Description

Occurs during system startup, shut down, and during onboarding. Normal operating notification; no action required.

Message

Service is starting (Version %1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs when the device is shut down or offboarded. Normal operating notification; no action required.

Message

Service is shutting down.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Service didn't start. Review other messages to determine possible cause and troubleshooting steps.

Message

Windows Defender Advanced Threat Protection service failed to start. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Variable = URL of the Defender for Endpoint processing servers. This URL matches that seen in the Firewall or network activity. Normal operating notification; no action required.

Message

Contacted server %1 times, all succeeded, URI: %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Variable = URL of the Defender for Endpoint processing servers. The service couldn't contact the external processing servers at that URL. Check the connection to the URL. See Configure proxy and Internet connectivity.

Message

Contacted server %1 times, all failed, URI: %2. Last HTTP error code: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device didn't onboard correctly and isn't reporting to the portal. Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices.

Message

Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Variable = detailed error description. The device didn't onboard correctly and isn't reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices.

Message

Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. Onboarding: No action required. Offboarding: Reboot the system. See Onboard client devices.

Message

Service failed to clean configuration settings.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

During onboarding: The device didn't onboard correctly and isn't reporting to the portal. During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices.

Message

Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device didn't onboard correctly and isn't reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device onboarded correctly. Normal operating notification; no action required. It might take several hours for the device to appear in the portal.

Message

Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Service was unable to apply the default configuration. This error should resolve after a short period of time.

Message

New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Also failed to apply the default configuration.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Normal operating process. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection machine ID calculated: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Windows Defender Advanced Threat Protection cannot calculate machine ID. Failure code: %1

Fields

Description

Variable = URL of the Defender for Endpoint processing servers. The service couldn't contact the external processing servers at that URL. Check the connection to the URL. See Configure proxy and Internet connectivity.

Message

Windows Defender Advanced Threat Protection cannot start command channel with URL: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Service will only start after any Windows updates have finished installing. Normal operating notification; no action required.

Message

OOBE (Windows Welcome) is completed.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Service will only start after any Windows updates finish installing. Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have full installed.

Message

OOBE (Windows Welcome) has not yet completed.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Internal error. If this error persists after a system restart, ensure all Windows updates are installed.

Message

Cannot wait for OOBE (Windows Welcome) to complete. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device didn't onboard correctly. It reports to the portal; however, the service might not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

Service failed to reset health status in the registry. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device didn't onboard correctly. It reports to the portal; however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS. Ensure real-time antimalware protection is running properly.

Message

Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

Connected User Experiences and Telemetry service registration failed with failure code: %1. Requested disk quota in MB: %2, Requested daily upload quota in MB: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

This event occurs when the system can't read the offboarding parameters. Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package isn't expired.

Message

Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Normally, Microsoft Defender Antivirus enters a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Defender for Endpoint. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS. Ensure real-time antimalware protection is running properly.

Message

Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred with the Windows telemetry service during onboarding. The offboarding process continues. Check for errors with the Windows telemetry service.

Message

Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred during offboarding. Reboot the device.

Message

Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

A unique identifier is used to represent each device that is reporting to the portal. If the identifier doesn't persist, the same device might appear twice in the portal. Check registry permissions on the device to ensure the service can update the registry.

Message

Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Variable = disk quota in MB. Normal operating notification; no action required.

Message

Communication quotas are updated. Disk quota in MB: %1, daily upload quota in MB: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Registering Defender for Endpoint with the Connected User Experiences and Telemetry service completed successfully. Normal operating notification; no action required.

Message

Connected User Experiences and Telemetry service registration succeeded with completion code: %1. Requested disk quota in MB: %2, requested daily upload quota in MB: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device is near its allocated quota of the current 24-hour window. It's about to be throttled. Normal operating notification; no action required.

Message

Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device is using a metered/paid network and contacts the server less frequently. Normal operating notification; no action required.

Message

Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. Metered connection: %2, internet available: %3, free network available: %4, proxy is defined by GP: %5.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device isn't using a metered/paid connection and contacts the server as usual. Normal operating notification; no action required.

Message

Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. Metered connection: %2, internet available: %3, free network available: %4, proxy is defined by GP: %5.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device has low battery level and contacts the server less frequently. Normal operating notification; no action required.

Message

Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. AC state: %2, battery saver mode : %3, battery low state: %4, battery critical state: %5

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device doesn't have low battery level and contacts the server as usual. Normal operating notification; no action required.

Message

Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. AC state: %2, battery saver mode : %3, battery low state: %4, battery critical state: %5

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Internal error. The service failed to start. If this error persists, contact Support.

Message

Component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Internal error. The service failed to start. If this error persists, contact Support.

Message

Component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The service was offboarded. Normal operating notification; no action required.

Message

Offboarding of Windows Defender Advanced Threat Protection service completed.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred on service startup while creating ETW session. This caused service start-up failure. If this error persists, contact Support.

Message

Failed to register and to start the event trace session [%1]. Error code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An error occurred on service startup while creating ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts. Normal operating notification; no action required. The service tries to start the session every minute.

Message

Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

This event follows the previous event after successfully starting of the ETW session. Normal operating notification; no action required.

Message

Successfully registered and started the event trace session - recovered after previous failed attempts.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to add a provider to ETW session. As a result, the provider events aren't reported. Check the error code. If the error persists contact Support.

Message

Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Received an invalid configuration file from the cloud service that was ignored. If this error persists, contact Support.

Message

Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Successfully applied a new configuration from the cloud service. Normal operating notification; no action required.

Message

New cloud configuration applied successfully. Version: %1.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Received a bad configuration file from the cloud service. Last known good configuration was applied successfully. If this error persists, contact Support.

Message

New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Received a bad configuration file from the cloud service. Failed to apply the last known good configuration - and the default configuration was applied. The service will attempt to download a new configuration file within 5 minutes. If you don't see event #50 - contact Support.

Message

New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The configuration was loaded from persistent storage on service startup. Normal operating notification; no action required.

Message

Cloud configuration loaded from persistent storage, version: %1.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Global (per-pattern) state changed. State: %1, pattern: %2

Fields

Description

Failed to create the secure ETW logger. Reboot the device. If this error persists, contact Support.

Message

Failed to create the Secure ETW autologger. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to remove the secure ETW session on offboarding. Contact Support.

Message

Failed to remove the Secure ETW autologger. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An investigation package, also known as forensics package, is being collected. Normal operating notification; no action required.

Message

Capturing a snapshot of the machine for troubleshooting purposes.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Starting response command execution. Normal operating notification; no action required.

Message

Starting command: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to execute response command. If this error persists, contact Support.

Message

Failed to run command %1, error: %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to read or parse the data collection command arguments (invalid arguments). If this error persists, contact Support.

Message

Data collection command parameters are invalid: SasUri: %1, compressionLevel: %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Connected User Experiences and Telemetry (diagtrack) service failed to start. Non-Microsoft Defender for Endpoint telemetry isn't sent from this machine. Look for more troubleshooting hints in the event log: Microsoft-Windows-UniversalTelemetryClient/Operational.

Message

Failed to start Connected User Experiences and Telemetry service. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Updated start type of the external service. Normal operating notification; no action required.

Message

Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Starting an external service. Normal operating notification; no action required.

Message

Starting stopped external service. Name: %1, exit code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to load MsSecFlt.sys filesystem minifilter. Reboot the device. If this error persists, contact Support.

Message

Failed to load Microsoft Security Events Component Minifilter driver. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The C&C connection frequency policy was updated. Normal operating notification; no action required.

Message

Policy update: Latency mode - %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Contacted server %1 times, failed %2 times and succeeded %3 times. URI: %4. Last HTTP error code: %5

Fields

Description

Unexpected external service start type. Fix the external service start type.

Message

The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The external service is stopped. Start the external service.

Message

The service is stopped. Service name: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The sample collection policy was updated. Normal operating notification; no action required.

Message

Policy update: Allow sample collection - %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The command was executed successfully. Normal operating notification; no action required.

Message

Succeeded to run command: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Informational only. Normal operating notification; no action required.

Message

Tried to send first full machine profile report. Result code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Informational only. Normal operating notification; no action required.

Message

Sense starting for platform: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The device tag exceeds the length limit. Use a shorter device tag.

Message

Device tag in registry exceeds length limit. Tag name: %2. Length limit: %1.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Device tag name in registry exceeds length limit. Tag name: %2. Length limit: %1.

Fields

Message

Number of customer tags in registry exceeds limit. Limit: %1 tags.

Fields

Message

Successfully applied protection on Connected User Experiences and Telemetry service

Message

Successfully removed protection from Connected User Experiences and Telemetry service

Message

Failed to apply protection on Connected User Experiences and Telemetry service. Failure code: %1

Fields

Message

Failed to remove protection from Connected User Experiences and Telemetry service. Failure code: %1

Fields

Description

Failed to create the ETW session. Reboot the device. If this error persists, contact Support.

Message

Failed to create Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to delete the ETW session. Contact Support.

Message

Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Cyber event may be dropped because its size [%1 bytes] exceeded max size [%2 bytes] or close to it.

Fields

Description

Set defender running mode (active or passive). Normal operating notification; no action required.

Message

Set Windows Defender Antivirus running mode. Force passive mode: %1, result code: %2.

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Starring SenseIR executable failed. Reboot the device. If this error persists, contact Support.

Message

Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Starting the external service again. Normal operating notification; no action required.

Message

Starting again stopped external service that should be up. Name: %1, exit code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to start the external service. Contact Support.

Message

Cannot start the external service. Name: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Updated the start type of the external service. Normal operating notification; no action required.

Message

Updating the start type of external service again. Name: %1, actual start type: %2, expected start type: %3, exit code: %4

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Can't update the start type of the external service. Contact Support.

Message

Cannot update the start type of external service. Name: %1, actual start type: %2, expected start type: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

System Guard Runtime Monitor doesn't send attestation data to the cloud service. Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.

Message

Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

System Guard Runtime Monitor doesn't send attestation data to the cloud service. Check the permissions on register path: "HKLM\Software\Microsoft\Windows\CurrentVersion\Sgrm". If no issues spotted, contact Support.

Message

Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Exceed throttling limit. Normal operating notification; no action required.

Message

Stopping sending sensor cyber data quota because data quota is exceed. Will resume sending once quota period passes. State Mask: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Resume cyber data submission. Normal operating notification; no action required.

Message

Resuming sending sensor cyber data. State Mask: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The SenseCE executable has started. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection Classification Engine executable has started

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The SenseCE executable has ended. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection Classification Engine executable has ended

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The SenseCE executable has called MCE initialization. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection Classification Engine Init has called. Result code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

There are network connectivity issues that affect the DLP classification flow. Check the network connectivity.

Message

There are connectivity issues to the Cloud for the DLP scenario

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The connectivity to the network was restored and the DLP classification flow can continue. Normal operating notification; no action required.

Message

The connectivity to the Cloud for the DLP scenario has been restored

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

A communication error occurred. Check the following events in the event log for further details.

Message

Sense has encoutered the following error while communicating with server: (%1). Result: (%2)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The SenseCE executable has failed to start. Reboot the device. If this error persists, contact Support.

Message

Windows Defender Advanced Threat Protection Classification Engine executable failed to start. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start. Failure code: %1

Fields

Description

The SenseNdr executable has started. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection Network Detection and Response executable has started

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The SenseNdr executable has ended. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection Network Detection and Response executable has ended

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during offboarding. Normal operating notification; no action required.

Message

Failed to queue asynchronous driver unload. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during offboarding. Normal operating notification; no action required.

Message

Failed to wait for driver unload.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during startup. Contact support.

Message

Windows Defender Advanced Threat Protection service failed to start. Failure code %1 ; Failed to load MsSense DLL Module

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during startup. Contact support.

Message

Windows Defender Advanced Threat Protection service failed to start. Failure code %1 ; Issue with MsSense DLL Module

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during update. Normal operating notification; no action required.

Message

Update phase:%1, new platform version: %2, message: %3

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during update. Contact support.

Message

Update phase:%1 new platform version: %2, failure message: %3, error: %4

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during offboarding. Contact support.

Message

Failed to remove MDEContain WFP filters

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Failed to Leave SecurityManagement. Failure code: %1

Fields

Message

MsSecFlt.sys kernel service failed to request to stop itself after offboarding process. Failure code: %1

Fields

Message

MsSecFlt.sys kernel service has successfully started.

Message

MsSecFlt.sys kernel service failed to start.

Message

MsSecWfp.sys kernel service has successfully started.

Message

MsSecWfp.sys kernel service failed to start.

Message

%1: Failed to modify service object trust label. Failure code: %2

Fields

Message

Update phase:%1, new platform version: %2, success message: %3

Fields

Message

Windows Defender Advanced Threat Protection service failed to remove its failure actions. Failure code: %1

Fields

Message

EventTraker Event data: (%1)

Fields

Message

Info message: %1

Fields

Message

Update phase:%1 new platform version: %2, warning message: %3

Fields

Message

Update error message: %5, Additional parameters: %1: %2, %3: %4, error message: %6

Fields

Message

Windows Defender Advanced Threat Protection Trace Event Monitor executable has started

Message

Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended

Message

Windows Defender Advanced Threat Protection Trace Event Monitor executable failed to start. Failure code: %1

Fields

Message

Windows Defender Advanced Threat Protection Dlp Processor executable failed to start. Failure code: %1

Fields

Message

Windows Defender Advanced Threat Protection Dlp Processor executable has started

Message

Windows Defender Advanced Threat Protection Dlp Processor executable has ended

Message

Received DLP policy type: %1. Policy Hash: %2, Timestamp: %3

Fields

Message

Completed processing DLP policy type: %1. Policy Hash: %2, Timestamp: %3

Fields

Message

Failed to process DLP policy type: %1. Policy Hash: %2, Timestamp: %3. Exception: %4 [%5]

Fields

Message

Ignore DLP policy type: %1 at %2 due to Data Loss Prevention feature currently disabled.

Fields

Message

Offboarding blob is revoked via configuration. Blob Sha 256: %1.

Fields

Message

Offboarding is blocked for blob with Epoch: %1 , BlobSha256: %2.

Fields

Message

Windows Defender Advanced Threat Protection Session Recorder executable has started

Message

Windows Defender Advanced Threat Protection Session Recorder executable has ended

Message

Windows Defender Advanced Threat Protection Session Recorder init has called from user session %1

Fields

Message

Windows Defender Advanced Threat Protection Session Recorder executable failed to start from user session %1. Failure code: %2

Fields

Message

Windows Defender Advanced Threat Protection Session Recorder user session logon event for session id: %1, session name: %2

Fields

Message

Windows Defender Advanced Threat Protection Session Recorder user session logoff event for session id: %1

Fields

Message

Windows Defender Advanced Threat Protection Session Recorder user session unlock event for session id: %1

Fields

Description

Occurs during onboarding. Contact support.

Message

Failed to update driver permissions Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during onboarding. Contact support.

Message

Failed to ACL on Folder %1 Failure code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id %1 of event log channel: %2, with provider: %3. Event data will not be collected until next reboot.

Fields

Message

Failed to store cloud configuration. Failure code: %1

Fields

Message

Windows Defender Advanced Threat Protection service failed to create certificate. Failure code: %1

Fields

Description

Failed to create crypto key. If machine isn't reporting, contact support. Otherwise, no action required.

Message

Windows Defender Advanced Threat Protection service failed to generate key. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to persist authentication state. If a device isn't reporting, contact support. Otherwise, no action required.

Message

Windows Defender Advanced Threat Protection service failed to persist authentication state. State: %1, Failure code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Successful registration to authentication service. Normal operating notification; no action required.

Message

Registration of device by Windows Defender Advanced Threat Protection service completed.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Successful crypto key generation. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection service successfully generated a key.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to send request to authentication service. Normal operating notification; no action required.

Message

Failed to communicate with authentication service. %1 request failed, hresult: %2,  HTTP error code: %3 .

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Request returned undesired response. Normal operating notification; no action required.

Message

Request for %1 rejected by authentication service. Hresult: %2, error code: %3 .

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to sign request. Normal operating notification; no action required.

Message

Windows Defender Advanced Threat Protection service failed to sign message (authentication). Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to persist authentication state. If a device isn't reporting, contact support. Otherwise, no action required.

Message

Windows Defender Advanced Threat Protection service failed to remove persist authentication state. State: %1, Failure code: %2

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to open crypto key. If a device isn't reporting, contact support. Otherwise, no action required.

Message

Windows Defender Advanced Threat Protection service failed to open key. Failure code: %1

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Occurs during reonboarding. Normal operating notification; no action required.

Message

Registration is required as part of re-onboarding of Windows Defender Advanced Threat Protection service.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Cyber upload temporarily suspended. Normal operating notification; no action required.

Message

Cyber telemetry upload has been suspended for Windows Defender Advanced Threat Protection service due to invalid/expired token.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Cyber upload successfully resumed. Normal operating notification; no action required.

Message

Cyber telemetry upload been resumed for Windows Defender Advanced Threat Protection service due to newly refreshed token.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Message

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id {UInt1} of event log channel: {Message1}. Event data will not be collected until next reboot.

Fields

Message

Key rotation of device by Windows Defender Advanced Threat Protection service completed.

Message

Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.

Message

EventTraker Event data: (%1)

Fields

Message

Windows Defender Advanced Threat Protection service opened key successfully.

Message

Windows Defender Advanced Threat Protection service certificate creation completed successfully.

Message

Windows Defender Advanced Threat Protection service authentication request signing completed successfully.

Message

Rename of device by Windows Defender Advanced Threat Protection service completed.

Message

Windows Defender Advanced Threat Protection orchestrator failed to perform: %1. Identifier: %2. HRESULT: %3.

Fields

Message

Windows Defender Advanced Threat Protection orchestrator performed: %1 successfully. Identifier: %2.

Fields

Description

An operation of Get is about to start. Contact support.

Message

CSP: Get Node's Value. NodeId: (%1), TokenName: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An operation of Get has failed. Contact support.

Message

CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An operation of Get has succeeded. Contact support.

Message

CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Last time the device communicated with CNC. Normal operating notification; no action required.

Message

CSP: Get Last Connected value complete. Result (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

The org ID device get during onboarding. Normal operating notification; no action required.

Message

CSP: Get Org ID value complete. Result: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Sense running message after onboarding. Normal operating notification; no action required.

Message

CSP: Get Sense Is Running value complete. Result: (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get is Sense onboarded. Normal operating notification; no action required.

Message

CSP: Get Onboarding State value complete. Result: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get is Sense onboarded and onboarding blob hash. Normal operating notification; no action required.

Message

CSP: Get Onboarding value complete. Onboarding Blob Hash: (%1), IsDefault: (%2), Onboarding State: (%3), Onboarding State IsDefault: (%4)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get offboarding blob hash. Normal operating notification; no action required.

Message

CSP: Get Offboarding value complete. Offboarding Blob Hash: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get is sample upload is allowed. Normal operating notification; no action required.

Message

CSP: Get Sample Sharing value complete. Result: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Started onboarding flow. Normal operating notification; no action required.

Message

CSP: Onboarding process. Started.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Deleted offboarding blob as part of onboarding flow. Normal operating notification; no action required.

Message

CSP: Onboarding process. Delete Offboarding blob complete. Result: (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Wrote onboarding blob to registry as part of onboarding flow. Normal operating notification; no action required.

Message

CSP: Onboarding process. Write Onboarding blob complete. Result: (%1)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Started Sense service as part of onboarding flow. Normal operating notification; no action required.

Message

CSP: Onboarding process. The service started successfully.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Finished waiting for Sense to start as part of onboarding flow. Normal operating notification; no action required.

Message

CSP: Onboarding process. Pending service running state complete. Result: (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Set sample sharing value. Normal operating notification; no action required.

Message

CSP: Set Sample Sharing value complete. Previous Value: (%1), IsDefault: (%2), New Value: (%3), Result: (%4).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Deleted onboarding blob as part of offboarding flow. Normal operating notification; no action required.

Message

CSP: Offboarding process. Delete Onboarding blob complete. Result (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Wrote offboarding blob to registry as part of offboarding flow. Normal operating notification; no action required.

Message

CSP: Offboarding process. Write Offboarding blob complete. Result (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An operation of Set is about to start. Normal operating notification; no action required.

Message

CSP: Set Node's Value started. NodeId: (%1), TokenName: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An operation of Set has failed. Contact support.

Message

CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

An operation of Set has succeeded. Normal operating notification; no action required.

Message

CSP: Set Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Start setting the value of TelemetryReportingFrequency. Normal operating notification; no action required.

Message

CSP: Set Telemetry Reporting Frequency started. New value: (%1).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Finish setting the value of TelemetryReportingFrequency. Normal operating notification; no action required.

Message

CSP: Set Telemetry Reporting Frequency complete. Previous value: (%1), IsDefault: (%2), New value: (%3), Result: (%4).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Gets the value of TelemetryReportingFrequency. Normal operating notification; no action required.

Message

CSP: Get Telemetry Reporting Frequency complete. Value: (%1), Registry Value: (%2), IsDefault: (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Got groupIds from registry. Normal operating notification; no action required.

Message

CSP: Get Group Ids complete. Value: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Failed to set groupIds due to length. Normal operating notification; no action required.

Message

CSP: Set Group Ids exceeded allowed limit. Allowed: (%1), Actual: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Set groupIds. Normal operating notification; no action required.

Message

CSP: Set Group Ids complete. Value: (%1), Result: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Trace values as part of onboarding. Normal operating notification; no action required.

Message

CSP: Onboarding process. Service is running: (%1), Previous Onboarding Blob Hash: (%2), IsDefault: (%3), Onboarding State: (%4), Onboarding State IsDefault: (%5), New Onboarding Blob Hash: (%6)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Trace values as part of offboarding. Normal operating notification; no action required.

Message

CSP: Onboarding process. Service is running: (%1), Previous Offboarding Blob Hash: (%2), IsDefault: (%3), Onboarding State: (%4), Onboarding State IsDefault: (%5), New Offboarding Blob Hash: (%6)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Invalid value for SampleSharing operation. Contact support.

Message

CSP: Failed to Set Sample Sharing Value. Requested Value: (%1), Allowed Values between (%2) and (%3).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Setting the value of TelemetryReportingFrequency failed. Contact support if problem persists.

Message

CSP: Failed to Set Telemetry Reporting Frequency Value. Requested Value: (%1)

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get SenseIsRunning result. Normal operating notification; no action required.

Message

CSP: Get Sense is running. Service is configured as delay-start, and hasn't started yet.

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get DeviceTagging Group from registry completed. Normal operating notification; no action required.

Message

CSP: Get Device Tagging Group complete. Value: (%1), IsDefault: (%2).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get DeviceTagging Criticality from registry completed. Normal operating notification; no action required.

Message

CSP: Get Device Tagging Criticality value complete. In Registry: (%1), IsDefault: (%2), Conversion Succeeded: (%3), Result: (%4).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Get DeviceTagging Id Method from registry completed. Normal operating notification; no action required.

Message

CSP: Get Device Tagging Identification Method value complete. In Registry: (%1), IsDefault: (%2), Conversion Succeeded: (%3), Result: (%4).

Fields

References

• Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Description

Set DeviceTagging Group in registry completed. Normal operating notification; no action required.

Message