Description

Corporate connectivity check will be skipped. Reason: CorpCheckDisabledReason.

Message #

Corporate connectivity check will be skipped. Reason: %1

Fields #

Description

Corporate connectivity check is enabled.

Message #

Corporate connectivity check is enabled

Description

Corporate inside/outside location check will be skipped. Reason: CorpCheckDisabledReason.

Message #

Corporate inside/outside location check will be skipped. Reason: %1

Fields #

Description

Corporate inside/outside location check is enabled.

Message #

Corporate inside/outside location check is enabled

Description

Entered State: Interface_Luid Interface Luid: InterfaceGuid.

Message #

Entered State: %2 Interface Luid: %3

Fields #

Description

Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.

Message #

Transitioning to State: %2 Interface Luid: %3

Fields #

Description

Entered State: Interface_Luid Interface Luid: InterfaceGuid.

Message #

Entered State: %2 Interface Luid: %3

Fields #

Description

Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.

Message #

Transitioning to State: %2 Interface Luid: %3

Fields #

Description

Entered State: Interface_Luid Interface Luid: InterfaceGuid.

Message #

Entered State: %2 Interface Luid: %3

Fields #

Description

Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.

Message #

Transitioning to State: %2 Interface Luid: %3

Fields #

Description

Entered State: Interface_Luid Interface Luid: InterfaceGuid.

Message #

Entered State: %2 Interface Luid: %3

Fields #

Description

Transitioning to State: CurrentOrNextState Interface Luid: IfLuid.

Message #

Transitioning to State: %2 Interface Luid: %3

Fields #

Description

Inside/Outside detection started for interface IfLuid.

Message #

Inside/Outside detection started for interface %3.

Fields #

Description

Inside/Outside detection finished for interface IfLuid (CorporateLocation).

Message #

Inside/Outside detection finished for interface %3 (%4).

Fields #

Description

Windows Firewall Group Policy settings have been updated. Triggering another inside/outside location detection.

Message #

Windows Firewall Group Policy settings have been updated. Triggering another inside/outside location detection

Description

Inside/Outside probe failed for interface Host.

Message #

Inside/Outside probe failed for interface %1.

Error: %6 (%5)
Host: %3/%4
Next retry: %7 second(s).

Fields #

Description

Active Internet Probe started on interface InterfaceGuid.

Message #

Active Internet Probe started on interface %1

Fields #

Description

Active Internet Probe finished on interface InterfaceGuid (Succeeded).

Message #

Active Internet Probe finished on interface %1 (%2)

Fields #

Description

Active Internet Probe (DNS) started on interface InterfaceGuid.

Message #

Active Internet Probe (DNS) started on interface %1

Fields #

Description

Active Internet Probe (DNS) finished on interface InterfaceGuid.

Message #

Active Internet Probe (DNS) finished on interface %1

Fields #

Description

Active Internet Probe (HTTP) started on interface InterfaceGuid.

Message #

Active Internet Probe (HTTP) started on interface %1

Fields #

Description

Active Internet Probe (HTTP) finished on interface InterfaceGuid.

Message #

Active Internet Probe (HTTP) finished on interface %1

Fields #

Description

Active Corp Probe started on interface InterfaceGuid.

Message #

Active Corp Probe started on interface %1

Fields #

Description

Active Corp Probe finished on interface InterfaceGuid (Succeeded).

Message #

Active Corp Probe finished on interface %1 (%2)

Fields #

Description

Active Corp Probe (DNS) started on interface InterfaceGuid.

Message #

Active Corp Probe (DNS) started on interface %1

Fields #

Description

Active Corp Probe (DNS) finished on interface InterfaceGuid.

Message #

Active Corp Probe (DNS) finished on interface %1

Fields #

Description

Active Corp Probe (HTTP) started on interface InterfaceGuid.

Message #

Active Corp Probe (HTTP) started on interface %1

Fields #

Description

Active Corp Probe (HTTP) finished on interface InterfaceGuid.

Message #

Active Corp Probe (HTTP) finished on interface %1

Fields #

Description

Proxy Detection started.

Message #

Proxy Detection started

Description

Proxy Detection stopped (HasProxy=ErrorCode).

Message #

Proxy Detection stopped (HasProxy=%1)

Fields #

Description

Opportunistic Internet flag on interface InterfaceGuid for family Family marked.

Message #

Opportunistic Internet flag on interface %1 for family %2 marked

Fields #

Description

Inside/Outside detection is suspect.

Message #

Inside/Outside detection is suspect

Description

Entered suspect state on interface InterfaceGuid (Family: IfLuid Reason: Family).

Message #

Entered suspect state on interface %2 (Family: %3 Reason: %4)

Fields #

Description

Suspect state cancelled on interface IfLuid (Family: Family).

Message #

Suspect state cancelled on interface %2 (Family: %3)

Fields #

Description

Suspect state expired on interface IfLuid (Family: Family).

Message #

Suspect state expired on interface %2 (Family: %3)

Fields #

Description

Entered corporate suspect state on interface IfLuid.

Message #

Entered corporate suspect state on interface %2

Fields #

Description

Corporate suspect state cancelled on interface IfLuid.

Message #

Corporate suspect state cancelled on interface %2

Fields #

Description

Corporate suspect state expired on interface IfLuid.

Message #

Corporate suspect state expired on interface %2

Fields #

Description

Cancelling hotspot detection scenario for interface InterfaceGuid.

Message #

Cancelling hotspot detection scenario for interface %1

Fields #

Fields #

Description

Starting hotspot detection for family Family on interface IfLuid.

Message #

Starting hotspot detection for family %2 on interface %1

Fields #

Description

Hotspot detected on interface IfLuid (Family: Family).

Message #

Hotspot detected on interface %1 (Family: %2)

Fields #

Description

Hotspot not detected on interface IfLuid (Family: Family).

Message #

Hotspot not detected on interface %1 (Family: %2)

Fields #

Description

Interface ConnectedInterfaceGuid (IfLuid) has been connected.

Message #

Interface %1 (%2) has been connected

Fields #

Description

Interface DisconnectedInterfaceGuid (IfLuid) has been disconnected.

Message #

Interface %1 (%2) has been disconnected

Fields #

Description

Capability change on InterfaceGuid (IfLuid Family: Family Capability: Capability ChangeReason: CapabilityChangeReason).

Message #

Capability change on %1 (%2 Family: %3 Capability: %4 ChangeReason: %5)

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-NCSI",
    "guid": "314DE49F-CE63-4779-BA2B-D616F6963A88",
    "event_source_name": "",
    "event_id": 4042,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387936,
    "time_created": "2023-11-06T06:25:52.980589+00:00",
    "event_record_id": 19,
    "correlation": {
      "ActivityID": "F590C418-1079-0000-E6C4-90F57910DA01"
    },
    "execution": {
      "process_id": 1696,
      "thread_id": 3516
    },
    "channel": "Microsoft-Windows-NCSI/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "InterfaceGuid": "3D03B11E-98A0-4304-84E2-CD3AAE8EFE1D",
    "IfLuid": 1689399649632256,
    "Family": 0,
    "Capability": 2,
    "CapabilityChangeReason": 4,
    "PreviousCapability": 0
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Proxied capability change on ProxiedCapability (InterfaceGuid Family: IfLuid ProxiedCapability: Family).

Message #

Proxied capability change on %1 (%2 Family: %3 ProxiedCapability: %4)

Fields #

Message #

Passive Poll state change (ShouldPassivePollRun: %1 WasPassivePollRunning: %2 IsPassivePollAllowed: %3 ClientPresent: %4 UserPresent: %5 NetworkQuietMode: %6 DeadUserPollCount: %7 DeadNetPollCountV4: %8 DeadNetPollCountV6: %9)

Fields #

Description

NetReady update on NetReady (InterfaceGuid Family: IfLuid NetReady: Family).

Message #

NetReady update on %1 (%2 Family: %3 NetReady: %4)

Fields #

Description

Corporate connectivity change on HasCorporateConnectivity (InterfaceGuid Family: IfLuid HasCorporateConnectivity: Family).

Message #

Corporate connectivity change on %1 (%2 Family: %3 HasCorporateConnectivity: %4)

Fields #

Description

Default gateway is set on GatewayIP (GatewayMAC Family: KnownProxyless GatewayIP: KnownOppInternet GatewayMAC: InterfaceGuid KnownHotspot: IfLuid KnownOppInternet: Family KnownProxiedOppInternet: IpAddressLength).

Message #

Default gateway is set on %1 (%2 Family: %3 GatewayIP: %5 GatewayMAC: %7 KnownHotspot: %8 KnownOppInternet: %9 KnownProxiedOppInternet: %10)

Fields #

Description

Next hop to Internet has changed on HasNextHopToInternet (NextHopAddress Family: InterfaceGuid HasNextHopToInternet: IfLuid NextHopAddress: NextHopAddressLength).

Message #

Next hop to Internet has changed on %1 (%2 Family: %3 HasNextHopToInternet: %4 NextHopAddress: %6)

Fields #

Description

Preferred address change on HasPreferredAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredAddress: IfLuid AddressSuffixOrigins: Family).

Message #

Preferred address change on %1 (%2 Family: %3 HasPreferredAddress: %4 AddressSuffixOrigins: %5)

Fields #

Description

Preferred global address change on HasPreferredGlobalAddress (AddressSuffixOrigins Family: InterfaceGuid HasPreferredGlobalAddress: IfLuid AddressSuffixOrigins: Family).

Message #

Preferred global address change on %1 (%2 Family: %3 HasPreferredGlobalAddress: %4 AddressSuffixOrigins: %5)

Fields #

Description

Active probe result code on interface InterfaceGuid (IfLuid Family: Family) = ActiveProbeResultCode.

Message #

Active probe result code on interface %1 (%2 Family: %3) = %4

Fields #

Description

Interface diagnostic for IPv6_address (IPv4_capability): IPv4 address: IPv6_capability, IPv6 address: IPv4_test_used, IPv4 capability: IPv6_test_used, IPv6 capability: InterfaceGuid, IPv4 test used: IfLuid, IPv6 test used: HasPreferredGlobalAddressIPv4.

Message #

Interface diagnostic for %1 (%2): IPv4 address: %3, IPv6 address: %4, IPv4 capability: %5, IPv6 capability: %6, IPv4 test used: %7, IPv6 test used: %8

Fields #

Fields #

Fields #