft reserve.
SoftReser veUsedSpace The amount of soft reserve space that was used.
Microsoft.Windows.UpdateReserveManager.ClearReserve
This event is sent when the Update Reserve Manager clears one of the reserves.
FinalReser veUsedSpace The amount of used space for the reserve after it was cleared.
InitialReser veUsedSpace The amount of used space for the reserve before it was cleared.
Reser veId The ID of the reserve that needs to be cleared.
Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
FinalAdjustment Final adjustment for the hard reserve following the addition or removal of optional content.
InitialAdjustment Initial intended adjustment for the hard reserve following the addition or removal of
optional content.
Microsoft.Windows.UpdateReserveManager.EndScenario
This event is sent when the Update Reserve Manager ends an active scenario.
ActiveScenario The current active scenario.
Flags The flags passed to the end scenario call.
HardReser veSize The size of the hard reserve when the end scenario is called.
HardReser veUsedSpace The used space in the hard reserve when the end scenario is called.
ReturnCode The return code of this operation.
ScenarioId The ID of the internal reserve manager scenario.
SoftReser veSize The size of the soft reserve when end scenario is called.
SoftReser veUsedSpace The amount of the soft reserve used when end scenario is called.
Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
This event is sent when the Update Reserve Manager returns an error from one of its internal functions.
FailedExpression The failed expression that was returned.
FailedFile The binary file that contained the failed function.
FailedFunction The name of the function that originated the failure.
FailedLine The line number of the failure.
ReturnCode The return code of the function.
Microsoft.Windows.UpdateReserveManager.InitializeReserves
This event is sent when reserves are initialized on the device.
FallbackInitUsed Indicates whether fallback initialization is used.
FinalUserFreeSpace The amount of user free space after initialization.
Flags The flags used in the initialization of Update Reserve Manager.
FreeSpaceToLeaveInUpdateScratch The amount of space that should be left free after using the reserves.
HardReser veFinalSize The final size of the hard reserve.
HardReser veFinalUsedSpace The used space in the hard reserve.
HardReser veInitialSize The size of the hard reserve after initialization.
HardReser veInitialUsedSpace The utilization of the hard reserve after initialization.
HardReser veTargetSize The target size that was set for the hard reserve.
InitialUserFreeSpace The user free space during initialization.
PostUpgradeFreeSpace The free space value passed into the Update Reserve Manager to determine reserve
sizing post upgrade.
SoftReser veFinalSize The final size of the soft reserve.
SoftReser veFinalUsedSpace The used space in the soft reserve.
SoftReser veInitialSize The soft reserve size after initialization.
SoftReser veInitialUsedSpace The utilization of the soft reserve after initialization.
SoftReser veTargetSize The target size that was set for the soft reserve.
TargetUserFreeSpace The target user free space that was passed into the reserve manager to determine
reserve sizing post upgrade.
UpdateScratchFinalUsedSpace The used space in the scratch reserve.
UpdateScratchInitialUsedSpace The utilization of the scratch reserve after initialization.
UpdateScratchReser veFinalSize The utilization of the scratch reserve after initialization.
UpdateScratchReser veInitialSize The size of the scratch reserve after initialization.
Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
This event returns data about the Update Reserve Manager, including whether it’s been initialized.
ClientId The ID of the caller application.
Flags The enumerated flags used to initialize the manager.
FlightId The flight ID of the content the calling client is currently operating with.
Offline Indicates whether or the reserve manager is called during offline operations.
PolicyPassed Indicates whether the machine is able to use reserves.
ReturnCode Return code of the operation.
Version The version of the Update Reserve Manager.
Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next
boot.
FallbackLogicUsed Indicates whether fallback logic was used for initialization.
Flags The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy
This event is sent when the Update Reserve Manager reevaluates policy to determine reserve usage.
PolicyChanged Indicates whether the policy has changed.
PolicyFailedEnum The reason why the policy failed.
PolicyPassed Indicates whether the policy passed.
Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
Microsoft.Windows.UpdateReserveManager.TurnOffReserves
This event is sent when the Update Reserve Manager turns off reserve functionality for certain operations.
Flags Flags used in the turn off reserves function.
HardReser veSize The size of the hard reserve when Turn Off is called.
HardReser veUsedSpace The amount of space used by the hard reserve when Turn Off is called
ScratchReser veSize The size of the scratch reserve when Turn Off is called.
ScratchReser veUsedSpace The amount of space used by the scratch reserve when Turn Off is called.
SoftReser veSize The size of the soft reserve when Turn Off is called.
SoftReser veUsedSpace The amount of the soft reserve used when Turn Off is called.
Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option
content is installed.
ChangeSize The change in the hard reserve size based on the addition or removal of optional content.
Disposition The parameter for the hard reserve adjustment function.
Flags The flags passed to the hard reserve adjustment function.
PendingHardReser veAdjustment The final change to the hard reserve size.
UpdateType Indicates whether the change is an increase or decrease in the size of the hard reserve.
Winlogon events
Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
This event signals the completion of the setup process. It happens only once during the first logon.
XBOX events
Microsoft.Xbox.XamTelemetry.AppActivationError
This event indicates whether the system detected an activation error in the app.
ActivationUri Activation URI (Uniform Resource Identifier) used in the attempt to activate the app.
AppId The Xbox LIVE Title ID.
AppUserModelId The AUMID (Application User Model ID) of the app to activate.
Result The HResult error.
UserId The Xbox LIVE User ID (XUID).
Microsoft.Xbox.XamTelemetry.AppActivity
This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc.
AppActionId The ID of the application action.
AppCurrentVisibilityState The ID of the current application visibility state.
AppId The Xbox LIVE Title ID of the app.
AppPackageFullName The full name of the application package.
AppPreviousVisibilityState The ID of the previous application visibility state.
AppSessionId The application session ID.
AppType The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa).
BCACode The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application.
DurationMs The amount of time (in milliseconds) since the last application state transition.
IsTrialLicense This boolean value is TRUE if the application is on a trial license.
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline,
4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of
the license.
ProductGuid The Xbox product GUID (Globally-Unique ID) of the application.
UserId The XUID (Xbox User ID) of the current user.
Windows 10, version 1809 basic level Windows
Applies to
The Basic level gathers a limited set of information that is critical for understanding the device and its
configuration including: basic device information, quality-related information, app compatibility, and Microsoft
Store. When the level is set to Basic, it also includes the Security level information.
The Basic level helps to identify problems that can occur on a particular device hardware or software configuration.
For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or
that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields
Account trace logging provider events

Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General
This event provides information about application properties to indicate the successful execution.
AppMode Indicates the mode the app is being currently run around privileges.
ExitCode Indicates the exit code of the app.
Help Indicates if the app needs to be launched in the help mode.
ParseError Indicates if there was a parse error during the execution.
RightsAcquired Indicates if the right privileges were acquired for successful execution.
RightsWereEnabled Indicates if the right privileges were enabled for successful execution.
TestMode Indicates whether the app is being run in test mode.
Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount
This event provides information about the properties of user accounts in the Administrator group.
Internal Indicates the internal property associated with the count group.
LastError The error code (if applicable) for the cause of the failure to get the count of the user account.
AppLocker events
Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically
Automatically closed activity for start/stop operations that aren't explicitly closed.
Microsoft.Windows.Security.AppLockerCSP.AddParams
This event indicates the parameters passed to the Add function of the AppLocker Configuration Service Provider
child The child URI of the node to add.
uri URI of the node relative to %SYSTEM32%/AppLocker.
Microsoft.Windows.Security.AppLockerCSP.AddStart
This event indicates the start of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
Microsoft.Windows.Security.AppLockerCSP.AddStop
This event indicates the end of an Add operation for the AppLocker Configuration Service Provider (CSP) to help
hr The HRESULT returned by Add function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
This event provides the result of the Rollback operation in the AppLocker Configuration Service Provider (CSP) to
oldId Previous id for the CSP transaction.
txId Current id for the CSP transaction.
Microsoft.Windows.Security.AppLockerCSP.ClearParams
This event provides the parameters passed to the Clear operation of the AppLocker Configuration Service Provider
uri The URI relative to the %SYSTEM32%\AppLocker folder.
Microsoft.Windows.Security.AppLockerCSP.ClearStart
This event indicates the start of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
Microsoft.Windows.Security.AppLockerCSP.ClearStop
This event indicates the end of the Clear operation of the AppLocker Configuration Service Provider (CSP) to help
hr HRESULT reported at the end of the 'Clear' function.
Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart
This event indicates the start of the Configuration Manager Notification operation of the AppLocker Configuration
NotifyState State sent by ConfigManager to AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop
This event indicates the end of the Configuration Manager Notification operation of the AppLocker Configuration
hr HRESULT returned by the ConfigManagerNotification function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
This event provides the parameters that were passed to the Create Node Instance operation of the AppLocker
NodeId NodeId passed to CreateNodeInstance.
nodeOps NodeOperations parameter passed to CreateNodeInstance.
uri URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
This event indicates the start of the Create Node Instance operation of the AppLocker Configuration Service
Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
This event indicates the end of the Create Node Instance operation of the AppLocker Configuration Service
hr HRESULT returned by the CreateNodeInstance function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
This event provides the parameters passed to the Delete Child operation of the AppLocker Configuration Service
child The child URI of the node to delete.
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
This event indicates the start of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
This event indicates the end of the Delete Child operation of the AppLocker Configuration Service Provider (CSP)
hr HRESULT returned by the DeleteChild function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
This event provides the logged Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker if the plug-
in GUID is null or the Configuration Service Provider (CSP) doesn't believe the old policy is present.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
This event provides the parameters passed to the Get Child Node Names operation of the AppLocker
uri URI relative to %SYSTEM32%/AppLocker for MDM node.
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
This event indicates the start of the Get Child Node Names operation of the AppLocker Configuration Service
Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
This event indicates the end of the Get Child Node Names operation of the AppLocker Configuration Service
child[0] If function succeeded, the first child's name, else "NA".
count If function succeeded, the number of child node names returned by the function, else 0.
hr HRESULT returned by the GetChildNodeNames function of AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.GetLatestId
This event provides the latest time-stamped unique identifier in the AppLocker Configuration Service Provider
dirId The latest directory identifier found by GetLatestId.
id The id returned by GetLatestId if id > 0 - otherwise the dirId parameter.
Microsoft.Windows.Security.AppLockerCSP.HResultException
This event provides the result code (HRESULT) generated by any arbitrary function in the AppLocker Configuration
Service Provider (CSP).
file File in the OS code base in which the exception occurs.
function Function in the OS code base in which the exception occurs.
hr HRESULT that is reported.
line Line in the file in the OS code base in which the exception occurs.
Microsoft.Windows.Security.AppLockerCSP.SetValueParams
This event provides the parameters that were passed to the SetValue operation in the AppLocker Configuration
dataLength Length of the value to set.
uri The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker.
Microsoft.Windows.Security.AppLockerCSP.SetValueStart
This event indicates the start of the SetValue operation in the AppLocker Configuration Service Provider (CSP) to
Microsoft.Windows.Security.AppLockerCSP.SetValueStop
End of the "SetValue" operation for the AppLockerCSP node.
hr HRESULT returned by the SetValue function in AppLockerCSP.
Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
This event provides information for fixing a policy in the AppLocker Configuration Service Provider (CSP) to help
keep Windows secure. It includes Uniform Resource Identifier (URI) relative to %SYSTEM32%\AppLocker that
needs to be fixed.
uri URI for node relative to %SYSTEM32%/AppLocker.
Appraiser events
DatasourceApplicationFile_19ASetup The count of the number of this particular object type present on this
device.
device.
this device.
device.
this device.
device.
DatasourceApplicationFile_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
device.
device.
device.
device.
DatasourceDevicePnp_19ASetup The count of the number of this particular object type present on this
device.
device.
device.
this device.
device.
device.
device.
DatasourceDriverPackage_19ASetup The count of the number of this particular object type present on this
device.
device.
this device.
device.
this device.
DatasourceDriverPackage_RS2 The total DataSourceDriverPackage objects targeting Windows 10, version
device.
device.
device.
DataSourceMatchingInfoBlock_19ASetup The count of the number of this particular object type present
on this device.
device.
on this device.
device.
on this device.
device.
device.
DataSourceMatchingInfoBlock_RS3Setup The count of the number of this particular object type present
on this device.
device.
on this device.
device.
on this device.
device.
device.
DataSourceMatchingInfoPassive_19ASetup The count of the number of this particular object type present
on this device.
this device.
this device.
device.
device.
DataSourceMatchingInfoPassive_RS3Setup The count of the number of this particular object type present
on this device.
device.
on this device.
device.
on this device.
device.
device.
DataSourceMatchingInfoPostUpgrade_19ASetup The count of the number of this particular object type
DataSourceMatchingInfoPostUpgrade_RS3Setup The count of the number of this particular object type
on this device.
on this device.
on this device.
on this device.
DatasourceSystemBios_19ASetup The count of the number of this particular object type present on this
device.
device.
device.
device.
device.
device.
DecisionApplicationFile_19ASetup The count of the number of this particular object type present on this
device.
device.
device.
DecisionApplicationFile_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
DecisionDevicePnp_19ASetup The count of the number of this particular object type present on this device.
device.
device.
device.
DecisionDriverPackage_19ASetup The count of the number of this particular object type present on this
device.
device.
device.
on this device.
device.
device.
device.
DecisionMatchingInfoBlock_19ASetup The count of the number of this particular object type present on
this device.
device.
this device.
device.
this device.
DecisionMatchingInfoBlock_RS3Setup The count of the number of this particular object type present on
this device.
this device.
device.
this device.
device.
device.
DecisionMatchingInfoPassive_19ASetup The count of the number of this particular object type present on
this device.
device.
on this device.
device.
on this device.
DecisionMatchingInfoPassive_RS3Setup The count of the number of this particular object type present on
this device.
device.
this device.
device.
this device.
device.
device.
DecisionMatchingInfoPostUpgrade_19ASetup The count of the number of this particular object type
on this device.
on this device.
DecisionMatchingInfoPostUpgrade_RS3Setup The count of the number of this particular object type
this device.
this device.
this device.
this device.
DecisionMediaCenter_19ASetup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_19H1Setup The total DecisionMediaCenter objects targeting the next release of
DecisionMediaCenter_20H1Setup The count of the number of this particular object type present on this
device.
DecisionMediaCenter_RS3Setup The count of the number of this particular object type present on this
device.
device.
device.
DecisionSystemBios_19ASetup The total DecisionSystemBios objects targeting the next release of Windows
on this device.
DecisionSystemBios_20H1Setup The count of the number of this particular object type present on this
device.
device.
device.
device.
device.
on this device.
on this device.
this device.
on this device.
DecisionSystemProcessor_RS2 The count of the number of this particular object type present on this
device.
DecisionTest_20H1Setup The count of the number of this particular object type present on this device.
Inventor ySystemMachine The count of the number of this particular object type present on this device.
Inventor ySystemProcessor The count of the number of this particular object type present on this device.
device.
PCFP The count of the number of this particular object type present on this device.
device.
device.
Wmdrm_19ASetup The count of the number of this particular object type present on this device.
Wmdrm_20H1Setup The count of the number of this particular object type present on this device.
Wmdrm_RS3Setup The count of the number of this particular object type present on this device.
CosDeviceRating An enumeration that indicates if there is a driver on the target operating system.
CosDeviceSolution An enumeration that indicates how a driver on the target operating system is available.
CosDeviceSolutionUrl Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd . Empty string
CosPopulatedFromId The expected uplevel driver matching ID based on driver coverage data.
UplevelInboxDriver Indicates whether there is a driver uplevel for this device.
Update.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
This event indicates that the DatasourceSystemBios object is no longer present.
upgrade mode?
app.
upgrade.
block upgrade.
the OS?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this PNP
device.
PNP device?
overridden?
package.
DriverIsTroubleshooterBlocked Indicates whether the driver package is blocked because of a troubleshooter
block.
blocks?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
This event indicates that the DecisionMatchingInfoBlock object is no longer present.
blocks?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep
Windows up to date.
app?
Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
Center?
MediaCenterActivelyUsed If Windows Media Center is supported on the edition, has it been run at least
once and are the MediaCenterIndicators are true?
supported edition?
Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
This event indicates that the DecisionMediaCenter object is no longer present.
Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
This event indicates that the DecisionSystemBios object is no longer present.
date.
This event represents the basic metadata about a file on the system. The file must be part of an app and either
have a block in the compatibility database or be part of an antivirus program.
octets.
file metadata.
date.
biosDate The release date of the BIOS in UTC format.
biosName The name field from Win32_BIOS.
manufacturer The manufacturer field from Win32_ComputerSystem.
model The model field from Win32_ComputerSystem.
Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
This event indicates that the InventorySystemBios object is no longer present.
Windows up to date.
bytes).
Microsoft.Windows.Appraiser.General.SystemMemoryRemove
This event that the SystemMemory object is no longer present.
Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
This event indicates that the SystemProcessorCompareExchange object is no longer present.
Windows up to date.
Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
This event indicates that the SystemProcessorLahfSahf object is no longer present.
to date.
Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
This event indicates that the SystemProcessorNx object is no longer present.
Windows up to date.
Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
This event indicates that the SystemProcessorPrefetchW object is no longer present.
up to date.
Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
This event indicates that the SystemProcessorSse2 object is no longer present.
Microsoft.Windows.Appraiser.General.SystemTouchRemove
This event indicates that the SystemTouch object is no longer present.
a WIM.
Microsoft.Windows.Appraiser.General.SystemWimRemove
This event indicates that the SystemWim object is no longer present.
date.
Microsoft.Windows.Appraiser.General.SystemWlanRemove
This event indicates that the SystemWlan object is no longer present.
date.
do a full scan.
ScheduledUploadDay The day scheduled for the upload.
WhyRunSkipped Indicates the reason or reasons that an appraiser run was skipped.
This event sends data about the usage of older digital rights management on the system, to help keep Windows up
to date. This data does not indicate the details of the media using the digital rights management, only whether any
such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able
to be removed once all mitigations are in place.
ripped CDs.
Microsoft.Windows.Appraiser.General.WmdrmRemove
This event indicates that the Wmdrm object is no longer present.
Audio endpoint events

Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo
This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides
information about the audio endpoint.
BusEnumeratorName The name of the bus enumerator (for example, HDAUDIO or USB).
ContainerId An identifier that uniquely groups the functional devices associated with a single-function or
multifunction device.
DeviceInstanceId The unique identifier for this instance of the device.
EndpointDevnodeId The IMMDevice identifier of the associated devnode.
EndpointFormFactor The enumeration value for the form factor of the endpoint device (for example speaker,
microphone, remote network device).
endpointID The unique identifier for the audio endpoint.
endpointInstanceId The unique identifier for the software audio endpoint. Used for joining to other audio
event.
Flow Indicates whether the endpoint is capture (1) or render (0).
HWID The hardware identifier for the endpoint.
IsBluetooth Indicates whether the device is a Bluetooth device.
IsSideband Indicates whether the device is a sideband device.
IsUSB Indicates whether the device is a USB device.
JackSubType A unique ID representing the KS node type of the endpoint.
MicArrayGeometr y Describes the microphone array, including the microphone position, coordinates, type,
and frequency range. See MicArrayGeometry.
persistentId A unique ID for this endpoint which is retained across migrations.
MicArrayGeometry
This event provides information about the layout of the individual microphone elements in the microphone array.
MicCoords The location and orientation of the microphone element.
usFrequencyBandHi The high end of the frequency range for the microphone.
usFrequencyBandLo The low end of the frequency range for the microphone.
usMicArrayType The type of the microphone array.
usNumberOfMicrophones The number of microphones in the array.
usVersion The version of the microphone array specification.
wHorizontalAngleBegin The horizontal angle of the start of the working volume (reported as radians times
10,000).
wHorizontalAngleEnd The horizontal angle of the end of the working volume (reported as radians times
10,000).
wVer ticalAngleBegin The vertical angle of the start of the working volume (reported as radians times
10,000).
wVer ticalAngleEnd The vertical angle of the end of the working volume (reported as radians times 10,000).
Census events
Census.App
Census.Azure
Census.Battery
Census.Camera
Census.Enterprise
computers.
Census.Firmware
Census.Flighting
on this device.
Census.Hardware
compass).
PowerPlatformRole The OEM preferred power management profile. It's used to help to identify the basic
form factor of the device.
TPMManufacturerId The ID of the TPM manufacturer.
TPMManufacturerVersion The version of the TPM manufacturer.
Census.Memory
date.
Census.Network
Census.OS
the MS store.
refresh, reset, etc
consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -
1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The
Census.Processor
PreviousUpdateRevision Previous microcode revision
SpeculationControl Indicates whether the system has enabled protections needed to validate the speculation
control vulnerability.
Census.Security
security.
SecureBootCapable Systems that support Secure Boot can have the feature turned off via BIOS. This field
tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
Census.Speech
KeyVer Version information for the census speech event.
the device.
SpeechSer vicesValueSource Indicates the deciding factor for the effective online speech recognition privacy
policy settings: remote admin, local admin, or user preference.
Census.Storage
date.
structure (if any).
StorageReser vePassedPolicy Indicates whether the Storage Reserve policy, which ensures that updates have
enough disk space and customers are on the latest OS, is enabled on this device.
Census.Userdefault
CalendarType The calendar identifiers that are used to specify different calendars.
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg,
.jpeg, .png, .mp3, .mp4, .mov, .pdf.
LongDateFormat The long date format the user has selected.
Shor tDateFormat The short date format the user has selected.
Census.UserDisplay
internal display.
Census.UserNLS
LocationHistor yCloudSync Current state of the location history cloud synchronization setting.
Census.VM
VMId A string that identifies a virtual machine.
Census.WU
date.
Default.
(WSUS).
network.
(by default).
Census.Xbox
This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to
date.
XboxConsolePreferredLanguage Retrieves the preferred language selected by the user on Xbox console.
XboxConsoleSerialNumber Retrieves the serial number of the Xbox console.
XboxLiveDeviceId Retrieves the unique device ID of the console.
XboxLiveSandboxId Retrieves the developer sandbox ID if the device is internal to Microsoft.

app.
event.
across an app.
Common Data Extensions.cs
Describes properties related to the schema of the event.
sig A common schema signature that identifies new and modified event schemas.
model Device model.
cV Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across
ext_cs Describes properties related to the schema of the event. See Common Data Extensions.cs.
Extensions.os.
Extensions.sdk.
Extensions.utc.
flags Represents a collection of bits that describe how the event should be processed by the Connected User
Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is
the event latency.
time Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on
the client. This should be in ISO 8601 format.
account ID.
ingress server.
did XBOX device ID
exp Expiration time
nbf Not before time
accounts.
Common data fields

Compatibility events
Microsoft.Windows.Compatibility.Apphelp.SdbFix
Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
AppName Name of the application impacted by SDB.
FixID SDB GUID.
Flags List of flags applied.
ImageName Name of file.
Component-based servicing events

Windows Update.
downloadSource The source of the download.
CbsServicingProvider.CbsLateAcquisition
This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade,
to help keep Windows up to date.
Features The list of feature packages that could not be updated.
Retr yID The ID identifying the retry attempt to update the listed packages.
installed.
downloadtimeInSeconds The number of seconds required to complete the optional content download.
applicable.
uninstalled.
Deployment extensions
DeploymentTelemetry.Deployment_End
This event indicates that a Deployment 360 API has completed.
ClientId Client ID of the user utilizing the D360 API.
ErrorCode Error code of action.
Mode Phase in upgrade.
RelatedCV The correction vector (CV) of any other related events
Result End result of the action.
DeploymentTelemetry.Deployment_SetupBoxLaunch
This event indicates that the Deployment 360 APIs have launched Setup Box.
ClientId The client ID of the user utilizing the D360 API.
Quiet Whether Setup will run in quiet mode or full mode.
RelatedCV The correlation vector (CV) of any other related events.
SetupMode The current setup phase.
DeploymentTelemetry.Deployment_SetupBoxResult
This event indicates that the Deployment 360 APIs have received a return from Setup Box.
ErrorCode Error code of the action.
Quiet Indicates whether Setup will run in quiet mode or full mode.
SetupMode The current Setup phase.
DeploymentTelemetry.Deployment_Start
This event indicates that a Deployment 360 API has been called.
Mode The current phase of the upgrade.

CanPerformTraceEscalations True if we can perform trace escalation collection, false otherwise.
of throttling.
initiated.
EventSubStoreResetCounter Number of times event DB was reset.
EventSubStoreResetSizeSum Total size of event DB across all resets reports in this instance.
event.
TelClientSynthetic.HeartBeat_Aria_5
This event is the telemetry client ARIA heartbeat.
CriticalOverflowEntersCounter Number of times critical overflow mode was entered in event database.
DbCriticalDroppedCount Total number of dropped critical events in event database.
DbDroppedCount Number of events dropped at the database layer.
DbDroppedFailureCount Number of events dropped due to database failures.
DbDroppedFullCount Number of events dropped due to database being full.
initiated.
EventStoreLifetimeResetCounter Number of times the event store has been reset.
EventStoreResetCounter Number of times the event store has been reset during this heartbeat.
EventStoreResetSizeSum Size of event store reset in bytes.
PreviousHear tBeatTime The FILETIME of the previous heartbeat fire.
SettingsHttpFailures Number of failures from contacting OneSettings service.
Vor texFailuresTimeout Number of time out failures received from Vortex.
event.
TelClientSynthetic.HeartBeat_Seville_5
This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense.
AgentConnectionErrorsCount Number of non-timeout errors associated with the host or agent channel.
ConsumerDroppedCount Number of events dropped at consumer layer of the telemetry client.
CriticalDataThrottleDroppedCount Number of critical data sampled events dropped due to throttling.
DailyUploadQuotaInBytes Daily upload quota for Sense in bytes (only in in-proc mode).
DbDroppedCount Number of events dropped due to database being full.
DiskSizeInBytes Size of event store for Sense in bytes (only in in-proc mode).
initiated.
EtwDroppedBufferCount Number of buffers dropped in the universal telemetry client (UTC) event tracing for
Windows (ETW) session.
EtwDroppedCount Number of events dropped at the event tracing for Windows (ETW) layer of telemetry
client.
EventStoreLifetimeResetCounter Number of times event the database was reset for the lifetime of the
universal telemetry client (UTC).
EventStoreResetCounter Number of times the event database was reset.
EventStoreResetSizeSum Total size of the event database across all resets reports in this instance.
Flags Flags indicating device state, such as network state, battery state, and opt-in state.
LastEventSizeOffender Event name of last event which exceeded the maximum event size.
MaxActiveAgentConnectionCount Maximum number of active agents during this heartbeat timeframe.
NormalUploadTimerMillis Number of milliseconds between each upload of normal events for SENSE (only
in in-proc mode).
RepeatedUploadFailureDropped Number of events lost due to repeated failed uploaded attempts.
SettingsHttpFailures Number of failures from contacting the OneSettings service.
TopUploaderErrors Top uploader errors, grouped by endpoint and error type.
UploaderDroppedCount Number of events dropped at the uploader layer of the telemetry client.
UploaderErrorCount Number of input for the TopUploaderErrors mode estimation.
event.
Direct to update events

Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability
Event to indicate that the Coordinator CheckApplicability call succeeded.
ApplicabilityResult Result of CheckApplicability function.
CampaignID Campaign ID being run.
ClientID Client ID being run.
CoordinatorVersion Coordinator version of DTU.
IsDeviceAADDomainJoined Indicates whether the device is logged in to the AAD (Azure Active Directory)
domain.
IsDeviceADDomainJoined Indicates whether the device is logged in to the AD (Active Directory) domain.
IsDeviceCloverTrail Indicates whether the device has a Clover Trail system installed.
IsDeviceFeatureUpdatingPaused Indicates whether Feature Update is paused on the device.
IsDeviceNetworkMetered Indicates whether the device is connected to a metered network.
IsDeviceOobeBlocked Indicates whether user approval is required to install updates on the device.
IsDeviceRequireUpdateApproval Indicates whether user approval is required to install updates on the
device.
IsDeviceSccmManaged Indicates whether the device is running the Microsoft Endpoint Configuration
Manager client to keep the operating system and applications up to date.
IsDeviceUninstallActive Indicates whether the OS (operating system) on the device was recently updated.
IsDeviceUpdateNotificationLevel Indicates whether the device has a set policy to control update
notifications.
IsDeviceUpdateSer viceManaged Indicates whether the device uses WSUS (Windows Server Update
Services).
IsDeviceZeroExhaust Indicates whether the device subscribes to the Zero Exhaust policy to minimize
connections from Windows to Microsoft.
IsGreaterThanMaxRetr y Indicates whether the DTU (Direct to Update) service has exceeded its maximum
retry count.
IsVolumeLicensed Indicates whether a volume license was used to authenticate the operating system or
applications on the device.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators
CheckApplicability call.
CampaignID ID of the campaign being run.
ClientID ID of the client receiving the update.
CoordinatorVersion Coordinator version of Direct to Update.
hResult HRESULT of the failure.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup
call.
CampaignID Campaign ID being run
ClientID Client ID being run
CoordinatorVersion Coordinator version of DTU
CV Correlation vector
hResult HRESULT of the failure
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
This event indicates that the Coordinator Cleanup call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
This event indicates that the Coordinator Commit call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator
Download call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that
will be ignored.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
This event indicates that the Coordinator Download call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
HandleShutdown call.
CoordinatorVersion Coordinate version of DTU.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
This event indicates that the Coordinator HandleShutdown call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
This event indicates that the Coordinator Initialize call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be
ignored.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
This event indicates that the Coordinator Install call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
This event indicates that the Coordinator's progress callback has been called.
DeployPhase Current Deploy Phase.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
This event indicates that the Coordinator SetCommitReady call succeeded.
CampaignID ID of the update campaign being run.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
This event indicates that the Coordinator WaitForRebootUi call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
This event indicates that the user selected an option on the Reboot UI.
rebootUiSelection Selection on the Reboot UI.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler
CV_new New correlation vector
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
CheckApplicabilityInternal call.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
This event indicates that the Handler CheckApplicabilityInternal call succeeded.
ApplicabilityResult The result of the applicability check.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
This event indicates that the Handler CheckApplicability call succeeded.
ApplicabilityResult The result code indicating whether the update is applicable.
CV_new New correlation vector.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
CheckIfCoordinatorMinApplicableVersionResult Result of CheckIfCoordinatorMinApplicableVersion
function.
Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
This event indicates that the Handler Commit call succeeded.
CampaignID ID of the update campaign being run.run
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
This event indicates that the Handler Download and Extract cab call failed.
DownloadAndExtractCabFunction_failureReason Reason why the update download and extract process
failed.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
This event indicates that the Handler Download and Extract cab call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download
call.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
This event indicates that the Handler Download call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
DownloadAndExtractCabFunction_hResult HRESULT of the download and extract.
Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
This event indicates that the Handler Initialize call succeeded.
DownloadAndExtractCabFunction_hResult HRESULT of the download and extraction.
Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
This event indicates that the Handler SetCommitReady call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
WaitForRebootUi call.
CampaignID The ID of the campaigning being run.
hResult The HRESULT of the failure.
Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
This event indicates that the Handler WaitForRebootUi call succeeded.
DISM events
Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last
successful boot.
dismInstalledLCUPackageName The name of the latest installed package.
Microsoft.Windows.StartRepairCore.DISMPendingInstall
dismPendingInstallPackageName The name of the pending package.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given
plug-in.
flightIds The Flight IDs (identifier of the beta release) of found driver updates.
Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-
in.
Driver installation events

Microsoft.Windows.DriverInstall.DeviceInstall
This critical event sends information about the driver installation that took place.
ClassLowerFilters The list of lower filter class drivers.
ClassUpperFilters The list of upper filter class drivers.
CoInstallers The list of coinstallers.
ConfigFlags The device configuration flags.
DeviceConfigured Indicates whether this device was configured through the kernel configuration.
DeviceStack The device stack of the driver being installed.
DriverDescription A description of the driver function.
DriverInfName Name of the INF file (the setup information file) for the driver.
DriverInfSectionName Name of the DDInstall section within the driver INF file.
DriverPackageId The ID of the driver package that is staged to the driver store.
DriverUpdated Indicates whether the driver is replacing an old driver.
EndTime The time the installation completed.
Error Provides the WIN32 error code for the installation.
ExtensionDrivers List of extension drivers that complement this installation.
FinishInstallAction Indicates whether the co-installer invoked the finish-install action.
FinishInstallUI Indicates whether the installation process shows the user interface.
FirmwareDate The firmware date that will be stored in the EFI System Resource Table (ESRT).
FirmwareRevision The firmware revision that will be stored in the EFI System Resource Table (ESRT).
FirmwareVersion The firmware version that will be stored in the EFI System Resource Table (ESRT).
FlightIds A list of the different Windows Insider builds on the device.
GenericDriver Indicates whether the driver is a generic driver.
Inbox Indicates whether the driver package is included with Windows.
LegacyInstallReasonError The error code for the legacy installation.
LowerFilters The list of lower filter drivers.
MatchingDeviceId The hardware ID or compatible ID that Windows used to install the device instance.
OriginalDriverInfName The original name of the INF file before it was renamed.
ParentDeviceInstanceId The device instance ID of the parent of the device.
PendedUntilReboot Indicates whether the installation is pending until the device is rebooted.
Problem Error code returned by the device after installation.
ProblemStatus The status of the device after the driver installation.
RebootRequiredReason DWORD (Double Word—32-bit unsigned integer) containing the reason why the
device required a reboot during install.
Secondar yDevice Indicates whether the device is a secondary device.
Ser viceName The service name of the driver.
SetupMode Indicates whether the driver installation took place before the Out Of Box Experience (OOBE) was
completed.
Star tTime The time when the installation started.
SubmissionId The driver submission identifier assigned by the Windows Hardware Development Center.
UpperFilters The list of upper filter drivers.
Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
This event sends data about the driver installation once it is completed.
DriverUpdated Indicates whether the driver was updated.
Error The Win32 error code of the installation.
FlightId The ID of the Windows Insider build the device received.
InstallFlags The driver installation flags.
OptionalData Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs,
etc.)
RebootRequired Indicates whether a reboot is required after the installation.
RollbackPossible Indicates whether this driver can be rolled back.
WuTargetedHardwareId Indicates that the driver was installed because the device hardware ID was targeted
by the Windows Update.
WuUntargetedHardwareId Indicates that the driver was installed because Windows Update performed a
generic driver update for all devices of that hardware class.
Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
This event sends data about the driver that the new driver installation is replacing.
FirstInstallDate The first time a driver was installed on this device.
LastDriverDate Date of the driver that is being replaced.
LastDriverInbox Indicates whether the previous driver was included with Windows.
LastDriverInfName Name of the INF file (the setup information file) of the driver being replaced.
LastDriverVersion The version of the driver that is being replaced.
LastFirmwareDate The date of the last firmware reported from the EFI System Resource Table (ESRT).
LastFirmwareRevision The last firmware revision number reported from EFI System Resource Table (ESRT).
LastFirmwareVersion The last firmware version reported from the EFI System Resource Table (ESRT).
LastInstallDate The date a driver was last installed on this device.
LastMatchingDeviceId The hardware ID or compatible ID that Windows last used to install the device
instance.
LastProblemStatus The previous problem code that was set on the device.
LastSubmissionId The driver submission identifier of the driver that is being replaced.
DDIInterfaceVersion The device driver interface version.
DriverWorkarounds Bitfield data for specific driver workarounds enabled for this device.
DriverWorkarounds.Length The length of the DriverWorkarounds bitfield.
InterfaceFuncPointersProvided1 The number of device driver interface function pointers provided.
InterfaceFuncPointersProvided2 The number of device driver interface function pointers provided.
IsHwSchEnabled Indicates whether Hardware Scheduling is enabled.
IsHwSchSuppor ted Indicates whether the adapter supports hardware scheduling.
MsHybridDiscrete Indicates whether the adapter is a discrete adapter in a hybrid configuration.

(WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will
contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash
telemetry backend.
process name.

Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure
customers can safely revert to a well-known state if the update caused any problems.

Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the
WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for
the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted
only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers
(e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
telemetry backend.
application.
waiting.
Inventory events
DeviceCensus A count of device census objects in cache.
Inventor yApplicationDriver A count of application driver objects in cache
Inventor yApplicationFramework A count of application framework objects in cache
Inventor yApplicationShor tcut A count of application shortcut objects in cache
Inventor yMiscellaneousOfficeAddIn A count of office add-in objects in cache
Inventor yMiscellaneousOfficeIdentifiers A count of office identifier objects in cache
Inventor yMiscellaneousOfficeIESettings A count of office ie settings objects in cache
Inventor yMiscellaneousOfficeInsights A count of office insights objects in cache
Inventor yMiscellaneousOfficeProducts A count of office products objects in cache
Inventor yMiscellaneousOfficeSettings A count of office settings objects in cache
Inventor yMiscellaneousOfficeVBA A count of office vba objects in cache
Inventor yMiscellaneousOfficeVBARuleViolations A count of office vba rule violations objects in cache
Inventor yMiscellaneousUUPInfo A count of uup info objects in cache
Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo
Diagnostic data about the inventory cache.
CacheFileSize Size of the cache.
Inventor yVersion Inventory version of the cache.
TempCacheCount Number of temp caches created.
TempCacheDeletedCount Number of temp caches deleted.
MsiPackage.
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is
a service. Application and BOE are the ones most likely seen.
ProgramIds The unique program identifier the driver is associated with.
audio.captureDriver Audio device capture driver. Example:
hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14887.1000:hdaudio\func_01
audio.renderDriver Audio device render driver. Example:
hdaudio.inf:db04a16ce4e8d6ee:HdAudModel:10.0.14889.1001:hdaudio\func_01
BusRepor tedDescription The description of the device reported by the bux.
ClassGuid The device class unique identifier of the driver package loaded on the device.
COMPID The list of “Compatible IDs” for this device.
ContainerId The system-supplied unique identifier that specifies which group(s) the device(s) installed on the
parent (main) device belong to.
Description The description of the device.
DeviceDriverFlightId The test build (Flight) identifier of the device driver.
DeviceExtDriversFlightIds The test build (Flight) identifier for all extended device drivers.
DeviceInterfaceClasses The device interfaces that this device implements.
DeviceState Identifies the current state of the parent (main) device.
DriverId The unique identifier for the installed driver.
DriverName The name of the driver image file.
InventoryDriverPackage.
DriverVerDate The date associated with the driver installed on the device.
DriverVerVersion The version number of the driver installed on the device.
Enumerator Identifies the bus that enumerated the device.
ExtendedInfs The extended INF file names.
FirstInstallDate The first time this device was installed on the machine.
HWID A list of hardware IDs for the device.
Inf The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
InstallDate The date of the most recent installation of the device on the machine.
InstallState The device installation state. One of these values:
Inventor yVersion The version number of the inventory process generating the events.
LowerClassFilters The identifiers of the Lower Class filters installed for the device.
LowerFilters The identifiers of the Lower filters installed for the device.
Manufacturer The manufacturer of the device.
MatchingID The Hardware ID or Compatible ID that Windows uses to install a device instance.
Model Identifies the model of the device.
ParentId The Device Instance ID of the parent of the device.
ProblemCode The error code currently returned by the device, if applicable.
Provider Identifies the device provider.
Ser vice The name of the device service.
STACKID The list of hardware IDs for the stack.
UpperClassFilters The identifiers of the Upper Class filters installed for the device.
UpperFilters The identifiers of the Upper filters installed for the device.
0x800000.
Microsoft.Windows.Inventory.Core.StartUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the
beginning of the event download, and that tracing should begin.
Microsoft.Windows.Inventory.Core.StopUtcJsonTrace
This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end
of the event download, and that tracing should end.
Microsoft.Windows.Inventory.General.AppHealthStaticAdd
This event sends details collected for a specific application on the source device.
Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
This event indicates the beginning of a series of AppHealthStaticAdd events.
Provides data on the installed Office Add-ins.
AddInCLSID The class identifier key for the Microsoft Office add-in.
device
for a device
badly formed URL
windows
Office 2016 ProPlus
Word
Design Count of files with design issues found.
Design_x64 Count of files with 64 bit design issues found.
DuplicateVBA Count of files with duplicate VBA code.
HasVBA Count of files with VBA code.
Inaccessible Count of files that were inaccessible for scanning.
Issues Count of files with issues detected.
Issues_x64 Count of files with 64-bit issues detected.
IssuesNone Count of files with no issues detected.
IssuesNone_x64 Count of files with no 64-bit issues detected.
Locked Count of files that were locked, preventing scanning.
NoVBA Count of files with no VBA inside.
Protected Count of files that were password protected, preventing scanning.
RemLimited Count of files that require limited remediation changes.
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues.
RemSignificant Count of files that require significant remediation changes.
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues.
Score Overall compatibility score calculated for scanned content.
Score_x64 Overall 64-bit compatibility score calculated for scanned content.
Total Total number of files scanned.
Validation Count of files that require additional manual validation.
Validation_x64 Count of files that require additional manual validation for 64-bit issues.
Source UUP source
Version UUP version
Value Describes an operating system indicator that may be relevant for the device upgrade.
removed.
Kernel events
IO
system startup.
operating system.
if needed.
MeasuredLaunchResume This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used
when resuming from hibernation.
SecureLaunchPrepared This field indicates if DRTM was prepared during boot.
TcbLaunch Indicates whether the Trusted Computing Base was used during the boot flow.
Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
This critical device configuration event provides information about drivers for a driver installation that took place
within the kernel.
DeviceInstanceId The unique ID for the device on the system.
DriverFlightIds The IDs for the driver flights.
DriverInfName Driver INF file name.
DriverSubmissionId The driver submission ID assigned by the hardware developer center.
DriverVersion The driver version number.
ExtensionDrivers The list of extension driver INF files, extension IDs, and associated flight IDs.
InboxDriver Indicates whether the driver package is included with Windows.
InstallDate Date the driver was installed.
Legacy Indicates whether the driver is a legacy driver.
SetupMode Indicates whether the device configuration occurred during the Out Of Box Experience (OOBE).
StatusCode The NTSTATUS of device configuration operation.
Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
This event is sent when a problem code is cleared from a device.
DeviceInstanceId The unique identifier of the device on the system.
LastProblem The previous problem that was cleared.
LastProblemStatus The previous NTSTATUS value that was cleared.
Problem The new problem code set on the device node.
ProblemStatus The new NT_STATUS set on the device node.
Ser viceName The name of the driver or service attached to the device.
Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
This event is sent when a new problem code is assigned to a device.
LastProblemStatus The previous NTSTATUS value that was set on the device.
Problem The new problem code that was set on the device.
ProblemStatus The new NTSTATUS value that was set on the device.
Ser viceName The driver or service name that is attached to the device.

(0x40000).
mode.
mode.
PayloadGUID A random identifier generated for each original monolithic Protobuf payload, before the
payload is potentially broken up into manageably-sized chunks for transmission.
(0x40000).
mode.
mode.
(0x40000).
mode.
mode.
(0x40000).
mode.
mode.
This event sends hardware and software inventory information about the Microsoft Edge Update service,
Microsoft Edge applications, and the current system environment, including app configuration, update
configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate
service and if Microsoft Edge applications are up to date.
identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
Update.
Default: ''.
Default: ''.
sum of all such download times over the course of the update flow. Sent in events that have an event type of '1',
'2', '3', and '14' only. Default: '0'.
Default: '0'.
(Unknown).
Default: '0'.
Default: ''.
'0.0.0.0'.
Default: ''.
Default: ''.
(0x40000).
mode.
mode.
Migration events
migDiagSession->CString The phase of the upgrade where migration occurs. (E.g.: Validate tracked content)
objectCount The count for the number of objects that are being transferred.
knownFoldersSys[i] The predefined folder path locations.
migDiagSession->CString Identifies the phase of the upgrade where migration happens.
objectCount The count of the number of objects that are being transferred.
migDiagSession->CString The phase of the upgrade where the migration occurs. (For example, Validate
tracked content.)
objectCount The number of objects that are being transferred.
Miracast events
in bits per second.
capabilities.
the same session.
Miracast extension.
extension.
for 3:2 resolution.
OneDrive events
Microsoft.OneDrive.Sync.Setup.APIOperation
This event includes basic data about install and uninstall OneDrive API operations.
APIName The name of the API.
Duration How long the operation took.
IsSuccess Was the operation successful?
ResultCode The result code.
ScenarioName The name of the scenario.
Microsoft.OneDrive.Sync.Setup.EndExperience
This event includes a success or failure summary of the installation.
HResult HResult of the operation
IsSuccess Whether the operation is successful or not
Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
This event is related to registering or unregistering the OneDrive update task.
RegisterNewTaskResult The HResult of the RegisterNewTask operation.
UnregisterOldTaskResult The HResult of the UnregisterOldTask operation.
Microsoft.OneDrive.Sync.Updater.ComponentInstallState
This event includes basic data about the installation state of dependent OneDrive components.
ComponentName The name of the dependent component.
isInstalled Is the dependent component installed?
Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
32bit The status of the OneDrive overlay icon on a 32-bit operating system.
Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
This event sends information describing the result of the update.
hr The HResult of the operation.
IsLoggingEnabled Indicates whether logging is enabled for the updater.
UpdaterVersion The version of the updater.
Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
This event determines the status when downloading the OneDrive update configuration file.
Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
This event determines the error code that was returned when verifying Internet connectivity.
failedCheck The error code returned by the operation.
winInetError The HResult of the operation.

isExistingUser whether the account existed in a downlevel OS
wilActivity
Privacy notifier events

Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to
take corrective action to address the issue.
cleanupTask Indicates whether the task that launched the dialog should be cleaned up.
cleanupTaskResult The return code of the attempt to clean up the task used to show the dialog.
deviceEvaluated Indicates whether the device was eligible for evaluation of a known issue.
deviceImpacted Indicates whether the device was impacted by a known issue.
modalAction The action the user took on the dialog that was presented to them.
modalResult The return code of the attempt to show a dialog to the user explaining the issue.
resetSettingsResult The return code of the action to correct the known issue.
Remediation events
Microsoft.Windows.Remediation.Applicable
This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to
keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended
period. The remediations address issues on the system that prevent the device from receiving OS updates.
AllowAutoUpdateExists Indicates whether the Automatic Update feature is turned on.
AllowAutoUpdateProviderSetExists Indicates whether the Allow Automatic Update provider exists.
AppraiserBinariesValidResult Indicates whether the plug-in was appraised as valid.
AppraiserRegistr yValidResult Indicates whether the registry entry checks out as valid.
AppraiserTaskRepairDisabled Task repair performed by the Appraiser plug-in is disabled.
AppraiserTaskValid Indicates that the Appraiser task is valid.
AUOptionsExists Indicates whether the Automatic Update options exist.
CTACTargetingAttributesInvalid Indicates whether the Common Targeting Attribute Client (CTAC) attributes
are valid. CTAC is a Windows Runtime client library.
CTACVersion The Common Targeting Attribute Client (CTAT) version on the device. CTAT is a Windows
Runtime client library.
DataStoreSizeInBytes Size of the data store, in bytes.
DateTimeDifference The difference between local and reference clock times.
DateTimeSyncEnabled Indicates whether the Datetime Sync plug-in is enabled.
daysSinceInstallThreshold The maximum number of days since the operating system was installed before
the device is checked to see if remediation is needed.
daysSinceInstallValue Number of days since the operating system was installed.
DaysSinceLastSIH The number of days since the most recent SIH executed.
DaysToNextSIH The number of days until the next scheduled SIH execution.
DetectConditionEnabled Indicates whether a condition that the remediation tool can repair was detected.
DetectedCondition Indicates whether detected condition is true and the perform action will be run.
DetectionFailedReason Indicates why a given remediation failed to fix a problem that was detected.
DiskFreeSpaceBeforeSedimentPackInMB Number of megabytes of disk space available on the device
before running the Sediment Pack.
DiskSpaceBefore The amount of free disk space available before a remediation was run.
EditionIdFixCorrupted Indicates whether the Edition ID is corrupted.
EscalationTimerResetFixResult The result of fixing the escalation timer.
EvalAndRepor tAppraiserRegEntries Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
FixedEditionId Indicates whether we fixed the edition ID.
FlightRebootTime The amount of time before the system is rebooted.
ForcedRebootToleranceDays The maximum number of days before a system reboot is forced on the devie.
FreeSpaceRequirement The amount of free space required.
GlobalEventCounter Client side counter that indicates ordering of events sent by the remediation system.
HResult The HRESULT for detection or perform action phases of the plugin.
installDateValue The date of the installation.
IsAppraiserLatestResult The HRESULT from the appraiser task.
IsConfigurationCorrected Indicates whether the configuration of SIH task was successfully corrected.
IsEscalationTimerResetFixNeeded Determines whether a fix is applicable.
IsForcedModeEnabled Indicates whether forced reboot mode is enabled.
IsHomeSku Indicates whether the device is running the Windows 10 Home edition.
IsRebootForcedMode Indicates whether the forced reboot mode is turned on.
IsSer viceHardeningEnabled Indicates whether the Windows Service Hardening feature was turned on for
the device.
IsSer viceHardeningNeeded Indicates whether Windows Service Hardening was needed for the device
(multiple instances of service tampering were detected.)
isThreshold Indicates whether the value meets our threshold.
IsUsoRebootPending Indicates whether a system reboot is pending.
IsUsoRebootPendingInUpdateStore Indicates whether a reboot is pending.
IsUsoRebootTaskEnabled Indicates whether the Update Service Orchestrator (USO) reboot task is enabled
IsUsoRebootTaskExists Indicates whether the Update Service Orchestrator (USO) reboot task exists.
IsUsoRebootTaskValid Indicates whether the Update Service Orchestrator (USO) reboot task is valid.
LastHresult The HRESULT for detection or perform action phases of the plugin.
LastRebootTaskRunResult Indicates the result of the last reboot task.
LastRebootTaskRunTime The length of time the last reboot task took to run.
LastRun The date of the most recent SIH run.
LPCountBefore The number of language packs on the device before remediation started.
NextCheck Indicates when remediation will next be attempted.
NextRebootTaskRunTime Indicates when the next system reboot task will run.
NextRun Date of the next scheduled SIH run.
NoAutoUpdateExists Indicates whether the Automatic Updates feature is turned off.
NumberOfDaysStuckInReboot The number of days tht the device has been unable to successfully reboot.
OriginalEditionId The Windows edition ID before remediation started.
PackageVersion The version of the current remediation package.
PluginName Name of the plugin specified for each generic plugin event.
ProductType The product type of Windows 10.
QualityUpdateSedimentFunnelState Provides information about whether Windows Quality Updates are
missing on the device.
QualityUpdateSedimentJsonSchemaVersion The schema version of the Quality Update Sediment
Remediation.
QualityUpdateSedimentLastRunSeconds The number of seconds since the Quality Updates were run.
QualityUpdateSedimentLocalStar tTime Provides information about when Quality Updates were run.
QualityUpdateSedimentLocaltTime The local time of the device running the Quality Update Sediment
Remediation.
QualityUpdateSedimentTargetedPlugins Provides the list of remediation plug-ins that are applicable to
enable Quality Updates on the device.
QualityUpdateSedimentTargetedTriggers Provides information about remediations that are applicable to
enable Quality Updates on the device.
RegkeysExist Indicates whether specified registry keys exist.
Reload True if SIH reload is required.
RemediationAutoUACleanupNeeded Automatic Update Assistant cleanup is required.
RemediationAutoUAIsInstalled Indicates whether the Automatic Update Assistant tool is installed.
RemediationAutoUATaskDisabled Indicates whether the Automatic Update Assistant tool task is disabled.
RemediationAutoUATaskNotExists Indicates whether an Automatic Update Assistant tool task does not exist.
RemediationAutoUATasksStalled Indicates whether an Automatic Update Assistant tool task is stalled.
RemediationCorruptionRepairBuildNumber The build number to use to repair corruption.
RemediationCorruptionRepairCorruptionsDetected Indicates whether corruption was detected.
RemediationCorruptionRepairDetected Indicates whether an attempt was made to repair the corruption.
RemediationDeliverToastBuildNumber Indicates a build number that should be applicable to this device.
RemediationDeliverToastDetected Indicates that a plug-in has been detected.
RemediationDeliverToastDeviceExcludedNation Indicates the geographic identity (GEO ID) that is not
applicable for a given plug-in.
RemediationDeliverToastDeviceFreeSpaceInMB Indicates the amount of free space, in megabytes.
RemediationDeliverToastDeviceHomeSku Indicates whether the plug-in is applicable for the Windows 10
Home edition.
RemediationDeliverToastDeviceIncludedNation Indicates the geographic identifier (GEO ID) that is
applicable for a given plug-in.
RemediationDeliverToastDeviceProSku Indicates whether the plug-in is applicable for the Windows 10
Professional edition.
RemediationDeliverToastDeviceSystemDiskSizeInMB Indicates the size of a system disk, in megabytes.
RemediationDeliverToastGeoId Indicates the geographic identifier (GEO ID) that is applicable for a given
plug-in.
RemediationDeviceSkuId The Windows 10 edition ID that maps to the version of Windows 10 on the device.
RemediationGetCurrentFolderExist Indicates whether the GetCurrent folder exists.
RemediationNoisyHammerAcLineStatus Indicates the AC Line Status of the device.
RemediationNoisyHammerAutoStar tCount The number of times hammer auto-started.
RemediationNoisyHammerCalendarTaskEnabled Event that indicates Update Assistant Calendar Task is
enabled.
RemediationNoisyHammerCalendarTaskExists Event that indicates an Update Assistant Calendar Task
exists.
RemediationNoisyHammerCalendarTaskTriggerEnabledCount Event that indicates calendar triggers are
enabled in the task.
RemediationNoisyHammerDaysSinceLastTaskRunTime The number of days since the most recent Noisy
Hammer task ran.
RemediationNoisyHammerGetCurrentSize Size in MB of the $GetCurrent folder.
RemediationNoisyHammerIsInstalled TRUE if the noisy hammer is installed.
RemediationNoisyHammerLastTaskRunResult The result of the last hammer task run.
RemediationNoisyHammerMeteredNetwork TRUE if the machine is on a metered network.
RemediationNoisyHammerTaskEnabled Indicates whether the Update Assistant Task (Noisy Hammer) is
enabled.
RemediationNoisyHammerTaskExists Indicates whether the Update Assistant Task (Noisy Hammer) exists.
RemediationNoisyHammerTasksStalled Indicates whether a task (Noisy Hammer) is stalled.
RemediationNoisyHammerTaskTriggerEnabledCount Indicates whether counting is enabled for the
Update Assistant (Noisy Hammer) task trigger.
RemediationNoisyHammerUAExitCode The exit code of the Update Assistant (Noisy Hammer) task.
RemediationNoisyHammerUAExitState The code for the exit state of the Update Assistant (Noisy Hammer)
task.
RemediationNoisyHammerUserLoggedIn TRUE if there is a user logged in.
RemediationNoisyHammerUserLoggedInAdmin TRUE if there is the user currently logged in is an Admin.
RemediationNotifyUserFixIssuesBoxStatusKey Status of the remediation plug-in.
RemediationNotifyUserFixIssuesBuildNumber The build number of the remediation plug-in.
RemediationNotifyUserFixIssuesDetected Indicates whether the remediation is necessary.
RemediationNotifyUserFixIssuesDiskSpace Indicates whether the remediation is necessary due to low disk
space.
RemediationNotifyUserFixIssuesFeatureUpdateBlocked Indicates whether the remediation is necessary
due to Feature Updates being blocked.
RemediationNotifyUserFixIssuesFeatureUpdateInProgress Indicates whether the remediation is
necessary due to Feature Updates in progress.
RemediationNotifyUserFixIssuesIsUserAdmin Indicates whether the remediation requires that an
Administrator is logged in.
RemediationNotifyUserFixIssuesIsUserLoggedIn Indicates whether the remediation can take place when a
non-Administrator is logged in.
RemediationProgramDataFolderSizeInMB The size (in megabytes) of the Program Data folder on the
device.
RemediationProgramFilesFolderSizeInMB The size (in megabytes) of the Program Files folder on the
device.
RemediationShellDeviceApplicabilityFailedReason The reason the Remediation is not applicable to the
device (expressed as a bitmap).
RemediationShellDeviceEducationSku Indicates whether the Windows 10 Education edition is detected on
the device.
RemediationShellDeviceEnterpriseSku Indicates whether the Windows 10 Enterprise edition is detected on
the device.
RemediationShellDeviceFeatureUpdatesPaused Indicates whether Feature Updates are paused on the
device.
RemediationShellDeviceHomeSku Indicates whether the Windows 10 Home edition is detected on the
device.
RemediationShellDeviceIsAllowedSku Indicates whether the Windows 10 edition is applicable to the
device.
RemediationShellDeviceManaged TRUE if the device is WSUS managed or Windows Updated disabled.
RemediationShellDeviceNewOS TRUE if the device has a recently installed OS.
RemediationShellDeviceProSku Indicates whether a Windows 10 Professional edition is detected.
RemediationShellDeviceQualityUpdatesPaused Indicates whether Quality Updates are paused on the
device.
RemediationShellDeviceSccm TRUE if the device is managed by Microsoft Endpoint Configuration Manager.
RemediationShellDeviceSedimentMutexInUse Indicates whether the Sediment Pack mutual exclusion
object (mutex) is in use.
RemediationShellDeviceSetupMutexInUse Indicates whether device setup is in progress.
RemediationShellDeviceWuRegistr yBlocked Indicates whether the Windows Update is blocked on the
device via the registry.
RemediationShellDeviceZeroExhaust TRUE if the device has opted out of Windows Updates completely.
RemediationShellHasExpired Indicates whether the remediation iterations have ended.
RemediationShellHasUpgraded Indicates whether the device upgraded.
RemediationShellIsDeviceApplicable Indicates whether the remediation is applicable to the device.
RemediationTargetMachine Indicates whether the device is a target of the specified fix.
RemediationTaskHealthAutochkProxy True/False based on the health of the AutochkProxy task.
RemediationTaskHealthChkdskProactiveScan True/False based on the health of the Check Disk task.
RemediationTaskHealthDiskCleanup_SilentCleanup True/False based on the health of the Disk Cleanup
task.
RemediationTaskHealthMaintenance_WinSAT True/False based on the health of the Health Maintenance
task.
RemediationTaskHealthSer vicing_ComponentCleanupTask True/False based on the health of the Health
Servicing Component task.
RemediationTaskHealthUSO_ScheduleScanTask True/False based on the health of the USO (Update
Session Orchestrator) Schedule task.
RemediationTaskHealthWindowsUpdate_ScheduledStar tTask True/False based on the health of the
Windows Update Scheduled Start task.
RemediationTaskHealthWindowsUpdate_SihbootTask True/False based on the health of the Sihboot task.
RemediationUHSer viceDisabledBitMap A bitmap indicating which services were disabled.
RemediationUHSer viceNotExistBitMap A bitmap indicating which services were deleted.
RemediationUsersFolderSizeInMB The size (in megabytes) of the Users folder on the device.
RemediationWindows10UpgradeFolderExist Indicates whether the Windows 10 Upgrade folder exists.
RemediationWindows10UpgradeFolderSizeInMB The size (in megabytes) of the Windows 10 Upgrade
folder on the device.
RemediationWindowsAppsFolderSizeInMB The size (in megabytes) of the Windows Applications folder on
the device.
RemediationWindowsBtFolderSizeInMB The size (in megabytes) of the Windows BT folder on the device.
RemediationWindowsFolderSizeInMB The size (in megabytes) of the Windows folder on the device.
RemediationWindowsSer viceProfilesFolderSizeInMB The size (in megabytes) of the Windows service
profile on the device.
Result This is the HRESULT for Detection or Perform Action phases of the plugin.
RunTask TRUE if SIH task should be run by the plug-in.
StorageSenseDiskCompresserEstimateInMB The estimated amount of free space that can be cleaned up
by running Storage Sense.
StorageSenseHelloFaceRecognitionFodCleanupEstimateInByte The estimated amount of space that can
be cleaned up by running Storage Sense and removing Windows Hello facial recognition.
StorageSenseRestorePointCleanupEstimateInMB The estimated amount of free space (in megabytes) that
can be cleaned up by running Storage Sense.
StorageSenseUserDownloadFolderCleanupEstimateInByte The estimated amount of space that can be
cleaned up by running Storage Sense to clean up the User Download folder.
TimeSer viceNTPSer ver The URL for the NTP time server used by device.
TimeSer viceStar tType The startup type for the NTP time service.
TimeSer viceSyncDomainJoined True if device domain joined and hence uses DC for clock.
TimeSer viceSyncType Type of sync behavior for Date & Time service on device.
uninstallActiveValue Indicates whether an uninstall is in progress.
UpdateApplicabilityFixerTriggerBitMap A bitmap containing the reason(s) why the Update Applicability
Fixer Plugin was executed.
UpdateRebootTime The amount of time it took to reboot to install the updates.
usoScanHoursSinceLastScan The number of hours since the last scan by the Update Service Orchestrator
(USO).
usoScanPastThreshold Indicates whether the Update Service Orchestrator (USO) scan is overdue.
WindowsHiberFilSysSizeInMegabytes The size of the Windows Hibernation file, in megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, in megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, in megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the Software Distribution folder, in
megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, in megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, in megabytes.
Microsoft.Windows.Remediation.Completed
This event is sent when Windows Update sediment remediations have completed on the sediment device to keep
Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The
remediations address issues on the system that prevent the device from receiving OS updates.
ActionName Name of the action to be completed by the plug-in.
AppraiserTaskMissing TRUE if the Appraiser task is missing.
branchReadinessLevel Branch readiness level policy.
cloudControlState Value indicating whether the shell is enabled on the cloud control settings.
CV The Correlation Vector.
DateTimeDifference The difference between the local and reference clocks.
DiskFreeSpaceAfterSedimentPackInMB The amount of free disk space (in megabytes) after executing the
Sediment Pack.
DiskFreeSpaceBeforeSedimentPackInMB The amount of free disk space (in megabytes) before executing
the Sediment Pack.
DiskMbFreeAfterCleanup The amount of free hard disk space after cleanup, measured in Megabytes.
DiskMbFreeBeforeCleanup The amount of free hard disk space before cleanup, measured in Megabytes.
DiskSpaceCleanedByComponentCleanup The amount of disk space (in megabytes) in the component store
that was cleaned up by the plug-in.
DiskSpaceCleanedByNGenRemoval The amount of diskspace (megabytes) in the Native Image Generator
(NGEN) cache that was cleaned up by the plug-in.
DiskSpaceCleanedByRestorePointRemoval The amount of disk space (megabytes) in restore points that
was cleaned up by the plug-in.
ForcedAppraiserTaskTriggered TRUE if Appraiser task ran from the plug-in.
GlobalEventCounter Client-side counter that indicates ordering of events sent by the active user.
HandlerCleanupFreeDiskInMegabytes The amount of hard disk space cleaned by the storage sense
handlers, measured in megabytes.
hasRolledBack Indicates whether the client machine has rolled back.
hasUninstalled Indicates whether the client machine has uninstalled a later version of the OS.
hResult The result of the event execution.
HResult The result of the event execution.
installDate The value of installDate registry key. Indicates the install date.
isNetworkMetered Indicates whether the client machine has uninstalled a later version of the OS.
LatestState The final state of the plug-in component.
MicrosoftCompatibilityAppraiser The name of the component targeted by the Appraiser plug-in.
PackageVersion The package version for the current Remediation.
PluginName The name of the plug-in specified for each generic plug-in event.
QualityUpdateSedimentExecutedPlugins The number of plug-ins executed by the Windows Quality Update
remediation.
QualityUpdateSedimentFunnelState The state of the Windows Quality Update remediation funnel for the
device.
Remediation.
QualityUpdateSedimentLocalEndTime The local time on the device when the Windows Quality Update
remediation executed.
Remediation.
QualityUpdateSedimentMatchedTriggers The list of triggers that were matched by the Windows Quality
Update remediation.
QualityUpdateSedimentModelExecutionSeconds The number of seconds needed to execute the Windows
Quality Update remediation.
recoveredFromTargetOS Indicates whether the device recovered from the target operating system (OS).
RemediationAutoUASpaceSaved Amount of disk space saved in MB after cleaning up AutoUA folders.
RemediationBatter yPowerBatter yLevel Indicates the battery level at which it is acceptable to continue
operation.
RemediationBatter yPowerExitDueToLowBatter y True when we exit due to low battery power.
RemediationBatter yPowerOnBatter y True if we allow execution on battery.
RemediationCbsTempDiskSpaceCleanedInMB The amount of space (in megabytes) that the plug-in
cleaned up in the CbsTemp folder.
RemediationCbsTempEstimateInMB The amount of space (megabytes) in the CbsTemp folder that is
available for cleanup by the plug-in.
RemediationComponentCleanupEstimateInMB The amount of space (megabytes) in the WinSxS
(Windows Side-by-Side) folder that is available for cleanup by the plug-in.
RemediationConfigurationTroubleshooterIpconfigFix TRUE if IPConfig Fix completed successfully.
RemediationConfigurationTroubleshooterNetShFix TRUE if network card cache reset ran successfully.
RemediationCorruptionIsManifestFix Boolean indicating if the manifest was repaired.
RemediationCorruptionRepairCorruptionsDetected Number of corruptions detected on the device.
RemediationCorruptionRepairCorruptionsFixed Number of detected corruptions that were fixed on the
device.
RemediationCorruptionRepairDownloadCompleted Boolean indicating if the download of manifest cab
was completed.
RemediationCorruptionRepairDownloadRequired Boolean indicating if the download of manifest cab is
required for repair.
RemediationCorruptionRepairMeteredNetwork Boolean indicating if the device is on a metered network.
RemediationCorruptionRepairPerformActionSuccessful Indicates whether corruption repair was
successful on the device.
RemediationDiskCleanupSearchFileSizeInMB The size of the Cleanup Search index file, measured in
megabytes.
RemediationDiskSpaceSavedByCompressionInMB The amount of disk space (megabytes) that was
compressed by the plug-in.
RemediationDiskSpaceSavedByUserProfileCompressionInMB The amount of User disk space (in
megabytes) that was compressed by the plug-in.
remediationExecution Remediation shell is in "applying remediation" state.
RemediationHandlerCleanupEstimateInMB The estimated amount of disk space (in megabytes) to be
cleaned up by running Storage Sense.
RemediationHibernationMigrated TRUE if hibernation was migrated.
RemediationHibernationMigrationSucceeded TRUE if hibernation migration succeeded.
RemediationNGenDiskSpaceRestored The amount of disk space (in megabytes) that was restored after re-
running the Native Image Generator (NGEN).
RemediationNGenEstimateInMB The amount of disk space (in megabytes) estimated to be in the Native
Image Generator (NGEN) cache by the plug-in.
RemediationNGenMigrationSucceeded Indicates whether the Native Image Generator (NGEN) migration
succeeded.
RemediationRestorePointEstimateInMB The amount of disk space (in megabytes) estimated to be used by
storage points found by the plug-in.
RemediationSearchFileSizeEstimateInMB The amount of disk space (megabytes) estimated to be used by
the Cleanup Search index file found by the plug-in.
RemediationShellHasUpgraded TRUE if the device upgraded.
RemediationShellMinimumTimeBetweenShellRuns Indicates the time between shell runs exceeded the
minimum required to execute plugins.
RemediationShellRunFromSer vice TRUE if the shell driver was run from the service.
RemediationShellSessionIdentifier Unique identifier tracking a shell session.
RemediationShellSessionTimeInSeconds Indicates the time the shell session took in seconds.
RemediationShellTaskDeleted Indicates that the shell task has been deleted so no additional sediment pack
runs occur for this installation.
RemediationSoftwareDistributionCleanedInMB The amount of disk space (megabytes) in the Software
Distribution folder that was cleaned up by the plug-in.
RemediationSoftwareDistributionEstimateInMB The amount of disk space (megabytes) in the Software
Distribution folder that is available for clean up by the plug-in.
RemediationTotalDiskSpaceCleanedInMB The total disk space (in megabytes) that was cleaned up by the
plug-in.
RemediationUpdateSer viceHealthRemediationResult The result of the Update Service Health plug-in.
RemediationUpdateTaskHealthRemediationResult The result of the Update Task Health plug-in.
RemediationUpdateTaskHealthTaskList A list of tasks fixed by the Update Task Health plug-in.
RemediationUserFolderCompressionEstimateInMB The amount of disk space (in megabytes) estimated
to be compressible in User folders by the plug-in.
RemediationUserProfileCompressionEstimateInMB The amount of disk space (megabytes) estimated to
be compressible in User Profile folders by the plug-in.
RemediationUSORebootRequred Indicates whether a reboot is determined to be required by calling the
Update Service Orchestrator (USO).
RemediationWindowsCompactedEstimateInMB The amount of disk space (megabytes) estimated to be
available by compacting the operating system using the plug-in.
RemediationWindowsLogSpaceEstimateInMB The amount of disk space (in megabytes) available in
Windows logs that can be cleaned by the plug-in.
RemediationWindowsLogSpaceFreed The amount of disk space freed by deleting the Windows log files,
measured in Megabytes.
RemediationWindowsOldSpaceEstimateInMB The amount of disk space (megabytes) in the Windows.OLD
folder that can be cleaned up by the plug-in.
RemediationWindowsSpaceCompactedInMB The amount of disk space (megabytes) that can be cleaned
up by the plug-in.
RemediationWindowsStoreSpaceCleanedInMB The amount of disk space (megabytes) from the Windows
Store cache that was cleaned up by the plug-in.
RemediationWindowsStoreSpaceEstimateInMB The amount of disk space (megabytes) in the Windows
store cache that is estimated to be cleanable by the plug-in.
Result The HRESULT for Detection or Perform Action phases of the plug-in.
RunCount The number of times the plugin has executed.
RunResult The HRESULT for Detection or Perform Action phases of the plug-in.
Ser viceHardeningExitCode The exit code returned by Windows Service Repair.
Ser viceHealthEnabledBitMap List of services updated by the plugin.
Ser viceHealthInstalledBitMap List of services installed by the plugin.
StorageSenseDiskCompresserTotalInMB The total number of megabytes that Storage Sense cleaned up in
the User Download folder.
StorageSenseHelloFaceRecognitionFodCleanupTotalInByte The amount of space that Storage Sense was
able to clean up in the User Download folder by removing Windows Hello facial recognition.
StorageSenseRestorePointCleanupTotalInMB The total number of megabytes that Storage Sense cleaned
up in the User Download folder.
StorageSenseUserDownloadFolderCleanupTotalInByte The total number of bytes that Storage Sense
cleaned up in the User Download folder.
systemDriveFreeDiskSpace Indicates the free disk space on system drive, in megabytes.
systemUptimeInHours Indicates the amount of time the system in hours has been on since the last boot.
uninstallActive TRUE if previous uninstall has occurred for current OS
UpdateApplicabilityFixedBitMap Bitmap indicating which fixes were applied by the plugin.
usoScanDaysSinceLastScan The number of days since the last USO (Update Session Orchestrator) scan.
usoScanInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple
simultaneous scans.
usoScanIsAllowAutoUpdateKeyPresent TRUE if the AllowAutoUpdate registry key is set.
usoScanIsAllowAutoUpdateProviderSetKeyPresent TRUE if AllowAutoUpdateProviderSet registry key is
set.
usoScanIsAuOptionsPresent TRUE if Auto Update Options registry key is set.
usoScanIsFeatureUpdateInProgress TRUE if a USO (Update Session Orchestrator) scan is in progress, to
prevent multiple simultaneous scans.
usoScanIsNetworkMetered TRUE if the device is currently connected to a metered network.
usoScanIsNoAutoUpdateKeyPresent TRUE if no Auto Update registry key is set/present.
usoScanIsUserLoggedOn TRUE if the user is logged on.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the threshold
(late).
usoScanType The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background".
windows10UpgraderBlockWuUpdates Event to report the value of Windows 10 Upgrader
BlockWuUpdates Key.
windowsEditionId Event to report the value of Windows Edition ID.
WindowsOldSpaceCleanedInMB The amount of disk space freed by removing the Windows.OLD folder,
windowsUpgradeRecoveredFromRs4 Event to report the value of the Windows Upgrade Recovered key.
Microsoft.Windows.Remediation.Started
This event is sent when Windows Update sediment remediations have started on the sediment device to keep
GlobalEventCounter Client side counter which indicates ordering of events sent by this user.
QualityUpdateSedimentFunnelState Provides information about whether quality updates are missing on
the device.
QualityUpdateSedimentFunnelType Indicates whether the Remediation is for Quality Updates or Feature
Updates.
Remediation.
QualityUpdateSedimentLastRunSeconds The number of seconds since Quality Updates were run.
Remediation.
QualityUpdateSedimentMatchedTriggers The list of triggers that were matched by the Windows Quality
Update Remediation.
QualityUpdateSedimentSelectedPlugins The number of plugins that were selected for execution in the
Quality Update Sediment Remediation.
QualityUpdateSedimentTargetedPlugins The list of plug-ins targeted by the current Quality Update
Sediment Remediation.
QualityUpdateSedimentTargetedTriggers The list of triggers targeted by the current Quality Update
Sediment Remediation.
RemediationProgramDataFolderSizeInMB The size (in megabytes) of the Program Data folder on the
device.
RemediationProgramFilesFolderSizeInMB The size (in megabytes) of the Program Files folder on the
device.
RemediationUsersFolderSizeInMB The size (in megabytes) of the Users folder on the device.
RemediationWindowsAppsFolderSizeInMB The size (in megabytes) of the Windows Applications folder on
the device.
RemediationWindowsBtFolderSizeInMB The size (in megabytes) of the Windows BT folder on the device.
RemediationWindowsFolderSizeInMB The size (in megabytes) of the Windows folder on the device.
RemediationWindowsSer viceProfilesFolderSizeInMB The size (in megabytes) of the Windows Service
Profiles folder on the device.
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System disk drive, measured
in megabytes.
Result This is the HRESULT for detection or perform action phases of the plugin.
RunCount The number of times the remediation event started (whether it completed successfully or not).
WindowsHiberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the Software Distribution folder,
measured in megabytes.
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in megabytes.
WindowsSxsFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) folder, measured in
megabytes.
Sediment events
Microsoft.Windows.Sediment.Info.Error
This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
FailureType The type of error encountered.
FileName The code file in which the error occurred.
HResult The failure error code.
LineNumber The line number in the code file at which the error occurred.
ReleaseVer The version information for the component in which the error occurred.
Time The system time at which the error occurred.
Microsoft.Windows.SedimentLauncher.Applicable
This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to
address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one
that has been on a previous OS version for an extended period.
DetectedCondition Boolean true if detect condition is true and perform action will be run.
FileVersion The version of the data-link library (DLL) that will be applied by the self-update process.
IsHashMismatch Indicates whether the hash is a mismatch.
IsSelfUpdateEnabledInOneSettings True if self update enabled in Settings.
IsSelfUpdateNeeded True if self update needed by device.
PackageVersion Current package version of Remediation.
Microsoft.Windows.SedimentLauncher.Completed
This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to
FailedReasons Concatenated list of failure reasons.
SedLauncherExecutionResult HRESULT for one execution of the Sediment Launcher.
Microsoft.Windows.SedimentLauncher.Started
This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address
issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has
been on a previous OS version for an extended period.
Microsoft.Windows.SedimentService.Applicable
This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to
DetectedCondition Determine whether action needs to run based on device properties.
FileVersion The version of the dynamic-link library (DLL) that will be applied by the self-update process.
IsHashMismatch Indicates whether the hash is a mismatch.
IsSelfUpdateEnabledInOneSettings Indicates if self update is enabled in One Settings.
IsSelfUpdateNeeded Indicates if self update is needed.
PluginName Name of the plugin.
Microsoft.Windows.SedimentService.Completed
This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address
FailedReasons List of reasons when the plugin action failed.
SedimentSer viceCheckTaskFunctional True/False if scheduled task check succeeded.
SedimentSer viceCurrentBytes Number of current private bytes of memory consumed by sedsvc.exe.
SedimentSer viceKillSer vice True/False if service is marked for kill (Shell.KillService).
SedimentSer viceMaximumBytes Maximum bytes allowed for the service.
SedimentSer viceRanShell Indicates whether the shell was run by the service.
SedimentSer viceRetrievedKillSer vice True/False if result of One Settings check for kill succeeded - we only
send back one of these indicators (not for each call).
SedimentSer viceShellRunHResult The HRESULT returned when the shell was run by the service.
SedimentSer viceStopping True/False indicating whether the service is stopping.
SedimentSer viceTaskFunctional True/False if scheduled task is functional. If task is not functional this
indicates plugins will be run.
SedimentSer viceTotalIterations Number of 5 second iterations service will wait before running again.
Microsoft.Windows.SedimentService.Started
This event is sent when the Windows Update sediment remediations service starts running a plug-in to address
GlobalEventCounter The client-side counter that indicates ordering of events.
PackageVersion The version number of the current remediation package.
Setup events
date.
system time
Windows up to date.
Windows up to date.
SIH events
SIHEngineTelemetry.EvalApplicability
This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
ActionReasons If an action has been assessed as inapplicable, the additional logic prevented it.
AdditionalReasons If an action has been assessed as inapplicable, the additional logic prevented it.
CachedEngineVersion The engine DLL version that is being used.
EventInstanceID A unique identifier for event instance.
EventScenario Indicates the purpose of sending this event – whether because the software distribution just
HandlerReasons If an action has been assessed as inapplicable, the installer technology-specific logic
prevented it.
IsExecutingAction If the action is presently being executed.
Ser viceGuid A unique identifier that represents which service the software distribution client is connecting to
(SIH, Windows Update, Microsoft Store, etc.)
SihclientVersion The client version that is being used.
StandardReasons If an action has been assessed as inapplicable, the standard logic the prevented it.
UpdateID A unique identifier for the action being acted upon.
WuapiVersion The Windows Update API version that is currently installed.
WuaucltVersion The Windows Update client version that is currently installed.
WuauengVersion The Windows Update engine version that is currently installed.
WUDeviceID The unique identifier controlled by the software distribution client.
SIHEngineTelemetry.ExecuteAction
This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes
important information like if the update required a reboot.
EventScenario Indicates the purpose of sending this event, whether because the software distribution just
RebootRequired Indicates if a reboot was required to complete the action.
(SIH, Windows Update, Microsoft Store, etc.).
SihclientVersion The SIH version.
WuapiVersion The Windows Update API version.
WuaucltVersion The Windows Update version identifier for SIH.
WuauengVersion The Windows Update engine version identifier.
SIHEngineTelemetry.PostRebootReport
This event reports the status of an action following a reboot, should one have been required.
SihclientVersion Version of SIH Client on the device.
WuapiVersion Version of Windows Update DLL on the device.
WuaucltVersion Version of WUAUCLT (Windows Update Auto-Update Client) on the device.
WuauengVersion Version of Windows Update (Auto-Update) engine on the device.

Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
completion.
client.
CommonProps A bitmask for future flags associated with the Windows Update client behavior. No data is
Context Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or
Unknown
0x1000, UX = 0x10000).
device.
Audit, 3-Enforce
NetworkConnectivityDetected Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
scan checked
scan
synced down.
ScanProps This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The
following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the
scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1
if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain
interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not
yet released for full adoption via Automatic Updates).
was synced down.
the device.
found.
client
Download process event for target update on Windows Update client. See the EventScenario field for specifics
ActiveDownloadTime How long the download took, in seconds, excluding time where the update wasn't
actively being downloaded.
AppXBlockHashFailures Indicates the number of blocks that failed hash validation during download of the
app payload.
being downloaded.
AppXScope Indicates the scope of the app download.
BundleId Identifier associated with the specific content bundle.
bundle).
applicable.
CallerApplicationName The name provided by the application that initiated API calls into the software
distribution client.
CbsMethod The method used for downloading the update content related to the Component Based Servicing
(CBS) technology.
CommonProps A bitmask for future flags associated with the Windows Update client behavior.
ConnectTime Indicates the cumulative amount of time (in seconds) it took to establish the connection for all
updates in an update bundle.
DownloadProps Information about the download operation properties in the form of a bitmask.
Optimizer events.
EventScenario Indicates the purpose for sending this event: whether because the software distribution just
started downloading content; or whether it was cancelled, succeeded, or failed.
EventType Identifies the type of the event (Child, Bundle, or Driver).
that flight.
of the device.
HostName The hostname URL the content is downloading from.
NetworkCost A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming,
etc.) used for downloading the update content.
cap, etc.)
PostDnldTime Time (in seconds) taken to signal download completion after the last job completed
downloading the payload.
ProcessName The process name of the application that initiated API calls, in the event where
Reason A 32-bit integer representing the reason the update is blocked from being downloaded in the
background.
RegulationReason The reason that the update is regulated
RegulationResult The result code (HResult) of the last attempt to contact the regulation web service for
download regulation of update content.
RelatedCV The Correlation Vector that was used before the most recent change to a new Correlation Vector.
RepeatFailCount Indicates whether this specific content has previously failed.
RepeatFailFlag Indicates whether this specific content previously failed to download.
SizeCalcTime Time (in seconds) taken to calculate the total download size of the payload.
downloaded.
TotalExpectedBytes The total size (in Bytes) expected to be downloaded.
UpdateImpor tance Indicates whether the content was marked as Important, Recommended, or Optional.
UsedDO Indicates whether the download used the Delivery Optimization (DO) service.
client
client
Connected Standby)
found.
client.
CommonProps A bitmask for future flags associated with the Windows Update client behavior. No value is
required.
the device.
InstallProps A bitmask for future flags associated with the install operation. No value is currently reported in
this field. Expected value for this field is 0.
IsWUfBDualScanEnabled Indicates whether Windows Update for Business dual scan is enabled on the
device.
introduced.
was not provided.
underway.
Optional.
UsedSystemVolume Indicates whether the content was downloaded and then installed from the device's
main system storage drive, or an alternate storage drive.
SoftwareUpdateClientTelemetry.Revert
Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example,
BundleId Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was
found.
of request.
CSIErrorType Stage of CBS installation that failed.
required.
EventType Event type (Child, Bundle, Release, or Driver).
of the device.
IsSuccessFailurePostReboot Indicates whether an initial success was a failure after a reboot.
UpdateId The identifier associated with the specific piece of content.
UpdateImpor tance Indicates the importance of a driver, and why it received that importance level (0-
UsedSystemVolume Indicates whether the device's main system storage drive or an alternate storage drive
was used.
SoftwareUpdateClientTelemetry.TaskRun
Start event for Server Initiated Healing client. See EventScenario field for specifics (for example,
started/completed).
of request.
CmdLineArgs Command line arguments passed in by the caller.
EventInstanceID A globally unique identifier for the event instance.
Microsoft Store, etc.).
SoftwareUpdateClientTelemetry.Uninstall
Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example,
BundleId The identifier associated with the specific content bundle. This should not be all zeros if the bundleID
was found.
CallerApplicationName Name of the application making the Windows Update request. Used to identify
context of request.
DriverRecover yIds The list of identifiers that could be used for uninstalling the drivers when a recovery is
required.
EventScenario Indicates the purpose of the event (a scan started, succeded, failed, etc.).
EventType Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
HardwareId If the download was for a driver targeted to a particular device model, this ID indicates the model
of the device.
IsSuccessFailurePostReboot Indicates whether an initial success was then a failure after a reboot.
RepeatFailCount Indicates whether this specific piece of content previously failed.
UpdateId Identifier associated with the specific piece of content.
UpdateImpor tance Indicates the importance of a driver and why it received that importance level (0-
UsedSystemVolume Indicates whether the device’s main system storage drive or an alternate storage drive
was used.
client.
of request.
audit; 3 = enforce
by revision ID).
TimestampTokenId The time this was created. It is encoded in a timestamp blob and will be zero if the token
is malformed.
System Resource Usage Monitor events

Microsoft.Windows.Srum.Sdp.CpuUsage
This event provides information on CPU usage.
UsageMax The maximum of hourly average CPU usage.
UsageMean The mean of hourly average CPU usage.
UsageMedian The median of hourly average CPU usage.
UsageTwoHourMaxMean The mean of the maximum of every two hour of hourly average CPU usage.
Microsoft.Windows.Srum.Sdp.NetworkUsage
This event provides information on network usage.
AdapterGuid The unique ID of the adapter.
BytesTotalMax The maximum of the hourly average bytes total.
BytesTotalMean The mean of the hourly average bytes total.
BytesTotalMedian The median of the hourly average bytes total.
BytesTotalTwoHourMaxMean The mean of the maximum of every two hours of hourly average bytes total.
LinkSpeed The adapter link speed.
Update events
Rever tResult The result code returned for the Revert operation.
ContainsSafeOSDUPackage Boolean indicating whether Safe DU packages are part of the payload.
DownloadComplete Indicates if the download is complete.
PackageCountTotalPSFX The total number of PSFX packages.
PackageSizePSFX The size of PSFX packages, in bytes.
SandboxTaggedForReser ves The sandbox for reserves.
Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new
Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
PackageCount Number of packages that feel back to canonical.
PackageList PackageIds which fell back to canonical.
scenarios).
MergeId The unique ID to join two update sessions being merged.
IsSuspendable Indicates whether the update has the ability to be suspended and resumed at the time of
reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is
running, this field is TRUE, if not its FALSE.
Reason Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the
result is 0.
UpdateState Indicates the state of the machine when Suspend is called. For example, Install, Download,
Commit.
SetupLaunchAttemptCount Indicates the count of attempts to launch setup for the current Update Agent
instance.

Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
This event is sent at the start of each campaign, to be used as a heartbeat.
CampaignID Current campaign that is running on Update Notification Pipeline.
ConfigCatalogVersion Current catalog version of Update Notification Pipeline.
ContentVersion Content version for the current campaign on Update Notification Pipeline.
DetectorVersion Most recently run detector version for the current campaign on Update Notification Pipeline.
PackageVersion Current package version for Update Notification Pipeline.
Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
This event is sent when the Campaign Manager encounters an unexpected error while running the campaign.
CampaignID Currently campaign that's running on Update Notification Pipeline (UNP).
hresult HRESULT of the failure.
Upgrade events
the upgrade.
Scenario Dynamic update scenario (Image DU, or Setup DU).
UpdateId The ID of the update that was downloaded.
version of Windows.
ResultCode The result returned from the initiation of Facilitator with the URL/attributes.
failure happened
Windows up-to-date.
errors.

callerApplication The name of the calling application.
capsuleCount The number of Sediment Pack capsules.
capsuleFailureCount The number of capsule failures.
hrEngineBlockReason Indicates the reason for stopping WaaSMedic.
hrLastSandboxError The last error sent by the WaaSMedic sandbox.
initSummar y Summary data of the initialization method.
insufficientSessions Device not eligible for diagnostics.
isInteractiveMode The user started a run of WaaSMedic.
pluginFailureCount The number of plugins that have failed.
pluginsCount The number of plugins.
previous run.
previous run.
waasMedicRunMode Indicates whether this was a background regular run of the medic or whether it was
triggered by a user launching Windows Update Troubleshooter.

Watson).
Value
This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of
estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic
Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe
and stable operation of Windows, the data provided by this event provides that data in a manner which does not
threaten a user’s privacy.
Algorithm The algorithm used to preserve privacy.
DPRange The upper bound of the range being measured.
DPValue The randomized response returned by the client.
Epsilon The level of privacy to be applied.
HistType The histogram type if the algorithm is a histogram algorithm.
Per tProb The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”.
DPRange Maximum mean value range.
DPValue Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean.
Value Standard UTC emitted DP value structure See Value.

to-date and secure.
set.
BundleId The identity of the test build (flight) associated with this product.
ParentBundleId The product identifier of the parent if this product is part of a bundle.
secure.
ResumeClientId The ID of the app that initiated the resume operation.
Windows System Kit events

Microsoft.Windows.Kits.WSK.WskImageCreate
This event sends simple Product and Service usage data when a user is using the Windows System Kit to create
new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used
to help investigate “image” creation failures.
Phase The image creation phase. Values are “Start” or “End”.
Result Result of the image creation phase. Indicates if the image was created successfully. Value is integer.
WorkspaceArchitecture Architecture of image created.
WorkspaceOsEdition OSEdition of the image created.
WskImageEnvironment Type of environment image was created for "Lab" or "Non-Lab".
WskSessionId A string identifier (GUID) for the workspace.
WskVersion The version of the Windows System Kit being used.
Microsoft.Windows.Kits.WSK.WskImageCustomization
This event sends simple Product and Service usage data when a user is using the Windows System Kit to
create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data
includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and
the mode (new or updating) and is used to help investigate configuration file creation failures.
CustomizationMode Indicates the mode of the customization (new or updating).
CustomizationType Indicates the type of customization (drivers or apps).
Mode The mode of update to image configuration files. Values are “New” or “Update”.
Result Result of the image creation phase.
Type The type of update to image configuration files. Values are “Apps” or “Drivers”.
Microsoft.Windows.Kits.WSK.WskWorkspaceCreate
This event sends simple Product and Service usage data when a user is using the Windows System Kit to create
new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state
of the event and is used to help investigate workspace creation failures.
Architecture The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”,
or “ARM”.
OsEdition The Operating System Edition that the workspace will target.
Result Stage result. Values are integers.
WorkspaceArchitecture The operating system architecture that the workspace will target.
WorkspaceOsEdition The operating system edition that the workspace will target.

isVpn Indicates whether the device is connected to a VPN (Virtual Private Network).
group.
cdnUrl Url of the source Content Distribution Network (CDN).
expiresAt The time when the content will expire from the Delivery Optimization Cache.
group.
linkLocalConnectionCount The number of connections made to peers in the same Link-local network.
numPeersLocal The total number of local peers used for this download.
routeToCacheSer ver Cache server setting, source, and value.
was encountered.

the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install
a device manifest describing a set of driver packages.
during analysis.
the system.
summary string.
truncatedDeviceCount The number of devices missing from the summary string because there is not
deleted.
BlockCancelled.
flightId The unique identifier for each flight (pre-release builds).
objectId The unique identifier for each diagnostics session.
relatedCV Correlation vector value generated from the latest scan.
DesktopDriverUpdate
sessionId The unique identifier for each update session.
This event sends data for the start of each mode during the process of updating device manifest assets via the UUP
(Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver
packages.
mode Indicates the active Update Agent mode.
SkipToAutoModeLimit The minimum length of time to pass in restart pending before a device can be put
into auto mode.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
settings).
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderToast
This event indicates that the Enhanced Engaged restart reminder pop-up banner was displayed.
ExitCode Indicates how users exited the pop-up banner.
RebootVersion The version of the reboot logic.
UserResponseString The option that the user chose in the pop-up banner.
UtcTime The time that the pop-up banner was displayed, in Coordinated Universal Time.
automatically).
rebootUsingSmar tScheduler Indicates whether the reboot is scheduled by smart scheduler.
Microsoft.Windows.Update.Orchestrator.CommitFailed
This event indicates that a device was unable to restart after an update.
battery).
IgnoreReasonsForRestar t List of reasons why restart was deferred.
updateId Update ID.
deferReason The reason why the device could not check for updates.
detectionBlockingPolicy The Policy that blocked detection.
eventScenario End-to-end update session ID, or indicates the purpose of sending this event - whether
because the software distribution just started installing content, or whether it was cancelled, succeeded, or
failed.
flightID The unique identifier for the flight (Windows Insider pre-release build) should be delivered to the
device, if applicable.
interactive Indicates whether the user initiated the session.
networkStatus Indicates if the device is connected to the internet.
revisionNumber The Update revision number.
scanTriggerSource The source of the triggered scan.
updateId The unique identifier of the Update.
Microsoft.Windows.Update.Orchestrator.DetectionActivity
This event returns data about detected updates, as well as the types of update (optional or recommended). This
data helps keep Windows up to date.
applicableUpdateIdList The list of update identifiers.
applicableUpdateList The list of available updates.
durationInSeconds The amount of time (in seconds) it took for the event to run.
expeditedMode Indicates whether Expedited Mode is on.
networkCostPolicy The network cost.
scanTriggerSource Indicates whether the scan is Interactive or Background.
scenario The result code of the event.
scenarioReason The reason for the result code (scenario).
seekerUpdateIdList The list of “seeker” update identifiers.
seekerUpdateList The list of “seeker” updates.
ser vices The list of services that were called during update.
wilActivity The activity results. See wilActivity.
Microsoft.Windows.Update.Orchestrator.DetectionResult
This event runs when an update is detected. This helps ensure Windows is kept up to date.
applicableUpdateIdList A list of applicable update IDs.
applicableUpdateList A list of applicable update names.
seekerUpdateIdList A list of optional update IDs.
seekerUpdateList A list of optional update names.
updateId Update ID.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows
Update was already in Pending Commit phase of the feature update.
Microsoft.Windows.Update.Orchestrator.DTUEnabled
This event indicates that Inbox DTU functionality was enabled.
Microsoft.Windows.Update.Orchestrator.DTUInitiated
This event indicates that Inbox DTU functionality was intiated.
dtuErrorCode Return code from creating the DTU Com Server.
isDtuApplicable Determination of whether DTU is applicable to the machine it is running on.
date.
Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
This event indicated that USO failed to add a trigger time to a task.
errorCode The Windows Update error code.
wuDeviceid The Windows Update device ID.
inapplicableReason The reason why the update is inapplicable.
up to date.
action.
updateId Update ID.
IgnoreReasonsForRestar t The reason(s) a Postpone Restart command was ignored.
updateId Update ID.
keep secure.
availableHistor yMinutes The number of minutes available from the local machine activity history.
uptime.
Windows up to date.
Microsoft.Windows.Update.Orchestrator.PostInstall
This event is sent after a Windows update install completes.
batter yLevel Current battery capacity in megawatt-hours (mWh) or percentage left.
bundleId The unique identifier associated with the specific content bundle.
bundleRevisionnumber Identifies the revision number of the content bundle.
errorCode The error code returned for the current phase.
eventScenario State of update action.
sessionType The Windows Update session type (Interactive or Background).
updateScenarioType Identifies the type of Update session being performed.
wuDeviceid The unique device identifier used by Windows Update.
Windows up to date.
code.
updateId Update ID.
to date.
RebootTaskMissedTimeUTC The time when the reboot task was scheduled to run, but did not.
RebootTaskNextTimeUTC The time when the reboot task was rescheduled for.
errorCode The error code returned for the current scan operation.
eventScenario Indicates the purpose of sending this event.
isDTUEnabled Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on
the client system.
Microsoft.Windows.Update.Orchestrator.StickUpdate
This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a
newer update.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
This event is sent when update activity was stopped due to a low battery level.
Microsoft.Windows.Update.Orchestrator.UnstickUpdate
This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a
newer update.
up to date.
action.
updateId Update ID.
began pending.
rebootUsingSmar tScheduler Indicates that the reboot is scheduled by SmartScheduler.
Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
This event is sent when MUSE broker schedules a task.
TaskArgument The arguments with which the task is scheduled.
TaskName Name of the task.
Windows up to date.
rebootUsingSmar tScheduler TRUE if the reboot should be performed by the Smart Scheduler. Otherwise,
FALSE.

FlightId Unique GUID that identifies each instances of setuphost.exe.
ReparsePointsFailed Number of reparse points that were corrupted but were not fixed by this mitigation.
SessionId Unique ID for the update session.
UpdateId Unique ID for the Windows Update.

FinalAdjustment Final adjustment for the hard reserve following the addition or removal of optional content.
InitialAdjustment Initial intended adjustment for the hard reserve following the addition/removal of optional
content.
FailedExpression The failed expression that was returned.
FailedFile The binary file that contained the failed function.
FailedFunction The name of the function that originated the failure.
FailedLine The line number of the failure.
ReturnCode The return code of the function.
ClientId The ID of the caller application.
Flags The enumerated flags used to initialize the manager.
FlightId The flight ID of the content the calling client is currently operating with.
Offline Indicates whether or the reserve manager is called during offline operations.
PolicyPassed Indicates whether the machine is able to use reserves.
ReturnCode Return code of the operation.
Version The version of the Update Reserve Manager.
This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next
boot.
FallbackLogicUsed Indicates whether fallback logic was used for initialization.
Flags The flags that are passed to the function to prepare the Trusted Installer for reserve initialization.
ChangeSize The change in the hard reserve size based on the addition or removal of optional content.
Disposition The parameter for the hard reserve adjustment function.
Flags The flags passed to the hard reserve adjustment function.
PendingHardReser veAdjustment The final change to the hard reserve size.
UpdateType Indicates whether the change is an increase or decrease in the size of the hard reserve.
Winlogon events
XBOX events
LicenseType The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 -
Offline, 4 - Disc).
LicenseXuid If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner
of the license.
Applies to
The Basic level helps to identify problems that can occur on a particular device hardware or software
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of
memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Appraiser events
device.
device.
this device.
DatasourceDriverPackage_RS3 The count of the number of this particular object type present on this
device.
device.
device.
device.
DataSourceMatchingInfoPassive_RS3 The count of the number of this particular object type present on
this device.
this device.
on this device.
device.
DecisionApplicationFile_RS1 An ID for the system, calculated by hashing hardware identifiers.
device.
on this device.
device.
device.
this device.
device.
device.
this device.
device.
device.
PCFP An ID for the system, calculated by hashing hardware identifiers.
device.
SystemTouch The count of SystemTouch objects present on this machine.
SystemWindowsActivationStatus The count of SystemWindowsActivationStatus objects present on this
machine.
IsAv Is the file an antivirus reporting EXE?
Update.
upgrade mode?
app.
upgrade.
block upgrade.
the OS?
DisplayGenericMessageGated Indicates whether a generic message will be shown during Setup for this
PNP device.
PNP device?
overridden?
package.
blocks?
blocks?
This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help
app?
Center?
supported edition?
date.
octets.
file metadata.
date.
Windows up to date.
bytes).
Windows up to date.
to date.
Windows up to date.
up to date.
a WIM.
date.
Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusEndSync
This event indicates that a full set of SystemWindowsActivationStatusAdd events has succeeded in being sent.
date.
do a full scan.
This event sends data about the usage of older digital rights management on the system, to help keep Windows
up to date. This data does not indicate the details of the media using the digital rights management, only whether
any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be
able to be removed once all mitigations are in place.
ripped CDs.
Census events
Census.App
Census.Azure
Par tA_PrivTags The privacy tags associated with the event.
Census.Battery
Census.Camera
Census.Enterprise
computers.
Census.Firmware
Census.Flighting
on this device.
Census.Hardware
compass).
Census.Memory
date.
Census.Network
Census.OS
the MS store.
refresh, reset, etc
consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -
1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The
Census.Processor
PreviousUpdateRevision Previous microcode revision.
ProcessorUpdateStatus Enum value that represents the processor microcode load status.
Census.Security
security.
Census.Speech
the device.
Census.Storage
date.
structure (if any).
Census.Userdefault
DefaultApp The current uer's default program selected for the following extension or protocol: .html, .htm,
.jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
Census.UserDisplay
internal display.
Census.UserNLS
Census.VM
Census.WU
date.
Default.
(WSUS).
network.
(by default).
Census.Xbox
date.

app.
event.
across an app.
model Device model.
Extensions.os.
Extensions.sdk.
Extensions.utc.
the event latency.
account ID.
ingress server.
did XBOX device ID
exp Expiration time
nbf Not before time
accounts.
Common data fields

Compatibility events
Microsoft.Windows.Compatibility.Apphelp.SdbFix
Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
AppName Name of the application impacted by SDB.
FixID SDB GUID.
Flags List of flags applied.
ImageName Name of file.
Component-based Servicing events

Windows Update.
Par tA_PrivTags The privacy tags associated with the event.
installed.
accessible file.
applicable.
uninstalled.
Deployment extensions
DeploymentTelemetry.Deployment_End
This event indicates that a Deployment 360 API has completed.
ErrorCode Error code of action.
Mode Phase in upgrade.
RelatedCV The correction vector (CV) of any other related events
DeploymentTelemetry.Deployment_Initialize
This event indicates that the Deployment 360 APIs have been initialized for use.
ClientId Client ID of user utilizing the D360 API.
RelatedCV The correlation vector of any other related events.
DeploymentTelemetry.Deployment_SetupBoxLaunch
This event indicates that the Deployment 360 APIs have launched Setup Box.
ClientId The client ID of the user utilizing the D360 API.
Quiet Whether Setup will run in quiet mode or full mode.
SetupMode The current setup phase.
DeploymentTelemetry.Deployment_SetupBoxResult
This event indicates that the Deployment 360 APIs have received a return from Setup Box.
Quiet Indicates whether Setup will run in quiet mode or full mode.
SetupMode The current Setup phase.
DeploymentTelemetry.Deployment_Start
This event indicates that a Deployment 360 API has been called.
Mode The current phase of the upgrade.

TelClientSynthetic.ConnectivityHeartbeat_0
CensusExitCode Last exit code of the Census task.
LastFreeNetworkLossTime The FILETIME at which the last free network loss occurred.
NetworkState The network state of the device.
NoNetworkTimeSec The total number of seconds without network during this heartbeat period.
RestrictedNetworkTimeSec The total number of seconds with restricted network during this heartbeat
period.
of throttling.
initiated.
EventSubStoreResetCounter Number of times event DB was reset.
EventSubStoreResetSizeSum Total size of event DB across all resets reports in this instance.
event.
initiated.
EventSubStoreResetCounter Number of times event database was reset.
EventSubStoreResetSizeSum Total size of event database across all resets reports in this instance.
PreviousHear tBeatTime The FILETIME of the previous heartbeat fire.
event.
Direct to update events

Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability
This event indicates that the Coordinator CheckApplicability call succeeded.
ApplicabilityResult Result of CheckApplicability function.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
This event indicates that the Coordinator Cleanup call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
This event indicates that the Coordinator Commit call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
Download call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that
will be ignored.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
This event indicates that the Coordinator Download call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
HandleShutdown call.
CoordinatorVersion Coordinate version of DTU.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
This event indicates that the Coordinator HandleShutdown call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
This event indicates that the Coordinator Initialize call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install
call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will
be ignored.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
This event indicates that the Coordinator's progress callback has been called.
DeployPhase Current Deploy Phase.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadyGenericFailure
SetCommitReady call.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
This event indicates that the Coordinator SetCommitReady call succeeded.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
This event indicates that the user selected an option on the Reboot UI.
rebootUiSelection Selection on the Reboot UI.
Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
CV_new New correlation vector
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
CheckApplicabilityInternal call.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
This event indicates that the Handler CheckApplicabilityInternal call succeeded.
ApplicabilityResult The result of the applicability check.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
This event indicates that the Handler CheckApplicability call succeeded.
ApplicabilityResult The result code indicating whether the update is applicable.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure
CheckIfCoordinatorMinApplicableVersion call.
Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
CheckIfCoordinatorMinApplicableVersionResult Result of CheckIfCoordinatorMinApplicableVersion
function.
Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
This event indicates that the Handler Commit call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded
This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already
been downloaded.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
This event indicates that the Handler Download and Extract cab call failed.
DownloadAndExtractCabFunction_failureReason Reason why the update download and extract process
failed.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
This event indicates that the Handler Download and Extract cab call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download
call.
Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
This event indicates that the Handler Download call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
DownloadAndExtractCabFunction_hResult HRESULT of the download and extract.
Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
This event indicates that the Handler Initialize call succeeded.
DownloadAndExtractCabFunction_hResult HRESULT of the download and extraction.
Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure
SetCommitReady call.
Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
This event indicates that the Handler SetCommitReady call succeeded.
Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
CampaignID The ID of the campaigning being run.
hResult The HRESULT of the failure.
Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
This event indicates that the Handler WaitForRebootUi call succeeded.


(WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event
will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash
telemetry backend.
process name.
IsCrashFatal (Deprecated) True/False to indicate whether the crash resulted in process termination.


telemetry backend.
application.
waiting.
Inventory events
DeviceCensus A count of devicecensus objects in cache.
Inventor yApplicationDriver A count of application driver objects in cache.
Inventor yApplicationFramework A count of application framework objects in cache.
Inventor yApplicationShor tcut A count of application shortcut objects in cache.
Inventor yMiscellaneousOfficeAddIn A count of office add-in objects in cache.
Inventor yMiscellaneousOfficeIdentifiers A count of office identifier objects in cache.
Inventor yMiscellaneousOfficeIESettings A count of office IE settings objects in cache.
Inventor yMiscellaneousOfficeInsights A count of office insights objects in cache.
Inventor yMiscellaneousOfficeProducts A count of office products objects in cache.
Inventor yMiscellaneousOfficeSettings A count of office settings objects in cache.
Inventor yMiscellaneousOfficeVBA A count of office VBA objects in cache.
Inventor yMiscellaneousOfficeVBARuleViolations A count of office VBA rule violations objects in cache.
Inventor yMiscellaneousUUPInfo A count of UUP info objects in cache.
MsiPackage.
Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it
is a service. Application and BOE are the ones most likely seen.
BusRepor tedDescription The description of the device reported by the bus.
DriverVerDate The date associated with the driver loaded on the device.
DriverVerVersion The immediate parent directory name in the Directory field of InventoryDriverPackage.
InstallState The device installation state. For a list of values, see:
0x800000.
AhaVersion The binary version of the App Health Analyzer tool.
ApplicationErrors The count of application errors from the event log.
Bitness The architecture type of the application (16 Bit or 32 bit or 64 bit).
device_level Various JRE/JAVA versions installed on a particular device.
ExtendedProper ties Attribute used for aggregating all other attributes under this event type.
Jar Flag to determine if an app has a Java JAR file dependency.
Jre Flag to determine if an app has JRE framework dependency.
Jre_version JRE versions an app has declared framework dependency for.
Name Name of the application.
NonDPIAware Flag to determine if an app is non-DPI aware
NumBinaries Count of all binaries (.sys,.dll,.ini) from application install location.
ProgramId The ID of the associated program.
RequiresAdmin Flag to determine if an app requests admin privileges for execution.
RequiresAdminv2 Additional flag to determine if an app requests admin privileges for execution.
RequiresUIAccess Flag to determine if an app is based on UI features for accessibility.
VB6 Flag to determine if an app is based on VB6 framework.
VB6v2 Additional flag to determine if an app is based on VB6 framework.
Version Version of the application.
VersionCheck Flag to determine if an app has a static dependency on OS version.
VersionCheckv2 Additional flag to determine if an app has a static dependency on OS version.
AllowTelemetr y Indicates the presence of the 'allowtelemetry' command line argument.
CommandLineArgs Command line arguments passed when launching the App Health Analyzer executable.
Enhanced Indicates the presence of the 'enhanced' command line argument.
Star tTime UTC date and time at which this event was sent.
Provides data on the installed Office Add-ins
LoadTime Load time for the office addin
Provides data on the Office identifiers
device
for a device
Office-related Internet Explorer features
badly formed URL
windows
Describes Office Products installed
Office 2016 ProPlus
Word
Design Count of files with design issues found
Design_x64 Count of files with 64 bit design issues found
DuplicateVBA Count of files with duplicate VBA code
HasVBA Count of files with VBA code
Inaccessible Count of files that were inaccessible for scanning
Issues Count of files with issues detected
Issues_x64 Count of files with 64-bit issues detected
IssuesNone Count of files with no issues detected
IssuesNone_x64 Count of files with no 64-bit issues detected
Locked Count of files that were locked, preventing scanning
NoVBA Count of files with no VBA inside
Protected Count of files that were password protected, preventing scanning
RemLimited Count of files that require limited remediation changes
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues
RemSignificant Count of files that require significant remediation changes
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues
Score Overall compatibility score calculated for scanned content
Score_x64 Overall 64-bit compatibility score calculated for scanned content
Total Total number of files scanned
Validation Count of files that require additional manual validation
Validation_x64 Count of files that require additional manual validation for 64-bit issues
Source UUP source
Version UUP version
removed.
Kernel events
IO
system startup.
operating system.
if needed.
SecureLaunchPrepared This field indicates if DRTM was prepared during boot.
Microsoft.Windows.Kernel.Power.OSStateChange
This event indicates an OS state change.
AcPowerOnline If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions The number of transitions between operating system states since the last system boot
Batter yCapacity Maximum battery capacity in mWh
Batter yCharge Current battery charge as a percentage of total capacity
Batter yDischarging Flag indicating whether the battery is discharging or charging
BootId Total boot count since the operating system was installed
BootTimeUTC Date and time of a particular boot event (identified by BootId)
EnergyChangeV2 A snapshot value in mWh reflecting a change in power usage
EnergyChangeV2Flags Flags for disambiguating EnergyChangeV2 context
EventSequence Indicates the sequence order for this event instance, relative to previous instances of
OSStateChange events that have occurred since boot
LastStateTransition ID of the last operating system state transition
LastStateTransitionSub ID of the last operating system sub-state transition
StateDurationMS Number of milliseconds spent in the last operating system state
StateTransition ID of the operating system state the system is transitioning to
StateTransitionSub ID of the operating system sub-state the system is transitioning to
TotalDurationMS Total time (in milliseconds) spent in all states since the last boot
TotalUptimeMS Total time (in milliseconds) the device was in Up or Running states since the last boot
TransitionsToOn Number of transitions to the Powered On state since the last boot
UptimeDeltaMS Total time (in milliseconds) added to Uptime since the last event

(0x40000).
mode.
mode.
(0x40000).
mode.
mode.
(0x40000).
mode.
mode.
(0x40000).
mode.
mode.
This event sends hardware and software inventory information about the Microsoft Edge Update service,
Microsoft Edge applications, and the current system environment, including app configuration, update
configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate
service and if Microsoft Edge applications are up to date.
identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default:
''.
Update.
Default: ''.
Default: ''.
sum of all such download times over the course of the update flow. Sent in events that have an event type of
'1', '2', '3', and '14' only. Default: '0'.
Default: '0'.
(Unknown).
Default: '0'.
Default: ''.
'0.0.0.0'.
Default: ''.
Default: ''.
(0x40000).
mode.
mode.
Migration events
Miracast events
in bits per second.
LastLatencyTime The last reported latency time.
capabilities.
the same session.
Miracast extension.
extension.
for 3:2 resolution.
OneDrive events
HResult HResult of the operation
IsSuccess Whether the operation is successful or not

Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentPrep
This event is used to determine whether the user needs to see the privacy consent experience or not.
s0 Indicates the error level encountered during Privacy Consent Preparation. See
Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity.
wilActivity Information of the thread where the error occurred (thread ID). See wilActivity.
Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity
This event returns information if an error is encountered while computing whether the user needs to complete
privacy consents in certain upgrade scenarios.
callContext A list of Windows Diagnostic activities/events containing this error.
currentContextId The ID for the newest activity/event containing this error.
currentContextMessage Any custom message for the activity context.
currentContextName The name of the newest activity/event context containing this error.
failureType The type of failure observed: exception, returned error, etc.
fileName The name of the fine in which the error was encountered.
hresult The Result Code of the error.
lineNumber The line number where the error was encountered.
message Any message associated with the error.
module The name of the binary module where the error was encountered.
originatingContextId The ID of the oldest telemetry activity containing this error.
originatingContextMessage Any custom message associated with the oldest Windows Diagnostic
activity/event containing this error.
originatingContextName The name associated with the oldest Windows Diagnostic activity/event containing
this error.
threadId The ID of the thread the activity was run on.
Privacy logging notification events

Remediation events
deny
ActionName The name of the action to be taken by the plug-in.
AppraiserDetectCondition Indicates whether the plug-in passed the appraiser's check.
AppraiserTaskDisabled Indicates the appraiser task is disabled.
AppraiserTaskValidFailed Indicates the Appraiser task did not function and requires intervention.
EvalAndRepor tAppraiserBinariesFailed Indicates the EvalAndReportAppraiserBinaries event failed.
EvalAndRepor tAppraiserRegEntriesFailed Indicates the EvalAndReportAppraiserRegEntriesFailed event
failed.
enabled.
exists.
Hammer task ran.
enabled.
task.
task.
task.
RemediationUHSer viceBitsSer viceEnabled Indicates whether BITS service is enabled.
RemediationUHSer viceDeviceInstallEnabled Indicates whether Device Install service is enabled.
RemediationUHSer viceDoSvcSer viceEnabled Indicates whether DO service is enabled.
RemediationUHSer viceDsmsvcEnabled Indicates whether DSMSVC service is enabled.
RemediationUHSer viceLicensemanagerEnabled Indicates whether License Manager service is enabled.
RemediationUHSer viceMpssvcEnabled Indicates whether MPSSVC service is enabled.
RemediationUHSer viceTokenBrokerEnabled Indicates whether Token Broker service is enabled.
RemediationUHSer viceTrustedInstallerSer viceEnabled Indicates whether Trusted Installer service is
enabled.
RemediationUHSer viceUsoSer viceEnabled Indicates whether USO (Update Session Orchestrator) service
is enabled.
RemediationUHSer vicew32timeSer viceEnabled Indicates whether W32 Time service is enabled.
RemediationUHSer viceWecsvcEnabled Indicates whether WECSVC service is enabled.
RemediationUHSer viceWinmgmtEnabled Indicates whether WMI service is enabled.
RemediationUHSer viceWpnSer viceEnabled Indicates whether WPN service is enabled.
RemediationUHSer viceWuauser vSer viceEnabled Indicates whether WUAUSERV service is enabled.
RunAppraiserFailed Indicates RunAppraiser failed to run correctly.
Microsoft.Windows.Remediation.ChangePowerProfileDetection
Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable
installation of security or quality updates.
ActionName A descriptive name for the plugin action
CurrentPowerPlanGUID The ID of the current power plan configured on the device
GlobalEventCounter Counter that indicates the ordering of events on the device
PackageVersion Current package version of remediation service
RemediationBatter yPowerBatter yLevel Integer between 0 and 100 indicating % battery power remaining
(if not on battery, expect 0)
RemediationFUInProcess Result that shows whether the device is currently installing a feature update
RemediationFURebootRequred Indicates that a feature update reboot required was detected so the plugin
will exit.
RemediationScanInProcess Result that shows whether the device is currently scanning for updates
RemediationTargetMachine Result that shows whether this device is a candidate for remediation(s) that will
fix update issues
SetupMutexAvailable Result that shows whether setup mutex is available or not
SysPowerStatusAC Result that shows whether system is on AC power or not
AppraiserTaskCreationFailed TRUE if the appraiser task creation failed to complete successfully.
AppraiserTaskDeleteFailed TRUE if deletion of appraiser task failed to complete successfully.
AppraiserTaskExistFailed TRUE if detection of the appraiser task failed to complete successfully.
AppraiserTaskLoadXmlFailed TRUE if the Appraiser XML Loader failed to complete successfully.
AppraiserTaskTimeTriggerUpdateFailedId TRUE if the Appraiser Task Time Trigger failed to update
successfully.
AppraiserTaskValidateTaskXmlFailed TRUE if the Appraiser Task XML failed to complete successfully.
CrossedDiskSpaceThreshold Indicates if cleanup resulted in hard drive usage threshold required for feature
update to be exceeded.
DaysSinceOsInstallation The number of days since the installation of the Operating System.
DiskMbCleaned The amount of space cleaned on the hard disk, measured in megabytes.
PageFileCount The number of Windows Page files.
PageFileCurrentSize The size of the Windows Page file, measured in Megabytes.
PageFileLocation The storage location (directory path) of the Windows Page file.
PageFilePeakSize The maximum amount of hard disk space used by the Windows Page file, measured in
Megabytes.
RanCleanup TRUE if the plug-in ran disk cleanup.
operation.
RemediationConfigurationTroubleshooterExecuted True/False based on whether the Remediation
Configuration Troubleshooter executed successfully.
RemediationDiskCleanSizeBtWindowsFolderInMegabytes The size of the Windows BT folder (used to
store Windows upgrade files), measured in Megabytes.
RemediationDiskCleanupBTFolderEsdSizeInMB The size of the Windows BT folder (used to store Windows
upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
RemediationDiskCleanupGetCurrentEsdSizeInMB The size of any existing ESD (Electronic Software
Delivery) folder, measured in Megabytes.
RemediationDiskCleanupSearchFileSizeInMegabytes The size of the Cleanup Search index file, measured
in Megabytes.
RemediationDiskCleanupUpdateAssistantSizeInMB The size of the Update Assistant folder, measured in
Megabytes.
RemediationDoorstopChangeSucceeded TRUE if Doorstop registry key was successfully modified.
RemediationDoorstopExists TRUE if there is a One Settings Doorstop value.
RemediationDoorstopRegkeyError TRUE if an error occurred accessing the Doorstop registry key.
RemediationDRFKeyDeleteSucceeded TRUE if the RecoveredFrom (Doorstop) registry key was successfully
deleted.
RemediationDUABuildNumber The build number of the DUA.
RemediationDUAKeyDeleteSucceeded TRUE if the UninstallActive registry key was successfully deleted.
RemediationDuplicateTokenSucceeded TRUE if the user token was successfully duplicated.
RemediationImpersonateUserSucceeded TRUE if the user was successfully impersonated.
RemediationNoisyHammerTaskFixSuccessId Indicates whether the Update Assistant task fix was
successful.
RemediationNoisyHammerTaskKickOffIsSuccess TRUE if the NoisyHammer task started successfully.
RemediationQuer yTokenSucceeded TRUE if the user token was successfully queried.
RemediationRanHibernation TRUE if the system entered Hibernation.
RemediationRever tToSystemSucceeded TRUE if reversion to the system context succeeded.
RemediationWindowsLogSpaceFound The size of the Windows log files found, measured in Megabytes.
RemediationWindowsSecondar yDriveFreeSpace The amount of free space on the secondary drive,
RemediationWindowsSecondar yDriveLetter The letter designation of the first secondary drive with a total
capacity of 10GB or more.
RemediationWindowsSecondar yDriveTotalSpace The total storage capacity of the secondary drive,
RemediationWindowsTotalSystemDiskSize The total storage capacity of the System Disk Drive, measured
in Megabytes.
Ser viceHardeningExitCode The exit code returned by Windows Service Repair.
Ser viceHealthEnabledBitMap List of services updated by the plugin.
Ser viceHealthInstalledBitMap List of services installed by the plugin.
Ser viceHealthPlugin The nae of the Service Health plug-in.
Star tComponentCleanupTask TRUE if the Component Cleanup task started successfully.
TotalSizeofOrphanedInstallerFilesInMegabytes The size of any orphaned Windows Installer files,
TotalSizeofStoreCacheAfterCleanupInMegabytes The size of the Microsoft Store cache after cleanup,
TotalSizeofStoreCacheBeforeCleanupInMegabytes The size of the Microsoft Store cache (prior to
cleanup), measured in Megabytes.
simultaneous scans.
set.
(late).
BlockWuUpdates Key.
WindowsHyberFilSysSizeInMegabytes The size of the Windows Hibernation file, measured in Megabytes.
WindowsInstallerFolderSizeInMegabytes The size of the Windows Installer folder, measured in Megabytes.
WindowsOldFolderSizeInMegabytes The size of the Windows.OLD folder, measured in Megabytes.
WindowsPageFileSysSizeInMegabytes The size of the Windows Page file, measured in Megabytes.
WindowsSoftwareDistributionFolderSizeInMegabytes The size of the SoftwareDistribution folder,
WindowsSwapFileSysSizeInMegabytes The size of the Windows Swap file, measured in Megabytes.
Megabytes.
WindowsSxsTempFolderSizeInMegabytes The size of the WinSxS (Windows Side-by-Side) Temp folder,
Microsoft.Windows.Remediation.RemediationShellMainExeEventId
Enables tracking of completion of process that remediates issues preventing security and quality updates.
CV Client side counter which indicates ordering of events sent by the remediation system.
GlobalEventCounter Client side counter which indicates ordering of events sent by the remediation system.
RemediationShellCanAcquireSedimentMutex True if the remediation was able to acquire the sediment
mutex. False if it is already running.
RemediationShellExecuteShellResult Indicates if the remediation system completed without errors.
RemediationShellFoundDriverDll Result whether the remediation system found its component files to run
properly.
RemediationShellLoadedShellDriver Result whether the remediation system loaded its component files to
run properly.
RemediationShellLoadedShellFunction Result whether the remediation system loaded the functions from
its component files to run properly.
RunCount The number of times the remediation event started (whether it completed successfully or not).
Sediment events
Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a
secure ping to Microsoft to help ensure Windows is up to date.
CustomVer The registry value for targeting.
IsMetered TRUE if the machine is on a metered network.
LastVer The version of the last successful run.
Ser viceVersionMajor The Major version information of the component.
Ser viceVersionMinor The Minor version information of the component.
Time The system time at which the event occurred.
Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
This event provides information about the URL from which the Operating System Remediation System Service
(OSRSS) is attempting to download. This information helps ensure Windows is up to date.
AttemptNumber The count indicating which download attempt is starting.
Url The URL from which data was downloaded.
Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from
the indicated URL. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.OSRSS.Error
This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The
information provided helps ensure future upgrade/update attempts are more successful.
Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the
signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
Url The URL from which the validated EXE was downloaded.
Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted
downloaded content. The information provided helps ensure Windows is up to date.
Url The URL from which the successfully extracted content was downloaded.
Microsoft.Windows.Sediment.OSRSS.NewUrlFound
This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL
to download from. This helps ensure Windows is up to date.
Url The new URL from which content will be downloaded.
Microsoft.Windows.Sediment.OSRSS.ProcessCreated
This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute
content downloaded from the indicated URL. This information helps ensure Windows is up to date.
Url The new URL from which content will be executed.
Microsoft.Windows.Sediment.OSRSS.SelfUpdate
This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces
itself with a new version.
Ser viceVersionMajor The major version number for the component.
Ser viceVersionMinor The minor version number for the component.
Time The system timestamp for when the event occurred.
Microsoft.Windows.Sediment.OSRSS.UrlState
This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a
download from the URL.
Id A number identifying the URL.
Ser viceVersionMajor Version information for the component.
Ser viceVersionMinor Version information for the component.
StateData State-specific data, such as the attempt number for the download.
StateNumber A number identifying the current state of the URL (for example, found, downloading, extracted).
Time System timestamp when the event was started.
Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update
to itself. This information helps ensure Windows is up to date.
InstallerVersion The version information of the Installer component.
Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with
new binaries as part of its self-update process. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an
updated version of itself. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to
install an updated version of itself. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-
update operation. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-
updater after downloading it. This information helps ensure Windows is up to date.
Setup events
date.
system time
Windows up to date.
Windows up to date.
Shared PC events
Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account
Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk
space to improve Windows Update success rates.
accountType The type of account that was deleted. Example: AD, AAD, or Local
deleteState Whether the attempted deletion of the user account was successful.
userSid The security identifier of the account.
wilActivity Windows Error Reporting data collected when there is a failure in deleting a user account with the
Transient Account Manager. See wilActivity.
Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for
devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared
devices frees up disk space to improve Windows Update success rates
evaluationTrigger When was the Transient Account Manager policies ran? Example: At log off or during
maintenance hours
totalAccountCount The number of accounts on a device after running the Transient Account Manager
policies.
wilActivity Windows Error Reporting data collected when there is a failure in evaluating accounts to be
deleted with the Transient Account Manager. See wilActivity.
wilActivity
wilResult
callContext The call context stack where failure occurred.
SIH events
SIHEngineTelemetry.SLSActionData
This event reports if the SIH client was able to successfully parse the manifest describing the actions to be
evaluated.
FailedParseActions The list of actions that were not successfully parsed.
ParsedActions The list of actions that were successfully parsed.
SihclientVersion The client version that is being used.
WuapiVersion The Windows Update API version that is currently installed.
WuaucltVersion The Windows Update client version that is currently installed.
WuauengVersion The Windows Update engine version that is currently installed.

Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
completion.
client.
Context Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc,
or Unknown
0x1000, UX = 0x10000).
device.
Audit, 3-Enforce
NetworkConnectivityDetected Indicates the type of network connectivity that was detected. 0 - IPv4, 1 -
IPv6
scan checked
scan
synced down.
was synced down.
the device.
found.
client
Download process event for target update on Windows Update client. See EventScenario field for specifics
being downloaded.
BiosSKUNumber The SKU number of the device BIOS.
bundle).
CbsDownloadMethod The method used for downloading the update content related to the Component
Based Servicing (CBS) technology.
Optimizer events.
that flight.
of the device.
HostName The parent URL the content is downloading from.
NetworkCostBitMask A flag indicating the cost of the network (congested, fixed, variable, over data limit,
roaming, etc.) used for downloading the update content.
ProcessName The process name of the application that initiated API calls, in the event where
RegulationReason The reason that the update is regulated
RepeatFailFlag Indicates whether this specific piece of content had previously failed to download.
downloaded.
UsedDO Whether the download used the Delivery Optimization (DO) service.
client
client
Connected Standby)
found.
client.
the device.
IsWUfBDualScanEnabled Indicates whether Windows Update for Business dual scan is enabled on the
device.
introduced.
was not provided.
underway.
Optional.
client.
of request.
audit; 3 = enforce
by revision ID).
is malformed.
Update Assistant events

Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous
rollbacks, or admin policies.
ApplicabilityBlockedReason Blocked due to an applicability issue.
BlockWuUpgrades The upgrade assistant is currently blocked.
clientID An identification of the current release of Update Assistant.
CloverTrail This device is Clovertrail.
DeviceIsMdmManaged This device is MDM managed.
IsNetworkAvailable If the device network is not available.
IsNetworkMetered If network is metered.
IsSccmManaged This device is SCCM managed.
NewlyInstalledOs OS is newly installed quiet period.
PausedByPolicy Updates are paused by policy.
RecoveredFromRS3 Previously recovered from RS3.
RS1UninstallActive Blocked due to an active RS1 uninstall.
RS3RollBacks Exceeded number of allowable RS3 rollbacks.
triggerTaskSource Describe which task launches this instance.
WsusManaged This device is WSUS managed.
ZeroExhaust This device is zero exhaust.
Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10
version.
denyReason All the reasons why the Update Assistant was prevented from launching. Bitmask with values
from UpdateAssistant.cpp eUpgradeModeReason.
Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
calendarRun Standard time-based triggered task.
hResult Error code of the Update Assistant Orchestrator failure.
Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
Event indicating One Settings was not queried by update assistant.
hResult Error code of One Settings query failure.
Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
This event sends basic information on whether the device should be updated to the latest Windows 10 version.
autoStar tRunCount The auto start run count of Update Assistant.
clientID The ID of the current release of Update Assistant.
launchMode Indicates the type of launch performed.
launchTypeReason A bitmask of all the reasons for type of launch.
triggerTaskSource Indicates which task launches this instance.
Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
The event sends basic info on whether the Windows 10 update notification has previously launched.
clientID ID of the current release of Update Assistant.
restoreReason All the reasons for the restore.
Update events
scenarios).

Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
CampaignConfigVersion Configuration version of the current campaign.
CampaignID ID of the currently running campaign.
ConfigCatalogVersion Current catalog version of the update notification.
ContentVersion Content version of the current update notification campaign.
DetectorVersion Most recently run detector version for the current campaign.
GlobalEventCounter Client side counter that indicates the ordering of events sent by this user.
key1 UI interaction data.
key26 The interaction data for the user interface.
PackageVersion Current package version of the update notification.
schema UI interaction type.
Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
This event indicates that the Campaign Manager is cleaning up the campaign content.
CampaignID The current campaign that is running on Update Notification Pipeline (UNP).
ConfigCatalogVersion The current catalog version of the Update Notification Pipeline (UNP).
Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
This event is sent when a campaign completion status query fails.
CampaignID Current campaign that is running on Update Notification Pipeline (UNP).
Upgrade events
the upgrade.
version of Windows.
ResultCode The result returned from the initialization of Facilitator with the URL/attributes.
failure happened
Windows up-to-date.
errors.

insufficientSessions Device not eligible for diagnostics.
previous run.
previous run.
Watson).

Value Standard UTC emitted DP value structure See Microsoft.Windows.WER.MTT.Value.
Microsoft.Windows.WER.MTT.Value
This event is used for differential privacy.
Algorithm Privacy protecting algorithm used for randomization.
DPRange Maximum mean value range.
DPValue Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate mean.
Epsilon Constant used in algorithm for randomization.
HistType Histogram type.
Per tProb Constant used in algorithm for randomization.

Microsoft.Windows.Store.StoreActivating
This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep
Windows up to date.
correlationVectorRoot Identifies multiple events within a session/sequence. Initial value before
incrementation or extension.
protocolUri Protocol URI used to activate the store.
reason The reason for activating the store.
to-date and secure.
set.
BundleId The bundle ID
WUContentId Licensing identity of this package.
secure.
HResult Resulting HResult error/success code of this call
PFN Package Family Name of the app that being installed or updated
ProductId Product Id of the app that is being updated or installed

Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
This event sends basic telemetry on the failure of the Feature Rollback.
Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a
device.
Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded
This event sends basic telemetry on the success of the rollback of feature updates.
Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed
This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds.
wUfBConnected Result of Windows Update for Business connection check.
Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting
to rollback.
Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
This event indicates that the Quality Rollback process has started.
Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
This event sends basic telemetry on the success of the rollback of the Quality/LCU builds.

callerName Name of the API caller.
scenarioID The ID of the scenario.
group.
group.
callerName The name of the API caller.
minDiskSizeGB The minimum disk size (in GB) policy set for the device to allow peering with delivery
optimization.
minDiskSizePolicyEnforced Indicates whether there is an enforced minimum disk size requirement for
peering.
minFileSizePolicy The minimum content file size policy to allow the download using peering with delivery
optimization.
was encountered.

the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to
install a device manifest describing a set of driver packages.
during analysis.
the system.
summary string.
truncatedDeviceCount The number of devices missing from the summary string because there is not
deleted.
BlockCancelled.
Platform) update scenario which is used to install a device manifest describing a set of driver packages.
DesktopDriverUpdate
updateId Unique ID for each Update.
This event sends data for the start of each mode during the process of updating device manifest assets via the
UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver
packages.
DesktopDriverUpdate
into auto mode.
This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed.
UtcTime The time the dialog box was displayed, in Coordinated Universal Time.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed.
This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed..
settings).
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
DeviceLocalTime The time the dialog box was shown on the local device.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedSecondRebootReminderDialog
This event is sent when a second reminder dialog is displayed during Enhanced Engaged Reboot.
automatically).
blockReason Reason for stopping the update activity.
blockReason Reason for stopping Windows Update activity.
battery).
raisedDeferReason Indicates all potential reasons for postponing restart (such as user active, or low battery).
updateId Update ID.
detectionBlockingPolicy The Policy that blocked detection.
failed.
networkStatus Indicates if the device is connected to the internet.
scanTriggerSource The source of the triggered scan.
Microsoft.Windows.Update.Orchestrator.DetectionResult
This event runs when an update is detected. This helps ensure Windows is kept up to date.
applicableUpdateIdList A list of applicable update IDs.
applicableUpdateList A list of applicable update names.
seekerUpdateIdList A list of optional update IDs.
seekerUpdateList A list of optional update names.
updateId Update ID.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows
Update was already in Pending Commit phase of the feature update.
Microsoft.Windows.Update.Orchestrator.DTUEnabled
This event indicates that Inbox DTU functionality was enabled.
Microsoft.Windows.Update.Orchestrator.DTUInitiated
This event indicates that Inbox DTU functionality was intiated.
dtuErrorCode Return code from creating the DTU Com Server.
isDtuApplicable Determination of whether DTU is applicable to the machine it is running on.
Microsoft.Windows.Update.Orchestrator.Escalation
This event is sent when USO takes an Escalation action on a device.
configVersion Escalation config version on device.
escalationAction Indicate the specific escalation action that took place on device.
updateClassificationGUID GUID of the update the device is offered.
updateId ID of the update the device is offered.
date.
Microsoft.Windows.Update.Orchestrator.EscalationsRefreshFailed
USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered
based on the Escalation configuration that USO obtains from OneSettings. This event is sent when USO fails to
refresh the escalation configuration from OneSettings.
configVersion Current escalation config version on device.
errorCode Error code for the refresh failure.
Microsoft.Windows.Update.Orchestrator.GameActive
This event indicates that an enabled GameMode process prevented the device from restarting to complete an
update.
gameModeReason Name of the enabled GameMode process that prevented the device from restarting to
complete an update.
up to date.
action.
updateId Update ID.
updateId Update ID.
keep secure.
uptime.
Windows up to date.
Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a
update is installed.
powermenuNewOptions The new options after the power menu changed.
powermenuOldOptions The old options before the power menu changed.
rebootPendingMinutes If the power menu changed because a reboot is pending due to a update, this
indicates how long that reboot has been pending.
wuDeviceid The device ID recorded by Windows Update if the power menu changed because a reboot is
pending due to an update.
Microsoft.Windows.Update.Orchestrator.Progress
This event is sent when the download of a update reaches a milestone change, such as a change in network cost
policy, completion of an internal phase, or change in a transient state.
errorCode Error code returned.
interactive Identifies whether the session is user initiated.
networkCostPolicy The current network cost policy on device.
updateScenarioType Update Session type.
updateState Subphase of the download.
UpdateStatus Subphase of the update.
Windows up to date.
code.
updateId Update ID.
to date.
errorCode The error code returned for the current scan operation.
eventScenario Indicates the purpose of sending this event.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
This event is sent when update activity was stopped due to a low battery level.
up to date.
action.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.USODiagnostics
This event sends data on whether the state of the update attempt, to help keep Windows up to date.
LastApplicableUpdateFoundTime The time when the last applicable update was found.
LastDownloadDeferredReason The last reason download was deferred.
LastDownloadDeferredTime The time of the download deferral.
LastDownloadFailureError The last download failure.
LastDownloadFailureTime The time of the last download failure.
LastInstallCompletedTime The time when the last successful install completed.
LastInstallDeferredReason The reason the last install was deferred.
LastInstallDeferredTime The time when the last install was deferred.
LastInstallFailureError The error code associated with the last install failure.
LastInstallFailureTime The time when the last install failed to complete.
LastRebootDeferredReason The reason the last reboot was deferred.
LastRebootDeferredTime The time when the last reboot was deferred.
LastRebootPendingTime The time when the last reboot state was set to “Pending”.
LastScanDeferredReason The reason the last scan was deferred.
LastScanDeferredTime The time when the last scan was deferred.
LastScanFailureError The error code for the last scan failure.
LastScanFailureTime The time when the last scan failed.
LastUpdateCheckTime The time of the last update check.
LastUpdateDownloadTime The time when the last update was downloaded.
LastUpgradeInstallFailureError The error code for the last upgrade install failure.
LastUpgradeInstallFailureTime The time of the last upgrade install failure.
LowUpTimeDetectTime The last time “low up-time” was detected.
NoLowUpTimeDetectTime The last time no “low up-time” was detected.
UpgradeInProgressTime The amount of time a feature update has been in progress.
WaaSFeatureAssessmentDays The number of days Feature Update Assessment has been out of date.
WaaSFeatureAssessmentImpact The impact of the Feature Update Assessment.
WaaSUpToDateAssessmentDays The number of days Quality Update Assessment has been out of date.
WaaSUpToDateAssessmentImpact The impact of Quality Update Assessment.
wuDeviceid Unique ID for Device
began pending.
Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore
This event is sent when the reboot can be deferred based on some reasons, before reboot attempts.
Reason The reason sent which will cause the reboot to defer.
Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
This event is fired the first time when the reboot is required.
This event is sent when MUSE broker schedules a task.
TaskArgument The arguments with which the task is scheduled.
TaskName Name of the task.
Windows up to date.

ReparsePointsFailed Number of reparse points that are corrupted but we failed to fix them.

This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the
next boot.
Winlogon events
XBOX events
Offline, 4 - Disc).
of the license.
Applies to
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of
memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
Appraiser events
Invalid Signature - This event is superseded by an event that contains additional fields.
DatasourceDevicePnp_RS4 An ID for the system, calculated by hashing hardware identifiers.
device.
device.
this device.
on this device.
device.
device.
device.
this device.
on this device.
Inventor yLanguagePack The count of InventoryLanguagePack objects present on this machine.
device.
PCFP An ID for the system, calculated by hashing hardware identifiers.
device.
SystemProcessorSse2 The count of SystemProcessorSse2 objects present on this machine.
device.
Update.
upgrade mode?
app.
upgrade.
block upgrade.
the OS?
PNP device?
overridden?
blocks?
blocks?
app?
Center?
supported edition?
date.
octets.
file metadata.
date.
Windows up to date.
bytes).
Windows up to date.
to date.
Windows up to date.
up to date.
a WIM.
date.
date.
AppraiserDataVersion The version of the data files being used by the Appraiser telemetry run.
do a full scan.
ripped CDs.
Census events
Census.App
Census.Battery
Census.Camera
Census.Enterprise
computers.
Census.Firmware
Census.Flighting
on this device.
Census.Hardware
compass).
Census.Memory
date.
Census.Network
Census.OS
the MS store.
refresh, reset, etc
Census.Processor
Census.Security
security.
Census.Speech
the device.
Census.Storage
date.
structure (if any).
Census.Userdefault
Census.UserDisplay
internal display.
Census.UserNLS
Census.VM
Census.WU
date.
(WSUS).
network.
(by default).
Census.Xbox
date.

app.
event.
across an app.
deviceClass Represents the classification of the device, the device “family”. For example, Desktop, Server, or
Mobile.
localId Represents a locally defined unique ID for the device, not the human readable device name. Most likely
appId Represents a unique identifier of the client application currently loaded in the process producing the
event; and is used to group events together and understand usage pattern, errors by application.
appVer Represents the version number of the application. Used to understand errors by version and usage by
version across an app.
epoch ID used to help distinguish events in the sequence by indicating the current boot session.
Extensions.os.
Extensions.utc.
the event latency.
os The operating system name.
seqNum Used to track the absolute order of uploaded events.
tags A header for semi-managed extensions.
account ID.
sqmId The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection)
device identifier.
tickets An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along
with a batch of events.
did XBOX device ID
exp Expiration time
nbf Not before time
accounts.
Common data fields

Windows Update.
accessible file.
applicable.
uninstalled.

CompressedBytesUploaded Number of compressed bytes uploaded
initiated.
EventSubStoreResetCounter Number of times event database was reset.
EventSubStoreResetSizeSum Total size of event database across all resets reports in this instance.
InvalidHttpCodeCounter Number of invalid HTTP codes received from contacting Vortex.
event.
TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate
This event is triggered when UTC determines it needs to send information about personalization settings of the
user.


telemetry backend.

name Name of the event

telemetry backend.
application.
waiting.
Inventory events
MsiPackage.
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
ProgramId A hash of the Name, Version, Publisher, and Language of an application used to identify it
BusRepor tedDescription The description of the device reported by the bus.
DriverName The file name of the installed driver image.
DriverVerDate The date associated with the driver installed on the device.
DriverVerVersion The version number of the driver installed on the device.
0x800000.
Invalid variant - Provides data on the installed Office Add-ins
Usage Data regarding usage of the add-in.
This event indicates that the particular data object represented by the objectInstanceId is no longer present.
This event provides data on the Office identifiers
device
for a device
Diagnostic event to indicate a new sync is being generated for this object type
This event includes the Office-related Internet Explorer features
badly formed URL
windows
Provides insight data on the installed Office products
This event list all installed Office products
Office 2016 ProPlus
Word
ExchangeProviderFlags Office Exchange provider policies
SharedComputerLicensing Office Shared Computer Licensing policies
Design Count of files with design issues found
Design_x64 Count of files with 64 bit design issues found
DuplicateVBA Count of files with duplicate VBA code
HasVBA Count of files with VBA code
Inaccessible Count of files that were inaccessible for scanning
Issues Count of files with issues detected
Issues_x64 Count of files with 64-bit issues detected
IssuesNone Count of files with no issues detected
IssuesNone_x64 Count of files with no 64-bit issues detected
Locked Count of files that were locked, preventing scanning
NoVBA Count of files with no VBA inside
Protected Count of files that were password protected, preventing scanning
RemLimited Count of files that require limited remediation changes
RemLimited_x64 Count of files that require limited remediation changes for 64-bit issues
RemSignificant Count of files that require significant remediation changes
RemSignificant_x64 Count of files that require significant remediation changes for 64-bit issues
Score Overall compatibility score calculated for scanned content
Score_x64 Overall 64-bit compatibility score calculated for scanned content
Total Total number of files scanned
Validation Count of files that require additional manual validation
Validation_x64 Count of files that require additional manual validation for 64-bit issues
Source UUP source
Version UUP version
removed.
Kernel events
IO
system startup.
operating system.
if needed.
Migration events
OneDrive events
HResult The result code of the last action performed before this operation

Remediation events
deny
failed.
enabled.
exists.
Hammer task ran.
enabled.
task.
task.
task.
enabled.
is enabled.
Microsoft.Windows.Remediation.ChangePowerProfileDetection
Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable
installation of security or quality updates.
ActionName A descriptive name for the plugin action
CurrentPowerPlanGUID The ID of the current power plan configured on the device
GlobalEventCounter Counter that indicates the ordering of events on the device
PackageVersion Current package version of remediation service
RemediationBatter yPowerBatter yLevel Integer between 0 and 100 indicating % battery power remaining
(if not on battery, expect 0)
RemediationFUInProcess Result that shows whether the device is currently installing a feature update
RemediationFURebootRequred Indicates that a feature update reboot required was detected so the plugin
will exit.
RemediationScanInProcess Result that shows whether the device is currently scanning for updates
RemediationTargetMachine Result that shows whether this device is a candidate for remediation(s) that will
fix update issues
SetupMutexAvailable Result that shows whether setup mutex is available or not
SysPowerStatusAC Result that shows whether system is on AC power or not
successfully.
Megabytes.
operation.
in Megabytes.
Megabytes.
RemediationDoorstopExists TRUE if there is a One Settings Doorstop value.
deleted.
in Megabytes.
simultaneous scans.
set.
(late).
BlockWuUpdates Key.
Megabytes.
Microsoft.Windows.Remediation.RemediationShellMainExeEventId
Enables tracking of completion of process that remediates issues preventing security and quality updates.
CV Client side counter which indicates ordering of events sent by the remediation system.
GlobalEventCounter Client side counter which indicates ordering of events sent by the remediation system.
RemediationShellCanAcquireSedimentMutex True if the remediation was able to acquire the sediment
mutex. False if it is already running.
RemediationShellExecuteShellResult Indicates if the remediation system completed without errors.
RemediationShellFoundDriverDll Result whether the remediation system found its component files to run
properly.
RemediationShellLoadedShellDriver Result whether the remediation system loaded its component files to
run properly.
RemediationShellLoadedShellFunction Result whether the remediation system loaded the functions from
its component files to run properly.
Sediment events
Id A number identifying the URL
Ser viceVersionMajor Version info for the component
Ser viceVersionMinor Version info for the component
StateData State-specific data, such as which attempt number for the download
StateNumber A number identifying which state the URL is in (found, downloading, extracted, etc.)
Time System timestamp the event was fired
Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
This event returns data relating to the error state after one of the applicability checks for the installer component
of the Operating System Remediation System Service (OSRSS) has failed.
CheckName The name of the applicability check that failed.
InstallerVersion The version information for the installer component.
Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information
provided helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer
Component. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an
Microsoft.Windows.SedimentLauncher.Error
Error occurred during execution of the plugin.
HResult The result for the Detection or Perform Action phases of the plug-in.
Message A message containing information about the error that occurred (if any).
Microsoft.Windows.SedimentLauncher.FallbackError
This event indicates that an error occurred during execution of the plug-in fallback.
s0 Error occurred during execution of the plugin fallback. See Microsoft.Windows.SedimentLauncher.wilResult.
wilResult Result from executing wil based function. See wilResult.
Microsoft.Windows.SedimentLauncher.Information
This event provides general information returned from the plug-in.
HResult This is the HRESULT for detection or perform action phases of the plugin.
Message Information message returned from a plugin containing only information internal to the plugins
execution.
Microsoft.Windows.SedimentLauncher.wilResult
This event provides the result from the Windows internal library.
callContext List of telemetry activities containing this error.
currentContextId Identifier for the newest telemetry activity containing this error.
currentContextMessage Custom message associated with the newest telemetry activity containing this error
(if any).
currentContextName Name of the newest telemetry activity containing this error.
failureCount Number of failures seen within the binary where the error occurred.
failureId Identifier assigned to this failure.
failureType Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
fileName Source code file name where the error occurred.
function Name of the function where the error occurred.
hresult Failure error code.
lineNumber Line number within the source code file where the error occurred.
message Custom message associated with the failure (if any).
module Name of the binary where the error occurred.
originatingContextId Identifier for the oldest telemetry activity containing this error.
originatingContextMessage Custom message associated with the oldest telemetry activity containing this
error (if any).
originatingContextName Name of the oldest telemetry activity containing this error.
threadId Identifier of the thread the error occurred on.
Microsoft.Windows.SedimentService.Error
This event indicates whether an error condition occurred in the plug-in.
Message Custom message associated with the failure (if any).
Microsoft.Windows.SedimentService.FallbackError
This event indicates whether an error occurred for a fallback in the plug-in.
s0 Event returned when an error occurs for a fallback in the plugin. See
Microsoft.Windows.SedimentService.wilResult.
wilResult Result for wil based function. See wilResult.
Microsoft.Windows.SedimentService.Information
Microsoft.Windows.SedimentService.wilResult
(if any).
error (if any).
Setup events
date.
system time
Windows up to date.
Windows up to date.
Shared PC events
Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk
space to improve Windows Update success rates.
deleteState Whether the attempted deletion of the user account was successful.
maintenance hours
policies.
wilActivity
wilResult
SIH events
This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
ActionReasons If an action has been assessed as inapplicable, the additional logic prevented it.
HandlerReasons If an action has been assessed as inapplicable, the installer technology-specific logic
prevented it.
StandardReasons If an action has been assessed as inapplicable, the standard logic the prevented it.
RebootRequired Indicates if a reboot was required to complete the action.
SIHEngineTelemetry.ServiceStateChange
This event reports the status of attempts to stop or start a service as part of executing an action.
Ser vice The service that is being stopped/started.
StateChange The service operation (stop/start) is being attempted.
SIHEngineTelemetry.SLSActionData
This event reports if the SIH client was able to successfully parse the manifest describing the actions to be
evaluated.
FailedParseActions The list of actions that were not successfully parsed.
ParsedActions The list of actions that were successfully parsed.

Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
completion.
client.
or Unknown
0x1000, UX = 0x10000).
device.
Audit, 3-Enforce
IPv6
scan checked
scan
synced down.
was synced down.
the device.
found.
client
EventScenario State of call
EventType Possible values are "Child", "Bundle", or "Driver".
Ser verId Identifier for the service to which the software distribution client is connecting, such as Windows
Update and Microsoft Store.
WUDeviceID UniqueDeviceID
Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.:
started/failed/succeeded)
being downloaded.
BundleRepeatFailFlag Indicates whether this particular update bundle had previously failed to download.
bundle).
applicable.
Optimizer events.
that flight.
FlightId The specific id of the flight (pre-release build) the device is getting.
of the device.
cap, etc.)
downloaded.
client
BundleID Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all
zeros
client
Connected Standby)
Ser viceID Identifier for the service to which the software distribution client is connecting (Windows Update,
found.
client.
HandlerType Indicates what kind of content is being installed. Example: app, driver, Windows update
the device.
IsWUfBDualScanEnabled Is Windows Update for Business dual scan enabled on the device?
introduced.
was not provided.
underway.
Optional.
client.
audit; 3 = enforce
by revision ID).
StatusCode The status code of the event.
is malformed.

IsSccmManaged This device is SCCM managed.
version.
calendarRun Indicates the calendar run task invoked the update assistant wrapper.
UALaunchRunCount Total number of times Update Assistant launched.
calendarRun Indicates the update assistant wrapper was started by the calendar run task.
Update events
Update360Telemetry.UpdateAgent_DownloadRequest
This event sends data during the download request phase of updating Windows.
PackageCountOptional # of optional packages requested.
PackageCountRequired # of required packages requested.
PackageCountTotal Total # of packages needed.
SessionId Unique value for each attempt (same value for initialize, download, install commit phases)
Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical”
during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
PackageCount The number of packages that fell back to “canonical”.
PackageList PackageIDs which fell back to “canonical”.
Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
ErrorCode The error code returned for the current initialize phase.
Result Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
DesktopDriverUpdate
SessionData Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
SessionId Unique value for each Update Agent mode attempt .
Update360Telemetry.UpdateAgent_Install
This event sends data during the install phase of updating Windows.
RelatedCV Correlation vector value generated from the latest scan.
Result Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
DesktopDriverUpdate
SessionId Unique value for each Update Agent mode attempt.
Update360Telemetry.UpdateAgent_Merge
This event sends data on the merge phase when updating Windows.
Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
Mode Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4
= Commit
RelatedCV The correlation vector value generated from the latest scan.
DesktopDriverUpdate
Update360Telemetry.UpdateAgent_SetupBoxLaunch
This event sends data during the launching of the setup box when updating Windows.
Quiet Indicates whether setup is running in quiet mode. 0 = false 1 = true
SandboxSize The size of the sandbox folder on the device.
DesktopDriverUpdate
SetupMode Setup mode 1 = predownload, 2 = install, 3 = finalize
scenarios).
Result Indicates the Hresult

Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
CampaignConfigVersion Configuration version of the current campaign.
CampaignID ID of the currently running campaign.
ConfigCatalogVersion Current catalog version of the update notification.
ContentVersion Content version of the current update notification campaign.
DetectorVersion Most recently run detector version for the current campaign.
GlobalEventCounter Client side counter that indicates the ordering of events sent by this user.
PackageVersion Current package version of the update notification.
schema UI interaction type.
Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
This event indicates that the Campaign Manager is cleaning up the campaign content.
CampaignID The current campaign that is running on Update Notification Pipeline (UNP).
ConfigCatalogVersion The current catalog version of the Update Notification Pipeline (UNP).
Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
This event is sent when a campaign completion status query fails.
CampaignID Current campaign that is running on Update Notification Pipeline (UNP).
Upgrade events
version of Windows.
Setup360Extended d
failure happened
Windows up-to-date.
errors.

Microsoft.Windows.WaaSAssessment.Error
This event returns the name of the missing setting needed to determine the Operating System build age.
m The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String.
Microsoft.Windows.WaaSMedic.RemediationFailed
This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a
problem that is blocking Windows Update from operating correctly on a target device.
diagnostic Parameter where the resolution failed.
hResult Error code that resulted from attempting the resolution.
isRemediated Indicates whether the condition was remediated.
pluginName Name of the attempted resolution.
Microsoft.Windows.WaaSMedic.Summary
This event provides the results of the WaaSMedic diagnostic run
detectionSummar y Result of each detection that ran
featureAssessmentImpact Windows as a Service (WaaS) Assessment impact on feature updates
insufficientSessions True, if the device has enough activity to be eligible for update diagnostics. False, if
otherwise
isManaged Indicates the device is managed for updates
isWUConnected Indicates the device is connected to Windows Update
noMoreActions All available WaaSMedic diagnostics have run. There are no pending diagnostics and
corresponding actions
qualityAssessmentImpact Windows as a Service (WaaS) Assessment impact for quality updates
is to turn the it back on
usingBackupFeatureAssessment The WaaSMedic engine contacts Windows as a Service (WaaS)
Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls
back to backup feature assessments, which are determined programmatically on the client
usingBackupQualityAssessment The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment
to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to
backup quality assessments, which are determined programmatically on the client
versionString Installed version of the WaaSMedic engine
This event provides the results from the WaaSMedic engine
featureAssessmentImpact Windows as a Service (WaaS) Assessment impact on feature updates
hrEngineResult Indicates the WaaSMedic engine operation error codes
insufficientSessions True, if the device has enough activity to be eligible for update diagnostics. False, if
otherwise
isManaged Indicates the device is managed for updates
isWUConnected Indicates the device is connected to Windows Update
noMoreActions All available WaaSMedic diagnostics have run. There are no pending diagnostics and
corresponding actions
qualityAssessmentImpact Windows as a Service (WaaS) Assessment impact for quality updates
usingBackupFeatureAssessment The WaaSMedic engine contacts Windows as a Service (WaaS)
Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls
back to backup feature assessments, which are determined programmatically on the client
usingBackupQualityAssessment The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment
to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to
backup quality assessments, which are determined programmatically on the client
versionString Installed version of the WaaSMedic engine

Watson).

Microsoft.Windows.Store.Partner.ReportApplication
Report application event for Microsoft Store client.
Windows up to date.
This event is sent at the end of the installs or updates. Store Agent events are needed to help keep Windows Apps
up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices
and without this data from every device we will not be able to track failures and fix future vulnerabilities related to
these Windows Apps.
to-date and secure.
set.
secure.
This event is sent after restoring user data (if any) that needs to be restored following a product install. Store Agent
events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install
or update failures can be unique across devices and without this data from every device we will not be able to
track failures and fix future vulnerabilities related to these Windows Apps.
FulfillmentComplete event is fired at the end of an app install or update. We use this to track the very end of the
install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to
date and secure such as the mail and calendar apps. App update failure can be unique across devices and without
this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related
to these built in Windows Apps.
FailedRetr y Tells us if the retry for an install or update was successful or not.
HResult Resulting HResult error/success code of this call
PFN Package Family Name of the app that being installed or updated
ProductId Product Id of the app that is being updated or installed
FulfillmentInitiate event is fired at the start of an app install or update. We use this to track the very beginning of
the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to
date and secure such as the mail and calendar apps. App update failure can be unique across devices and without
this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related
to these built in Windows Apps.
This event is sent when a product install or update is initiated. Store Agent events are needed to help keep
Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique
across devices and without this data from every device we will not be able to track failures and fix future
vulnerabilities related to these Windows Apps.
This event is sent when a product install or update is paused either by a user or the system. Store Agent events are
needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update
failures can be unique across devices and without this data from every device we will not be able to track failures
and fix future vulnerabilities related to these Windows Apps.
This event is sent when a product install or update is resumed either by a user or the system. Store Agent events
are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or
update failures can be unique across devices and without this data from every device we will not be able to track
failures and fix future vulnerabilities related to these Windows Apps.
This event is sent when a product install or update is resumed by a user and on install retries. Store Agent events
are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or
update failures can be unique across devices and without this data from every device we will not be able to track
failures and fix future vulnerabilities related to these Windows Apps.
This event is sent when searching for update packages to install. Store Agent events are needed to help keep
Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique
across devices and without this data from every device we will not be able to track failures and fix future
vulnerabilities related to these Windows Apps.

clientTelId A random number used for device sampling.
group.
group.
callerName The name of the API caller.
cdnUrl The URL of the source CDN.
clientTelId Random number used for device selection
optimization.
peering.
optimization.
was encountered.

Platform) update scenario, which is used to install a device manifest describing a set of driver packages
Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
deleted.
packageSizeExpress Size of express packages in bytes
BlockCancelled.
DesktopDriverUpdate
updateId Unique ID for each Update.
This event sends data for the start of each mode during the process of updating device manifest assets via the
UUP (Unified Update Platform) update scenario. The update scenario is used to install a device manifest describing
a set of driver packages.
DesktopDriverUpdate
automatically).
Microsoft.Windows.Update.Orchestrator.AttemptImmediateReboot
This event sends data when the Windows Update Orchestrator is set to reboot immediately after installing the
update.
battery).
failed.
updateId Update ID.
updateId Update ID.
Microsoft.Windows.Update.Orchestrator.GameActive
This event indicates that an enabled GameMode process prevented the device from restarting to complete an
update.
gameModeReason Name of the enabled GameMode process that prevented the device from restarting to
complete an update.
up to date.
action.
updateId Update ID.
updateId Update ID.
keep secure.
uptime.
Windows up to date.
Windows up to date.
code.
updateId Update ID.
to date.
updateId Update ID.
up to date.
action.
updateId Update ID.
errorCode result showing success or failure of current update
LastApplicableUpdateFoundTime The time when the last applicable update was found.
LastDownloadDeferredReason The last reason download was deferred.
LastDownloadDeferredTime The time of the download deferral.
LastDownloadFailureError The last download failure.
LastDownloadFailureTime The time of the last download failure.
LastInstallCompletedTime The time when the last successful install completed.
LastInstallDeferredReason The reason the last install was deferred.
LastInstallDeferredTime The time when the last install was deferred.
LastInstallFailureError The error code associated with the last install failure.
LastInstallFailureTime The time when the last install failed to complete.
LastRebootDeferredReason The reason the last reboot was deferred.
LastRebootDeferredTime The time when the last reboot was deferred.
LastRebootPendingTime The time when the last reboot state was set to “Pending”.
LastScanDeferredReason The reason the last scan was deferred.
LastScanDeferredTime The time when the last scan was deferred.
LastScanFailureError The error code for the last scan failure.
LastScanFailureTime The time when the last scan failed.
LastUpdateCheckTime The time of the last update check.
LastUpdateDownloadTime The time when the last update was downloaded.
LastUpgradeInstallFailureError The error code for the last upgrade install failure.
LastUpgradeInstallFailureTime The time of the last upgrade install failure.
LowUpTimeDetectTime The last time “low up-time” was detected.
NoLowUpTimeDetectTime The last time no “low up-time” was detected.
revisionNumber Unique revision number of the Update
updateId Unique ID for Update
updateState Progress within an update state
UpgradeInProgressTime The amount of time a feature update has been in progress.
WaaSFeatureAssessmentDays The number of days Feature Update Assessment has been out of date.
WaaSFeatureAssessmentImpact The impact of the Feature Update Assessment.
WaaSUpToDateAssessmentDays The number of days Quality Update Assessment has been out of date.
WaaSUpToDateAssessmentImpact The impact of Quality Update Assessment.
began pending.
Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore
This event is sent when the reboot can be deferred based on some reasons, before reboot attempts
Reason The reason sent which will cause the reboot to defer.
forcedReboot True, if a reboot is forced on the device. Otherwise, this is False
Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
This event is fired the first time when the reboot is required.
This event is sent when MUSE broker schedules a task
TaskArgument The arguments which the task is scheduled with
TaskName Name of the task
Windows up to date.


Winlogon events
XBOX events
Applies to
configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount
of memory or that are running a particular driver version. This helps Microsoft fix operating system or app
problems.
Appraiser events
DatasourceApplicationFile_RS3 The total DecisionApplicationFile objects targeting the next release of
DatasourceDevicePnp_RS3 The total DatasourceDevicePnp objects targeting the next release of Windows
on this device.
DatasourceDriverPackage_RS3 The total DatasourceDriverPackage objects targeting the next release of
DataSourceMatchingInfoBlock_RS3 The total DataSourceMatchingInfoBlock objects targeting the next
release of Windows on this device.
DataSourceMatchingInfoPassive_RS3 The total DataSourceMatchingInfoPassive objects targeting the next
targeting the next release of Windows on this device.
DatasourceSystemBios_RS3 The total DatasourceSystemBios objects targeting the next release of Windows
on this device.
DecisionApplicationFile_RS3 The total DecisionApplicationFile objects targeting the next release of
DecisionDevicePnp_RS2 The count of DataSourceMatchingInfoBlock objects present on this machine
targeting the next release of Windows
DecisionDevicePnp_RS3 The total DecisionDevicePnp objects targeting the next release of Windows on this
device.
DecisionDriverPackage_RS3 The total DecisionDriverPackage objects targeting the next release of Windows
on this device.
DecisionMatchingInfoBlock_RS3 The total DecisionMatchingInfoBlock objects targeting the next release of
DecisionMatchingInfoPassive_RS3 The total DataSourceMatchingInfoPassive objects targeting the next
DecisionMatchingInfoPostUpgrade_RS3 The total DecisionMatchingInfoPostUpgrade objects targeting the
next release of Windows on this device.
DecisionMediaCenter_RS3 The total DecisionMediaCenter objects targeting the next release of Windows on
this device.
this device.
Inventor yLanguagePack The count of DecisionApplicationFile objects present on this machine targeting the
next release of Windows
Inventor ySystemBios The count of DecisionDevicePnp objects present on this machine targeting the next
release of Windows
PCFP The count of DecisionDriverPackage objects present on this machine targeting the next release of
Windows
SystemProcessorCompareExchange The count of DecisionMatchingInfoBlock objects present on this
machine targeting the next release of Windows
SystemWindowsActivationStatus The count of DecisionSystemBios objects present on this machine
targeting the next release of Windows
SdbEntries An array of fields indicating the SDB entries that apply to this device.
WuDriverUpdateID The Update ID of the applicable uplevel driver from Windows Update.
Update.
WuPopulatedFromID The expected uplevel driver matching ID based on driver coverage from Windows
Update.
SdbEntries An array of fields indicating the SDB entries that apply to this BIOS.
upgrade mode?
NeedsDismissAction Will the file cause an action that can be dimissed?
app.
upgrade.
block upgrade.
the OS?
PNP device?
overridden?
blocks?
blocks?
app?
Center?
supported edition?
Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is
installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
date.
octets.
file metadata.
date.
Windows up to date.
bytes).
This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to
Windows up to date.
to date.
Windows up to date.
up to date.
a WIM.
date.
date.
do a full scan.
ripped CDs.
Census events
Census.App
Census.Battery
InternalBatter yCapacityCurrent Represents the battery's current fully charged capacity in mWh (or
relative). Compare this value to DesignedCapacity to estimate the battery's wear.
Census.Camera
Census.Enterprise
systems with systems in an Enterprise Microsoft Endpoint Configuration Manager environment.
computers.
SystemCenterID The Microsoft Endpoint Configuration Manager ID is an anonymized one-way hash of the
Active Directory Organization identifier.
Census.Firmware
Census.Flighting
on this device.
Census.Hardware
Census.Memory
date.
Census.Network
Census.OS
the MS store.
OSInstallDateTime Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
refresh, reset, etc
Census.Processor
ProcessorClockSpeed Retrieves the clock speed of the processor in MHz.
ProcessorCores Retrieves the number of cores in the processor.
ProcessorIdentifier The processor identifier of a manufacturer.
ProcessorManufacturer Retrieves the name of the processor's manufacturer.
ProcessorModel Retrieves the name of the processor model.
SocketCount Number of physical CPU sockets of the machine.
Census.Security
Provides information on several important data points about security settings.
Census.Speech
RemotelyManaged Indicates if the device is being controlled by a remote admininistrator (MDM or Group
the device.
Census.Storage
date.
Primar yDiskType Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus
to which the device is connected. This should be used to interpret the raw device properties at the end of this
structure (if any).
Census.Userdefault
Census.UserDisplay
internal display.
InternalPrimar yDisplayType Represents the type of technology used in the monitor, such as Plasma, LED,
LCOS, etc.
Census.UserNLS
Census.VM
Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field
should not be relied upon for non-Hv#1 Hypervisors.
Census.WU
date.
(WSUS).
network.
(by default).
Census.Xbox
date.

app.
event.
across an app.
deviceClass Represents the classification of the device, the device “family”. For example, Desktop, Server, or
Mobile.
localId Represents a locally defined unique ID for the device, not the human readable device name. Most likely
appId Represents a unique identifier of the client application currently loaded in the process producing the
event; and is used to group events together and understand usage pattern, errors by application.
appVer Represents the version number of the application. Used to understand errors by version and usage by
version across an app.
epoch ID used to help distinguish events in the sequence by indicating the current boot session.
Extensions.os.
Extensions.utc.
the event latency.
os The operating system name.
seqNum Used to track the absolute order of uploaded events.
tags A header for semi-managed extensions.
account ID.
sqmId The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection)
device identifier.
tickets An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along
with a batch of events.
did XBOX device ID
exp Expiration time
nbf Not before time
accounts.
Common data fields


Windows Update.
accessible file.
applicable.
uninstalled.
Content Delivery Manager events

Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent
This event sends tracking data about the reliability of interactions with Windows spotlight content, to help keep
Windows up to date.
creativeId A serialized string containing the ID of the offer being rendered, the ID of the current rotation
period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch,
the rotation period length, and the expiration timestamp.
eventToken In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds
to.
eventType A code that indicates the type of creative event, such a impression, click, positive feedback, negative
feedback, etc..
placementId Name of surface, such as LockScreen or Start.
Microsoft.Windows.ContentDeliveryManager.ReportPlacementHealth
This event sends aggregated client health data, summarizing information about the state of offers on a device, to
dataVersion Schema version of the event that is used to determine what serialized content is available for
placementReportedInfo and trackingInfo fields.
healthResult A code that identifies user account health status as Unknown, Healthy, Unhealthy.
healthStateFlags A code that represents a set of flags used to group devices in a health/unhealthy way. For
example, Unhealthy, Healthy, RefreshNotScheduled, EmptyResponse, RenderedDefault, RenderFailure,
RenderDelayed, and CacheEmpty.
placementHealthId A code that represents which surface's health is being reported. For example, Default,
LockScreen, LockScreenOverlay, StartMenu, SoftLanding, DefaultStartLayout1, DefaultStartLayout2,
OemPreInstalledApps, FeatureManagement, SilentInstalledApps, NotificationChannel,
SuggestedPenAppsSubscribedContent, TestAppSubscribedContent,
OneDriveSyncNamespaceSubscribedContent, OneDriveLocalNamespaceSubscribedContent,
OneDriveSyncNamespaceInternalSubscribedContent, and
OneDriveLocalNamespaceInternalSubscribedContent.
placementRepor tedInfo Serialized information that contains domain-specific health information written by
each surface, such as lastUpportunityTime, lastOpportunityReportedTime, expectedExpirationTime, and
rotationPeriod.
trackingInfo Serialized information that contains domain-specific health information written by the content
delivery manager, such as lastRefreshTime, nextRefreshTime,
nextUpdateTime,renderPriorToLastOpportunityTime, lastRenderTime, lastImpressionTime,
lastRulesRegistrationTime, registrationTime, lastRefreshBatchCount, lastEligibleCreativeCount,
availableAppSlotCount, placeholderAppSlotCount, lastRenderSuccess, lastRenderDefault, isEnabled.
Microsoft.Windows.ContentDeliveryManager.ReportPlacementState
This event sends data about the opt-out state of a device or user that uses Windows spotlight, to help keep
Windows up to date.
isEnabled Indicates if the surface is enable to receive offers.
lastImpressionTime The time when the last offer was seen.
lastRenderedCreativeId ID of the last offer rendered by the surface.
lastRenderedTime The time that the last offer was rendered.
nextRotationTime The time in which the next offer will be rendered.
placementName Name of surface, such as LockScreen or Start.
placementStateRepor tFlags Flags that represent if the surface is capable of receiving offers, such as off by
edition, off by Group Policy, off by user choice.
selectedPlacementId ID of the surface/ring/markey combination, such as Lock-Internal-en-US.

CanAddMsaToMsTelemetr y True if UTC is allowed to add MSA user identity onto telemetry from the OS
provider groups.
CanCollectAnyTelemetr y True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is
responsible for providing its own opt-in mechanism.
CanCollectCoreTelemetr y True if UTC is allowed to collect data which is tagged with both
MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
CanCollectHear tbeats True if UTC is allowed to collect heartbeats.
CanCollectOsTelemetr y True if UTC is allowed to collect telemetry from the OS provider groups (often called
Microsoft Telemetry).
CanPerformDiagnosticEscalations True if UTC is allowed to perform all scenario escalations.
CanPerformScripting True if UTC is allowed to perform scripting.
CanPerformTraceEscalations True if UTC is allowed to perform scenario escalations with tracing actions.
CanRepor tScenarios True if UTC is allowed to load and report scenario completion, failure, and cancellation
events.
PreviousPermissions Bitmask representing the previously configured permissions since the telemetry opt-in
level was last changed.
TransitionFromEver ythingOff True if this transition is moving from not allowing core telemetry to allowing
core telemetry.
CanAddMsaToMsTelemetr y True if UTC is allowed to add MSA user identity onto telemetry from the OS
provider groups.
CanCollectAnyTelemetr y True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is
responsible for providing its own opt-in mechanism.
CanCollectCoreTelemetr y True if UTC is allowed to collect data which is tagged with both
MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
CanCollectHear tbeats True if UTC is allowed to collect heartbeats.
CanCollectOsTelemetr y True if UTC is allowed to collect telemetry from the OS provider groups (often called
Microsoft Telemetry).
CanPerformDiagnosticEscalations True if UTC is allowed to perform all scenario escalations.
CanPerformScripting True if UTC is allowed to perform scripting.
CanPerformTraceEscalations True if UTC is allowed to perform scenario escalations with tracing actions.
PreviousPermissions Bitmask representing the previously configured permissions since the telemetry client
was last started.
TransitionFromEver ythingOff True if this transition is moving from not allowing core telemetry to allowing
core telemetry.
LastConntectivityLossTime Retrieves the last time the device lost free network.
AgentConnectionErrorsCount The number of non-timeout errors associated with the host/agent channel.
CensusStar tTime The time of the last Census run.
CensusTaskEnabled Indicates whether Census is enabled.
ConsumerDroppedCount The number of events dropped by the consumer layer of the telemetry client.
CriticalDataDbDroppedCount The number of critical data sampled events that were dropped at the
database layer.
of throttling.
CriticalOverflowEntersCounter The number of times a critical overflow mode was entered into the event
database.
DbCriticalDroppedCount The total number of dropped critical events in the event database.
DbDroppedCount The number of events that were dropped because the database was full.
DecodingDroppedCount The number of events dropped because of decoding failures.
EnteringCriticalOverflowDroppedCounter The number of events that was dropped because a critical
overflow mode was initiated.
EtwDroppedBufferCount The number of buffers dropped in the CUET ETW session.
EtwDroppedCount The number of events dropped by the ETW layer of the telemetry client.
EventSubStoreResetCounter The number of times the event database was reset.
EventSubStoreResetSizeSum The total size of the event database across all resets reports in this instance.
EventsUploaded The number of events that have been uploaded.
Flags Flags that indicate device state, such as network, battery, and opt-in state.
FullTriggerBufferDroppedCount The number of events that were dropped because the trigger buffer was
full.
Hear tBeatSequenceNumber A monotonically increasing heartbeat counter.
InvalidHttpCodeCount The number of invalid HTTP codes received from Vortex.
LastAgentConnectionError The last non-timeout error that happened in the host/agent channel.
LastEventSizeOffender The name of the last event that exceeded the maximum event size.
LastInvalidHttpCode The last invalid HTTP code received from Vortex.
MaxInUseScenarioCounter The soft maximum number of scenarios loaded by the Connected User
Experience and Telemetry component.
PreviousHear tBeatTime The time of last heartbeat event. This allows chaining of events.
SettingsHttpAttempts The number of attempts to contact the OneSettings service.
ThrottledDroppedCount The number of events dropped due to throttling of noisy providers.
UploaderDroppedCount The number of events dropped by the uploader layer of the telemetry client.
Vor texHttpAttempts The number of attempts to contact the Vortex service.
Vor texHttpFailures4xx The number of 400-499 error codes received from Vortex.
Vor texHttpFailures5xx The number of 500-599 error codes received from Vortex.
TelClientSynthetic.HeartBeat_Seville_5
This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense.
TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate
This event is triggered when UTC determines it needs to send information about personalization settings of the
user.


telemetry backend.


telemetry backend.
application.
waiting.
Inventory events
ChecksumDictionary
The list of values sent by each object type.
Key The object type being described.
Value The number of objects of this type that were sent.
COMPID
This event provides a device's internal application compatible ID, a vendor-defined identification that Windows
uses to match a device to an INF file. A device can have a list of compatible IDs associated with it.
Order The index of the array of compatible IDs for the device.
Value The array of compatible IDs for the device.
HWID
This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a
device to an INF file. In most cases, a device has associated with it a list of hardware IDs.
Order The index of the array of internal hardware IDs for the device.
Value The array of internal hardware IDs for the device.
InstallDateArpLastModified
This event indicates the date the add/remove program (ARP) entry was last modified by an update.
Order The index of the ordered array.
Value The value contained in the ordered array.
InstallDateFromLinkFile
This event provides the application installation date from the linked file.
InstallDateMsi
The install date from the Microsoft installer (MSI) database.
This event captures basic checksum data about the device inventory items stored in the cache for use in validating
data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time,
but they will always represent a count of a given object.
aeinv.dll The version of the App inventory component.
devinv.dll The file version of the Device inventory component.
Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
This event enumerates the signatures of files, either driver packages or application executables. For driver
packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages,
saving time for the client and space on the server. For applications, this data is collected for up to 10 random
executables on a system.
CatalogSigners Signers from catalog. Each signer starts with Chain.
DriverPackageStrongName Optional. Available only if FileSigningInfo is collected on a driver package.
EmbeddedSigners Embedded signers. Each signer starts with Chain.
FileName The file name of the file whose signatures are listed.
FileType Either exe or sys, depending on if a driver package or application executable.
Thumbprint Comma separated hash of the leaf node of each signer. Semicolon is used to separate
CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 See InstallDateArpLastModified.
InstallDateFromLinkFile The estimated date of install based on the links to the files. Passed as an array. See
InstallDateFromLinkFile.
See InstallDateMsi.
MsiPackage.
This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
COMPID The list of “Compatible IDs” for this device. See COMPID.
DriverVerDate The date of the driver loaded for the device
DriverVerVersion The version of the driver loaded for the device
HWID A list of hardware IDs for the device. See HWID.
STACKID The list of hardware IDs for the stack. See STACKID.
0x800000.
Invalid variant - Provides data on the installed Office Add-ins
ChecksumDictionar y A count of each operating system indicator. See ChecksumDictionary.
Value Describes an operating system indicator that may be relevant for the device upgrade.
Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent.
removed.
STACKID
This event provides the internal compatible ID for the stack.
Kernel events
IO
system startup.
This event includes basic data about the Operating System, collected during Boot and used to evaluate the success
of the upgrade process.
operating system.
if needed.
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event
with Windows Analytics, organizations can use this to help monitor reliability and performance of managed
devices.
AcPowerOnline If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions This will give the actual transitions number
Batter yCapacity Maximum battery capacity in mWh
Batter yCharge Current battery charge as a percentage of total capacity
Batter yDischarging Flag indicating whether the battery is discharging or charging
BootId Monotonically increasing boot id, reset on upgrades.
BootTimeUTC Boot time in UTC file time.
EventSequence Monotonically increasing event number for OsStateChange events logged during this boot.
LastStateTransition The previous state transition on the device.
LastStateTransitionSub The previous state subtransition on the device.
StateDurationMS Milliseconds spent in the state being departed
StateTransition Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat.
StateTransitionSub Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby,
Reserved, HybridSleep.
TotalDurationMS Total time device has been up in milliseconds in wall clock time.
TotalUptimeMS Total time device has been on (not in a suspended state) in milliseconds.
TransitionsToOn TransitionsToOn increments each time the system successfully completes a system sleep
event, and is sent as part of the PowerTransitionEnd ETW event.
UptimeDeltaMS Duration in last state in milliseconds.
Migration events
OneDrive events
HResult Indicates the result code of the event
Microsoft.OneDrive.Sync.Updater.OfficeRegistration
This event indicates the status of the OneDrive integration with Microsoft Office.
isValid Is the Microsoft Office registration valid?
Microsoft.OneDrive.Sync.Updater.RepairResult
The event determines the result of the installation repair.
Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
This event indicates the status when downloading the OneDrive setup file.
Microsoft.OneDrive.Sync.Updater.UpdateTierReg
This event determines status of the update tier registry values.
regReadEnterpriseHr The HResult of the enterprise reg read value.
regReadTeamHr The HResult of the team reg read value.

This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and
to take corrective action to address the issue.
Remediation events
deny
AppraiserTaskValidFailed Indicates the Appraiser task did not function and requires intervention.
failed.
enabled.
exists.
Hammer task ran.
enabled.
task.
task.
task.
enabled.
is enabled.
successfully.
Megabytes.
in Megabytes.
Megabytes.
RemediationDoorstopExists TRUE if there is a OneSettings Doorstop value.
deleted.
in Megabytes.
simultaneous scans.
set.
usoScanPastThreshold TRUE if the most recent Update Session Orchestrator (USO) scan is past the
threshold (late).
Megabytes.
Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
This event indicates that an unexpected error occurred during an update and provides information to help address
the issue.
CV The Correlation vector.
ErrorMessage A description of any errors encountered while the plug-in was running.
Hresult The result of the event execution.
SessionGuid GUID associated with a given execution of sediment pack.
Microsoft.Windows.Remediation.Error
This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to
help address the issue.
Message A message containing information about the error that occurred.
Microsoft.Windows.Remediation.FallbackError
This event indicates an error when Self Update results in a Fallback and provides information to help address the
issue.
s0 Indicates the Fallback error level. See Microsoft.Windows.Remediation.wilResult.
wilResult The result of the Windows Installer Logging. See wilResult.
Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
This event occurs when the Notify User task executes and provides information about the cause of the notification.
CV The Correlation vector.
RemediationNotifyUserFixIssuesCallResult The result of calling the USO (Update Session Orchestrator)
sequence steps.
RemediationNotifyUserFixIssuesUsoDownloadCalledHr The error code from the USO (Update Session
Orchestrator) download call.
RemediationNotifyUserFixIssuesUsoInitializedHr The error code from the USO (Update Session
Orchestrator) initialize call.
RemediationNotifyUserFixIssuesUsoProxyBlanketHr The error code from the USO (Update Session
Orchestrator) proxy blanket call.
RemediationNotifyUserFixIssuesUsoSetSessionHr The error code from the USO (Update Session
Orchestrator) session call.
Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
This event provides the modification of the date on which an Automatic App Update scheduled task failed and
provides information about the failure.
Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
This event identifies the remediation plug-in that returned an unexpected exception and provides information
about the exception.
RemediationShellUnexpectedExceptionId The ID of the remediation plug-in that caused the exception.
Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
This event tracks the health of key update (Remediation) services and whether they are enabled.
ser viceName The name associated with the operation.
Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
This event returns information about the upgrade upon success to help ensure Windows is up to date.
AppraiserPlugin TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
ClearAUOptionsPlugin TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys
were successfully deleted.
DatetimeSyncPlugin TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
DiskCleanupPlugin TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
NoisyHammerPlugin TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
RebootRequiredPlugin TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
RemediationNotifyUserFixIssuesPlugin TRUE / FALSE depending on whether the User Fix Issues plug-in
ran successfully
RemediationPostUpgradeDiskSpace The amount of disk space available after the upgrade.
RemediationPostUpgradeHibernationSize The size of the Hibernation file after the upgrade.
Ser viceHealthPlugin A list of services updated by the plug-in.
SIHHealthPlugin TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
StackDataResetPlugin TRUE / FALSE depending on whether the update stack completed successfully.
TaskHealthPlugin A list of tasks updated by the plug-in.
UpdateApplicabilityFixerPlugin TRUE / FALSE depending on whether the update applicability fixer plug-in
completed successfully.
WindowsUpdateEndpointPlugin TRUE / FALSE depending on whether the Windows Update Endpoint was
successful.
deny
Microsoft.Windows.Remediation.wilResult
This event provides Self Update information to help keep Windows up to date.
callContext A list of diagnostic activities containing this error.
currentContextId An identifier for the newest diagnostic activity containing this error.
currentContextMessage A message associated with the most recent diagnostic activity containing this error
(if any).
currentContextName Name of the most recent diagnostic activity containing this error.
failureId The identifier assigned to this failure.
failureType Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
fileName The source code file name where the error occurred.
function The name of the function where the error occurred.
hresult The failure error code.
lineNumber The Line Number within the source code file where the error occurred.
message A message associated with the failure (if any).
module The name of the binary module in which the error occurred.
originatingContextId The identifier for the oldest diagnostic activity containing this error.
originatingContextMessage A message associated with the oldest diagnostic activity containing this error (if
any).
originatingContextName The name of the oldest diagnostic activity containing this error.
threadId The identifier of the thread the error occurred on.
Sediment events
Microsoft.Windows.Sediment.Info.AppraiserData
This event provides data on the current Appraiser status of the device to help ensure Windows is up to date.
ErrorCode The value of the Return Code for the registry query.
GStatus The pre-upgrade GStatus value.
PayloadVersion The version information for the remediation component.
RegKeyName The name of the registry subkey where data was found for this event.
Time The system time at which the event began.
UpgEx The pre-upgrade UpgEx value.
Microsoft.Windows.Sediment.Info.BinaryInfo
This event provides information about the binary returned by the Operating System Remediation System Service
(OSRSS) to help ensure Windows is up to date.
Binar yPath The sanitized name of the system binary from which the data was gathered.
ErrorCode The value of the return code for querying the version from the binary.
FileVerBuild The binary’s build number.
FileVerMajor The binary’s major version number.
FileVerMinor The binary’s minor version number.
FileVerRev The binary’s revision number.
Time The system time at which the event began.
Microsoft.Windows.Sediment.Info.DownloadServiceError
This event provides information when the Download Service returns an error. The information provided helps
Architecture The platform architecture used to identify the correct download payload.
BuildNumber The starting build number used to identify the correct download payload.
Edition The Operating System Edition used to identify the correct download payload.
Error The description of the error encountered.
LanguageCode The system User Interface Language used to identify the correct download payload.
Stack Details about the error encountered.
WorkingDirector y The folder location (path) downloader was attempting to say the payload to.
Microsoft.Windows.Sediment.Info.DownloadServiceProgress
This event indicates the progress of the downloader in 1% increments.
Percentage The amount successfully downloaded, measured as a percentage of the whole.
ReleaseVer The version information for the component in which the error occurred.
Time The system time at which the error occurred.
Microsoft.Windows.Sediment.Info.ServiceInfo
This event provide information about the system service for which data is being gathered by the Operating
System Remediation System Service (OSRSS) to help ensure Windows is up to date.
ErrorCode The value returned by the error for querying the service information.
Ser viceName The name of the system service for which data was gathered.
Ser viceStatus The status of the specified service.
Microsoft.Windows.Sediment.Info.Uptime
This event provides information about how long the device has been operating. This information helps ensure
Windows is up to date.
Days The number of days the device has been on.
Hours The number of hours the device has been on.
Minutes The number of minutes the device has been on.
Seconds The number of seconds the machine has been on.
Ticks The number of system clock “ticks” the device has been on.
Id A number identifying the URL
Ser viceVersionMajor Version info for the component
Ser viceVersionMinor Version info for the component
StateData State-specific data, such as which attempt number for the download
StateNumber A number identifying which state the URL is in (found, downloading, extracted, etc.)
Time System timestamp the event was fired
Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
This event returns data relating to the error state after one of the applicability checks for the installer component
of the Operating System Remediation System Service (OSRSS) has failed.
CheckName The name of the applicability check that failed.
InstallerVersion The version information for the installer component.
Microsoft.Windows.Sediment.ServiceInstaller.Error
Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information
provided helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer
Component. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an
Microsoft.Windows.Sediment.ServiceInstaller.UninstallerCompleted
This event indicates the Operating System Remediation System Service (OSRSS) successfully uninstalled the
installed version as part of a self-update. This information helps ensure Windows is up to date.
Microsoft.Windows.Sediment.ServiceInstaller.UninstallerLaunched
This event indicates the Operating System Remediation System Service (OSRSS) successfully started the
Uninstaller as part of a self-update. This information helps ensure Windows is up to date.
Microsoft.Windows.SedimentLauncher.Error
This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure
future upgrade/update attempts are more successful.
HResult The result for the Detection or Perform Action phases of the plug-in.
Message A message containing information about the error that occurred (if any).
Microsoft.Windows.SedimentLauncher.FallbackError
This event indicates that an error occurred during execution of the plug-in fallback.
s0 Error occurred during execution of the plugin fallback. See Microsoft.Windows.SedimentLauncher.wilResult.
Microsoft.Windows.SedimentLauncher.Information
Message Information message returned from a plugin containing only information internal to the plugins
execution.
Microsoft.Windows.SedimentLauncher.wilResult
(if any).
error (if any).
Microsoft.Windows.SedimentService.Error
This event indicates whether an error condition occurred in the plug-in.
Microsoft.Windows.SedimentService.FallbackError
This event indicates whether an error occurred for a fallback in the plug-in.
s0 Event returned when an error occurs for a fallback in the plugin. See
Microsoft.Windows.SedimentService.wilResult.
Microsoft.Windows.SedimentService.Information
Microsoft.Windows.SedimentService.wilResult
(if any).
error (if any).
Setup events
date.
ActivityId Provides a unique Id to correlate events that occur between a activity start event, and a stop event
ActivityName Provides a friendly name of the package type that belongs to the ActivityId (Setup,
LanguagePack, GDR, Driver, etc.)
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information,
Disk Space Information etc.
value Value associated with the corresponding event name. For example, time-related events will include the
system time
system time
Windows up to date.
Windows up to date.
GroupName Retrieves the groupname the event belongs to. Example: Install Information, DU Information,
Disk Space Information etc.
Shared PC events
Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space
to improve Windows Update success rates.
maintenance hours
policies.
wilActivity
wilResult
SIH events
This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.

This event sends tracking data about the software distribution client check for content that is applicable to a
device, to help keep Windows up to date
completion.
client.
or Unknown
DeferralPolicySources Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight
= 0x1000, UX = 0x10000).
MetadataIntegrityMode The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe,
2-Audit, 3-Enforce
IPv6
scan checked
scan
synced down.
was synced down.
This event sends data on whether the Update Service has been called to execute an upgrade, to help keep
Windows up to date.
found.
client
EventScenario State of call
EventType Possible values are "Child", "Bundle", or "Driver".
Ser verId Identifier for the service to which the software distribution client is connecting, such as Windows
Update and Microsoft Store.
WUDeviceID UniqueDeviceID
This event sends tracking data about the software distribution client download of the content for that update, to
being downloaded.
BundleRepeatFailFlag Indicates whether this particular update bundle had previously failed to download.
BytesDownloaded How many bytes were downloaded for an individual piece of content (not the entire
bundle).
applicable.
ClientManagedByWSUSSer ver Indicates whether the client is managed by Windows Server Update
Services (WSUS).
DeviceOEM Identifies the Original Equipment Manufacturer (OEM) of the device.
Optimizer events.
Edition Identifies the edition of Windows currently running on the device.
EventNamespaceID The ID of the test events environment.
that flight.
FlightId The specific id of the flight (pre-release build) the device is getting.
of the device.
IsAOACDevice Indicates whether the device is an Always On, Always Connected (AOAC) device.
NetworkCostBitMask A flag indicating the cost of the network (congested, fixed, variable, over data limit,
roaming, etc.) used for downloading the update content.
PlatformRole The role of the OS platform (Desktop, Mobile, Workstation, etc.).
ProcessorArchitecture Processor architecture of the system (x86, AMD64, ARM).
downloaded.
WUSetting Indicates the users' current updating settings.
client
BundleID Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all
zeros
Connected Standby)
Ser viceID Identifier for the service to which the software distribution client is connecting (Windows Update,
BundleBytesDownloaded How many bytes were downloaded for the specific content bundle?
found.
BundleRepeatFailFlag Has this particular update bundle previously failed to install?
client.
CbsDownloadMethod Was the download a full download or a partial download?
ClientManagedByWSUSSer ver Is the client managed by Windows Server Update Services (WSUS)?
CurrentMobileOperator Mobile operator that device is currently connected to.
DeviceOEM What OEM does this device belong to.
DownloadPriority The priority of the download activity.
DownloadScenarioId A unique ID for a given download used to tie together WU and DO events.
Edition Indicates the edition of Windows being used.
EventNamespaceID Indicates whether the event succeeded or failed. Has the format EventType+Event where
Event is Succeeded, Cancelled, Failed, etc.
FeatureUpdatePause Are feature OS updates paused on the device?
HandlerType Indicates what kind of content is being installed. Example: app, driver, Windows update
the device.
IsAOACDevice Is it Always On, Always Connected? (Mobile device usage model)
IsDependentSet Is the driver part of a larger System Hardware/Firmware update?
IsFinalOutcomeEvent Does this event signal the end of the update/upgrade process?
IsFirmware Is this update a firmware update?
IsSuccessFailurePostReboot Did it succeed and then fail after a restart?
IsWUfBDualScanEnabled Is Windows Update for Business dual scan enabled on the device?
IsWUfBEnabled Is Windows Update for Business enabled on the device?
MergedUpdate Was the OS update and a BSP update merged for installation?
introduced.
PlatformRole The PowerPlatformRole as defined on MSDN.
ProcessorArchitecture Processor architecture of the system (x86, AMD64, ARM).
QualityUpdatePause Are quality OS updates paused on the device?
RepeatFailFlag Indicates whether this specific piece of content had previously failed to install.
RepeatSuccessInstallFlag Indicates whether this specific piece of content had previously installed successful,
for example if another user had already installed it.
underway.
TransactionCode The ID which represents a given MSI installation
UpdateId Unique update ID
Optional.
WUSetting Indicates the user's current updating settings.
SoftwareUpdateClientTelemetry.SLSDiscovery
This event sends data about the ability of Windows to discover the location of a backend server with which it must
connect to perform updates or content acquisition, in order to determine disruptions in availability of update
services and provide context for Windows Update errors.
HResult Indicates the result code of the event (success, cancellation, failure code HResult)
IsBackground Indicates whether the SLS discovery event took place in the foreground or background
NextExpirationTime Indicates when the SLS cab expires
Ser viceID An ID which represents which service the software distribution client is connecting to (Windows
Update, Microsoft Store, etc.)
SusClientId The unique device ID controlled by the software distribution client
UrlPath Path to the SLS cab that was downloaded
WUAVersion The version number of the software distribution client
client.
This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
audit; 3 = enforce
by revision ID).
SHA256OfLeafCer tPublicKey A base64 encoding of the hash of the Base64CertData in the
FragmentSigning data of the leaf certificate.
StatusCode The status code of the event.
is malformed.

IsSccmManaged This device is managed by Microsoft Endpoint Configuration Manager.
version.
UALaunchRunCount Total number of times Update Assistant launched.
Update events
Update360Telemetry.UpdateAgent_DownloadRequest
This event sends data during the download request phase of updating Windows.
DeletedCorruptFiles Indicates if UpdateAgent found any corrupt payload files and whether the payload was
deleted.
PackageSizeCanonical Size of canonical packages in bytes
PackageSizeDiff Size of diff packages in bytes
PackageSizeExpress Size of express packages in bytes
RangeRequestState Represents the state of the download range request.
Result Result of the download request phase of update.
DesktopDriverUpdate
Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical”
during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
PackageCount The number of packages that fell back to “canonical”.
PackageList PackageIDs which fell back to “canonical”.
Update360Telemetry.UpdateAgent_Initialize
This event sends data during the initialize phase of updating Windows.
ErrorCode The error code returned for the current initialize phase.
Result Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
DesktopDriverUpdate
SessionData Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
SessionId Unique value for each Update Agent mode attempt .
Update360Telemetry.UpdateAgent_Install
This event sends data during the install phase of updating Windows.
Result Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 =
BlockCancelled
DesktopDriverUpdate
Update360Telemetry.UpdateAgent_Merge
This event sends data on the merge phase when updating Windows.
Update360Telemetry.UpdateAgent_ModeStart
This event sends data for the start of each mode during the process of updating Windows.
Mode Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4
= Commit
RelatedCV The correlation vector value generated from the latest scan.
DesktopDriverUpdate
Update360Telemetry.UpdateAgent_SetupBoxLaunch
This event sends data during the launching of the setup box when updating Windows.
Quiet Indicates whether setup is running in quiet mode. 0 = false 1 = true
SandboxSize The size of the sandbox folder on the device.
DesktopDriverUpdate
SetupMode Setup mode 1 = predownload, 2 = install, 3 = finalize
scenarios).
Upgrade events
version of Windows.
failure happened
Windows up-to-date.

Watson).
WerTraceloggingProvider.AppCrashEvent
The data includes information about the crashing process and a summary of its exception record.
AppName The name of the app that crashed.
AppSessionGuid The unique ID used as a correlation vector for process instances in the telemetry backend.
AppTimeStamp The date time stamp of the app.
AppVersion The version of the app that crashed.
ExceptionCode The exception code returned by the process that crashed.
ExceptionOffset The address where the exception occurred.
Flags Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, do
ModName The module name of the process that crashed.
ModTimeStamp The date time stamp of the module.
ModVersion The module version of the process that crashed.
PackageFullName The package name if the crashing application is packaged.
PackageRelativeAppId The relative application ID if the crashing application is packaged.
ProcessArchitecture The architecture of the system.
ProcessCreateTime The time of creation of the process that crashed.
ProcessId The ID of the process that crashed.
Repor tId A unique ID used to identify the report. This can be used to track the report.
TargetAppId The target app ID.
TargetAppVer The target app version.
Windows Phone events

Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason
This event lists the reboot reason when an app is going to reboot.
BootId The system boot ID.
BoottimeSinceLastShutdown The boot time since the last shutdown.
RebootReason Reason for the reboot.

Microsoft.Windows.Store.Partner.ReportApplication
Report application event for Microsoft Store client.
Windows up to date.
IntentPFNs Intent Product Family Name
UpdateId Update ID (if this is an update)
This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows
up-to-date and secure.
set.
IsWin32 Flag indicating if this is a Win32app.
ParentBundledId The product's parent bundle ID.
UpdateId The update ID (if this is an update)
IsWin32 Flag indicating if this is a Win32 app (unused).
IsWin32 Flag indicating if this a Win32 app (unused).
secure.
IntentPFNs The licensing identity of this package.
IsWin32 Flag indicating if this a Win32 app (unused).
This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.

group.
group.
cdnUrl The URL of the source CDN.
optimization.
peering.
optimization.
was encountered.

Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its
invocation, to help keep Windows up to date.
MigrationDurationInMilliseconds How long the DMF migration took (in milliseconds)
MigrationEndTime A system timestamp of when the DMF migration completed.
RevisionNumbers A collection of revision numbers for the updates associated with the DMF session.
UpdateIds A collection of GUIDs for updates that are associated with the DMF session.
WuClientId The GUID of the Windows Update client responsible for triggering the DMF migration
Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved
in its invocation, to help keep Windows up to date.
MigrationMicrosoftPhases Revision numbers for the updates that were installed.
MigrationOEMPhases WU Update IDs for the updates that were installed.
MigrationStar tTime The timestamp representing the beginning of the DMF migration
RevisionNumbers A collection of the revision numbers associated with the UpdateIds.
UpdateIds A collection of GUIDs identifying the upgrades that are running.
WuClientId The GUID of the Windows Update client invoking DMF
Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
This event sends DMF migrator data to help keep Windows up to date.
CurrentStep This is the last step the migrator reported before returning a result. This tells us how far through
the individual migrator the device was before failure.
ErrorCode The result (as an HRESULT) of the migrator that just completed.
MigratorId A GUID identifying the migrator that just completed.
MigratorName The name of the migrator that just completed.
RunDurationInSeconds The time it took for the migrator to complete.
TotalSteps Migrators report progress in number of completed steps against the total steps. This is the total
number of steps.
into auto mode.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed.
Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed.
battery).
detectionDeferreason A log of deferral reasons for every update state.
failed.
detectionDeferreason Reason for download not completing
updateId Update ID.
up to date.
action.
updateId Update ID.
updateId Update ID.
keep secure.
uptime.
This event returns data about scans initiated through settings UI, or background scans that are urgent; to help
powermenuNewOptions The new options after the power menu changed.
powermenuOldOptions The old options before the power menu changed.
rebootPendingMinutes If the power menu changed because a reboot is pending due to a update, this
indicates how long that reboot has been pending.
wuDeviceid The device ID recorded by Windows Update if the power menu changed because a reboot is
pending due to an update.
Windows up to date.
installRebootDeferreason Reason for reboot not occurring.
code.
updateId Update ID.
to date.
updateId Update ID.
updateId Update ID.
up to date.
action.
updateId Update ID.
errorCode result showing success or failure of current update
revisionNumber Unique revision number of the Update
updateId Unique ID for Update
updateState Progress within an update state
Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
BspVersion The version of the BSP.
CallerApplicationName The name of the USS scheduled task. Example UssScheduled or UssBoot
ClientVersion The version of the client.
CommercializationOperator The name of the operator.
DetectionVersion The string returned from the GetDetectionVersion export of the downloaded detection DLL.
DeviceName The name of the device.
EventInstanceID The USS session ID.
EventScenario The scenario of the event. Example: Started, Failed, or Succeeded
OemName The name of the manufacturer.
Ser viceGuid The GUID of the service.
StatusCode The HRESULT code of the operation.
WUDeviceID The Windows Update device ID.
This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes
values for the timing of how eDTE will progress through each phase of the reboot.
began pending.
This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up
to date.
Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
This event is sent when a toast notification is shown to the user about scheduling a device restart.
UtcTime The Coordinated Universal Time when the toast notification was shown.
Windows up to date.

This event sends data specific to the FixupEditionId mitigation used for OS Updates.

Winlogon events
XBOX events
Offline, 4 - Disc).
of the license.
Windows 10 diagnostic data events and fields
collected through the limit enhanced diagnostic data
policy
Applies to
IMPORTANT
Desktop Analytics reports are powered by diagnostic data not included in the Basic level.
In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum
required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events
included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited
crash reports, which are not described below. For more information on the Enhanced level, see Configure Windows
diagnostic data in your organization.
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will
not include Office related diagnostic data.
KernelProcess.AppStateChangeSummary
This event summarizes application usage and performance characteristics to help Microsoft improve performance
and reliability. Organizations can use this event with Desktop Analytics to gain insights into application reliability.
CommitChargeAtExit_Sum: Total memory commit charge for a process when it exits
CommitChargePeakAtExit_Sum : Total peak memory commit charge for a process when it exits
ContainerId: Server Silo Container ID
CrashCount: Number of crashes for a process instance
CycleCountAtExit_Sum: Total processor cycles for a process when it exited
ExtraInfoFlags: Flags indicating internal states of the logging
GhostCount_Sum: Total number of instances where the application stopped responding
HandleCountAtExit_Sum: Total handle count for a process when it exits
HangCount_Max: Maximum number of hangs detected
HangCount_Sum: Total number of application hangs detected
HardFaultCountAtExit_Sum: Total number of hard page faults detected for a process when it exits
Hear tbeatCount: Heartbeats logged for this summary
Hear tbeatSuspendedCount: Heartbeats logged for this summary where the process was suspended
LaunchCount: Number of process instances started
LicenseType: Reserved for future use
ProcessDurationMS_Sum: Total duration of wall clock process instances
ReadCountAtExit_Sum: Total IO reads for a process when it exited
ReadSizeInKBAtExit_Sum: Total IO read size for a process when it exited
ResumeCount: Number of times a process instance has resumed
RunningDurationMS_Sum: Total uptime
SuspendCount: Number of times a process instance was suspended
TargetAppId: Application identifier
TargetAppType: Application type
TargetAppVer : Application version
TerminateCount: Number of times a process terminated
WriteCountAtExit_Sum: Total number of IO writes for a process when it exited
WriteSizeInKBAtExit_Sum: Total size of IO writes for a process when it exited
Microsoft.Office.TelemetryEngine.IsPreLaunch
Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time
post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session
is launch session or not.
appVersionBuild: Third part of the version ..XXXXX.*
appVersionMajor : First part of the version X...*
appVersionMinor : Second part of the version .X..*
appVersionRev: Fourth part of the version ..*.XXXXX
SessionID: ID of the session
Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
This event sends basic information upon the start of a new Office session. This is used to count the number of
unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running
on a device or not. In addition, it serves as a critical signal for overall application reliability.
AppSessionGuid: ID of the session which maps to the process of the application
processSessionId: ID of the session which maps to the process of the application
Microsoft.Office.TelemetryEngine.SessionHandOff
Applicable to Win32 Office applications. This event helps us understand whether there was a new session created
to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal
and ensure that the application is working as expected.
appVersionBuild: Third part Build version of the application ..XXXXX.*
childSessionID: Id of the session that was created to handle the user initiated file open
parentSessionId: ID of the session that was already running
Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry
pipeline to check correctness and completeness of data.
abConfigs: List of features enabled for this session
abFlights: List of features enabled for this session
AppSessionGuid: ID of the session
appVersionBuild: Third part Build version of the application ..XXXXX.*
appVersionRevision: Fourth part of the version ..*.XXXXX
audienceGroup: Is this part of the insiders or production
audienceId: ID of the audience setting
channel: Are you part of Semi annual channel or Semi annual channel-Targeted?
deviceClass: Is this a desktop or a mobile?
impressionId: What features were available to you in this session
languageTag: Language of the app
officeUserID: A unique identifier tied to the office installation on a particular device.
osArchitecture: Is the machine 32 bit or 64 bit?
osEnvironment: Is this a win32 app or a UWP app?
osVersionString: Version of the OS
sessionID: ID of the session
Microsoft.Office.ClickToRun.UpdateStatus
Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite
(Success or failure with error details).
build: App version
channel: Is this part of SAC or SAC-T?
errorCode: What error occurred during the upgrade process?
errorMessage: what was the error message during the upgrade process?
status: Was the upgrade successful or not?
targetBuild: What app version were we trying to upgrade to?
Microsoft.Office.TelemetryEngine.FirstIdle
This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for
understanding whether there are issues in telemetry.
officeUserID: This is an ID of the installation tied to the device. It does not map to a particular user
Microsoft.Office.TelemetryEngine.FirstProcessed
This event is fired when the telemetry engine within an office application has processed the rules or the list of
events that we need to collect. Used for understanding whether there are issues in telemetry.
Microsoft.Office.TelemetryEngine.FirstRuleRequest
This event is fired when the telemetry engine within an office application has received the first rule or list of events
that need to be sent by the app. Used for understanding whether there are issues in telemetry.
Microsoft.Office.TelemetryEngine.Init
This event is fired when the telemetry engine within an office application has been initialized or not. Used for
understanding whether there are issues in telemetry.
Microsoft.Office.TelemetryEngine.Resume
This event is fired when the application resumes from sleep state. Used for understanding whether there are issues
in the application life-cycle.
maxSequenceIdSeen: How many events from this session have seen so far?
rulesSubmittedBeforeResume: How many events were submitted before the process was resumed?
Microsoft.Office.TelemetryEngine.RuleRequestFailed
This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the
list of telemetry events. Used for understanding whether there are issues in telemetry.
Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the
list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry.
Microsoft.Office.TelemetryEngine.ShutdownComplete
events that we need to collect. Useful for understanding whether a particular crash is happening during an app-
shutdown, and could potentially lead in data loss or not.
Microsoft.Office.TelemetryEngine.ShutdownStart
This event is fired when the telemetry engine within an office application been uninitialized, and the application is
shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and
could potentially lead in data loss or not.
Microsoft.Office.TelemetryEngine.SuspendComplete
events that we need to collect. Used for understanding whether there are issues in telemetry.
SuspendType: Type of suspend
Microsoft.Office.TelemetryEngine.SuspendStart
This event is fired when the office application suspends as per app life-cycle change. Used for understanding
whether there are issues in the application life-cycle.
SuspendType: Type of suspend
Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to
improve logon reliability. Using this event with Desktop Analytics can help organizations monitor and improve
logon success for different methods (for example, biometric) on managed devices.
CredTileProviderId: ID of the Credential Provider
IsConnectedUser : Flag indicating whether a user is connected or not
IsPL APTile: Flag indicating whether this credential tile is a pre-logon access provider or not
IsRemoteSession: Flag indicating whether the session is remote or not
IsV2CredProv: Flag indicating whether the credential provider of V2 or not
OpitonalStatusText: Status text
ProcessImage: Image path to the process
ProviderId: Credential provider ID
ProviderStatusIcon: Indicates which status icon should be displayed
ReturnCode: Output of the ReportResult function
SessionId: Session identifier
Sign-in error status: The sign-in error status
SubStatus: Sign-in error sub-status
UserTag: Count of the number of times a user has selected a provider
This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event
with Desktop Analytics, organizations can use this to monitor reliability and performance of managed devices
AcPowerOnline: If "TRUE," the device is using AC power. If "FALSE," the device is using battery power.
ActualTransitions: The number of transitions between operating system states since the last system boot
Batter yCapacity: Maximum battery capacity in mWh
Batter yCharge: Current battery charge as a percentage of total capacity
Batter yDischarging: Flag indicating whether the battery is discharging or charging
BootId: Total boot count since the operating system was installed
BootTimeUTC: Date and time of a particular boot event (identified by BootId)
EnergyChangeV2: A snapshot value in mWh reflecting a change in power usage
EnergyChangeV2Flags: Flags for disambiguating EnergyChangeV2 context
EventSequence: A sequential number used to evaluate the completeness of the data
LastStateTransition: ID of the last operating system state transition
LastStateTransitionSub: ID of the last operating system sub-state transition
StateDurationMS: Number of milliseconds spent in the last operating system state
StateTransition: ID of the operating system state the system is transitioning to
StateTransitionSub: ID of the operating system sub-state the system is transitioning to
TotalDurationMS: Total time (in milliseconds) spent in all states since the last boot
TotalUptimeMS: Total time (in milliseconds) the device was in Up or Running states since the last boot
TransitionsToOn: Number of transitions to the Powered On state since the last boot
UptimeDeltaMS: Total time (in milliseconds) added to Uptime since the last event
Microsoft.Windows.LogonController.LogonAndUnlockSubmit
Sends details of the user attempting to sign into or unlock the device.
isSystemManagedAccount: Indicates if the user's account is System Managed
isUnlockScenario: Flag indicating whether the event is a Logon or an Unlock
userType: Indicates the user type: 0 = unknown; 1 = local; 2 = Active Directory domain user; 3 = Microsoft
Account; 4 = Azure Active Directory user
Microsoft.Windows.LogonController.SignInFailure
Sends details about any error codes detected during a failed sign-in.
ntsStatus: The NTSTATUS error code status returned from an attempted sign-in
ntsSubstatus: The NTSTATUS error code sub-status returned from an attempted sign-in
Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCaptur
e
Indicates that a biometric capture was compared to known templates
captureDetail: Result of biometric capture, either matched to an enrollment or an error
captureSuccessful: Indicates whether a biometric capture was successfully matched or not
hardwareId: ID of the sensor that collected the biometric capture
isSecureSensor : Flag indicating whether a biometric sensor was in enhanced security mode
isTrustletRunning: Indicates whether an enhanced security component is currently running
isVsmCfg: Flag indicating whether virtual secure mode is configured or not
Microsoft.Windows.Security.Winlogon.SystemBootStop
System boot has completed.
The following field is available:
ticksSinceBoot: Duration of boot event (milliseconds)
Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this
event with Desktop Analytics organizations can help identify logon problems on managed devices.
isAadUser : Indicates whether the current logon is for an Azure Active Directory account
isDomainUser : Indicates whether the current logon is for a domain account
isMSA: Indicates whether the current logon is for a Microsoft Account
logonOptimizationFlags: Flags indicating optimization settings for this logon session
logonTypeFlags: Flags indicating logon type (first logon vs. a later logon)
systemManufacturer : Device manufacturer
systemProductName: Device product name
wilActivity: Indicates errors in the task to help Microsoft improve reliability.
Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve
reliability.
isStar tWaitTask : Flag indicating whether the task starts a background task
isWaitMethod: Flag indicating the task is waiting on a background task
logonTask : Indicates which logon step is currently occurring
wilActivity: Indicates errors in the task to help Microsoft improve reliability.
Microsoft.Windows.Shell.Explorer.DesktopReady
Initialization of Explorer is complete.
Microsoft-Windows-Security-EFS-EDPAudit-
ApplicationLearning.EdpAuditLogApplicationLearning
For a device subject to Windows Information Protection policy, learning events are generated when an app
encounters a policy boundary (for example, trying to open a work document from a personal app). These events
help the WIP administrator tune policy rules and prevent unnecessary user disruption.
actiontype: Indicates what type of resource access the app was attempting (for example, opening a local
document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information
Protection administrators to tune policy rules.
appIdType: Based on the type of application, this indicates what type of app rule a Windows Information
Protection administrator would need to create for this app.
appname: App that triggered the event
status: Indicates whether errors occurred during WIP learning events
Win32kTraceLogging.AppInteractivitySummary
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility
and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application
reliability on managed devices.
AggregationDurationMS: Actual duration of aggregation period (in milliseconds)
AggregationFlags: Flags denoting aggregation settings
AggregationPeriodMS: Intended duration of aggregation period (in milliseconds)
AggregationStar tTime: Start date and time of AppInteractivity aggregation
AppId: Application ID for usage
AppSessionId: GUID identifying the application's usage session
AppVersion: Version of the application that produced this event
AudioInMS: Audio capture duration (in milliseconds)
AudioOutMS: Audio playback duration (in milliseconds)
BackgroundMouseSec: Indicates that there was a mouse hover event while the app was in the background
BitPeriodMS: Length of the period represented by InFocusBitmap
CommandLineHash: A hash of the command line
CompositionDir tyGeneratedSec: Represents the amount of time (in seconds) during which the active app
reported that it had an update
CompositionDir tyPropagatedSec: Total time (in seconds) that a separate process with visuals hosted in an
app signaled updates
CompositionRenderedSec: Time (in seconds) that an app's contents were rendered
EventSequence: [need more info]
FocusLostCount: Number of times that an app lost focus during the aggregation period
GameInputSec: Time (in seconds) there was user input using a game controller
HidInputSec: Time (in seconds) there was user input using devices other than a game controller
InFocusBitmap: Series of bits representing application having and losing focus
InFocusDurationMS: Total time (in milliseconds) the application had focus
InputSec: Total number of seconds during which there was any user input
InteractiveTimeoutPeriodMS: Total time (in milliseconds) that inactivity expired interactivity sessions
KeyboardInputSec: Total number of seconds during which there was keyboard input
MonitorFlags: Flags indicating app use of individual monitor(s)
MonitorHeight: Number of vertical pixels in the application host monitor resolution
MonitorWidth: Number of horizontal pixels in the application host monitor resolution
MouseInputSec: Total number of seconds during which there was mouse input
NewProcessCount: Number of new processes contributing to the aggregate
Par tATransform_AppSessionGuidToUserSid: Flag which influences how other parts of the event are
constructed
PenInputSec: Total number of seconds during which there was pen input
SpeechRecognitionSec: Total number of seconds of speech recognition
Summar yRound: Incrementing number indicating the round (batch) being summarized
TargetAsId: Flag which influences how other parts of the event are constructed
TotalUserOrDisplayActiveDurationMS: Total time the user or the display was active (in milliseconds)
TouchInputSec: Total number of seconds during which there was touch input
UserActiveDurationMS: Total time that the user was active including all input methods
UserActiveTransitionCount: Number of transitions in and out of user activity
UserOrDisplayActiveDurationMS: Total time the user was using the display
ViewFlags: Flags denoting properties of an app view (for example, special VR view or not)
WindowFlags: Flags denoting runtime properties of an app window
WindowHeight: Number of vertical pixels in the application window
WindowWidth: Number of horizontal pixels in the application window
Revisions
PartA_UserSid removed
A previous revision of this list stated that a field named PartA_UserSid was a member of the event
Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to
reflect that no such field is present in the event.
Office events added
In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with KB 4462932 and KB 4462933
respectively), 16 events were added, describing Office app launch and availability. These events were added to
improve the precision of Office data in Windows Analytics.
NOTE
Office data will no longer be provided through this policy in Desktop Analytics.
CertAnalytics events removed

In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with KB 4462932 and KB 4462933
respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Desktop Analytics.
NOTE
You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic.
Windows 10, version 1709 and newer diagnostic data
for the Full level
Applies to:
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and
make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you
personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This
article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at
Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions
of Basic data items, see Windows 10, version 1903 Basic level diagnostic events and fields.
In addition, this article provides references to equivalent definitions for the data types and examples from ISO/IEC
19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories
and data use. Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the
device, using the terms as defined by the standard. These Data Use statements define the purposes for which
Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end
of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about
the information collected, and allows easy comparison with other services or guidance that also references the
standard.
The data covered in this article is grouped into the following types:
Common data extensions (diagnostic header information)
Device, Connectivity, and Configuration data
Product and Service Usage data
Product and Service Performance data
Software Setup and Inventory data
Browsing History data
Inking, Typing, and Speech Utterance data

Most diagnostic events contain a header of common data. In each example, the info in parentheses provides the
equivalent definition for ISO/IEC 19944:2017.
Data Use for Common data extensions Header data supports the use of data associated with all diagnostic
events. Therefore, Common data is used to provide Windows 10, and may be used to improve, personalize,
recommend, offer, or promote Microsoft and third-party products and services, depending on the uses described in
the Data Use statements for each data category.
Data Description for Common data extensions type
Common data extensions type
Information that is added to most diagnostic events, if relevant and available:
Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
(8.2.3.2.4 Observed Usage of the Service Capability)
Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
Event collection time (8.2.3.2.2 Telemetry data)
User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The
user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5
Account data)
Xbox UserID (8.2.5 Account data)
Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3
Connectivity data)
Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
Environment from which the event was logged -- Application ID of app or component that logged the event,
Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or
between boots of the operating system (8.2.4 Cloud service provider data)
Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud
service provider data)
HTTP header information, including the IP address. This IP address is the source address that’s provided by the
network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)

This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device,
Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
Data Use for Device, Connectivity, and Configuration data
For Diagnostics:
Pseudonymized Device, Connectivity, and Configuration data from Windows 10 is used by Microsoft to provide and
improve Windows 10 and related Microsoft products and services. For example:
Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can
contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems
that impact devices with unique hardware, capabilities, or settings. For example:
Data about the use of cellular modems and their configuration on your devices is used to troubleshoot
cellular modem issues.
Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB
hub issues.
Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with
Bluetooth devices.
Data about device properties, such as the operating system version and available memory, is used to
determine whether the device is due to, and able to, receive a Windows update.
Data about device peripherals is used to determine whether a device has installed drivers that might be
negatively impacted by a Windows update.
Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize
Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
With (optional) Tailored experiences:
If a user has enabled Tailored experiences on the device, Pseudonymized Device, Connectivity, and Configuration
data from Windows 10 is used by Microsoft to personalize, recommend, and offer Microsoft products and services
to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, Pseudonymized Device,
Connectivity, and Configuration data from Windows 10 is used by Microsoft to promote third-party Windows apps,
services, hardware, and peripherals to Windows 10 users. For example:
Data about device properties and capabilities is used to provide tips about how to use or configure the
device to get the best performance and user experience.
Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft
and third-party) apps that are appropriate for the device. These may be free or paid apps.
Data Description for Device, Connectivity, and Configuration data type

Device proper ties sub-type: Information about the operating system and device hardware
Operating system - version name, edition
Installation type, subscription status, and genuine operating system status
Processor architecture, speed, number of cores, manufacturer, and model
OEM details --manufacturer, model, and serial number
Device identifier and Xbox serial number
Firmware/BIOS operating system -- type, manufacturer, model, and version
Memory -- total memory, video memory, speed, and how much memory is available after the device has
reserved memory
Storage -- total capacity and disk type
Battery -- charge capacity and InstantOn support
Hardware chassis type, color, and form factor
Is this a virtual machine?
Device capabilities sub-type: Information about the capabilities of the device
Camera -- whether the device has a front facing camera, a rear facing camera, or both.
Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether
virtualization is enabled in the firmware
Voice -- whether voice interaction is supported and the number of active microphones
Number of displays, resolutions, and DPI
Wireless capabilities
OEM or platform face detection
OEM or platform video stabilization and quality-level set
Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR
probability, and Low Light probability
Device preferences and settings sub-type: Information about the device settings and user preferences
User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time &
Language, Gaming, Ease of Access, Privacy, Update & Security
User-provided device name
Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
Hashed representation of the domain name
MDM (mobile device management) enrollment settings and status
BitLocker, Secure Boot, encryption settings, and status
Windows Update settings and status
Developer Unlock settings and status
Default app choices
Default browser choice
Default language settings for app, input, keyboard, speech, and display
App store update settings
Enterprise OrganizationID, Commercial ID
Device peripherals sub-type: Information about the peripherals of the device
Peripheral name, device model, class, manufacturer, and description
Peripheral device state, install state, and checksum
Driver name, package name, version, and manufacturer
HWID - A hardware vendor-defined ID to match a device to a driver INF file
Driver state, problem code, and checksum
Whether driver is kernel mode, signed, and image size
Device network info sub-type: Information about the device network configuration
Network system capabilities
Local or Internet connectivity status
Proxy, gateway, DHCP, DNS details, and addresses
Whether it's a paid or free network
Whether the wireless driver is emulated
Whether it's access point mode-capable
Access point manufacturer, model, and MAC address
WDI Version
Name of networking driver service
Wi-Fi Direct details
Wi-Fi device hardware ID and manufacturer
Wi-Fi scan attempt and item counts
Whether MAC randomization is supported and enabled
Number of supported spatial streams and channel frequencies
Whether Manual or Auto-connect is enabled
Time and result of each connection attempt
Airplane mode status and attempts
Interface description provided by the manufacturer
Data transfer rates
Cipher algorithm
Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
Mobile operator and service provider name
Available SSIDs and BSSIDs
IP Address type -- IPv4 or IPv6
Signal Quality percentage and changes
Hotspot presence detection and success rate
TCP connection performance
Miracast device names
Hashed IP address
This type of data includes details about the usage of the device, operating system, applications and services.
Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service
Capability.
Data Use for Product and Service Usage data
For Diagnostics:
Pseudonymized Product and Service Usage data from Windows 10 is used by Microsoft to provide and improve
Windows 10 and related Microsoft product and services. For example:
Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with
Windows features and Microsoft apps.
Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements
to determine the greatest positive impact to the most Windows 10 users.
Data about whether devices have Suggestions turned off from the Settings Phone screen is to improve the
Suggestions feature.
Data about whether a user canceled the authentication process in their browser is used to help troubleshoot
issues with and improve the authentication process.
Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation
in Cortana.
Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
If a user has enabled Tailored experiences on the device, pseudonymized Product and Service Usage data from
Windows 10 is used by Microsoft to personalize, recommend, and offer Microsoft products and services to
Windows 10 users. Also, if a user has enabled Tailored experiences on the device, pseudonymized Product and
Service Usage data from Windows 10 is used by Microsoft to promote third-party Windows apps, services,
hardware, and peripherals to Windows 10 users. For example:
If data shows that a user has not used a particular feature of Windows, we may recommend that the user try
that feature.
Data about which apps are most-used on a device is used to provide recommendations for similar or
complementary (Microsoft or third-party) apps. These may be free or paid apps.
Data Description for Product and Service Usage data type
App usage sub-type: Information about Windows and application usage
Operating system component and app feature usage
User navigation and interaction with app and Windows features. This could potentially include user input, such
as name of a new alarm set, user menu choices, or user favorites
Time of and count of app and component launches, duration of use, session GUID, and process ID
App time in various states –- running in the foreground or background, sleeping, or receiving active user
interaction
User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game
controller, and for how long
Cortana launch entry point and reason
Notification delivery requests and status
Apps used to edit images and videos
SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
Emergency alerts are received or displayed statistics
Content searches within an app
Reading activity -- bookmarked, printed, or had the layout changed
App or product state sub-type: Information about Windows and application state
Start Menu and Taskbar pins
Online and offline status
App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to
share a picture
Personalization impressions delivered
Whether the user clicked on, or hovered over, UI controls or hotspots
User provided feedback, such as Like, Dislike or a rating
Caret location or position within documents and media files -- how much has been read in a book in a single
session, or how much of a song has been listened to.
Purchasing sub-type: Information about purchases made on the device
Product ID, edition ID and product URI
Offer details -- price
Date and time an order was requested
Microsoft Store client type -- web or native client
Purchase quantity and price
Payment type -- credit card type and PayPal
Login proper ties sub-type: Information about logins on the device
Login success or failure
Login sessions and state

This type of data includes details about the health of the device, operating system, apps, and drivers. Product and
Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
Data Use for Product and Service Performance data
For Diagnostics:
Pseudonymized Product and Service Performance data from Windows 10 is used by Microsoft to provide and
improve Windows 10 and related Microsoft product and services. For example:
Data about the reliability of content that appears in the Windows Spotlight (rotating lock screen images) is used
for Windows Spotlight reliability investigations.
Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening
performance.
Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial
recognition performance.
Data about when an Application Window fails to appear is used to investigate issues with Application Window
reliability and performance.
If a user has enabled Tailored experiences on the device, pseudonymized Product and Service Performance data
from Windows 10 is used by Microsoft to personalize, recommend, and offer Microsoft products and services to
Windows 10 users. Also, if a user has enabled Tailored experiences on the device, pseudonymized Product and
Service Performance data from Windows 10 is used by Microsoft to promote third-party Windows apps, services,
hardware, and peripherals to Windows 10 users.
Data about battery performance on a device may be used to recommend settings changes that can improve
battery performance.
If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage
solutions to free up space.
If data shows the device is experiencing performance issues, we may provide recommendations for Windows
apps that can help diagnose or resolve these issues. These may be free or paid apps.
Microsoft doesn't use crash and hang dump data to personalize , recommend , offer , or promote any
product or ser vice.
Data Description for Product and Service Performance data type
Device health and crash data sub-type: Information about the device and software health
Error codes and error messages, name and ID of the app, and process reporting the error
DLL library predicted to be the source of the error -- for example, xyz.dll
System generated files -- app or product logs and trace files to help diagnose a crash or hang
System settings, such as registry keys
User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt,
.csv files
Details and counts of abnormal shutdowns, hangs, and crashes
Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app
data
Crash and hang dumps, including:
The recorded state of the working memory at the point of the crash
Memory in-use by the kernel at the point of the crash.
Memory in-use by the application at the point of the crash
All the physical memory used by Windows at the point of the crash
Class and function name within the module that failed.
Device performance and reliability data sub-type: Information about the device and software performance
User interface interaction durations -- Start menu display times, browser tab switch times, app launch and
switch times, and Cortana and Search performance and reliability
Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user
authentication times (fingerprint and face recognition durations)
In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading
list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-
complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader
responsiveness, and CPU score
UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches,
animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek
responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
Disk footprint -- Free disk space, out of memory conditions, and disk score
Excessive resource utilization -- components impacting performance or battery life through high CPU usage
during different screen and power states
Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus
scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-
device files for search results
Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times,
network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.),
smart card authentication times, automatic brightness, and environmental response times
Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on),
time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off,
sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or
screen on), processes and components requesting power use while the screen is off, auto-brightness details,
time device is plugged into AC versus battery, and battery state transitions
Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
Movies sub-type: Information about movie consumption functionality on the device
NOTE
This isn't intended to capture user viewing, listening, or habits.
Video Width, height, color palette, encoding (compression) type, and encryption type
Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks
that must be pieced together to stream the content based on screen resolution and bandwidth
URL for a specific two-second chunk of content if there is an error
Full-screen viewing mode details
Music & TV sub-type: Information about music and TV consumption on the device
NOTE
Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate
restoration of service
Content type (video, audio, or surround audio)
Local media library collection statistics -- number of purchased tracks and number of playlists
Region mismatch -- User's operating system region and Xbox Live region
Reading sub-type: Information about reading consumption functionality on the device
NOTE
App accessing content and status and options used to open a Microsoft Store book
Language of the book
Time spent reading content
Content type and size details
Photos app sub-type: Information about photos usage on the device
NOTE
File source data -- local, SD card, network device, and OneDrive
Image and video resolution, video length, file sizes types, and encoding
Collection view or full screen viewer use and duration of view
On-device file quer y sub-type: Information about local search activity on the device
Kind of query issued and index type (ConstraintIndex or SystemIndex)
Number of items requested and retrieved
File extension of search result with which the user interacted
Launched item type, file extension, index of origin, and the App ID of the opening app
Name of process calling the indexer and the amount of time to service the query
A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized,
partially optimized, or being built)
Entitlements sub-type: Information about entitlements on the device
Service subscription status and errors
DRM and license rights details -- Groove subscription or operating system volume license
Entitlement ID, lease ID, and package ID of the install package
Entitlement revocation
License type (trial, offline versus online) and duration
License usage session

This type of data includes software installation and update information on the device. Software Setup and Inventory
Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
Data Use for Software Setup and Inventory data
For Diagnostics:
Pseudonymized Software Setup and Inventory data from Windows 10 is used by Microsoft to provide and improve
Windows 10 and related Microsoft product and services. For example:
Data about the specific drivers that are installed on a device is used to understand whether there are any
hardware or driver compatibility issues which should block or delay a Windows update.
Data about when a download starts and finishes on a device is used to understand and address download
problems.
Data about the specific Microsoft Store apps that are installed on a device is used to determine which app
updates to provide to the device.
Data about the antimalware installed on a device is used to understand malware transmissions vectors.
If a user has enabled Tailored experiences on the device, pseudonymized Software Setup and Inventory data from
Windows 10 is used by Microsoft to personalize, recommend, and offer Microsoft products and services to
Windows 10 users. Also, if a user has enabled Tailored experiences on the device, pseudonymized Software Setup
and Inventory data from Windows 10 is used by Microsoft to promote third-party Windows apps, services,
hardware, and peripherals to Windows 10 users. For example:
Data about the specific apps that are installed on a device is used to provide recommendations for similar or
complementary apps in the Microsoft Store.
Data Description for Software Setup and Inventory data type
Installed applications and install histor y sub-type: Information about apps, drivers, update packages, or
operating system components installed on the device
App, driver, update package, or component’s Name, ID, or Package Family Name
Product, SKU, availability, catalog, content, and Bundle IDs
Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
Install date, method, install directory, and count of install attempts
MSI package and product code
Original operating system version at install time
User, administrator, or mandatory installation or update
Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
Device update information sub-type: Information about apps, drivers, update packages, or operating system
components installed on the device
Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress,
status, and results)
Number of applicable updates, importance, and type
Update download size and source -- CDN or LAN peers
Delay upgrade status and configuration
Operating system uninstall and rollback status and count
Windows Update server and service URL
Windows Update machine ID
Windows Insider build details

This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is
equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
Data Use for Browsing History data
For Diagnostics:
Pseudonymized Browsing History data from Windows 10 is used by Microsoft to provide and improve Windows
10 and related Microsoft product and services. For example:
Data about when the Block Content dialog box has been shown is used for investigations of blocked content.
Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows
Defender SmartScreen to warn users about the domain.
Data about when the Address bar is used for navigation purposes is used to improve the Suggested Sites
feature and to understand and address problems arising from navigation.
Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes
feature.
Data about when a default Home page is changed by a user is used to measure which default Home pages are
the most popular and how often users change the default Home page.
If a user has enabled Tailored experiences on the device, pseudonymized Browsing History data from Windows 10
is used by Microsoft to personalize, recommend, and offer Microsoft products and services to Windows 10 users.
Also, if a user has enabled Tailored experiences on the device, pseudonymized Browsing History data from
Windows 10 is used by Microsoft to promote third-party Windows apps, services, hardware, and peripherals to
Windows 10 users. For example:
We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to
the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
Data Description for Browsing History data type
Microsoft browser data sub-type: Information about Address bar and Search box performance on the device
Text typed in Address bar and Search box
Text selected for an Ask Cortana search
Service response time
Auto-completed text, if there was an auto-complete
Navigation suggestions provided based on local history and favorites
Browser ID
URLs (may include search terms)
Page title
Inking Typing and Speech Utterance data

This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and
Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
Data Use for Inking, Typing, and Speech Utterance data
For Diagnostics:
Anonymized Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to improve natural
language capabilities in Microsoft products and services. For example:
Data about words marked as spelling mistakes and replaced with another word from the context menu is used
to improve the spelling feature.
Data about alternate words shown and selected by the user after right-clicking is used to improve the word
recommendation feature.
Data about auto-corrected words that were restored back to the original word by the user is used to improve
the auto-correct feature.
Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture
recognition.
Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve
handwriting recognition.
Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.
Data Description for Inking, Typing, and Speech Utterance data type
Voice, inking, and typing sub-type: Information about voice, inking and typing features
Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
Pen gestures (click, double click, pan, zoom, or rotate)
Palm Touch x,y coordinates
Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
Ink strokes written, text before and after the ink insertion point, recognized text entered, input language --
processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric
values), which could be used to reconstruct the original content or associate the input to the user
Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions --
processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric
values), which could be used to reconstruct the original content or associate the input to the user
Text of speech recognition results -- result codes and recognized text
Language and model of the recognizer and the System Speech language
App ID using speech features
Whether user is known to be a child
Confidence and success or failure of speech recognition
ISO/IEC 19944:2017-specific terminology

This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in
this article.
Provide
ISO/IEC 19944:2017 Reference: 9.3.2 Provide
Use of a specified data category by a Microsoft product or service to protect and provide the described service,
including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.
Improve
ISO/IEC 19944:2017 Reference: 9.3.3 Improve
Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those
improvements may be available to end users.
Personalize
ISO/IEC 19944:2017 Reference: 9.3.4 Personalize
Use of the specified data categories to create a customized experience for the end user in any Microsoft product or
service.
Recommend
ISO/IEC 19944:2017 Reference: 9.3.4 Personalize
“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by
recommending Microsoft products or services that can be accessed without the need to make a purchase or pay
money.
Use of the specified data categories give recommendations about Microsoft products or services the end user may
act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that
can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation
for the placement.
Offer
ISO/IEC 19944:2017 Reference: 9.3.5 Offer upgrades or upsell
Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft
products and services that are relevant to the context of the current capability. The target audience for the offer is
Microsoft customers.
Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft
product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result
in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for
placement.
Promote
ISO/IEC 19944:2017 Reference: 9.3.6 Market/adver tise/promote
Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or
service.
Data identification qualifiers
Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
Pseudonymized Data 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
Anonymized Data 8.3.5 Anonymized data. Microsoft usage notes are as defined.
8.3.6 Aggregated data. Microsoft usage notes are as defined.
Ag g r e g a t e d Da t a
Windows 10 diagnostic data for the Full diagnostic
data level
Applies to:
Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also
helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide more
relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types
diagnostic data collected by Windows at the Full diagnostic data level (inclusive of data collected at Basic), with
comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic
data items, see Windows 10, version 1709 Basic level diagnostic events and fields and Windows 10, version 1703
Basic level diagnostic events and fields.
The data covered in this article is grouped into the following categories:
Common Data (diagnostic header information)
Inking, Typing, and Speech Utterance data
NOTE
The majority of diagnostic data falls into the first four categories.
Common data
Most diagnostic events contain a header of common data:
C AT EGO RY N A M E EXA M P L ES
Common Data Information that is added to most diagnostic events, if

relevant and available:
OS name, version, build, and locale
User ID -- a unique identifier associated with the user's
Microsoft Account (if one is used) or local account. The
user's Microsoft Account identifier is not collected from
devices configured to send Basic diagnostic data
Xbox UserID
Environment from which the event was logged --
Application ID of app or component that logged the
event, Session GUID. Used to track events over a given
period of time such the period an app is running or
between boots of the OS.
The diagnostic event name, Event ID, ETW opcode,
version, schema signature, keywords, and flags
HTTP header information, including the IP address. This
IP address is the source address that’s provided by the
network packet header and received by the diagnostics
ingestion service.
Various IDs that are used to correlate and sequence
related events together.
Device ID. This is not the user provided device name,
but an ID that is unique for that device.
Device class -- Desktop, Server, or Mobile
Event collection time
Diagnostic level -- Basic or Full, Sample level -- for
sampled data, what sample level is this device opted
into

This type of data includes details about the device, its configuration and connectivity capabilities, and status.
Device properties Information about the OS and device hardware, such as:
OS - version name, Edition
Installation type, subscription status, and genuine OS
status
Processor architecture, speed, number of cores,
manufacturer, and model
OEM details --manufacturer, model, and serial number
Device identifier and Xbox serial number
Firmware/BIOS -- type, manufacturer, model, and
version
Memory -- total memory, video memory, speed, and
how much memory is available after the device has
reserved memory
Storage -- total capacity and disk type
Battery -- charge capacity and InstantOn support
Hardware chassis type, color, and form factor
Is this a virtual machine?
Device capabilities Information about the specific device capabilities such as:
Camera -- whether the device has a front facing, a rear
facing camera, or both.
Touch screen -- does the device include a touch
screen? If so, how many hardware touch points are
supported?
Processor capabilities -- CompareExchange128,
LahfSahf, NX, PrefetchW, and SSE2
Trusted Platform Module (TPM) – whether present and
what version
Virtualization hardware -- whether an IOMMU is
present, SLAT support, is virtualization enabled in the
firmware
Voice – whether voice interaction is supported and the
number of active microphones
Number of displays, resolutions, DPI
Wireless capabilities
OEM or platform face detection
OEM or platform video stabilization and quality level
set
Advanced Camera Capture mode (HDR vs. LowLight),
OEM vs. platform implementation, HDR probability,
and Low Light probability
Device preferences and settings Information about the device settings and user preferences
such as:
User Settings – System, Device, Network & Internet,
Personalization, Cortana, Apps, Accounts, Time &
Language, Gaming, Ease of Access, Privacy, Update &
Security
User-provided device name
Whether device is domain-joined, or cloud-domain
joined (i.e. part of a company-managed network)
Hashed representation of the domain name
MDM (mobile device management) enrollment settings
and status
BitLocker, Secure Boot, encryption settings, and status
Windows Update settings and status
Developer Unlock settings and status
Default app choices
Default browser choice
Default language settings for app, input, keyboard,
speech, and display
App store update settings
Enterprise OrganizationID, Commercial ID
Device peripherals Information about the device peripherals such as:

Peripheral name, device model, class, manufacturer and
description
Peripheral device state, install state, and checksum
Driver name, package name, version, and manufacturer
HWID - A hardware vendor defined ID to match a
device to a driver INF file
Driver state, problem code, and checksum
Whether driver is kernel mode, signed, and image size
Device network info Information about the device network configuration such as:
Network system capabilities
Local or Internet connectivity status
Proxy, gateway, DHCP, DNS details and addresses
Paid or free network
Wireless driver is emulated or not
Access point mode capable
Access point manufacturer, model, and MAC address
WDI Version
Name of networking driver service
Wi-Fi Direct details
Wi-Fi device hardware ID and manufacturer
Wi-Fi scan attempt counts and item counts
Mac randomization is supported/enabled or not
Number of spatial streams and channel frequencies
supported
Manual or Auto Connect enabled
Time and result of each connection attempt
Airplane mode status and attempts
Interface description provided by the manufacturer
Data transfer rates
Cipher algorithm
Mobile Equipment ID (IMEI) and Mobile Country Code
(MCCO)
Mobile operator and service provider name
Available SSIDs and BSSIDs
IP Address type -- IPv4 or IPv6
Signal Quality percentage and changes
Hotspot presence detection and success rate
TCP connection performance
Miracast device names
Hashed IP address

This type of data includes details about the usage of the device, operating system, applications and services.
App usage Information about Windows and application usage such as:
OS component and app feature usage
User navigation and interaction with app and Windows
features. This could potentially include user input, such
as name of a new alarm set, user menu choices, or user
favorites.
Time of and count of app/component launches,
duration of use, session GUID, and process ID
App time in various states – running foreground or
background, sleeping, or receiving active user
interaction
User interaction method and duration – whether and
length of time user used the keyboard, mouse, pen,
touch, speech, or game controller
Cortana launch entry point/reason
Notification delivery requests and status
Apps used to edit images and videos
SMS, MMS, VCard, and broadcast message usage
statistics on primary or secondary line
Incoming and Outgoing calls and Voicemail usage
statistics on primary or secondary line
Emergency alerts are received or displayed statistics
Content searches within an app
Reading activity -- bookmarking used, print used,
layout changed
App or product state Information about Windows and application state such as:
Start Menu and Taskbar pins
Online/Offline status
App launch state –- with deep-link such as Groove
launched with an audio track to play, or share contract
such as MMS launched to share a picture.
Personalization impressions delivered
Whether the user clicked or hovered on UI controls or
hotspots
User feedback Like or Dislike or rating was provided
Caret location or position within documents and media
files -- how much of a book has been read in a single
session or how much of a song has been listened to.
Login properties Login success or failure

Login sessions and state

This type of data includes details about the health of the device, operating system, apps and drivers.
C AT EGO RY N A M E DESC RIP T IO N A N D EXA M P L ES

Device health and crash data Information about the device and software health such as:
Error codes and error messages, name and ID of the
app, and process reporting the error
DLL library predicted to be the source of the error --
xyz.dll
System generated files -- app or product logs and
trace files to help diagnose a crash or hang
System settings such as registry keys
User generated files – .doc, .ppt, .csv files where they
are indicated as a potential cause for a crash or hang
Details and counts of abnormal shutdowns, hangs, and
crashes
Crash failure data – OS, OS component, driver, device,
1st and 3rd party app data
Crash and Hang dumps
The recorded state of the working memory at
the point of the crash.
Memory in use by the kernel at the point of the
crash.
Memory in use by the application at the point
of the crash.
All the physical memory used by Windows at
the point of the crash.
Class and function name within the module
that failed.
Device performance and reliability data Information about the device and software performance such
as:
User Interface interaction durations -- Start Menu
display times, browser tab switch times, app launch
and switch times, and Cortana and search performance
and reliability.
Device on/off performance -- Device boot, shutdown,
power on/off, lock/unlock times, and user
authentication times (fingerprint and face recognition
durations).
In-app responsiveness -- time to set alarm, time to
fully render in-app navigation menus, time to sync
reading list, time to start GPS navigation, time to
attach picture MMS, and time to complete a Microsoft
Store transaction.
User input responsiveness – onscreen keyboard
invocation times for different languages, time to show
auto-complete words, pen or touch latencies, latency
for handwriting recognition to words, Narrator screen
reader responsiveness, and CPU score.
UI and media performance and glitches/smoothness --
video playback frame rate, audio glitches, animation
glitches (stutter when bringing up Start), graphics
score, time to first frame, play/pause/stop/seek
responsiveness, time to render PDF, dynamic streaming
of video from OneDrive performance
Disk footprint -- Free disk space, out of memory
conditions, and disk score.
Excessive resource utilization – components impacting
performance or battery life through high CPU usage
during different screen and power states
Background task performance -- download times,
Windows Update scan duration, Windows Defender
Antivirus scan times, disk defrag times, mail fetch
times, service startup and state transition times, and
time to index on-device files for search results
Peripheral and devices -- USB device connection times,
time to connect to a wireless display, printing times,
network availability and connection times (time to
connect to Wi-Fi, time to get an IP address from DHCP
etc.), smart card authentication times, automatic
brightness environmental response times
Device setup -- first setup experience times (time to
install updates, install apps, connect to network etc.),
time to recognize connected devices (printer and
monitor), and time to setup Microsoft Account.
Power and Battery life – power draw by component
(Process/CPU/GPU/Display), hours of screen off time,
sleep state transition details, temperature and thermal
throttling, battery drain in a power state (screen off or
screen on), processes and components requesting
power use during screen off, auto-brightness details,
time device is plugged into AC vs. battery, battery
state transitions
Service responsiveness - Service URI, operation,
latency, service success/error codes, and protocol.
Diagnostic heartbeat – regular signal to validate the
health of the diagnostics system
Movies Information about movie consumption functionality on the

device. This isn't intended to capture user viewing, listening or
habits.
Video Width, height, color pallet, encoding
(compression) type, and encryption type
Instructions for how to stream content for the user --
the smooth streaming manifest of chunks of content
files that must be pieced together to stream the
content based on screen resolution and bandwidth
URL for a specific two second chunk of content if there
is an error
Full screen viewing mode details
Music & TV Information about music and TV consumption on the device.

This isn't intended to capture user viewing, listening or habits.
Service URL for song being downloaded from the
music service – collected when an error occurs to
facilitate restoration of service
Content type (video, audio, surround audio)
Local media library collection statistics -- number of
purchased tracks, number of playlists
Region mismatch -- User OS Region, and Xbox Live
region
Reading Information about reading consumption functionality on the

device. This isn't intended to capture user viewing, listening or
habits.
App accessing content and status and options used to
open a Microsoft Store book
Language of the book
Time spent reading content
Content type and size details
Photos App Information about photos usage on the device. This isn't
intended to capture user viewing, listening or habits.
File source data -- local, SD card, network device, and
OneDrive
Image & video resolution, video length, file sizes types
and encoding
Collection view or full screen viewer use and duration
of view
On-device file query Information about local search activity on the device such as:
Kind of query issued and index type (ConstraintIndex,
SystemIndex)
Number of items requested and retrieved
File extension of search result user interacted with
Launched item kind, file extension, index of origin, and
the App ID of the opening app.
Name of process calling the indexer and time to service
the query.
A hash of the search scope (file, Outlook, OneNote, IE
history)
The state of the indices (fully optimized, partially
optimized, being built)
Purchasing Information about purchases made on the device such as:

Product ID, edition ID and product URI
Offer details -- price
Order requested date/time
Store client type -- web or native client
Purchase quantity and price
Payment type -- credit card type and PayPal
Entitlements Information about entitlements on the device such as:

Service subscription status and errors
DRM and license rights details -- Groove subscription
or OS volume license
Entitlement ID, lease ID, and package ID of the install
package
Entitlement revocation
License type (trial, offline vs online) and duration
License usage session

This type of data includes software installation and update information on the device.
C AT EGO RY N A M E DATA EXA M P L ES
Installed Applications and Install History Information about apps, drivers, update packages, or OS
components installed on the device such as:
App, driver, update package, or component’s Name, ID,
or Package Family Name
Product, SKU, availability, catalog, content, and Bundle
IDs
OS component, app or driver publisher, language,
version and type (Win32 or UWP)
Install date, method, and install directory, count of
install attempts
MSI package code and product code
Original OS version at install time
User or administrator or mandatory installation/update
Installation type – clean install, repair, restore, OEM,
retail, upgrade, and update
C AT EGO RY N A M E DATA EXA M P L ES
Device update information Information about Windows Update such as:

Update Readiness analysis of device hardware, OS
components, apps, and drivers (progress, status, and
results)
Number of applicable updates, importance, type
Update download size and source -- CDN or LAN
peers
Delay upgrade status and configuration
OS uninstall and rollback status and count
Windows Update server and service URL
Windows Update machine ID
Windows Insider build details

This type of data includes details about web browsing in the Microsoft browsers.
Microsoft browser data Information about Address bar and search box performance
on the device such as:
Text typed in address bar and search box
Text selected for Ask Cortana search
Service response time
Auto-completed text if there was an auto-complete
Navigation suggestions provided based on local
history and favorites
Browser ID
URLs (which may include search terms)
Page title
Inking Typing and Speech Utterance data

This type of data gathers details about the voice, inking, and typing input features on the device.

Voice, inking, and typing Information about voice, inking and typing features such as:
Type of pen used (highlighter, ball point, pencil), pen
color, stroke height and width, and how long it is used
Pen gestures (click, double click, pan, zoom, rotate)
Palm Touch x,y coordinates
Input latency, missed pen signals, number of frames,
strokes, first frame commit time, sample rate
Ink strokes written, text before and after the ink
insertion point, recognized text entered, Input
language - processed to remove identifiers, sequencing
information, and other data (such as email addresses
and numeric values) which could be used to
reconstruct the original content or associate the input
to the user.
Text input from Windows Mobile on-screen keyboards
except from password fields and private sessions -
processed to remove identifiers, sequencing
information, and other data (such as email addresses,
and numeric values) which could be used to
reconstruct the original content or associate the input
to the user.
Text of speech recognition results -- result codes and
recognized text
Language and model of the recognizer, System Speech
language
App ID using speech features
Whether user is known to be a child
Confidence and Success/Failure of speech recognition
Manage connections from Windows 10 operating system components to
Microsoft services
Applies to
Windows 10 Enterprise, version 1607 and newer
Windows Server 2016
Windows Server 2019
This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings
available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure
privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and
evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network
connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current
certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience.
Microsoft provides a Windows Restricted Traffic Limited Functionality Baseline package that will allow your organization to quickly configure the settings covered in
this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on Group Policy Administrative
Template functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can
reduce the functionality and security configuration of your device, before deploying Windows Restricted Traffic Limited Functionality Baseline make sure
you choose the right settings configuration for your environment and ensure that Windows and Windows Defender are fully up to date . Failure to do
so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly.
IMPORTANT
The Allowed Traffic endpoints are listed here: Allowed Traffic
CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP
checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a
less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these
features.
It is recommended that you restart a device after making configuration changes to it.
The Get Help and Give us Feedback links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
NOTE
Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional
settings required for the 1909 release.
WARNING
If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Keep my files" option (or the >"Remove Everything" option) the Windows
Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order >re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted
Traffic Limited Functionality Baseline >settings.
To use Microsoft Intune cloud based device management for restricting traffic please refer to the Manage connections from Windows 10 operating system
components to Microsoft services using Microsoft Intune MDM Server
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp @microsoft.com .
Management options for each setting

The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is
sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data
and MSRT reporting, and turn off all of these connections
Settings for Windows 10 Enterprise edition
The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1607.
SET T IN G UI GRO UP P O L IC Y REGIST RY
1. Automatic Root Certificates Update
2. Cortana and Search
3. Date & Time
4. Device metadata retrieval

5. Find My Device
6. Font streaming
7. Insider Preview builds
8. Internet Explorer
9. License Manager
10. Live Tiles
11. Mail synchronization
12. Microsoft Account
13. Microsoft Edge
14. Network Connection Status Indicator
15. Offline maps
16. OneDrive
17. Preinstalled apps
18. Settings > Privacy
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.7 Account info
18.8 Contacts
18.9 Calendar
18.10 Call history
18.11 Email
18.12 Messaging
18.13 Phone calls
18.14 Radios
18.15 Other devices

18.16 Feedback & diagnostics
18.17 Background apps
18.18 Motion
18.19 Tasks
18.20 App Diagnostics
18.21 Inking & Typing
18.22 Activity History
18.23 Voice Activation
19. Software Protection Platform
20. Storage Health
21. Sync your settings
22. Teredo
23. Wi-Fi Sense
24. Windows Defender
25. Windows Spotlight
26. Microsoft Store
27. Apps for websites
28. Windows Update Delivery Optimization
29. Windows Update
Settings for Windows Server 2016 with Desktop Experience

See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience.
3. Date & Time
6. Font streaming
10. Live Tiles

16. OneDrive
22. Teredo
26. Microsoft Store
29. Windows Update
Settings for Windows Server 2016 Server Core

See the following table for a summary of the management settings for Windows Server 2016 Server Core.
SET T IN G GRO UP P O L IC Y REGIST RY
3. Date & Time
6. Font streaming
22. Teredo
29. Windows Update
Settings for Windows Server 2016 Nano Server

See the following table for a summary of the management settings for Windows Server 2016 Nano Server.
SET T IN G REGIST RY
3. Date & Time
22. Teredo
29. Windows Update
Settings for Windows Server 2019

See the following table for a summary of the management settings for Windows Server 2019.

3. Date & Time
5. Find My Device
6. Font streaming
10. Live Tiles
13. Microsoft Edge
15. Offline maps
16. OneDrive
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.7 Account info
18.8 Contacts
18.9 Calendar
18.10 Call history
18.11 Email
18.12 Messaging
18.13 Phone calls

18.14 Radios
18.15 Other devices
18.18 Motion
18.19 Tasks
20. Storage Health
22. Teredo
23. Wi-Fi Sense
26. Microsoft Store
29. Windows Update
How to configure each setting

Use the following sections for more information about how to configure each setting.
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on Windows Update to see if an update is
available. For more information, see Automatic Root Certificates Update Configuration. Although not recommended, you can turn off Automatic Root Certificates
Update, which also prevents updates to the disallowed certificate list and the pin rules list.
Cau t i on
By not automatically downloading the root certificates the device may not be able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet
Communication Settings > Turn off Automatic Root Cer tificates Update
-and-
1. Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies .
2. Double-click Cer tificate Path Validation Settings .
3. On the Network Retrieval tab, select the Define these policy settings check box.
4. Clear the Automatically update cer tificates in the Microsoft Root Cer tificate Program (recommended) check box, and then click OK .
-or-
Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCer tificates\AuthRoot and then add a REG_DWORD registry
setting, named DisableRootAutoUpdate , with a value of 1.
-and-
1. Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies .
2. Double-click Cer tificate Path Validation Settings .
3. On the Network Retrieval tab, select the Define these policy settings check box.
4. Clear the Automatically update cer tificates in the Microsoft Root Cer tificate Program (recommended) check box, and then click OK .
On Windows Server 2016 Nano Server:
Create the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCer tificates\AuthRoot and then add a REG_DWORD registry
setting, named DisableRootAutoUpdate , with a value of 1.
NOTE
CRL and OCSP network traffic is currently Allowed Traffic and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one
of them, but there are many others, such as DigiCert, Thawte, Google, Symantec, and VeriSign.

Use Group Policies to manage settings for Cortana. For more info, see Cortana, Search, and privacy: FAQ.
2.1 Cortana and Search Group Policies
Find the Cortana Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Search .
P O L IC Y DESC RIP T IO N
Allow Cortana Choose whether to let Cortana install and run on the device.
Disable this policy to turn off Cortana.
Allow search and Cortana to use location Choose whether Cortana and Search can provide location-aware search results.
Disable this policy to block access to location information for Cortana.
Do not allow web search Choose whether to search the web from Windows Desktop Search.
Enable this policy to remove the option to search the Internet from Cortana.
Don't search the web or display web results in Search Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search.
You can also apply the Group Policies using the following registry keys:
P O L IC Y REGIST RY PAT H
Allow Cortana HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

REG_DWORD: AllowCortana
Value: 0
Allow search and Cortana to use location HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

REG_DWORD: AllowSearchToUseLocation
Value: 0
Do not allow web search HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search

REG_DWORD: DisableWebSearch
Value: 1
Don't search the web or display web results in Search HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
REG_DWORD: ConnectedSearchUseWeb
Value: 0
IMPORTANT
Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or
Windows Server 2016.
1. Expand Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows
Defender Firewall with Advanced Security - <LDAP name> , and then click Outbound Rules .
2. Right-click Outbound Rules , and then click New Rule . The New Outbound Rule Wizard starts.
3. On the Rule Type page, click Program , and then click Next .
4. On the Program page, click This program path , type %windir%\systemapps\Microsoft.Windows.Cor tana_cw5n1h2txyewy\SearchUI.exe , and then
click Next .
5. On the Action page, click Block the connection , and then click Next .
6. On the Profile page, ensure that the Domain , Private , and Public check boxes are selected, and then click Next .
7. On the Name page, type a name for the rule, such as Cor tana firewall configuration , and then click Finish.
8. Right-click the new rule, click Proper ties , and then click Protocols and Por ts .
9. Configure the Protocols and Por ts page with the following info, and then click OK .
For Protocol type , choose TCP .
For Local por t , choose All Por ts .
For Remote por t , choose All por ts .
-or-
Create a new REG_SZ registry setting named {0DE40C8E-C126-4A27-9371-A27DAB1039F7} in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules and set it to a value of
v2.25|Action=Block|Active=TRUE|Dir=Out|Protocol=6|App=%windir%\SystemApps\Microsoft.Windows.Cor tana_cw5n1h2txyewy\searchUI.exe|Name=Block
outbound Cor tana|
If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on
your needs, there are many network traffic analyzers available at no cost.
3. Date & Time
You can prevent Windows from setting the time automatically.
To turn off the feature in the UI: Settings > Time & language > Date & time > Set time automatically
-or-
Create a REG_SZ registry setting in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Ser vices\W32Time\Parameters\Type with a value of
NoSync .
After that, configure the following:
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Windows Time Ser vice > Time Providers > Enable
Windows NTP Client
-or-
Create a new REG_DWORD registry setting named Enabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32time\TimeProviders\NtpClient and set it to 0 (zero) .
To prevent Windows from retrieving device metadata from the Internet:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Device Installation > Prevent device metadata
retrieval from the Internet .
-or -
Create a new REG_DWORD registry setting named PreventDeviceMetadataFromNetwork in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Device Metadata and set it to 1 (one).
5. Find My Device
To turn off Find My Device:
Turn Off the feature in the UI by going to Settings -> Update & Security -> Find My Device , click the Change button, and set the value to Off
-or-
Disable the Group Policy: Computer Configuration > Administrative Template > Windows Components > Find My Device > Turn On/Off Find My
Device
-or-
You can also create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice\AllowFindMyDevice
to 0 (zero) .
6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
If you're running Windows 10, version 1607, Windows Server 2016, or later:
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > Fonts > Enable Font Providers .
-or-
Create a new REG_DWORD registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableFontProviders to 0
(zero) .
NOTE
After you apply this policy, you must restart the device for it to take effect.

The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. This
setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are
not available for Windows Server 2016.
NOTE
If you upgrade a device that is configured to minimize connections from Windows to Microsoft services (that is, a device configured for Restricted Traffic) to a Windows Insider Preview
build, the Feedback & Diagnostic setting will automatically be set to Full. Although the diagnostic data level may initially appear as Basic, a few hours after the UI is refreshed or the
machine is rebooted, the setting will become Full.
To turn off Insider Preview builds for a released version of Windows 10:
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds >
Toggle user control over Insider builds .
To turn off Insider Preview builds for Windows 10:
NOTE
If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds.
Turn off the feature in the UI: Settings > Update & security > Windows Insider Program > Stop Insider Preview builds .
-or-
Enable the Group Policy Toggle user control over Insider builds under Computer Configuration > Administrative Templates > Windows
Components > Data Collection and Preview Builds
-or-
Create a new REG_DWORD registry setting named AllowBuildPreview in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds with a value of 0 (zero)
NOTE
When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by Enhanced Security Configuration (ESC). The following Group
Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under Computer
Configuration > Administrative Templates > Windows Components > Internet Explorer and make these settings:
Turn on Suggested Sites Choose whether an employee can configure Suggested Sites.
Set Value to: Disabled
You can also turn this off in the UI by clearing the Internet Options > Advanced >
Enable Suggested Sites check box.
Allow Microsoft services to provide enhanced suggestions as the user types in the Address Choose whether an employee can configure enhanced suggestions, which are presented to
Bar the employee as they type in the Address Bar.
Set Value to: Disabled
Turn off the auto-complete feature for web addresses Choose whether auto-complete suggests possible matches when employees are typing
web address in the Address Bar.
Set Value to: Enabled
You can also turn this off in the UI by clearing the Internet Options > Advanced > Use
inline AutoComplete in the Internet Explorer Address Bar and Open Dialog
check box.
Turn off browser geolocation Choose whether websites can request location data from Internet Explorer.
Set Value to: Enabled
Prevent managing Windows Defender SmartScreen Choose whether employees can manage the Windows Defender SmartScreen in Internet
Explorer.
Set Value to: Enabled and then set Select Windows Defender Smar tScreen mode
to Off .
REGIST RY K EY REGIST RY PAT H
Turn on Suggested Sites HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Suggested Sites

REG_DWORD: Enabled
Set Value to: 0
Allow Microsoft services to provide enhanced suggestions as the user types in the Address HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer
Bar REG_DWORD: AllowServicePoweredQSA
Set Value to: 0
Turn off the auto-complete feature for web addresses HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete

REG_SZ: AutoSuggest
Set Value to: no
Turn off browser geolocation HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Geolocation

REG_DWORD: PolicyDisableGeolocation
Set Value to: 1
Prevent managing Windows Defender SmartScreen HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter

REG_DWORD: EnabledV9
Set Value to: 0
There are more Group Policy objects that are used by Internet Explorer:
PAT H P O L IC Y DESC RIP T IO N
Computer Configuration > Administrative Choose whether employees can configure Compatibility Choose whether an employee can fix website display
Templates > Windows Components > Internet View. problems that he or she may encounter while browsing.
Explorer > Compatibility View > Turn off Set to: Enabled
Compatibility View
Computer Configuration > Administrative Turn off the flip ahead with page prediction feature Choose whether an employee can swipe across a screen or
Templates > Windows Components > Internet click forward to go to the next pre-loaded page of a
Explorer > Internet Control Panel > Advanced Page website.
Set to: Enabled
Computer Configuration > Administrative Turn off background synchronization for feeds and Web Choose whether to have background synchronization for
Templates > Windows Components > RSS Feeds Slices feeds and Web Slices.
Set to: Enabled
Computer Configuration > Administrative Allow Online Tips Enables or disables the retrieval of online tips and help for
Templates > Control Panel > Allow Online Tips the Settings app.
Set to: Disabled
You can also use Registry keys to set these policies.
Choose whether employees can configure Compatibility View. HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation

REG_DWORD: DisableSiteListEditing
Set Value to 1
Turn off the flip ahead with page prediction feature HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\FlipAhead
REG_DWORD: Enabled
Set Value to 0
Turn off background synchronization for feeds and Web Slices HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
REG_DWORD: BackgroundSyncStatus
Set Value to 0
Allow Online Tips HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

REG_DWORD: AllowOnlineTips
Set Value to 0
To turn off the home page:

Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Disable changing home
page settings , and set it to about:blank
-or-
Create a new REG_SZ registry setting named Star t Page in HKEY_Current_User\SOFTWARE\Policies\Microsoft\Internet Explorer\Main with a
about:blank
-and -
Create a new REG_DWORD registry setting named HomePage in HKEY_Current_User\SOFTWARE\Policies\Microsoft\Internet Explorer\Control
Panel with a 1 (one)
To configure the First Run Wizard:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent running First
Run wizard , and set it to Go directly to home page
-or-
Create a new REG_DWORD registry setting named DisableFirstRunCustomize in HKEY_Current_User\SOFTWARE\Policies\Microsoft\Internet
Explorer\Main with a 1 (one)
To configure the behavior for a new tab:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Specify default behavior
for a new tab , and set it to about:blank
-or-
Create a new REG_DWORD registry setting named NewTabPageShow in HKEY_Current_User\SOFTWARE\Policies\Microsoft\Internet
Explorer\TabbedBrowsing with a 0 (zero)
8.1 ActiveX control blocking
ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked.
You can turn this off by:
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on
Management > Turn off Automatic download of the ActiveX VersionList
-or-
Changing the REG_DWORD registry setting HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList to 0
(zero) .
For more info, see Out-of-date ActiveX control blocking.
9. License Manager
You can turn off License Manager related traffic by setting the following registry entry:
Add a REG_DWORD value named Star t to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Ser vices\LicenseManager and set the value to 4
The value 4 is to disable the service. Here are the available options to set the registry:
0x00000000 = Boot
0x00000001 = System
0x00000002 = Automatic
0x00000003 = Manual
0x00000004 = Disabled
10. Live Tiles
To turn off Live Tiles:
Enable the Group Policy: Computer Configuration > Administrative Templates > Star t Menu and Taskbar > Notifications > Turn Off notifications
network usage
-or-
Create a REG_DWORD registry setting named NoCloudApplicationNotification in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications with a value of 1 (one)
In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start.
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
In Settings > Accounts > Your email and accounts , remove any connected Microsoft Accounts.
-or-
Remove any Microsoft Accounts from the Mail app.
To turn off the Windows Mail app:
Create a REG_DWORD registry setting named ManualLaunchAllowed in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail with a
value of 0 (zero) .
Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft
Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to
devices running Windows 10 1709 or higher. See Feature updates are not being offered while other updates are.
To disable the Microsoft Account Sign-In Assistant:
Change the Star t REG_DWORD registry setting in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Ser vices\wlidsvc to a value of 4 .
13. Microsoft Edge
Use Group Policies to manage settings for Microsoft Edge. For more info, see Microsoft Edge and privacy: FAQ.
13.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge .
Allow Address bar drop-down list suggestions Choose whether to show the address bar drop-down list
Set to Disabled
Allow configuration updates for the Books Library Choose whether configuration updates are done for the Books Library.
Set to Disabled
Configure Autofill Choose whether employees can use autofill on websites.

Set to Disabled
Configure Do Not Track Choose whether employees can send Do Not Track headers.
Set to Enabled
Configure Password Manager Choose whether employees can save passwords locally on their devices.
Set to Disabled
Configure search suggestions in Address Bar Choose whether the Address Bar shows search suggestions.
Set to Disabled
Configure Windows Defender SmartScreen (Windows 10, version 1703) Choose whether Windows Defender SmartScreen is turned on or off.
Set to Disabled
Allow web content on New Tab page Choose whether a new tab page appears.
Set to Disabled
Configure Start pages Choose the Start page for domain-joined devices.
Enabled and Set this to < about:blank >
Prevent the First Run webpage from opening on Microsoft Edge Choose whether employees see the First Run webpage.
Set to: Enable
Allow Microsoft Compatibility List Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
Set to: Disabled
Alternatively, you can configure the following Registry keys as described:
Allow Address Bar drop-down list suggestions HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI

REG_DWORD name: ShowOneBox
Set to 0
Allow configuration updates for the Books Library HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BooksLibrary

REG_DWORD name: AllowConfigurationUpdateForBooksLibrary
Set to 0
Configure Autofill HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main

REG_SZ name: Use FormSuggest
Value : No
Configure Do Not Track HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main

REG_DWORD name: DoNotTrack
REG_DWORD: 1
Configure Password Manager HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main

REG_SZ name: FormSuggest Passwords
REG_SZ: No
Configure search suggestions in Address Bar HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes

REG_DWORD name: ShowSearchSuggestionsGlobal
Value: 0
Configure Windows Defender SmartScreen (Windows 10, version 1703) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter

REG_DWORD name: EnabledV9
Value: 0
Allow web content on New Tab page HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI

REG_DWORD name: AllowWebContentOnNewTabPage
Value: 0
Configure corporate Home pages HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings

REG_SZ name: ProvisionedHomePages
Value: < about:blank >
Prevent the First Run webpage from opening on Microsoft Edge HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
REG_DWORD name: PreventFirstRunPage
Value: 1
Choose whether employees can configure Compatibility View. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\BrowserEmulation

REG_DWORD: MSCompatibilityMode
Value: 0
For a complete list of the Microsoft Edge policies, see Available policies for Microsoft Edge.
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to
http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the Microsoft Networking Blog to learn more.
In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com/ncsi.txt .
You can turn off NCSI by doing one of the following:
Enable the Group Policy: Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet
Communication Settings > Turn off Windows Network Connectivity Status Indicator active tests
NOTE
After you apply this policy, you must restart the device for the policy setting to take effect.
-or-
Create a REG_DWORD registry setting named NoActiveProbe in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator with a value of 1 (one).
15. Offline maps
You can turn off the ability to download and update offline maps.
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Maps > Turn off Automatic Download
and Update of Map Data
-or-
Create a REG_DWORD registry setting named AutoDownloadAndUpdateMapData in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero) .
-and-
In Windows 10, version 1607 and later, Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components >
Maps > Turn off unsolicited network traffic on the Offline Maps settings page
-or-
Create a REG_DWORD registry setting named AllowUntriggeredNetworkTrafficOnSettingsPage in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Maps with a value of 0 (zero).
16. OneDrive
To turn off OneDrive in your organization:
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of
OneDrive for file storage
-or-
Create a REG_DWORD registry setting named DisableFileSyncNGSC in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive
with a value of 1 (one).
-and-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent OneDrive from
generating network traffic until the user signs in to OneDrive (Enable)
-or-
Create a REG_DWORD registry setting named PreventNetworkTrafficPreUserSignIn in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OneDrive
with a value of 1 (one)
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
To remove the News app:
Right-click the app in Start, and then click Uninstall .
-or-
IMPORTANT
If you have any issues with these commands, restart the system and try the scripts again.
Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: Get-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-
AppxProvisionedPackage -Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage
Microsoft.BingNews | Remove-AppxPackage
To remove the Weather app:
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-
-and-
Microsoft.BingWeather | Remove-AppxPackage
To remove the Money app:
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-
-and-
Microsoft.BingFinance | Remove-AppxPackage
To remove the Sports app:
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.BingSpor ts"} | ForEach-Object { Remove-
-and-
Microsoft.BingSpor ts | Remove-AppxPackage
To remove the Twitter app:
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -
Online -PackageName $_.PackageName}
-and-
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: Get-AppxPackage *.Twitter |
Remove-AppxPackage
To remove the XBOX app:
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-
-and-
Microsoft.XboxApp | Remove-AppxPackage
To remove the Sway app:
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-
-and-
Microsoft.Office.Sway | Remove-AppxPackage
To remove the OneNote app:
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-
-and-
Microsoft.Office.OneNote | Remove-AppxPackage
To remove the Get Office app:
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-
-and-
Microsoft.MicrosoftOfficeHub | Remove-AppxPackage
To remove the Get Skype app:
Right-click the Sports app in Start, and then click Uninstall .
-or-
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-
-and-
Microsoft.SkypeApp | Remove-AppxPackage
To remove the Sticky notes app:
AppxProvisionedPackage -Online | Where-Object {$_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-
-and-
Microsoft.MicrosoftStickyNotes | Remove-AppxPackage
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be
configured for every user account that signs into the PC.
18.1 General
18.2 Location
18.3 Camera
18.4 Microphone
18.5 Notifications
18.6 Speech
18.7 Account info
18.8 Contacts
18.9 Calendar
18.10 Call history
18.11 Email
18.12 Messaging
18.13 Phone Calls
18.14 Radios
18.15 Other devices
18.18 Motion
18.19 Tasks
18.1 General
General includes options that don't fall into other areas.
Windows 10, version 1703 options
To turn off Let apps use adver tising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID) :
NOTE
When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
Turn off the feature in the UI.

-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > System > User Profiles > Turn off the adver tising ID .
-or-
Create a REG_DWORD registry setting named Enabled in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Adver tisingInfo
with a value of 0 (zero).
-and-
Create a REG_DWORD registry setting named DisabledByGroupPolicy in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Adver tisingInfo with a value of 1 (one).
To turn off Let websites provide locally relevant content by accessing my language list :
-or-
Create a new REG_DWORD registry setting named HttpAcceptLanguageOptOut in HKEY_CURRENT_USER\Control Panel\International\User Profile
with a value of 1.
To turn off Let Windows track app launches to improve Star t and search results :
-or-
Create a REG_DWORD registry setting named Star t_TrackProgs in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced with value of 0 (zero).
Windows Server 2016 and Windows 10, version 1607 and earlier options
To turn off Let apps use my adver tising ID for experiences across apps (turning this off will reset your ID) :
NOTE
When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.

-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > System > User Profiles > Turn off the adver tising ID .
-or-
Create a REG_DWORD registry setting named Enabled in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Adver tisingInfo
with a value of 0 (zero).
-or-
Create a REG_DWORD registry setting named DisabledByGroupPolicy in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Adver tisingInfo with a value of 1 (one).
To turn off Turn on Windows Defender Smar tScreen to check web content (URLs) that Microsoft Store apps use :
-or-
Create a REG_DWORD registry setting named EnableWebContentEvaluation in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost with a value of 0 (zero).
To turn off Send Microsoft info about how I write to help us improve typing and writing in the future :
NOTE
If the diagnostic data level is set to either Basic or Security , this is turned off automatically.

To turn off Let websites provide locally relevant content by accessing my language list :
-or-
Create a new REG_DWORD registry setting named HttpAcceptLanguageOptOut in HKEY_CURRENT_USER\Control Panel\International\User Profile
with a value of 1.
To turn off Let apps on my other devices open apps and continue experiences on this device :
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Group Policy > Continue experiences on this device .
-or-
Create a REG_DWORD registry setting named EnableCdp in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with a value of 0
(zero).
To turn off Let apps on my other devices use Bluetooth to open apps and continue experiences on this device :
18.2 Location
In the Location area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
To turn off Location for this device :
Click the Change button in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Location and Sensors > Turn off
location .
-or-
Create a REG_DWORD registry setting named LetAppsAccessLocation in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two) .
To turn off Location :
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps
access location and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named DisableLocation in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LocationAndSensors with a value of 1 (one).
To turn off Location histor y :
Erase the history using the Clear button in the UI.
To turn off Choose apps that can use your location :
Turn off each app using the UI.
18.3 Camera
In the Camera area, you can choose which apps can access a device's camera.
To turn off Let apps use my camera :
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps access
the camera
Set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessCamera in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two).
To turn off Choose apps that can use your camera :
Turn off the feature in the UI for each app.
18.4 Microphone
In the Microphone area, you can choose which apps can access a device's microphone.
To turn off Let apps use my microphone :
-or-
the microphone
-or-
Create a REG_DWORD registry setting named LetAppsAccessMicrophone in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy with a value of 2 (two)
To turn off Choose apps that can use your microphone :
18.5 Notifications
To turn off notifications network usage:
Enable the Group Policy: Computer Configuration > Administrative Templates > Star t Menu and Taskbar > Notifications > Turn off Notifications
network usage
-or-
Create a REG_DWORD registry setting named NoCloudApplicationNotification in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications with a value of 1 (one)
In the Notifications area, you can also choose which apps have access to notifications.
To turn off Let apps access my notifications :
-or-
notifications
-or-
Create a REG_DWORD registry setting named LetAppsAccessNotifications in
18.6 Speech
In the Speech area, you can configure the functionality as such:
To turn off dictation of your voice, speaking to Cortana and other apps, and to prevent sending your voice input to Microsoft Speech services:
Toggle the Settings -> Privacy -> Speech -> Online speech recognition switch to Off
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > Control Panel > Regional and Language Options > Allow
users to enable online speech recognition ser vices
-or-
Create a REG_DWORD registry setting named HasAccepted in
HKEY_CURRENT_USER\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy with a value of 0 (zero)
If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech
synthesis models:
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Speech > Allow automatic update of
Speech Data
-or-
Create a REG_DWORD registry setting named AllowSpeechModelUpdate in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Speech with a
value of 0 (zero)
18.7 Account info
In the Account Info area, you can choose which apps can access your name, picture, and other account info.
To turn off Let apps access my name, picture, and other account info :
-or-
account information
-or-
Create a REG_DWORD registry setting named LetAppsAccessAccountInfo in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy
with a value of 2 (two).
To turn off Choose the apps that can access your account info :
18.8 Contacts
In the Contacts area, you can choose which apps can access an employee's contacts list.
To turn off Choose apps that can access contacts :
-or-
contacts
-or-
Create a REG_DWORD registry setting named LetAppsAccessContacts in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy with
a value of 2 (two).
18.9 Calendar
In the Calendar area, you can choose which apps have access to an employee's calendar.
To turn off Let apps access my calendar :
-or-
the calendar . Set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessCalendar in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy with
a value of 2 (two).
To turn off Choose apps that can access calendar :
18.10 Call history
In the Call histor y area, you can choose which apps have access to an employee's call history.
To turn off Let apps access my call histor y :
-or-
call histor y
-or-
Create a REG_DWORD registry setting named LetAppsAccessCallHistor y in
18.11 Email
In the Email area, you can choose which apps have access and can send email.
To turn off Let apps access and send email :
-or-
email
-or-
Create a REG_DWORD registry setting named LetAppsAccessEmail in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
18.12 Messaging
In the Messaging area, you can choose which apps can read or send messages.
To turn off Let apps read or send messages (text or MMS) :
-or-
messaging
-or-
Create a REG_DWORD registry setting named LetAppsAccessMessaging in
To turn off Choose apps that can read or send messages :
To turn off Message Sync
Create a REG_DWORD registry setting named AllowMessageSync in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messaging
and set the value to 0 (zero) .
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Messaging
Set the Allow Message Ser vice Cloud Sync to Disable .
18.13 Phone calls
In the Phone calls area, you can choose which apps can make phone calls.
To turn off Let apps make phone calls :
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps make
phone calls and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessPhone in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
To turn off Choose apps that can make phone calls :
18.14 Radios
In the Radios area, you can choose which apps can turn a device's radio on or off.
To turn off Let apps control radios :
-or-
Apply the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > Let Windows apps
control radios and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessRadios in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
To turn off Choose apps that can control radios :
18.15 Other devices
In the Other Devices area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
To turn off Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone :
Turn off the feature in the UI by going to Settings > Privacy > Other devices > "Communicate with unpaired devices. Let apps automatically share and sync info
with wireless devices that don't explicitly pair with your PC, tablet, or phone" and Turn it OFF .
-or-
communicate with unpaired devices and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsSyncWithDevices in
To turn off Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone) :
-or-
access trusted devices and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessTrustedDevices in
In the Feedback & Diagnostics area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. If
you're looking for content on what each diagnostic data level means and how to configure it in your organization, see Configure Windows diagnostic data in your
organization.
To change how frequently Windows should ask for my feedback :
NOTE
Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device.
To change from Automatically (Recommended) , use the drop-down list in the UI.
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds >
Do not show feedback notifications
-or-
Create a REG_DWORD registry setting named DoNotShowFeedbackNotifications in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection with a value of 1 (one).
-or-
Create the registry keys (REG_DWORD type):
HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\PeriodInNanoSeconds
HKEY_CURRENT_USER\Software\Microsoft\Siuf\Rules\NumberOfSIUFInPeriod
Based on these settings:
SET T IN G P ERIO DIN N A N O SEC O N DS N UM B ERO F SIUF IN P ERIO D
Automatically Delete the registry setting Delete the registry setting
Never 0 0
Always 100000000 Delete the registry setting
Once a day 864000000000 1
Once a week 6048000000000 1
To change the level of diagnostic and usage data sent when you Send your device data to Microsoft :
Click either the Basic or Full options.
-or-
Enable the Group Policy: Computer Configuration\Administrative Templates\Windows Components\Data Collection And Preview Builds\Allow
Telemetr y and set it to a value of 0 .
-or-
Create a REG_DWORD registry setting in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetr y with a
value of 0 .
NOTE
If the Security option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The Security option is only available in Windows 10 Enterprise
edition.
To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft
consumer experiences
-or-
Create a REG_DWORD registry setting named DisableWindowsConsumerFeatures in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1
-and-
Enable the Group Policy: User Configuration > Administrative Templates > Windows Components > Cloud Content > Do not use diagnostic data
for tailored experiences
-or-
Create a REG_DWORD registry setting named DisableTailoredExperiencesWithDiagnosticData in
HKEY_Current_User\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1
In the Background Apps area, you can choose which apps can run in the background.
To turn off Let apps run in the background :
In the Background apps settings page, set Let apps run in the background to Off .
-or-
In the Background apps settings page, turn off the feature for each app.
-or-
Enable the Group Policy (only applicable for Windows 10 version 1703 and above): Computer Configuration > Administrative Templates > Windows
Components > App Privacy > Let Windows apps run in the background and set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsRunInBackground in
NOTE
Some apps, including Cortana and Search, might not function as expected if you set Let apps run in the background to Force Deny .
18.18 Motion
In the Motion area, you can choose which apps have access to your motion data.
To turn off Let Windows and your apps use your motion data and collect motion histor y :
-or-
access motion and set the Default for all apps to Force Deny
-or-
Create a REG_DWORD registry setting named LetAppsAccessMotion in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
with a value of 2 (two) .
18.19 Tasks
In the Tasks area, you can choose which apps have access to your tasks.
To turn this off:
-or-
Tasks . Set the Select a setting box to Force Deny .
-or-
Create a REG_DWORD registry setting named LetAppsAccessTasks in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy
with a value of 2 (two) .
In the App diagnostics area, you can choose which apps have access to your diagnostic information.
To turn this off:
-or-
access diagnostic information about other apps
-or-
Create a REG_DWORD registry setting named LetAppsGetDiagnosticInfo in
In the Inking & Typing area you can configure the functionality as such:
To turn off Inking & Typing data collection (note: there is no Group Policy for this setting):
In the UI go to Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing and turn Improve inking & typing to Off
-or-
Set RestrictImplicitTextCollection registry REG_DWORD setting in HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization to a value of 1
(one)
-and-
Set RestrictImplicitInkCollection registry REG_DWORD setting in HKEY_CURRENT_USER\Software\Microsoft\InputPersonalization to a value of 1
(one)
In the Activity Histor y area, you can choose turn Off tracking of your Activity History.
To turn this Off in the UI:
Turn Off the feature in the UI by going to Settings -> Privacy -> Activity History and un-checking the Store my activity histor y on this device AND
unchecking the Send my activity Histor y to Microsoft checkboxes
-OR-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies named Enables Activity Feed
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies named Allow publishing of User
Activities
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > System > OS Policies > named Allow upload of User Activities
-OR-
Create a REG_DWORD registry setting named EnableActivityFeed in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with a
value of 2 (two)
-and-
Create a REG_DWORD registry setting named PublishUserActivities in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with
a value of 2 (two)
-and-
Create a REG_DWORD registry setting named UploadUserActivities in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with
a value of 2 (two)
In the Voice activation area, you can choose turn Off apps ability to listen for a Voice keyword.
To turn this Off in the UI:
Turn Off the feature in the UI by going to Settings -> Privacy -> Voice activation and toggle Off the Allow apps to use voice activation AND also toggle
Off the Allow apps to use voice activation when this device is locked
-OR-
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > named Let Windows
apps activate with voice
-and-
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > App Privacy > named Let Windows
apps activate with voice while the system is locked
-OR-
Create a REG_DWORD registry setting named LetAppsActivateWithVoice in
-and-
Create a REG_DWORD registry setting named LetAppsActivateWithVoiceAboveLock in
Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending
KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn
off KMS Client Online AVS Validation
-or-
Create a REG_DWORD registry setting named NoGenTicket in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one) .
For Windows Ser ver 2019 or later :
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Software Protection Platform > Turn
off KMS Client Online AVS Validation
-or-
Create a REG_DWORD registry setting named NoGenTicket in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one).
For Windows Ser ver 2016:
Create a REG_DWORD registry setting named NoAcquireGT in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
NT\CurrentVersion\Software Protection Platform with a value of 1 (one).
NOTE
Due to a known issue the Turn off KMS Client Online AVS Validation group policy does not work as intended on Windows Server 2016, the NoAcquireGT value needs to be set
instead. The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
20. Storage health

Enterprise customers can manage updates to the Disk Failure Prediction Model.
For Windows 10:
Disable this Group Policy: Computer Configuration > Administrative Templates > System > Storage Health > Allow downloading updates to the
Disk Failure Prediction Model
-or-
Create a REG_DWORD registry setting named AllowDiskHealthModelUpdates in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\StorageHealth with a value of 0 .
You can control if your settings are synchronized:
In the UI: Settings > Accounts > Sync your settings
-or-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync .
Leave the "Allow users to turn syncing on" checkbox unchecked .
-or-
Create a REG_DWORD registry setting named DisableSettingSync in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync
with a value of 2 (two) and another named DisableSettingSyncUserOverride in
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync with a value of 1 (one).
To turn off Messaging cloud sync:
Note: There is no Group Policy corresponding to this registry key.
-or-
Create a REG_DWORD registry setting named CloudSer viceSyncEnabled in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Messaging and set to a value
of 0 (zero) .
22. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see Internet Protocol Version 6, Teredo, and Related
Technologies.
NOTE
If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
Enable the Group Policy: Computer Configuration > Administrative Templates > Network > TCPIP Settings > IPv6 Transition Technologies > Set
Teredo State and set it to Disabled State .
-or-
Create a new REG_SZ registry setting named Teredo_State in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition
with a value of Disabled .
23. Wi-Fi Sense
IMPORTANT
Beginning with Windows 10, version 1803, Wi-Fi Sense is no longer available. The following section only applies to Windows 10, version 1709 and prior. Please see Connecting to open
Wi-Fi hotspots in Windows 10 for more details.
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
To turn off Connect to suggested open hotspots and Connect to networks shared by my contacts :
Turn off the feature in the UI in Settings > Network & Internet > Wi-Fi
-or-
Disable the Group Policy: Computer Configuration > Administrative Templates > Network > WL AN Ser vice > WL AN Settings > Allow Windows
to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid ser vices .
-or-
Create a new REG_DWORD registry setting named AutoConnectAllowedOEM in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config with a value of 0 (zero) .
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
You can disconnect from the Microsoft Antimalware Protection Service.
IMPORTANT
Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903
1. Ensure Windows and Windows Defender are fully up to date.
2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it Off .
This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to Windows Security Settings -> Virus & threat
protection, click on Manage Settings link and then scroll down to the Tamper Protection toggle to set it to Off .
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS >
Join Microsoft MAPS and then select Disabled from the drop-down box named Join Microsoft MAPS
-OR-
Use the registry to set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet\SpyNetRepor ting
to 0 (zero) .
-and-
Delete the registry setting named in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Updates .
You can stop sending file samples back to Microsoft.
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS
> Send file samples when fur ther analysis is required to Never Send .
-or-
Use the registry to set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
Defender\Spynet\SubmitSamplesConsent to 2 (two) for Never Send .
You can stop downloading Definition Updates :
Enable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus >
Signature Updates > Define the order of sources for downloading definition updates and set it to FileShares .
-and-
Disable the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus >
Signature Updates > Define file shares for downloading definition updates and set it to Nothing .
-or-
Create a new REG_SZ registry setting named FallbackOrder in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Signature Updates with a value of FileShares .
-and-
Remove the DefinitionUpdateFileSharesSources reg value if it exists under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Signature Updates
You can turn off Malicious Software Repor ting Tool (MSRT) diagnostic data :
Set the REG_DWORD value HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MRT\DontRepor tInfectionInformation to 1 .
Note: There is no Group Policy to turn off the Malicious Software Reporting Tool diagnostic data.
You can turn off Enhanced Notifications as follows:
Set in the UI: Settings -> Update & Security -> Windows Security -> Virus & Threat Protection -> Virus & Threat Protection Manage Settings -> scroll to
bottom for Notifications, click Change Notifications Settings -> Notifications -> click Manage Notifications -> Turn off General Notifications
-or-
Enable the Group Policy Turn off enhanced notifications under Computer Configuration > Administrative Templates > Windows Components >
Windows Defender Antivirus > Repor ting .
-or-
Create a new REG_SZ registry setting named DisableEnhancedNotifications in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Repor ting to a value of 1 .
24.1 Windows Defender SmartScreen
To disable Windows Defender Smartscreen:
In Group Policy, configure:
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Smar tScreen > Explorer > Configure
Windows Defender Smar tScreen to be Disabled
-and-
Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender Smar tScreen :
Disable
-and-
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Smar tScreen > Explorer > Configure
app install control : Enable , and select Turn off app recommendations
-OR-
Create a REG_DWORD registry setting named EnableSmar tScreen in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System with a
value of 0 (zero) .
-and-
Create a REG_DWORD registry setting named ConfigureAppInstallControlEnabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Smar tScreen with a value of 1 .
-and-
Create a SZ registry setting named ConfigureAppInstallControl in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Defender\Smar tScreen with a value of Anywhere .
Windows Spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows
tips. You can control it by using the user interface or Group Policy.
If you're running Windows 10, version 1607 or later, you need to:
Enable the following Group Policy User Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off all
Windows spotlight features
NOTE
This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting.
-or-
Create a new REG_DWORD registry setting named DisableWindowsSpotlightFeatures in
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one).
-AND-
Enable the following Group Policy Computer Configuration > Administrative Templates > Control Panel > Personalization > Do not display the
Lock Screen
-or-
Create a new REG_DWORD registry setting named NoLockScreen in HKEY_Local_Machine\SOFTWARE\Policies\Microsoft\Windows\Personalization
with a value of 1 (one)
-AND-
Configure the following in Settings UI:
Personalization > Lock screen > Background > Windows spotlight , select a different background, and turn off Get fun facts, tips, tricks and
more on your lock screen
Personalization > Star t > Occasionally show suggestions in Star t
System > Notifications & actions > Show me tips about Windows
-or-
Apply the Group Policies:
Enable the Computer Configuration > Administrative Templates > Control Panel > Personalization > Force a specific default lock screen
image and logon image Group Policy.
Add C:\windows\web\screen\lockscreen.jpg as the location in the Path to local lock screen image box.
Check the Turn off fun facts, tips, tricks, and more on lock screen check box.
NOTE
This will only take effect if the policy is applied before the first logon. If you cannot apply the Force a specific default lock screen image policy before the
first logon to the device, you can Enable the Do not display the lock screen policy under Computer Configuration > Administrative Templates >
Control Panel > Personalization
Alternatively, you can create a new REG_SZ registry setting named LockScreenImage in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization with a value of
C:\windows\web\screen\lockscreen.jpg and create a new REG_DWORD registry setting named LockScreenOverlaysDisabled in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization with a value of 1 (one) .
The Group Policy for the LockScreenOverlaysDisabled regkey is Force a specific default lock screen and logon image that is under
Control Panel Personalization .
-AND-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Do not show
Windows tips to Enabled
-or-
Create a new REG_DWORD registry setting named DisableSoftLanding in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one)
-AND-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Cloud Content > Turn off Microsoft
consumer experiences to Enabled
-or-
Create a new REG_DWORD registry setting named DisableWindowsConsumerFeatures in
HKEY_LOCAL_MACHINE_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent with a value of 1 (one)
This policy setting controls whether the lock screen appears for users. The Do not display the lock screen Group Policy should be set to Enable to prevent the lock
screen from being displayed. The Group Computer Configuration\Administrative templates\Control Panel\Personalization!Do not display the lock screen.
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their
PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
For more info, see Windows Spotlight on the lock screen.
26. Microsoft Store
You can turn off the ability to launch apps from the Microsoft Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the
Microsoft Store will be disabled. In addition, new email accounts cannot be created by clicking Settings > Accounts > Email & app accounts > Add an account .
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
Disable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from
Microsoft Store .
-or-
Create a new REG_DWORD registry setting named DisableStoreApps in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore with
a value of 1 (one).
-AND-
Enable the Group Policy: Computer Configuration > Administrative Templates > Windows Components > Store > Turn off Automatic Download
and Install of updates .
-or-
Create a new REG_DWORD registry setting named AutoDownload in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore with a
value of 2 (two).
You can turn off apps for websites, preventing customers who visit websites that are registered with their associated app from directly launching the app.
Disable the Group Policy: Computer Configuration > Administrative Templates > System > Group Policy > Configure web-to-app linking with
URI handlers
-or-
Create a new REG_DWORD registry setting named EnableAppUriHandlers in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System with a value of 0 (zero) .
Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you
have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If
you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs
on the Internet.
By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your
local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting Download Mode to Bypass (100),
as described below.
28.1 Settings > Update & security
You can set up Delivery Optimization from the Settings UI.
Go to Settings > Update & security > Windows Update > Advanced options > Choose how updates are delivered .
28.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under Computer Configuration > Administrative Templates > Windows Components >
Deliver y Optimization .
Download Mode Lets you choose where Delivery Optimization gets or sends updates and apps, including
None . Turns off Delivery Optimization.
Group . Gets or sends updates and apps to PCs on the same local network
domain.
Internet . Gets or sends updates and apps to PCs on the Internet.
L AN. Gets or sends updates and apps to PCs on the same NAT only.
Simple . Simple download mode with no peering.
Bypass . Use BITS instead of Windows Update Delivery Optimization. Set to
Bypass to restrict traffic.
Group ID Lets you provide a Group ID that limits which PCs can share apps and updates.
Note: This ID must be a GUID.
Max Cache Age Lets you specify the maximum time (in seconds) that a file is held in the Delivery
Optimization cache.
The default value is 259200 seconds (3 days).
Max Cache Size Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.
Max Upload Bandwidth Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across
all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.
28.3 Delivery Optimization

Enable the Download Mode Group Policy under Computer Configuration > Administrative Templates > Windows Components > Deliver y
Optimization and set the Download Mode to "Bypass" to prevent traffic.
-or-
Create a new REG_DWORD registry setting named DODownloadMode in
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Deliver yOptimization to a value of 100 (one hundred) .
For more info about Delivery Optimization in general, see Windows Update Delivery Optimization: FAQ.
29. Windows Update
You can turn off Windows Update by setting the following registry entries:
Add a REG_DWORD value named DoNotConnectToWindowsUpdateInternetLocations to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and set the value to 1.
-and-
Add a REG_DWORD value named DisableWindowsUpdateAccess to
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and set the value to 1.
-and-
Add a REG_SZ value named WUSer ver to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and ensure it is blank
with a space character " " .
-and-
Add a REG_SZ value named WUStatusSer ver to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and ensure it is
blank with a space character " " .
-and-
Add a REG_SZ value named UpdateSer viceUrlAlternate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate and
ensure it is blank with a space character " " .
-and-
Add a REG_DWORD value named UseWUSer ver to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU and set
the value to 1.
-OR-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any
Windows Update Internet locations to Enabled
-and-
Set the Group Policy Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet
Communication Settings > Turn off access to all Windows Update features to Enabled
-and-
Set the Group Policy Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify intranet
Microsoft update ser vice location to Enabled and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download
Server) are set to " "
-and-
Set the Group Policy User Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to use all
Windows Update features to Enabled and then set Computer Configurations to 0 (zero) .
You can turn off automatic updates by doing the following. This is not recommended.
Add a REG_DWORD value named AutoDownload to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate and set the value to 5.
For China releases of Windows 10 there is one additional Regkey to be set to prevent traffic:
Add a REG_DWORD value named HapDownloadEnabled to HKEY_LOCAL_MACHINE\Software\Microsoft\LexiconUpdate\loc_0804 and set the value to
0.
Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
A L LO W ED T RA F F IC EN DP O IN T S
activation-v2.sls.microsoft.com/*
crl.microsoft.com/pki/crl/*
ocsp.digicert.com/*
www.microsoft.com/pkiops/*
To learn more, see Device update management and Configure Automatic Updates by using Group Policy.
Manage connections from Windows 10 operating system
components to Microsoft services using Microsoft Intune
MDM Server
Applies to
Windows 10 Enterprise 1903 version and newer
This article describes the network connections that Windows 10 components make to Microsoft and the Mobile Device
Management/Configuration Service Provider (MDM/CSP) and custom Open Mobile Alliance Uniform Resource Identifier (OMA
URI) policies available to IT Professionals using Microsoft Intune to help manage the data shared with Microsoft. If you want to
minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for
consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate
other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is
possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by
default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a
secure, reliable, and up-to-date experience.
IMPORTANT
The Allowed Traffic endpoints for an MDM configuration are here: Allowed Traffic
CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still
show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these
authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign.
There is some traffic which is specifically required for the Microsoft Intune based management of Windows 10 devices. This
traffic includes Windows Notifications Service (WNS), Automatic Root Certificates Update (ARCU), and some Windows Update
related traffic. The aforementioned traffic comprises the Allowed Traffic for Microsoft Intune MDM Server to manage Windows
10 devices.
For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure
device. Examples of settings that can lead to a less secure device configuration include: disabling Windows Update, disabling Automatic
Root Certificates Update, and disabling Windows Defender. Accordingly, we do not recommend disabling any of these features.
To ensure CSPs take priority over Group Policies in case of conflicts, use the ControlPolicyConflict policy.
The Get Help and Give us Feedback links in Windows may no longer work after applying some or all of the MDM/CSP settings.
WARNING
If a user executes the "Reset this PC" command (Settings -> Update & Security -> Recovery) with the "Remove Everything" option the
>Windows Restricted Traffic Limited Functionality settings will need to be re-applied in order re-restrict the device's egress traffic. >To do
this the client must be re-enrolled to the Microsoft Intune service. Egress traffic may occur during the period prior to the re->application
of the Restricted Traffic Limited Functionality settings. If the user executes a "Reset this PC" with the "Keep my files" >option the Restricted
Traffic Limited Functionality settings are retained on the device, and therefore the client will remain in a >Restricted Traffic configuration
during and after the "Keep my files" reset, and no re-enrollment is required.
For more information on Microsoft Intune please see Transform IT service delivery for your modern workplace and Microsoft
Intune documentation.
For detailed information about managing network connections to Microsoft services using Windows Settings, Group Policies
and Registry settings see Manage connections from Windows 10 operating system components to Microsoft services.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by sending email
to telmhelp @microsoft.com .
Settings for Windows 10 Enterprise edition 1903 and newer
The following table lists management options for each setting.
For Windows 10, the following MDM policies are available in the Policy CSP.
1. Automatic Root Cer tificates Update
a. MDM Policy: There is intentionally no MDM available for Automatic Root Certificate Update. This MDM does not exist
since it would prevent the operation and management of MDM management of devices.
2. Cor tana and Search
a. MDM Policy: Experience/AllowCortana. Choose whether to let Cortana install and run on the device. Set to 0 (zero)
b. MDM Policy: Search/AllowSearchToUseLocation. Choose whether Cortana and Search can provide location-aware
search results. Set to 0 (zero)
3. Date & Time
a. MDM Policy: Settings/AllowDateTime. Allows the user to change date and time settings. Set to 0 (zero)
a. MDM Policy: DeviceInstallation/PreventDeviceMetadataFromNetwork. Choose whether to prevent Windows from
retrieving device metadata from the Internet. Set to Enabled
5. Find My Device
a. MDM Policy: Experience/AllowFindMyDevice. This policy turns on Find My Device. Set to 0 (zero)
6. Font streaming
a. MDM Policy: System/AllowFontProviders. Setting that determines whether Windows is allowed to download fonts
and font catalog data from an online font provider. Set to 0 (zero)
a. MDM Policy: System/AllowBuildPreview. This policy setting determines whether users can access the Insider build
controls in the Advanced Options for Windows Update. Set to 0 (zero)
8. Internet Explorer The following Microsoft Internet Explorer MDM policies are available in the Internet Explorer CSP
a. MDM Policy: InternetExplorer/AllowSuggestedSites. Recommends websites based on the user’s browsing activity. Set
to Disabled
b. MDM Policy: InternetExplorer/PreventManagingSmartScreenFilter. Prevents the user from managing Windows
Defender SmartScreen, which warns the user if the website being visited is known for fraudulent attempts to gather
personal information through "phishing," or is known to host malware. Set to String with Value:
a. <enabled/><data id=”IE9SafetyFilterOptions” value=”1”/>
c. MDM Policy: InternetExplorer/DisableFlipAheadFeature. Determines whether a user can swipe across a screen or click
Forward to go to the next pre-loaded page of a website. Set to Enabled
d. MDM Policy: InternetExplorer/DisableHomePageChange. Determines whether users can change the default Home
Page or not. Set to String with Value:
a. <enabled/><data id=”EnterHomePagePrompt” value=”Star t Page”/>
e. MDM Policy: InternetExplorer/DisableFirstRunWizard. Prevents Internet Explorer from running the First Run wizard
the first time a user starts the browser after installing Internet Explorer or Windows. Set to String with Value:
a. <enabled/><data id=”FirstRunOptions” value=”1”/>
9. Live Tiles
a. MDM Policy: Notifications/DisallowTileNotification. This policy setting turns off tile notifications. If you enable this
policy setting applications and system features will not be able to update their tiles and tile badges in the Start
screen. Integer value 1
a. MDM Policy: Accounts/AllowMicrosoftAccountConnection. Specifies whether the user is allowed to use an MSA
account for non-email related connection authentication and services. Set to 0 (zero)
a. MDM Policy: Accounts/AllowMicrosoftAccountSignInAssistant. Disable the Microsoft Account Sign-In Assistant. Set
to 0 (zero)
12. Microsoft Edge The following Microsoft Edge MDM policies are available in the Policy CSP. For a complete list of the
Microsoft Edge policies, see Available policies for Microsoft Edge.
a. MDM Policy: Browser/AllowAutoFill. Choose whether employees can use autofill on websites. Set to 0 (zero)
b. MDM Policy: Browser/AllowDoNotTrack. Choose whether employees can send Do Not Track headers. Set to 0 (zero)
c. MDM Policy: Browser/AllowMicrosoftCompatbilityList. Specify the Microsoft compatibility list in Microsoft Edge. Set
to 0 (zero)
d. MDM Policy: Browser/AllowPasswordManager. Choose whether employees can save passwords locally on their
devices. Set to 0 (zero)
e. MDM Policy: Browser/AllowSearchSuggestionsinAddressBar. Choose whether the Address Bar shows search
suggestions. Set to 0 (zero)
f. MDM Policy: Browser/AllowSmartScreen. Choose whether Windows Defender SmartScreen is turned on or off. Set
to 0 (zero)
a. Connectivity/DisallowNetworkConnectivityActiveTests. Note: After you apply this policy you must restart the device
for the policy setting to take effect. Set to 1 (one)
14. Offline maps
a. MDM Policy: AllowOfflineMapsDownloadOverMeteredConnection. Allows the download and update of map data
over metered connections.
Set to 0 (zero)
b. MDM Policy: EnableOfflineMapsAutoUpdate. Disables the automatic download and update of map data. Set to 0
(zero)
15. OneDrive
a. MDM Policy: DisableOneDriveFileSync. Allows IT Admins to prevent apps and features from working with files on
OneDrive. Set to 1 (one)
b. Ingest the ADMX - To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. The ADMX files
are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current
OneDrive build (e.g. "18.162.0812.0001"). There is a folder named "adm" which contains the admx and adml policy
definition files.
c. MDM Policy: Prevent Network Traffic before User SignIn. PreventNetworkTrafficPreUserSignIn . The OMA-URI
value is:
./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC~Policy~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn
Data type: String , Value: <enabled/>
16. Privacy settings Except for the Feedback & Diagnostics page, these settings must be configured for every user account
that signs into the PC.
a. General - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send inking and typing
data to Microsoft. Set to 0 (zero)
b. Location - System/AllowLocation. Specifies whether to allow app access to the Location service. Set to 0 (zero)
c. Camera - Camera/AllowCamera. Disables or enables the camera. Set to 0 (zero)
d. Microphone - Privacy/LetAppsAccessMicrophone. Specifies whether Windows apps can access the microphone. Set
to 2 (two)
e. Notifications - Privacy/LetAppsAccessNotifications. Specifies whether Windows apps can access notifications. Set to
2 (two)
f. Notifications - Settings/AllowOnlineTips. Enables or disables the retrieval of online tips and help for the Settings app.
Integer value 0
g. Speech, Inking, & Typing - Privacy/AllowInputPersonalization. This policy specifies whether users on the device have
the option to enable online speech recognition. Set to 0 (zero)
h. Speech, Inking, & Typing - TextInput/AllowLinguisticDataCollection. This policy setting controls the ability to send
inking and typing data to Microsoft Set to 0 (zero)
i. Account info - Privacy/LetAppsAccessAccountInfo. Specifies whether Windows apps can access account information.
Set to 2 (two)
j. Contacts - Privacy/LetAppsAccessContacts. Specifies whether Windows apps can access contacts. Set to 2 (two)
k. Calendar - Privacy/LetAppsAccessCalendar. Specifies whether Windows apps can access the calendar. Set to 2 (two)
l. Call history - Privacy/LetAppsAccessCallHistory. Specifies whether Windows apps can access account information.
Set to 2 (two)
m. Email - Privacy/LetAppsAccessEmail. Specifies whether Windows apps can access email. Set to 2 (two)
n. Messaging - Privacy/LetAppsAccessMessaging. Specifies whether Windows apps can read or send messages (text or
MMS). Set to 2 (two)
o. Phone calls - Privacy/LetAppsAccessPhone. Specifies whether Windows apps can make phone calls. Set to 2 (two)
p. Radios - Privacy/LetAppsAccessRadios. Specifies whether Windows apps have access to control radios. Set to 2
(two)
q. Other devices - Privacy/LetAppsSyncWithDevices. Specifies whether Windows apps can sync with devices. Set to 2
(two)
r. Other devices - Privacy/LetAppsAccessTrustedDevices. Specifies whether Windows apps can access trusted devices.
Set to 2 (two)
s. Feedback & diagnostics - System/AllowTelemetry. Allow the device to send diagnostic and usage telemetry data,
such as Watson. Set to 0 (zero)
t. Feedback & diagnostics - Experience/DoNotShowFeedbackNotifications. Prevents devices from showing feedback
questions from Microsoft. Set to 1 (one)
u. Background apps - Privacy/LetAppsRunInBackground. Specifies whether Windows apps can run in the background.
Set to 2 (two)
v. Motion - Privacy/LetAppsAccessMotion. Specifies whether Windows apps can access motion data. Set to 2 (two)
w. Tasks - Privacy/LetAppsAccessTasks. Turn off the ability to choose which apps have access to tasks. Set to 2 (two)
x. App Diagnostics - Privacy/LetAppsGetDiagnosticInfo. Force allow, force deny or give user control of apps that can get
diagnostic information about other running apps. Set to 2 (two)
17. Software Protection Platform - Licensing/DisallowKMSClientOnlineAVSValidation. Opt out of sending KMS client
activation data to Microsoft automatically. Set to 1 (one)
18. Storage Health - Storage/AllowDiskHealthModelUpdates. Allows disk health model updates. Set to 0 (zero)
19. Sync your settings - Experience/AllowSyncMySettings. Control whether your settings are synchronized. Set to 0
(zero)
20. Teredo - No MDM needed. Teredo is Off by default . Delivery Optimization (DO) can turn on Teredo, but DO itself is
turned Off via MDM.
21. Wi-Fi Sense - No MDM needed. Wi-Fi Sense is no longer available from Windows 10 version 1803 and newer.
a. Defender/AllowCloudProtection. Disconnect from the Microsoft Antimalware Protection Service. Set to 0 (zero)
b. Defender/SubmitSamplesConsent. Stop sending file samples back to Microsoft. Set to 2 (two)
c. Defender/EnableSmartScreenInShell. Turns off SmartScreen in Windows for app and file execution. Set to 0 (zero)
d. Windows Defender SmartScreen - Browser/AllowSmartScreen. Disable Windows Defender SmartScreen. Set to 0
(zero)
e. Windows Defender SmartScreen EnableAppInstallControl - SmartScreen/EnableAppInstallControl. Controls whether
users are allowed to install apps from places other than the Microsoft Store. Set to 0 (zero)
f. Windows Defender Potentially Unwanted Applications(PUA) Protection - Defender/PUAProtection. Specifies the level
of detection for potentially unwanted applications (PUAs). Set to 1 (one)
g. Defender/SignatureUpdateFallbackOrder. Allows you to define the order in which different definition update sources
should be contacted. The OMA-URI for this is:
./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder , Data type: String , Value:
FileShares
23. Windows Spotlight - Experience/AllowWindowsSpotlight. Disable Windows Spotlight. Set to 0 (zero)
24. Microsoft Store
a. ApplicationManagement/DisableStoreOriginatedApps. Boolean value that disables the launch of all apps from
Microsoft Store that came pre-installed or were downloaded. Set to 1 (one)
b. ApplicationManagement/AllowAppStoreAutoUpdate. Specifies whether automatic update of apps from Microsoft
Store are allowed. Set to 0 (zero)
25. Apps for websites - ApplicationDefaults/EnableAppUriHandlers. This policy setting determines whether Windows
supports web-to-app linking with app URI handlers. Set to 0 (zero)
26. Windows Update Deliver y Optimization - The following Delivery Optimization MDM policies are available in the
Policy CSP.
a. DeliveryOptimization/DODownloadMode. Let’s you choose where Delivery Optimization gets or sends updates and
apps. Set to 100 (one hundred)
27. Windows Update
a. Update/AllowAutoUpdate. Control automatic updates. Set to 5 (five)
b. Windows Update Allow Update Service - Update/AllowUpdateService. Specifies whether the device could use
Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. Set to 0 (zero)
c. Windows Update Service URL - Update/UpdateServiceUrl. Allows the device to check for updates from a WSUS
server instead of Microsoft Update. Set to String with the Value:
a. <Replace><CmdID>$CmdID$<Item><Meta><Format>chr<Type>text/plain</Meta><Target>
<LocURI>./Vendor/MSFT/Policy/Config/Update/UpdateSer viceUrl</Target><Data>http://abcd-
sr v:8530</Item></Replace>
Allowed traffic for Microsoft Intune / MDM configurations
A L LO W ED T RA F F IC EN DP O IN T S
activation-v2.sls.microsoft.com/*
cdn.onenote.net
client.wns.windows.com
crl.microsoft.com/pki/crl/*
ctldl.windowsupdate.com
*displaycatalog.mp.microsoft.com
dm3p.wns.windows.com
*microsoft.com/pkiops/*
ocsp.digicert.com/*
r.manage.microsoft.com
tile-service.weather.microsoft.com
settings-win.data.microsoft.com
Manage connection endpoints for Windows 10
Enterprise, version 1903
Applies to
Windows 10 Enterprise, version 1903
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some
examples include:
Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
Connecting to email servers to send and receive email.
Connecting to the web for every day web browsing.
Connecting to the cloud to store and access backups.
Using your location to show a weather forecast.
This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
Details about the different ways to control traffic to these endpoints are covered in Manage connections from
Windows operating system components to Microsoft services. Where applicable, each endpoint covered in this
topic includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure
Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
NOTE
Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net
might be used to load balance requests to an Azure datacenter, which can change over time.
Windows 10 1903 Enterprise connection endpoints

A REA DESC RIP T IO N P ROTO C O L DEST IN AT IO N
Apps Learn how to turn off traffic

to the following endpoint(s).
The following endpoints are HTTP blob.weather.microsoft.com

used to download updates
to the Weather app Live Tile.
If you turn off traffic to this
endpoint, no Live Tiles will
be updated.
HTTP tile-
service.weather.microsoft.co
m
HTTP tile-
service.weather.microsoft.co
m
The following endpoint is HTTPS cdn.onenote.net/livetile/?

used for OneNote Live Tile. Language=en-US
To turn off traffic for this
endpoint, either uninstall
OneNote or disable the
Microsoft Store. If you
disable the Microsoft store,
other Store apps cannot be
installed or updated.
Additionally, the Microsoft
Store won't be able to
revoke malicious Store apps
and users will still be able to
open them.
The following endpoint is HTTPS .twimg.com

used for Twitter updates. To
turn off traffic for these
endpoints, either uninstall
Twitter or disable the
Microsoft Store. If you
disable the Microsoft store,
other Store apps cannot be
installed or updated.
revoke malicious Store apps
and users will still be able to
open them.
The following endpoint is TLS v1.2 candycrushsoda.king.com

used for Candy Crush Saga
updates. To turn off traffic
for this endpoint, either
uninstall Candy Crush Saga
or disable the Microsoft
Store. If you disable the
Microsoft store, other Store
apps cannot be installed or
updated. Additionally, the
Microsoft Store won't be
able to revoke malicious
Store apps and users will still
be able to open them.
The following endpoint is HTTPS evoke-windowsservices-

used by the Photos app to tas.msedge.net
download configuration files,
and to connect to the Office
365 portal's shared
infrastructure, including
Office in a browser. To turn
off traffic for this endpoint,
either uninstall the Photos
app or disable the Microsoft
Store. If you disable the
Microsoft store, other Store
The following endpoint is HTTPS wallet.microsoft.com

used for by the Microsoft
Wallet app. To turn off traffic
for this endpoint, either
uninstall the Wallet app or
disable the Microsoft Store.
If you disable the Microsoft
store, other Store apps
cannot be installed or
The following endpoint is HTTPS mediaredirect.microsoft.com

used by the Groove Music
app for update HTTP handler
status. If you turn off traffic
for this endpoint, apps for
websites won't work and
customers who visit websites
(such as
mediaredirect.microsoft.com)
that are registered with their
associated app (such as
Groove Music) will stay at
the website and won't be
able to directly launch the
app.
The following endpoints are HTTPS int.whiteboard.microsoft.com

used when using the
Whiteboard app. To turn off
traffic for this endpoint
HTTPS wbd.ms
HTTPS whiteboard.microsoft.com
HTTP / HTTPS whiteboard.ms
Azure The following endpoints are HTTPS wd-

related to Azure. prod-fe.cloudapp.azure.com
HTTPS ris-prod-
atm.trafficmanager.net
HTTPS validation-
v2.sls.trafficmanager.net
Certificates The following endpoint is Learn how to turn off traffic

used by the Automatic Root to all of the following
Certificates Update endpoint(s).
component to automatically
check the list of trusted
authorities on Windows
Update to see if an update is
available. It is possible turn
off traffic to this endpoint,
but that is not
recommended because
when root certificates are
updated over time,
applications and websites
may stop working because
they did not receive an
updated root certificate the
application uses.
Additionally, it is used to
download certificates that
are publicly known to be
fraudulent. These settings
are critical for both Windows
security and the overall
security of the Internet. We
do not recommend blocking
this endpoint. If traffic to this
endpoint is turned off,
Windows no longer
automatically downloads
certificates known to be
fraudulent, which increases
the attack vector on the
device.
HTTP ctldl.windowsupdate.com
Cortana and Search Learn how to turn off traffic

to all of the following
endpoint(s).
The following endpoint is HTTPS store-images.*microsoft.com

used to get images that are
used for Microsoft Store
suggestions. If you turn off
traffic for this endpoint, you
will block images that are
used for Microsoft Store
suggestions.
The following endpoints are HTTPS www.bing.com/client

related to Cortana and Live
Tiles. If you turn off traffic for
this endpoint, you will block
updates to Cortana
greetings, tips, and Live Tiles.
HTTPS www.bing.com
HTTPS www.bing.com/proactive
HTTPS www.bing.com/threshold/xls.
aspx
HTTP exo-ring.msedge.net
HTTP fp.msedge.net
HTTP fp-vp.azureedge.net
HTTP odinvzc.azureedge.net
HTTP spo-ring.msedge.net
Device authentication Learn how to turn off traffic

endpoint(s).
The following endpoint is HTTPS login.live.com*

used to authenticate a
device. If you turn off traffic
for this endpoint, the device
will not be authenticated.
Device metadata Learn how to turn off traffic

endpoint(s).
The following endpoint is HTTP dmd.metaservices.microsoft.c

used to retrieve device om
metadata. If you turn off
traffic for this endpoint,
metadata will not be
updated for the device.
Diagnostic Data The following endpoints are Learn how to turn off traffic
used by the Connected User to all of the following
Experiences and Telemetry endpoint(s).
component and connects to
the Microsoft Data
Management service. If you
turn off traffic for this
endpoint, diagnostic and
usage information, which
helps Microsoft find and fix
problems and improve our
products and services, will
not be sent back to
Microsoft.
HTTP v10.events.data.microsoft.co
m
HTTPS v10.vortex-
win.data.microsoft.com/collec
t/v1
HTTP www.microsoft.com
The following endpoints are HTTPS co4.telecommand.telemetry.

used by Windows Error microsoft.com
Reporting. To turn off traffic
for these endpoints, enable
the following Group Policy:
Administrative Templates >
Windows Components >
Windows Error Reporting >
Disable Windows Error
Reporting. This means error
reporting information will
not be sent back to
Microsoft.
HTTP cs11.wpc.v0cdn.net
HTTPS cs1137.wpc.gammacdn.net
TLS v1.2 modern.watson.data.microso

ft.com*
HTTPS watson.telemetry.microsoft.c
om
Licensing The following endpoint is Learn how to turn off traffic

used for online activation to all of the following
and some app licensing. To endpoint(s).
endpoint, disable the
Windows License Manager
Service. This will also block
online activation and app
licensing may not work.
HTTPS licensing.mp.microsoft.com
Location The following endpoints are Learn how to turn off traffic
used for location data. If you to all of the following
turn off traffic for this endpoint(s).
endpoint, apps cannot use
location data.
HTTPS inference.location.live.net
HTTP location-inference-
westus.cloudapp.net
Maps Learn how to turn off traffic

endpoint(s).
The following endpoints are HTTPS *g.akamaiedge.net

used to check for updates to
maps that have been
downloaded for offline use. If
you turn off traffic for this
endpoint, offline maps will
not be updated.
HTTP maps.windows.com
Microsoft Account Learn how to turn off traffic

endpoint(s).
The following endpoints are HTTP login.msa.akadns6.net

used for Microsoft accounts
to sign in. If you turn off
traffic for these endpoints,
users cannot sign in with
Microsoft accounts.
HTTP us.configsvc1.live.com.akadn
s.net
Microsoft Edge This traffic is related to the HTTPS iecvlist.microsoft.com

Microsoft Edge browser.
Microsoft forward link The following endpoint is HTTPS go.microsoft.com

redirection service (FWLink) used by the Microsoft
forward link redirection
service (FWLink) to redirect
permanent web links to their
actual, sometimes transitory,
URL. FWlinks are similar to
URL shorteners, just longer.
If you disable this endpoint,
Windows Defender won't be
able to update its malware
definitions; links from
Windows and other
Microsoft products to the
Web won't work; and
PowerShell updateable Help
won't update. To disable the
traffic, instead disable the
traffic that's getting
forwarded.
Microsoft Store Learn how to turn off traffic

endpoint(s).
The following endpoint is HTTPS *.wns.windows.com

used for the Windows Push
Notification Services (WNS).
WNS enables third-party
developers to send toast,
tile, badge, and raw updates
from their own cloud service.
This provides a mechanism
to deliver new updates to
your users in a power-
efficient and dependable
way. If you turn off traffic for
this endpoint, push
notifications will no longer
work, including MDM device
management, mail
synchronization, settings
synchronization.
The following endpoint is HTTP storecatalogrevocation.store

used to revoke licenses for quality.microsoft.com
malicious apps in the
Microsoft Store. To turn off
traffic for this endpoint,
either uninstall the app or
Store, other Microsoft Store
apps and users will still be
able to open them.
The following endpoint is HTTPS img-prod-cms-rt-microsoft-

used to download image com*
files that are called when
applications run (Microsoft
Store or Inbox MSN Apps). If
you turn off traffic for these
endpoints, the image files
won't be downloaded, and
updated from the Microsoft
Store. Additionally, the
able to open them.
HTTPS store-images.microsoft.com
The following endpoints are TLS v1.2 .md.mp.microsoft.com

used to communicate with
Microsoft Store. If you turn
off traffic for these
endpoints, apps cannot be
installed or updated from
the Microsoft Store.
revoke malicious apps and
users will still be able to
open them.
HTTPS *displaycatalog.mp.microsoft.
com
HTTP \ HTTPS pti.store.microsoft.com
HTTP storeedgefd.dsx.mp.microsof
t.com
HTTP markets.books.microsoft.com
HTTP share.microsoft.com
Network Connection Status Learn how to turn off traffic

Indicator (NCSI) to all of the following
endpoint(s).
Network Connection Status HTTP www.msftconnecttest.com*

Indicator (NCSI) detects
Internet connectivity and
corporate network
connectivity status. NCSI
sends a DNS request and
HTTP query to this endpoint
to determine if the device
can communicate with the
Internet. If you turn off
traffic for this endpoint, NCSI
won't be able to determine if
the device is connected to
the Internet and the
network status tray icon will
show a warning.
Office The following endpoints are Learn how to turn off traffic
used to connect to the to all of the following
Office 365 portal's shared endpoint(s).
infrastructure, including
Office in a browser. For more
info, see Office 365 URLs
and IP address ranges. You
can turn this off by
removing all Microsoft Office
apps and the Mail and
Calendar apps. If you turn
off traffic for these
endpoints, users won't be
able to save documents to
the cloud or see their
recently used documents.
HTTP *.c-msedge.net
HTTPS *.e-msedge.net
HTTPS *.s-msedge.net
HTTPS nexusrules.officeapps.live.co
m
HTTPS ocos-office365-
s2s.msedge.net
HTTPS officeclient.microsoft.com
HTTPS outlook.office365.com
HTTPS client-office365-
tas.msedge.net
HTTPS www.office.com
HTTPS onecollector.cloudapp.aria
HTTP v10.events.data.microsoft.co
m/onecollector/1.0/
HTTPS self.events.data.microsoft.co
m
The following endpoint is HTTPS to-do.microsoft.com

used to connect the Office
To-Do app to its cloud
service. To turn off traffic for
this endpoint, either
uninstall the app or disable
the Microsoft Store.
OneDrive The following endpoints are Learn how to turn off traffic
related to OneDrive. If you to all of the following
turn off traffic for these endpoint(s).
endpoints, anything that
relies on g.live.com to get
updated URL information
will no longer work.
HTTP \ HTTPS g.live.com/1rewlive5skydrive/

*
HTTP msagfx.live.com
HTTPS oneclient.sfx.ms
Settings The following endpoint is Learn how to turn off traffic

used as a way for apps to to all of the following
dynamically update their endpoint(s).
configuration. Apps such as
System Initiated User
Feedback and the Xbox app
use it. If you turn off traffic
for this endpoint, an app
that uses this endpoint may
stop working.
HTTPS cy2.settings.data.microsoft.c
om.akadns.net
HTTPS settings.data.microsoft.com
HTTPS settings-
win.data.microsoft.com
Skype The following endpoint is Learn how to turn off traffic

used to retrieve Skype to all of the following
configuration values. To turn endpoint(s).
off traffic for this endpoint,
either uninstall the app or
store, other Microsoft Store
able to open them.
HTTPS browser.pipe.aria.microsoft.co
m
HTTP config.edge.skype.com
HTTP s2s.config.skype.com
HTTPS skypeecs-prod-usw-0-
b.cloudapp.net
Windows Defender The following endpoint is Learn how to turn off traffic
used for Windows Defender to all of the following
when Cloud-based endpoint(s).
Protection is enabled. If you
endpoint, the device will not
use Cloud-based Protection.
HTTPS wdcp.microsoft.com
HTTPS definitionupdates.microsoft.c
om
HTTPS go.microsoft.com
The following endpoints are HTTPS *smartscreen.microsoft.com

used for Windows Defender
Smartscreen reporting and
notifications. If you turn off
Smartscreen notifications will
not appear.
HTTPS smartscreen-
sn3p.smartscreen.microsoft.c
om
HTTPS unitedstates.smartscreen-
prod.microsoft.com
Windows Spotlight The following endpoints are Learn how to turn off traffic
used to retrieve Windows to all of the following
Spotlight metadata that endpoint(s).
describes content, such as
references to image
locations, as well as
suggested apps, Microsoft
account notifications, and
Windows tips. If you turn off
Windows Spotlight will still
try to deliver new lock
screen images and updated
content but it will fail;
suggested apps, Microsoft
account notifications, and
Windows tips will not be
downloaded. For more
information, see Windows
Spotlight.
TLS v1.2 *.search.msn.com
HTTPS arc.msn.com
HTTPS g.msn.com*
HTTPS query.prod.cms.rt.microsoft.c
om
HTTPS ris.api.iris.microsoft.com
Windows Update The following endpoint is Learn how to turn off traffic
used for Windows Update to all of the following
downloads of apps and OS endpoint(s).
updates, including HTTP
downloads or HTTP
downloads blended with
peers. If you turn off traffic
for this endpoint, Windows
Update downloads will not
be managed, as critical
metadata that is used to
make downloads more
resilient is blocked.
Downloads may be impacted
by corruption (resulting in
re-downloads of full files).
Additionally, downloads of
the same update by multiple
devices on the same local
network will not use peer
devices for bandwidth
reduction.
HTTPS *.prod.do.dsp.mp.microsoft.c
om
HTTP emdl.ws.microsoft.com
The following endpoints are HTTP *.dl.delivery.mp.microsoft.co

used to download operating m
system patches, updates,
and apps from Microsoft
Store. If you turn off traffic
for these endpoints, the
device will not be able to
download updates for the
operating system.
HTTP *.windowsupdate.com
The following endpoints HTTPS *.delivery.mp.microsoft.com

enable connections to
Windows Update, Microsoft
Update, and the online
services of the Store. If you
turn off traffic for these
endpoints, the device will
not be able to connect to
Windows Update and
Microsoft Update to help
keep the device secure. Also,
the device will not be able to
acquire and update apps
from the Store. These are
dependent on also enabling
"Device authentication" and
"Microsoft Account"
endpoints.
HTTPS *.update.microsoft.com
The following endpoint is HTTPS tsfe.trafficshaping.dsp.mp.mi

used for content regulation. crosoft.com
If you turn off traffic for this
endpoint, the Windows
Update Agent will be unable
to contact the endpoint and
fallback behavior will be
used. This may result in
content being either
incorrectly.
Other Windows 10 editions

To view endpoints for other versions of Windows 10 Enterprise, see:
Manage connection endpoints for Windows 10, version 1809
To view endpoints for non-Enterprise Windows 10 editions, see:
Windows 10, version 1809, connection endpoints for non-Enterprise editions
Related links
Office 365 URLs and IP address ranges
Network infrastructure requirements for Microsoft Intune
Applies to
examples include:
topic includes a link to specific details about how to control traffic to it.
We used the following methodology to derive these network endpoints:
2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active
Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
NOTE
Windows 10 Enterprise connection endpoints

Apps
The following endpoint is used to download updates to the Weather app Live Tile. If you turn off traffic to this
endpoint, no Live Tiles will be updated.
SO URC E P RO C ESS P ROTO C O L DEST IN AT IO N
explorer HTTP tile-service.weather.microsoft.com

HTTP blob.weather.microsoft.com
The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote
or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated.
Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open
them.
HTTPS cdn.onenote.net/livetile/?Language=en-
US
The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter
them.
HTTPS wildcard.twimg.com
svchost.exe oem.twimg.com/windows/tile.xml
The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook
them.
star-mini.c10r.facebook.com
The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365
portal's shared infrastructure, including Office. To turn off traffic for this endpoint, either uninstall the Photos app
them.
WindowsApps\Microsoft.Windows.Phot HTTPS evoke-windowsservices-tas.msedge.net

os
The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall
Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will
still be able to open them.
TLS v1.2 candycrushsoda.king.com

The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall
the Wallet app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be
system32\AppHostRegistrationVerifier.e HTTPS wallet.microsoft.com

xe
The following endpoint is used by the Groove Music app for update HTTP handler status. If you turn off traffic for
this endpoint, apps for websites won't work and customers who visit websites (such as
mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the
website and won't be able to directly launch the app.
system32\AppHostRegistrationVerifier.e HTTPS mediaredirect.microsoft.com

xe
The following endpoints are used when using the Whiteboard app. To turn off traffic for this endpoint disable the
Microsoft Store.
HTTPS wbd.ms
HTTPS int.whiteboard.microsoft.com
HTTPS whiteboard.microsoft.com
HTTP / HTTPS whiteboard.ms
Cortana and Search

The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic
for this endpoint, you will block images that are used for Microsoft Store suggestions.
searchui HTTPS store-images.s-microsoft.com
The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you turn off traffic for this
endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.
backgroundtaskhost HTTPS www.bing.com/client
The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to
activate experiments. If you turn off traffic for this endpoint, parameters would not be updated and the device
would no longer participate in experiments.
backgroundtaskhost HTTPS www.bing.com/proactive
The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you turn off
traffic for this endpoint, Microsoft won't be aware of issues with Cortana and won't be able to fix them.
searchui HTTPS www.bing.com/threshold/xls.aspx

backgroundtaskhost
Certificates
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the
list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this
endpoint, but that is not recommended because when root certificates are updated over time, applications and
websites may stop working because they did not receive an updated root certificate the application uses.
Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical
for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If
traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be
fraudulent, which increases the attack vector on the device.
svchost HTTP ctldl.windowsupdate.com
Device authentication
The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not
be authenticated.
HTTPS login.live.com/ppsecure
Device metadata
The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will
not be updated for the device.
dmd.metaservices.microsoft.com.akadns
.net
HTTP dmd.metaservices.microsoft.com
Diagnostic Data
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the
Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information,
which helps Microsoft find and fix problems and improve our products and services, will not be sent back to
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.n
et
Microsoft.
svchost HTTPS v10.vortex-

win.data.microsoft.com/collect/v1
The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the
following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable
Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
wermgr watson.telemetry.microsoft.com
TLS v1.2 modern.watson.data.microsoft.com.aka

dns.net
Font streaming
The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will
not be able to download fonts on demand.
svchost fs.microsoft.com
fs.microsoft.com/fs/windows/config.json
Licensing
The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint,
disable the Windows License Manager Service. This will also block online activation and app licensing may not
work.
licensemanager HTTPS licensing.mp.microsoft.com/v7.0/license

s/content
Location
The following endpoint is used for location data. If you turn off traffic for this endpoint, apps cannot use location
data.
HTTP location-inference-westus.cloudapp.net
HTTPS inference.location.live.net
Maps
The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you turn
off traffic for this endpoint, offline maps will not be updated.
svchost HTTPS *g.akamaiedge.net
Microsoft account
The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users
cannot sign in with Microsoft accounts.
login.msa.akadns6.net
login.live.com
account.live.com
system32\Auth.Host.exe HTTPS auth.gfx.ms
us.configsvc1.live.com.akadns.net
Microsoft Store
The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party
developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to
deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint,
push notifications will no longer work, including MDM device management, mail synchronization, settings
synchronization.
HTTPS *.wns.windows.com
The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for
this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other
Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke
malicious apps and users will still be able to open them.
HTTP storecatalogrevocation.storequality.micr
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store
or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps
cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
HTTPS img-prod-cms-rt-microsoft-
com.akamaized.net
backgroundtransferhost HTTPS store-images.microsoft.com
The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints,
apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to
revoke malicious apps and users will still be able to open them.
HTTP storeedgefd.dsx.mp.microsoft.com
HTTP \ HTTPS pti.store.microsoft.com
TLS v1.2 cy2.*.md.mp.microsoft.com.*.
svchost HTTPS displaycatalog.mp.microsoft.com
Network Connection Status Indicator (NCSI)

Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity
status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate
with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected
to the Internet and the network status tray icon will show a warning.
HTTP www.msftconnecttest.com/connecttest.t
xt
Office
The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office. For
more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps
and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents
to the cloud or see their recently used documents.
*.a-msedge.net
hxstr *.c-msedge.net
*.e-msedge.net
*.s-msedge.net
HTTPS ocos-office365-s2s.msedge.net
HTTPS nexusrules.officeapps.live.com
HTTPS officeclient.microsoft.com
The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office. For
system32\Auth.Host.exe HTTPS outlook.office365.com
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft
Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps
and users will still be able to open them.
Windows HTTPS client-office365-tas.msedge.net

Apps\Microsoft.Windows.Photos
The following endpoint is used to connect the Office To-Do app to it's cloud service. To turn off traffic for this
endpoint, either uninstall the app or disable the Microsoft Store.
HTTPS to-do.microsoft.com
OneDrive
The following endpoint is a redirection service that’s used to automatically update URLs. If you turn off traffic for
this endpoint, anything that relies on g.live.com to get updated URL information will no longer work.
onedrive HTTP \ HTTPS g.live.com/1rewlive5skydrive/ODSUPro

duction
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see
Office 365 URLs and IP address ranges. To turn off traffic for this endpoint, uninstall OneDrive for Business. In this
case, your device will not able to get OneDrive for Business app updates.
onedrive HTTPS oneclient.sfx.ms
Settings
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System
Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this
endpoint may stop working.
dmclient cy2.settings.data.microsoft.com.akadns.
net
dmclient HTTPS settings.data.microsoft.com
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as
Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn
off traffic for this endpoint, an app that uses this endpoint may stop working.
svchost HTTPS settings-win.data.microsoft.com
Skype
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either
uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps
cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users
will still be able to open them.
microsoft.windowscommunicationsapps HTTPS config.edge.skype.com

.exe
HTTPS browser.pipe.aria.microsoft.com
skypeecs-prod-usw-0-b.cloudapp.net
Windows Defender
The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off
traffic for this endpoint, the device will not use Cloud-based Protection. For a detailed list of Windows Defender
Antivirus cloud service connections, see Allow connections to the Windows Defender Antivirus cloud service.
wdcp.microsoft.com
The following endpoints are used for Windows Defender definition updates. If you turn off traffic for these
endpoints, definitions will not be updated.
definitionupdates.microsoft.com
MpCmdRun.exe HTTPS go.microsoft.com
The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off
traffic for these endpoints, Windows Defender Smartscreen notifications will no appear.
HTTPS ars.smartscreen.microsoft.com
HTTPS unitedstates.smartscreen-
prod.microsoft.com
smartscreen-
sn3p.smartscreen.microsoft.com
Windows Spotlight
The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as
references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you
turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated
content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded.
For more information, see Windows Spotlight.
backgroundtaskhost HTTPS arc.msn.com
backgroundtaskhost g.msn.com.nsatc.net
HTTPS query.prod.cms.rt.microsoft.com
Windows Update
The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP
downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update
downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked.
Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the
same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
svchost HTTPS *.prod.do.dsp.mp.microsoft.com
The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.
svchost HTTP *.windowsupdate.com
svchost HTTP *.dl.delivery.mp.microsoft.com
The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the
Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and
Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from
the Store.
svchost HTTPS *.update.microsoft.com
svchost HTTPS *.delivery.mp.microsoft.com
These are dependent on enabling:

Microsoft account
The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update
Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being
either incorrectly downloaded or not downloaded at all.
svchost HTTPS tsfe.trafficshaping.dsp.mp.microsoft.com
Microsoft forward link redirection service (FWLink)

The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent
web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from
Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To
disable the traffic, instead disable the traffic that's getting forwarded.
Various HTTPS go.microsoft.com

To view endpoints for other versions of Windows 10 Enterprise, see:
Related links
Applies to
examples include:
Directory.
NOTE

Apps

HTTP blob.weather.microsoft.com
them.
US
them.
them.
them.

os


xe

xe
Cortana and Search


backgroundtaskhost
Certificates
be authenticated.
Device metadata
.net
HTTP dmd.metaservices.microsoft.com
Diagnostic Data
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.ne
t
Microsoft.
svchost v10.vortex-

dns.net
Font streaming
Licensing
work.

s/content
Location
data.
Maps
Microsoft account
Microsoft Store
synchronization.
*.wns.windows.com
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store or
Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot
be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
com.akamaized.net
backgroundtransferhost HTTPS store-images.microsoft.com
HTTP pti.store.microsoft.com
svchost HTTPS displaycatalog.mp.microsoft.com

xt
Office
*.a-msedge.net
*.e-msedge.net
*.s-msedge.net
HTTPS ocos-office365-s2s.msedge.net

OneDrive
onedrive HTTP \ HTTPS g.live.com/1rewlive5skydrive/ODSUProd

uction
Settings
net
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows
Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn off traffic
for this endpoint, an app that uses this endpoint may stop working.

Skype

.exe
Windows Defender
traffic for this endpoint, the device will not use Cloud-based Protection.
wdcp.microsoft.com
Windows Spotlight
Windows Update
the Store.

Microsoft account


To view endpoints for other versions of Windows 10 enterprise, see:
Related links
Applies to
examples include:
Directory.
NOTE

Apps
them.
US
them.
them.
them.

os

xe

xe
Cortana and Search


backgroundtaskhost
Certificates
be authenticated.
Device metadata
.net
Diagnostic Data
Microsoft.
svchost cy2.vortex.data.microsoft.com.akadns.n
et
Microsoft.
svchost v10.vortex-

dns.net
Font streaming
Licensing
work.

s/content
Location
data.
Maps
Microsoft account
Microsoft Store
synchronization.
*.wns.windows.com
osoft.com
The following endpoints are used to download image files that are called when applications run (Microsoft Store
or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps
cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke
com.akamaized.net
HTTP pti.store.microsoft.com

xt
Office
*.a-msedge.net
*.e-msedge.net
*.s-msedge.net

OneDrive
onedrive HTTP \ HTTPS g.live.com/1rewlive5skydrive/ODSUPro

duction
Settings
net
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as
Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you turn
off traffic for this endpoint, an app that uses this endpoint may stop working.
Skype

.exe
Windows Defender
traffic for this endpoint, the device will not use Cloud-based Protection.
wdcp.microsoft.com
Windows Spotlight
Windows Update
the Store.

Microsoft account

Other Windows 10 versions and editions

To view endpoints for other versions of Windows 10 enterprise, see:
Related links
Windows 10, version 1903, connection endpoints for
non-Enterprise editions
Applies to
Windows 10 Home, version 1903
Windows 10 Professional, version 1903
Windows 10 Education, version 1903
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other non-
Enterprise editions of Windows 10, version 1903.
The following methodology was used to derive the network endpoints:
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure
Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
NOTE
Windows 10 Family
DEST IN AT IO N P ROTO C O L DESC RIP T IO N
*.aria.microsoft.com* HTTPS Microsoft Office Telemetry
*.b.akamai*.net HTTPS Used to check for updates to Maps that

have been downloaded for offline use
*.c-msedge.net HTTP Microsoft Office
*.dl.delivery.mp.microsoft.com* HTTP Enables connections to Windows

Update
*.download.windowsupdate.com* HTTP Used to download operating system

patches and updates
*.g.akamai*.net HTTPS Used to check for updates to Maps that

*.login.msa.*.net HTTPS Microsoft Account related
*.msn.com* TLSv1.2/HTTPS Windows Spotlight
*.skype.com HTTP/HTTPS Skype
*.smartscreen.microsoft.com* HTTPS Windows Defender Smartscreen
*.telecommand.telemetry.microsoft.com HTTPS Used by Windows Error Reporting

*
cdn.onenote.net HTTP OneNote
*displaycatalog.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store
emdl.ws.microsoft.com HTTP Windows Update
geo-prod.do.dsp.mp.microsoft.com TLSv1.2/HTTPS Enables connections to Windows

Update
hwcdn.net HTTP Highwinds Content Delivery Network /

Windows updates
img-prod-cms-rt-microsoft-com HTTPS Microsoft Store or Inbox MSN Apps

image download
*licensing.mp.microsoft.com HTTPS Licensing
maps.windows.com HTTPS Related to Maps application
msedge.net HTTPS Used by Microsoft OfficeHub to get the

metadata of Microsoft Office apps
nexusrules.officeapps.live.com HTTPS Microsoft Office Telemetry
photos.microsoft.com HTTPS Photos App
prod.do.dsp.mp.microsoft.com TLSv1.2/HTTPS Used for Windows Update downloads

of apps and OS updates
*purchase.md.mp.microsoft.com.akadns. HTTPS Used to communicate with Microsoft

net Store
*settings.data.microsoft.com.akadns.net HTTPS Used for Windows apps to dynamically

update their configuration
wac.phicdn.net HTTP Windows Update

windowsupdate.com HTTP Windows Update
*wns.windows.com TLSv1.2/HTTPS Used for the Windows Push Notification

Services (WNS)
wpc.v0cdn.net HTTP Windows Telemetry
arc.msn.com HTTPS Spotlight
auth.gfx.ms* HTTPS MSA related
cdn.onenote.net HTTPS OneNote Live Tile
dmd.metaservices.microsoft.com* HTTP Device Authentication
e-0009.e-msedge.net HTTPS Microsoft Office
e10198.b.akamaiedge.net HTTPS Maps application
evoke-windowsservices-tas.msedge* HTTPS Photos app
fe2.update.microsoft.com* TLSv1.2/HTTPS Enables connections to Windows

Update, Microsoft Update, and the
online services of Microsoft Store
fe3..mp.microsoft.com. TLSv1.2/HTTPS Windows Update, Microsoft Update,

and Microsoft Store services
g.live.com* HTTPS OneDrive
go.microsoft.com HTTP Windows Defender
iriscoremetadataprod.blob.core.windows HTTPS Windows Telemetry

.net
login.live.com HTTPS Device Authentication
msagfx.live.com HTTP OneDrive
ocsp.digicert.com* HTTP CRL and OCSP checks to the issuing

certificate authorities
officeclient.microsoft.com HTTPS Microsoft Office
oneclient.sfx.ms* HTTPS Used by OneDrive for Business to

download and verify app updates
onecollector.cloudapp.aria.akadns.net HTTPS Microsoft Office
ow1.res.office365.com HTTP Microsoft Office

pti.store.microsoft.com HTTPS Microsoft Store
purchase.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store
query.prod.cms.rt.microsoft.com* HTTPS Used to retrieve Windows Spotlight

metadata
ris.api.iris.microsoft.com* TLSv1.2/HTTPS Used to retrieve Windows Spotlight

metadata
ris-prod-atm.trafficmanager.net HTTPS Azure traffic manager
s-0001.s-msedge.net HTTPS Microsoft Office
self.events.data.microsoft.com HTTPS Microsoft Office
settings.data.microsoft.com* HTTPS Used for Windows apps to dynamically

settings-win.data.microsoft.com* HTTPS Used for Windows apps to dynamically

share.microsoft.com HTTPS Microsoft Store
skypeecs-prod-usw-0.cloudapp.net HTTPS Microsoft Store
sls.update.microsoft.com* TLSv1.2/HTTPS Enables connections to Windows

Update
slscr.update.microsoft.com* HTTPS Enables connections to Windows

Update
store*.dsx.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store
storecatalogrevocation.storequality.micr HTTPS Microsoft Store

osoft.com
storecatalogrevocation.storequality.micr HTTPS Used to revoke licenses for malicious

osoft.com* apps on the Microsoft Store
store-images.microsoft.com HTTP Used to get images that are used for

Microsoft Store suggestions
storesdk.dsx.mp.microsoft.com HTTP Microsoft Store
tile-service.weather.microsoft.com* HTTP Used to download updates to the

Weather app Live Tile
time.windows.com HTTP Microsoft Windows Time related

tsfe.trafficshaping.dsp.mp.microsoft.com TLSv1.2/HTTPS Used for content regulation

*
v10.events.data.microsoft.com HTTPS Diagnostic Data
watson.telemetry.microsoft.com HTTPS Diagnostic Data
wdcp.microsoft.* TLSv1.2, HTTPS Used for Windows Defender when

Cloud-based Protection is enabled
wd-prod-cp-us-west-1- HTTPS Windows Defender

fe.westus.cloudapp.azure.com
wusofficehome.msocdn.com HTTPS Microsoft Office
www.bing.com* HTTP Used for updates for Cortana, apps, and

Live Tiles
www.msftconnecttest.com HTTP Network Connection (NCSI)
www.office.com HTTPS Microsoft Office
Windows 10 Pro
*.cloudapp.azure.com HTTPS Azure
*.delivery.dsp.mp.microsoft.com.nsatc.ne HTTPS Windows Update, Microsoft Update,

t and Microsoft Store services
*.displaycatalog.md.mp.microsoft.com.a HTTPS Microsoft Store

kadns.net

Update
*.e-msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps
*.g.akamaiedge.net HTTPS Used to check for updates to maps that

*.s-msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps
*.windowsupdate.com* HTTP Enables connections to Windows

Update
*.wns.notify.windows.com.akadns.net HTTPS Used for the Windows Push Notification

Services (WNS)
*dsp.mp.microsoft.com.nsatc.net HTTPS Enables connections to Windows

Update
*c-msedge.net HTTP Office
a1158.g.akamai.net HTTP Maps application
arc.msn.com* HTTP / HTTPS Used to retrieve Windows Spotlight

metadata
blob.mwh01prdstr06a.store.core.windo HTTPS Microsoft Store

ws.net
browser.pipe.aria.microsoft.com HTTPS Microsoft Office
bubblewitch3mobile.king.com HTTPS Bubble Witch application
candycrush.king.com HTTPS Candy Crush application
cdn.onenote.net HTTP Microsoft OneNote
cds.p9u4n2q3.hwcdn.net HTTP Highwinds Content Delivery Network

traffic for Windows updates
client.wns.windows.com HTTPS Winddows Notification System
co4.telecommand.telemetry.microsoft.co HTTPS Windows Error Reporting

m.akadns.net
config.edge.skype.com HTTPS Microsoft Skype
cs11.wpc.v0cdn.net HTTP Windows Telemetry
cs9.wac.phicdn.net HTTP Windows Update
cy2.licensing.md.mp.microsoft.com.akad HTTPS Used to communicate with Microsoft

ns.net Store
cy2.purchase.md.mp.microsoft.com.akad HTTPS Used to communicate with Microsoft

ns.net Store
cy2.settings.data.microsoft.com.akadns. HTTPS Used to communicate with Microsoft

net Store
dmd.metaservices.microsoft.com.akadns HTTP Device Authentication

.net
e-0009.e-msedge.net HTTPS Microsoft Office
e10198.b.akamaiedge.net HTTPS Maps application
fe3.update.microsoft.com HTTPS Windows Update

g.live.com HTTPS Microsoft OneDrive
g.msn.com.nsatc.net HTTPS Used to retrieve Windows Spotlight

metadata
geo-prod.do.dsp.mp.microsoft.com HTTPS Windows Update
iecvlist.microsoft.com HTTPS Microsoft Edge
img-prod-cms-rt-microsoft- HTTP / HTTPS Microsoft Store

com.akamaized.net
ipv4.login.msa.akadns6.net HTTPS Used for Microsoft accounts to sign in
licensing.mp.microsoft.com HTTP Licensing
location-inference-westus.cloudapp.net HTTPS Used for location data
login.live.com HTTP Device Authentication
maps.windows.com HTTP Maps application
modern.watson.data.microsoft.com.akad HTTPS Used by Windows Error Reporting

ns.net
msagfx.live.com HTTP OneDrive
nav.smartscreen.microsoft.com HTTPS Windows Defender

oneclient.sfx.ms HTTP OneDrive
ris.api.iris.microsoft.com.akadns.net HTTPS Used to retrieve Windows Spotlight

metadata
ris-prod-atm.trafficmanager.net HTTPS Azure
s2s.config.skype.com HTTP Microsoft Skype
settings-win.data.microsoft.com HTTPS Application settings
skypeecs-prod-usw-0.cloudapp.net HTTPS Microsoft Skype

slscr.update.microsoft.com HTTPS Windows Update
storecatalogrevocation.storequality.micr HTTPS Microsoft Store

osoft.com
store-images.microsoft.com HTTPS Microsoft Store
tile-service.weather.microsoft.com/* HTTP Used to download updates to the

time.windows.com HTTP Windows time
tsfe.trafficshaping.dsp.mp.microsoft.com HTTPS Used for content regulation
v10.events.data.microsoft.com* HTTPS Microsoft Office
vip5.afdorigin-prod-am02.afdogw.com HTTPS Used to serve office 365

experimentation traffic
watson.telemetry.microsoft.com HTTPS Telemetry
wdcp.microsoft.com HTTPS Windows Defender
www.bing.com HTTPS Cortana and Search
www.microsoft.com HTTP Diagnostic
www.msftconnecttest.com HTTP Network connection
Windows 10 Education
*.b.akamaiedge.net HTTPS Used to check for updates to maps that

*.c-msedge.net HTTP Used by OfficeHub to get the metadata

of Office apps
*.dl.delivery.mp.microsoft.com* HTTP Windows Update

of Office apps
*.g.akamaiedge.net HTTPS Used to check for updates to Maps that

*.licensing.md.mp.microsoft.com.akadns. HTTPS Microsoft Store

net
*.settings.data.microsoft.com.akadns.net HTTPS Microsoft Store
*.skype.com* HTTPS Used to retrieve Skype configuration

values
*.smartscreen*.microsoft.com HTTPS Windows Defender

of Office apps
*.telecommand.telemetry.microsoft.com HTTPS Used by Windows Error Reporting

*
*.wac.phicdn.net HTTP Windows Update
*.windowsupdate.com* HTTP Windows Update
*.wns.windows.com HTTPS Windows Notifications Service
*.wpc.*.net HTTP Diagnostic Data
*displaycatalog.md.mp.microsoft.com.ak HTTPS Microsoft Store

adns.net
*dsp.mp.microsoft.com HTTPS Windows Update
a1158.g.akamai.net HTTP Maps
a122.dscg3.akamai.net HTTP Maps
a767.dscg3.akamai.net HTTP Maps
au.download.windowsupdate.com* HTTP Windows Update
bing.com/* HTTPS Used for updates for Cortana, apps, and

Live Tiles
blob.dz5prdstr01a.store.core.windows.n HTTPS Microsoft Store

et
browser.pipe.aria.microsoft.com HTTP Used by OfficeHub to get the metadata

of Office apps
cdn.onenote.net/livetile/* HTTPS Used for OneNote Live Tile
cds.p9u4n2q3.hwcdn.net HTTP Used by the Highwinds Content

Delivery Network to perform Windows
updates
client-office365-tas.msedge.net/* HTTPS Office 365 portal and Office in a

browser
ctldl.windowsupdate.com* HTTP Used to download certificates that are

publicly known to be fraudulent
displaycatalog.mp.microsoft.com/* HTTPS Microsoft Store
dmd.metaservices.microsoft.com* HTTP Device Authentication
download.windowsupdate.com* HTTPS Windows Update
emdl.ws.microsoft.com/* HTTP Used to download apps from the

Microsoft Store
evoke-windowsservices-tas.msedge.net HTTPS Photo app
fe2.update.microsoft.com* HTTPS Windows Update, Microsoft Update,

Microsoft Store services
fe3.delivery.dsp.mp.microsoft.com.nsatc. HTTPS Windows Update, Microsoft Update,

net Microsoft Store services
fe3.delivery.mp.microsoft.com* HTTPS Windows Update, Microsoft Update,

Microsoft Store services
g.live.com* HTTPS Used by OneDrive for Business to


metadata
iecvlist.microsoft.com HTTPS Microsoft Edge browser
ipv4.login.msa.akadns6.net HTTPS Used for Microsoft accounts to sign in
licensing.mp.microsoft.com* HTTPS Used for online activation and some

app licensing
login.live.com HTTPS Device Authentication
maps.windows.com/windows-app-web- HTTPS Maps application

link
modern.watson.data.microsoft.com.akad HTTPS Used by Windows Error Reporting

ns.net
msagfx.live.com HTTPS OneDrive

ocos-office365-s2s.msedge.net/* HTTPS Used to connect to the Office 365

portal's shared infrastructure

oneclient.sfx.ms/* HTTPS Used by OneDrive for Business to

onecollector.cloudapp.aria.akadns.net HTTPS Microsoft Office
settings- HTTPS Used as a way for apps to dynamically

win.data.microsoft.com/settings/* update their configuration
skypeecs-prod-usw-0.cloudapp.net HTTPS Skype
sls.update.microsoft.com* HTTPS Windows Update

osoft.com* apps on the Microsoft Store

tsfe.trafficshaping.dsp.mp.microsoft.com HTTPS Windows Update
v10.events.data.microsoft.com* HTTPS Diagnostic Data
vip5.afdorigin-prod-ch02.afdogw.com HTTPS Used to serve Office 365

watson.telemetry.microsoft.com* HTTPS Used by Windows Error Reporting
wdcp.microsoft.com HTTPS Windows Defender
wd-prod-cp-us-east-1- HTTPS Azure

fe.eastus.cloudapp.azure.com
www.bing.com HTTPS Cortana and Search
www.microsoft.com HTTP Diagnostic Data
www.microsoft.com/pkiops/certs/* HTTP CRL and OCSP checks to the issuing

www.msftconnecttest.com HTTP Network Connection


Applies to
In addition to the endpoints listed for Windows 10 Enterprise, the following endpoints are available on other
editions of Windows 10, version 1809.
Directory.
NOTE
Windows 10 Family
*.aria.microsoft.com* HTTPS Office Telemetry

Update.
*.download.windowsupdate.com* HTTP Used to download operating system

patches and updates.
*.g.akamai.net HTTPS Used to check for updates to maps that

have been downloaded for offline use.
*.msn.com* TLSv1.2/HTTPS Windows Spotlight related traffic
*.Skype.com HTTP/HTTPS Skype related traffic

*.smartscreen.microsoft.com* HTTPS Windows Defender Smartscreen related

traffic
*.telecommand.telemetry.microsoft.com HTTPS Used by Windows Error Reporting.

*
*cdn.onenote.net* HTTP OneNote related traffic
*displaycatalog.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store.
*emdl.ws.microsoft.com* HTTP Windows Update related traffic
*geo-prod.do.dsp.mp.microsoft.com* TLSv1.2/HTTPS Enables connections to Windows

Update.
*hwcdn.net* HTTP Used by the Highwinds Content

updates.
*img-prod-cms-rt-microsoft- HTTPS Used to download image files that are

com.akamaized.net* called when applications run (Microsoft
Store or Inbox MSN Apps).
*maps.windows.com* HTTPS Related to Maps application.
*msedge.net* HTTPS Used by OfficeHub to get the metadata

of Office apps.
*nexusrules.officeapps.live.com* HTTPS Office Telemetry
*photos.microsoft.com* HTTPS Photos App related traffic
*prod.do.dsp.mp.microsoft.com* TLSv1.2/HTTPS Used for Windows Update downloads

of apps and OS updates.
*wac.phicdn.net* HTTP Windows Update related traffic
*windowsupdate.com* HTTP Windows Update related traffic
*wns.windows.com* HTTPS, TLSv1.2 Used for the Windows Push Notification

Services (WNS).
*wpc.v0cdn.net* Windows Telemetry related traffic
auth.gfx.ms/16.000.27934.1/OldConver MSA related

gedLogin_PCore.js
evoke-windowsservices-tas.msedge* HTTPS The following endpoint is used by the

Photos app to download configuration
files, and to connect to the Office 365
portal's shared infrastructure, including
Office. To turn off traffic for this
endpoint, either uninstall the Photos
app or disable the Microsoft Store. If
you disable the Microsoft store, other
Store apps cannot be installed or
updated. Additionally, the Microsoft
Store won't be able to revoke malicious
Store apps and users will still be able to
open them.
fe2.update.microsoft.com* TLSv1.2/HTTPS Enables connections to Windows

online services of Microsoft Store.
fe3.*.mp.microsoft.com.* TLSv1.2/HTTPS Enables connections to Windows

fs.microsoft.com Font Streaming (in ENT traffic)
g.live.com* HTTPS Used by OneDrive
iriscoremetadataprod.blob.core.window HTTPS Windows Telemetry

s.net
mscrl.microsoft.com Certificate Revocation List related traffic.

certificate authorities.
officeclient.microsoft.com HTTPS Office related traffic.

download and verify app updates.
purchase.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store.

metadata.
ris.api.iris.microsoft.com* TLSv1.2/HTTPS Used to retrieve Windows Spotlight

metadata.
ris-prod-atm.trafficmanager.net HTTPS Azure traffic manager
settings.data.microsoft.com* HTTPS Used for Windows apps to dynamically

update their configuration.
settings-win.data.microsoft.com* HTTPS Used for Windows apps to dynamically

sls.update.microsoft.com* TLSv1.2/HTTPS Enables connections to Windows

Update.
store*.dsx.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store.

osoft.com* apps on the Microsoft Store.
store-images.s-microsoft.com* HTTP Used to get images that are used for

Microsoft Store suggestions.

Weather app Live Tile.
tsfe.trafficshaping.dsp.mp.microsoft.com TLSv1.2 Used for content regulation.

*
v10.events.data.microsoft.com HTTPS Diagnostic Data
wdcp.microsoft.* TLSv1.2 Used for Windows Defender when

Cloud-based Protection is enabled.
wd-prod-cp-us-west-1- HTTPS Windows Defender related traffic.

www.bing.com* HTTP Used for updates for Cortana, apps,

and Live Tiles.
Windows 10 Pro

of Office apps.


of Office apps.
*.tlu.dl.delivery.mp.microsoft.com/* HTTP Enables connections to Windows

Update.
*geo- HTTPS Enables connections to Windows

prod.dodsp.mp.microsoft.com.nsatc.net Update.
arc.msn.com.nsatc.net HTTPS Used to retrieve Windows Spotlight

metadata.
au.download.windowsupdate.com/* HTTP Enables connections to Windows

Update.
ctldl.windowsupdate.com/msdownload/ HTTP Used to download certificates that are

update/* publicly known to be fraudulent.

ns.net Store.

net Store.
dm3p.wns.notify.windows.com.akadns.n HTTPS Used for the Windows Push Notification

et Services (WNS)
fe3.delivery.dsp.mp.microsoft.com.nsatc. HTTPS Enables connections to Windows

net Update, Microsoft Update, and the

metadata.
ipv4.login.msa.akadns6.net HTTPS Used for Microsoft accounts to sign in.
location-inference-westus.cloudapp.net HTTPS Used for location data.
modern.watson.data.microsoft.com.aka HTTPS Used by Windows Error Reporting.

dns.net


metadata.

tsfe.trafficshaping.dsp.mp.microsoft.com HTTPS Used for content regulation.



of Office apps.


of Office apps.

.akadns.net
*.tlu.dl.delivery.mp.microsoft.com* HTTP Enables connections to Windows

Update.
*.windowsupdate.com* HTTP Enables connections to Windows

Update.
*geo-prod.do.dsp.mp.microsoft.com HTTPS Enables connections to Windows

Update.
au.download.windowsupdate.com* HTTP Enables connections to Windows

Update.
cdn.onenote.net/livetile/* HTTPS Used for OneNote Live Tile.
client-office365-tas.msedge.net/* HTTPS Used to connect to the Office 365

portal’s shared infrastructure, including
Office.
config.edge.skype.com/* HTTPS Used to retrieve Skype configuration

values.
ctldl.windowsupdate.com/* HTTP Used to download certificates that are

publicly known to be fraudulent.
cy2.displaycatalog.md.mp.microsoft.co HTTPS Used to communicate with Microsoft

m.akadns.net Store.

ns.net Store.

net Store.
displaycatalog.mp.microsoft.com/* HTTPS Used to communicate with Microsoft

Store.
download.windowsupdate.com/* HTTPS Enables connections to Windows

Update.

Microsoft Store.
fe2.update.microsoft.com/* HTTPS Enables connections to Windows

fe3.delivery.dsp.mp.microsoft.com.nsatc. HTTPS Enables connections to Windows

net Update, Microsoft Update, and the
fe3.delivery.mp.microsoft.com/* HTTPS Enables connections to Windows

g.live.com/odclientsettings/* HTTPS Used by OneDrive for Business to


metadata.
licensing.mp.microsoft.com/* HTTPS Used for online activation and some

app licensing.
maps.windows.com/windows-app-web- HTTPS Link to Maps application

link

dns.net

portal's shared infrastructure.



win.data.microsoft.com/settings/* update their configuration.
sls.update.microsoft.com/* HTTPS Enables connections to Windows

Update.

osoft.com/* apps on the Microsoft Store.

tsfe.trafficshaping.dsp.mp.microsoft.com HTTPS Used for content regulation.
vip5.afdorigin-prod-ch02.afdogw.com HTTPS Used to serve office 365

experimentation traffic.
watson.telemetry.microsoft.com/Teleme HTTPS Used by Windows Error Reporting.

try.Request
bing.com/* HTTPS Used for updates for Cortana, apps,

and Live Tiles.
Applies to
Directory.
NOTE
Windows 10 Family

of Office apps.


of Office apps.
*.tlu.dl.delivery.mp.microsoft.com/filestr HTTP Enables connections to Windows

eamingservice/files/ Update.

metadata.
arc.msn.com/v3/Delivery/Placement HTTPS Used to retrieve Windows Spotlight

metadata.
client-office365-tas.msedge.net* HTTPS Used to connect to the Office 365

Office.
config.edge.skype.com/config/* HTTPS Used to retrieve Skype configuration

values.

update* publicly known to be fraudulent.

m.akadns.net Store.

ns.net Store.

net Store.
displaycatalog.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store.

et Services (WNS).
fe2.update.microsoft.com* HTTPS Enables connections to Windows

fe3.delivery.dsp.mp.microsoft.com.nsatc HTTPS Enables connections to Windows

.net Update, Microsoft Update, and the
fe3.delivery.mp.microsoft.com HTTPS Enables connections to Windows

g.live.com/odclientsettings/Prod HTTPS Used by OneDrive for Business to


metadata.
geo- HTTPS Enables connections to Windows

ip5.afdorigin-prod-am02.afdogw.com HTTPS Used to serve office 365

licensing.mp.microsoft.com/v7.0/license HTTPS Used for online activation and some

s/content app licensing.
maps.windows.com/windows-app-web- HTTPS Link to Maps application.

link

dns.net
ocos-office365-s2s.msedge.net* HTTPS Used to connect to the Office 365



onecollector.cloudapp.aria.akadns.net HTTPS Office Telemetry
prod.nexusrules.live.com.akadns.net HTTPS Office Telemetry

metadata.
ris.api.iris.microsoft.com* HTTPS Used to retrieve Windows Spotlight

metadata.
settings.data.microsoft.com/settings/v2. HTTPS Used for Windows apps to dynamically

0/* update their configuration.

share.microsoft.com/windows-app- HTTPS Traffic related to Books app

web-link
sls.update.microsoft.com* HTTPS Enables connections to Windows

Update.

osoft.com* apps on the Microsoft Store.
storeedgefd.dsx.mp.microsoft.com* HTTPS Used to communicate with Microsoft

Store.

tsfe.trafficshaping.dsp.mp.microsoft.co HTTPS Used for content regulation.

m
us.configsvc1.live.com.akadns.net HTTPS Microsoft Office configuration related

traffic

try.Request
wd-prod-cp-us-east-2- HTTPS Azure front end traffic

fe.eastus.cloudapp.azure.com
Windows 10 Pro

of Office apps.


of Office apps.
.tlu.dl.delivery.mp.microsoft.com/ HTTP Enables connections to Windows

Update.
*geo- HTTPS Enables connections to Windows


metadata.
au.download.windowsupdate.com/* HTTP Enables connections to Windows

Update.

update/* publicly known to be fraudulent.

ns.net Store.

net Store.

et Services (WNS)

flightingservicewus.cloudapp.net HTTPS Insider Program

metadata.

dns.net

onecollector.cloudapp.aria.akadns.net HTTPS Office Telemetry

metadata.


m



of Office apps.


of Office apps.

.akadns.net
.tlu.dl.delivery.mp.microsoft.com HTTP Enables connections to Windows

Update.
.windowsupdate.com HTTP Enables connections to Windows

Update.
*geo-prod.do.dsp.mp.microsoft.com HTTPS Enables connections to Windows

Update.
au.download.windowsupdate.com* HTTP Enables connections to Windows

Update.
cdn.onenote.net/livetile/* HTTPS Used for OneNote Live Tile.
client-office365-tas.msedge.net/* HTTPS Used to connect to the Office 365

Office.
cloudtile.photos.microsoft.com.akadns.n HTTPS Photos App in MS Store

et
config.edge.skype.com/* HTTPS Used to retrieve Skype configuration

values.
ctldl.windowsupdate.com/* HTTP Used to download certificates that are


m.akadns.net Store.

ns.net Store.

net Store.
displaycatalog.mp.microsoft.com/* HTTPS Used to communicate with Microsoft

Store.
download.windowsupdate.com/* HTTPS Enables connections to Windows

Update.

Microsoft Store.
fe2.update.microsoft.com/* HTTPS Enables connections to Windows


fe3.delivery.mp.microsoft.com/* HTTPS Enables connections to Windows

flightingservicewus.cloudapp.net HTTPS Insider Program
g.live.com/odclientsettings/* HTTPS Used by OneDrive for Business to


metadata.
licensing.mp.microsoft.com/* HTTPS Used for online activation and some

app licensing.
maps.windows.com/windows-app-web- HTTPS Link to Maps application

link

dns.net



onecollector.cloudapp.aria.akadns.net HTTPS Office telemetry

share.microsoft.com/windows-app- HTTPS Traffic related to Books app

web-link
sls.update.microsoft.com/* HTTPS Enables connections to Windows

Update.

osoft.com/* apps on the Microsoft Store.


m
vip5.afdorigin-prod-ch02.afdogw.com HTTPS Used to serve office 365


try.Request
wd-prod-cp-us-west-3- HTTPS Azure front end traffic

www.bing.com/* HTTPS Used for updates for Cortana, apps,

and Live Tiles.
Applies to
Directory.
NOTE
Windows 10 Home
*.tlu.dl.delivery.mp.microsoft.com.c.foot HTTP Enables connections to Windows

print.net Update.
*.wac.phicdn.net HTTP Used by the Verizon Content Delivery

Network to perform Windows updates.
*.1.msftsrvcs.vo.llnwi.net HTTP Used for Windows Update downloads


of Office apps.
*.delivery.dsp.mp.microsoft.com.nsatc.n TLSv1.2 Enables connections to Windows

et Update.
*.dscd.akamai.net HTTP Used to download content.

*.dspg.akamaiedge.net HTTP Used to check for updates to maps that

*.hwcdn.net HTTP Used by the Highwinds Content

updates.
*.m1-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.search.msn.com TLSv1.2 Used to retrieve Windows Spotlight

metadata.
*.wac.edgecastcdn.net TLSv1.2 Used by the Verizon Content Delivery

*.wns.windows.com TLSv1.2 Used for the Windows Push Notification

Services (WNS).
*prod.do.dsp.mp.microsoft.com TLSv1.2/HTTPS Used for Windows Update downloads

.g.akamaiedge.net HTTP Used to check for updates to maps that

2.dl.delivery.mp.microsoft.com HTTP Enables connections to Windows

Update.
2.tlu.dl.delivery.mp.microsoft.com HTTP Enables connections to Windows

Update.
arc.msn.com HTTPS Used to retrieve Windows Spotlight

metadata.
arc.msn.com.nsatc.net TLSv1.2 Used to retrieve Windows Spotlight

metadata.
a-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
au.download.windowsupdate.com HTTP Used to download operating system

b-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
candycrushsoda.king.com TLSv1.2 Used for Candy Crush Saga updates.
cdn.content.prod.cms.msn.com HTTP Used to retrieve Windows Spotlight

metadata.
cdn.onenote.net HTTP Used for OneNote Live Tile.

client-office365-tas.msedge.net HTTP Used to connect to the Office 365

Office.
config.edge.skype.com HTTP Used to retrieve Skype configuration

values.
ctldl.windowsupdate.com HTTP Used to download certificates that are

cy2.displaycatalog.md.mp.microsoft.co TLSv1.2 Used to communicate with Microsoft

m.akadns.net Store.
cy2.licensing.md.mp.microsoft.com.akad TLSv1.2 Used to communicate with Microsoft

ns.net Store.
cy2.purchase.md.mp.microsoft.com.aka TLSv1.2 Used to communicate with Microsoft

dns.net Store.
cy2.settings.data.microsoft.com.akadns. TLSv1.2 Used as a way for apps to dynamically

net update their configuration.
cy2.vortex.data.microsoft.com.akadns.n TLSv1.2 Used to retrieve Windows Insider

et Preview builds.
definitionupdates.microsoft.com HTTPS Used for Windows Defender definition

updates.
displaycatalog.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
dl.delivery.mp.microsoft.com HTTPS Enables connections to Windows

Update.
dual-a-0001.a-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
fe2.update.microsoft.com HTTPS Enables connections to Windows

fe2.update.microsoft.com.nsatc.net TLSv1.2 Enables connections to Windows

fe3.delivery.dsp.mp.microsoft.com.nsatc TLSv1.2/HTTPS Enables connections to Windows

fg.download.windowsupdate.com.c.foot HTTP Used to download operating system

print.net patches and updates.
fp.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
g.live.com/1rewlive5skydrive/ HTTPS Used by a redirection service to

automatically update URLs.
g.msn.com.nsatc.net HTTP Used to retrieve Windows Spotlight

metadata.
geo- TLSv1.2 Enables connections to Windows

prod.do.dsp.mp.microsoft.com.nsatc.net Update.
go.microsoft.com HTTPS Used by a redirection service to

img-prod-cms-rt-microsoft- HTTPS Used to download image files that are

com.akamaized.net called when applications run (Microsoft
*.login.msa.akadns6.net TLSv1.2 Used for Microsoft accounts to sign in.
licensing.mp.microsoft.com HTTPS Used for online activation and some

app licensing.
location-inference-westus.cloudapp.net TLSv1.2 Used for location data.
login.live.com HTTPS Used to authenticate a device.
mediaredirect.microsoft.com HTTPS Used by the Groove Music app to

update HTTP handler status.
modern.watson.data.microsoft.com.aka TLSv1.2 Used by Windows Error Reporting.

dns.net
msftsrvcs.vo.llnwd.net HTTP Enables connections to Windows

Update.
msnbot-*.search.msn.com TLSv1.2 Used to retrieve Windows Spotlight

metadata.
oem.twimg.com HTTPS Used for the Twitter Live Tile.
oneclient.sfx.ms HTTPS Used by OneDrive for Business to

peer4-wst.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
pti.store.microsoft.com HTTPS Used to communicate with Microsoft

Store.
pti.store.microsoft.com.unistore.akadns. TLSv1.2 Used to communicate with Microsoft

net Store.
purchase.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
ris.api.iris.microsoft.com.akadns.net TLSv1.2/HTTPS Used to retrieve Windows Spotlight

metadata.
settings-win.data.microsoft.com HTTPS Used for Windows apps to dynamically

sls.update.microsoft.com.nsatc.net TLSv1.2/HTTPS Enables connections to Windows

Update.
star-mini.c10r.facebook.com TLSv1.2 Used for the Facebook Live Tile.

osoft.com apps on the Microsoft Store.
storeedgefd.dsx.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
store-images.s-microsoft.com HTTP Used to get images that are used for

tile-service.weather.microsoft.com HTTP Used to download updates to the

tsfe.trafficshaping.dsp.mp.microsoft.co TLSv1.2 Used for content regulation.

m
v10.vortex-win.data.microsoft.com HTTPS Used to retrieve Windows Insider

Preview builds.
wallet.microsoft.com HTTPS Used by the Microsoft Wallet app.
wallet-frontend-prod- TLSv1.2 Used by the Microsoft Wallet app.

westus.cloudapp.net
*.telemetry.microsoft.com HTTPS Used by Windows Error Reporting.
ceuswatcab01.blob.core.windows.net HTTPS Used by Windows Error Reporting.
eaus2watcab01.blob.core.windows.net HTTPS Used by Windows Error Reporting.
weus2watcab01.blob.core.windows.net HTTPS Used by Windows Error Reporting.
wdcp.microsoft.akadns.net TLSv1.2 Used for Windows Defender when

wildcard.twimg.com TLSv1.2 Used for the Twitter Live Tile.

www.bing.com HTTP Used for updates for Cortana, apps,

and Live Tiles.
www.facebook.com HTTPS Used for the Facebook Live Tile.
www.microsoft.com HTTPS Used for updates for Cortana, apps,

and Live Tiles.
Windows 10 Pro
..akamai.net HTTP Used to download content.
..akamaiedge.net TLSv1.2/HTTP Used to check for updates to maps that

*.a-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.blob.core.windows.net HTTPS Used by Windows Update to update

words used for language input
methods.

of Office apps.
*.dl.delivery.mp.microsoft.com HTTP Enables connections to Windows

Update.
*.dspb.akamaiedge.net TLSv1.2 Used to check for updates to maps that

*.dspg.akamaiedge.net TLSv1.2 Used to check for updates to maps that

*.e-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.login.msa.akadns6.net TLSv1.2 Used for Microsoft accounts to sign in.
*.s-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.telecommand.telemetry.microsoft.com TLSv1.2 Used by Windows Error Reporting.

.akadns.net
*.wac.edgecastcdn.net TLSv1.2 Used by the Verizon Content Delivery



Services (WNS).
*prod.do.dsp.mp.microsoft.com TLSv1.2/HTTPS Used for Windows Update downloads

3.dl.delivery.mp.microsoft.com HTTPS Enables connections to Windows

Update.
3.dl.delivery.mp.microsoft.com.c.footpri HTTP Enables connections to Windows

nt.net Update.
3.tlu.dl.delivery.mp.microsoft.com HTTP Enables connections to Windows

Update.
3.tlu.dl.delivery.mp.microsoft.com.c.foot HTTP Enables connections to Windows

print.net Update.
arc.msn.com HTTPS Used to retrieve Windows Spotlight

metadata.
arc.msn.com.nsatc.net TLSv1.3 Used to retrieve Windows Spotlight

metadata.
au.download.windowsupdate.com HTTPS Used to download operating system

b-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
candycrushsoda.king.com HTTPS Used for Candy Crush Saga updates.
cdn.content.prod.cms.msn.com HTTP Used to retrieve Windows Spotlight

metadata.
cdn.onenote.net HTTPS Used for OneNote Live Tile.
client-office365-tas.msedge.net HTTPS Used to connect to the Office 365

Office.
config.edge.skype.com HTTPS Used to retrieve Skype configuration

values.

cs12.wpc.v0cdn.net HTTP Used by the Verizon Content Delivery

Network to download content for
Windows upgrades with Wireless
Planning and Coordination (WPC).

m.akadns.net Store.


et Preview builds.
definitionupdates.microsoft.com HTTPS Used for Windows Defender definition

updates.
displaycatalog.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
download.windowsupdate.com HTTP Enables connections to Windows

Update.
evoke-windowsservices-tas.msedge.net HTTPS Used by the Photos app to download

configuration files, and to connect to
the Office 365 portal’s shared
infrastructure, including Office.
fe2.update.microsoft.com HTTPS Enables connections to Windows


fe3.delivery.dsp.mp.microsoft.com.nsatc TLSv1.2/HTTPS Enables connections to Windows

fe3.delivery.mp.microsoft.com HTTPS Enables connections to Windows



of Office apps.
fs.microsoft.com HTTPS Used to download fonts on demand
g.live.com HTTP Used by a redirection service to

g.msn.com HTTPS Used to retrieve Windows Spotlight

metadata.
g.msn.com.nsatc.net TLSv1.2 Used to retrieve Windows Spotlight

metadata.
geo-prod.do.dsp.mp.microsoft.com HTTPS Enables connections to Windows

Update.
geover-prod.do.dsp.mp.microsoft.com HTTPS Enables connections to Windows

Update.

gpla1.wac.v2cdn.net HTTP Used for Baltimore CyberTrust Root

traffic. .
img-prod-cms-rt-microsoft- HTTPS Used to download image files that are

com.akamaized.net called when applications run (Microsoft

app licensing.
login.live.com HTTPS Used to authenticate a device.
l-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.


dns.net
msnbot-*.search.msn.com TLSv1.2 Used to retrieve Windows Spotlight

metadata.
oem.twimg.com HTTP Used for the Twitter Live Tile.
oneclient.sfx.ms HTTP Used by OneDrive for Business to

peer1-wst.msedge.net HTTP Used by OfficeHub to get the metadata

of Office apps.
pti.store.microsoft.com HTTPS Used to communicate with Microsoft

Store.
pti.store.microsoft.com.unistore.akadns. HTTPS Used to communicate with Microsoft

net Store.
purchase.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
ris.api.iris.microsoft.com HTTPS Used to retrieve Windows Spotlight

metadata.

sls.update.microsoft.com HTTPS Enables connections to Windows

Update.

osoft.com apps on the Microsoft Store.
storeedgefd.dsx.mp.microsoft.com HTTPS Used to communicate with Microsoft

Store.
store-images.s-microsoft.com HTTPS Used to get images that are used for




m
v10.vortex-win.data.microsoft.com HTTPS Used to retrieve Windows Insider

Preview builds.
wdcp.microsoft.akadns.net HTTPS Used for Windows Defender when

wildcard.twimg.com TLSv1.2 Used for the Twitter Live Tile.

www.bing.com TLSv1.2 Used for updates for Cortana, apps,

and Live Tiles.
www.facebook.com HTTPS Used for the Facebook Live Tile.
www.microsoft.com HTTPS Used for updates for Cortana, apps,

and Live Tiles.
*.a-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.b.akamaiedge.net TLSv1.2 Used to check for updates to maps that


of Office apps.
*.dscb1.akamaiedge.net HTTP Used to check for updates to maps that

*.dscd.akamai.net HTTP Used to download content.
*.dspb.akamaiedge.net TLSv1.2 Used to check for updates to maps that

*.dspw65.akamai.net HTTP Used to download content.
*.e-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.
*.g.akamai.net HTTP Used to download content.
*.g.akamaiedge.net TLSv1.2 Used to check for updates to maps that

*.l.windowsupdate.com HTTP Enables connections to Windows

Update.
*.s-msedge.net TLSv1.2 Used by OfficeHub to get the metadata

of Office apps.

Network to perform Windows updates

Services (WNS).
*prod.do.dsp.mp.microsoft.com TLSv1.2 Used for Windows Update downloads

*prod.do.dsp.mp.microsoft.com.nsatc.n TLSv1.2 Used for Windows Update downloads

et of apps and OS updates.
3.dl.delivery.mp.microsoft.com.c.footpri HTTP Enables connections to Windows

nt.net Update.
3.tlu.dl.delivery.mp.microsoft.com.c.foot HTTP Enables connections to Windows

print.net Update.
a-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
au.download.windowsupdate.com HTTP Used to download operating system

cdn.onenote.net HTTPS Used for OneNote Live Tile.
cds.*.hwcdn.net HTTP Used by the Highwinds Content

updates.
co4.telecommand.telemetry.microsoft.c TLSv1.2 Used by Windows Error Reporting.

om.akadns.net
config.edge.skype.com HTTPS Used to retrieve Skype configuration

values.

cs12.wpc.v0cdn.net HTTP Used by the Verizon Content Delivery

Network to download content for
Windows upgrades with Wireless
Planning and Coordination (WPC).

m.akadns.net Store.


et Preview builds.
dl.delivery.mp.microsoft.com HTTPS Enables connections to Windows

Update.
download.windowsupdate.com HTTP Enables connections to Windows

Update.
evoke-windowsservices- HTTPS Used by the Photos app to download

tas.msedge.net/ab configuration files, and to connect to
the Office 365 portal’s shared
infrastructure, including Office.

fe3.delivery.dsp.mp.microsoft.com.nsatc TLSv1.2 Enables connections to Windows

.net Update.


of Office apps.
g.msn.com.nsatc.net TLSv1.2/HTTP Used to retrieve Windows Spotlight

metadata.
geo- TLSv1.2 Enables connections to Windows

prod.do.dsp.mp.microsoft.com.nsatc.net Update.
geover-prod.do.dsp.mp.microsoft.com HTTPS Enables connections to Windows

Update.

gpla1.wac.v2cdn.net HTTP Used for Baltimore CyberTrust Root

traffic. .
ipv4.login.msa.akadns6.net TLSv1.2 Used for Microsoft accounts to sign in.

app licensing.
login.live.com/* HTTPS Used to authenticate a device.
l-ring.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.


dns.net
msftconnecttest.com/* HTTP Used by Network Connection Status

Indicator (NCSI) to detect Internet
connectivity and corporate network
connectivity status.
msnbot-65-52-108- TLSv1.2 Used to retrieve Windows Spotlight

198.search.msn.com metadata.
oneclient.sfx.ms HTTP Used by OneDrive for Business to

peer1-wst.msedge.net HTTPS Used by OfficeHub to get the metadata

of Office apps.
pti.store.microsoft.com.unistore.akadns. TLSv1.2 Used to communicate with Microsoft

net Store.

sls.update.microsoft.com.nsatc.net TLSv1.2 Enables connections to Windows

Update.


tsfe.trafficshaping.dsp.mp.microsoft.co TLSv1.2 Used for content regulation.

m
| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | |
www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |

General Data Protection Regulation (GDPR) For Windows 10

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

General Data Protection Regulation (GDPR) For Windows 10

Caricato da

Copyright:

Formati disponibili

Contents

GDPR and its implications

Personal and sensitive data

Getting started on the journey towards GDPR compliance

Windows 10 security and privacy

Encryption for lost or stolen devices

Related content for associated Windows 10 solutions

GDPR relationship between a Windows 10 user and Microsoft

Windows services where Microsoft is the processor under the GDPR

Windows Defender ATP

At a glance – Windows 10 services GDPR mode of operations

SERVIC E M IC RO SO F T GDP R M O DE O F O P ERAT IO N

Windows Functional data Controller or Processor*

Windows Diagnostic data Controller

Desktop Analytics Processor

Windows Defender Advanced Threat Detection (ATP) Processor

Table 1: Windows 10 GDPR modes of operations for different Windows 10 services

Windows diagnostic data and Windows 10

Additional information for Desktop Analytics

Controlling Windows 10 data collection and notification about it

Windows 10 Team Edition, Version 1703 for Surface Hub

Windows Security Baselines

Microsoft Trust Center and Service Trust Portal

1. Windows 10 data collection transparency

F EAT URE/ SET T IN G DESC RIP T IO N SUP P O RT IN G C O N T EN T P RIVA C Y STAT EM EN T

Diagnostic Data Microsoft uses Learn more Privacy Statement

Location Get location-based Learn more Privacy Statement

Advertising Id Apps can use advertising ID Learn more Privacy statement

Cortana Cortana is Microsoft’s Learn more Privacy statement

Cortana has powerful

1.2 Data collection monitoring

2. Windows 10 data collection management

DEFA ULT STAT E IF T H E

Speech Group Policy: Off Off

Location Group Policy: Off (Windows 10, version Off

Find my device Group Policy: Off Off

Tailored Experiences Group Policy: Off Off

MDM: Link TBD

Advertising ID Group Policy: Off Off

Activity History/Timeline – Group Policy: Off Off

Cortana Group Policy: Off Off

2.3 Guidance for configuration options

3. The process for exercising data subject rights

4. Cross-border data transfers

5. Related Windows product considerations

Windows diagnostic data

Policy Name Allow Telemetry

Default setting 2 - Enhanced

Group Policy User Configuration\Administrative Templates\Windows

Policy Name Allow Telemetry

Default setting 2 - Enhanced

Registr y key HKLM\Software\Policies\Microsoft\Windows\DataCollection

Registr y key HKCU\Software\Policies\Microsoft\Windows\DataCollection

MDM CSP System

Policy AllowTelemetry (scope: device and user)

Diagnostic opt-in change notifications

Group Policy Computer Configuration\Administrative Templates\Windows

Policy Name Configure telemetry opt-in change notifications

Default setting Enabled

Registr y key HKLM\Software\Policies\Microsoft\Windows\DataCollection

MDM CSP System

Default setting 0 – Enabled

Configure telemetry opt-in setting user interface