Microsoft-Windows-SENSE

211 events across 1 channel

Event ID	Title	Channel
1	Service is starting (Version parameter).	Operational
2	Service is shutting down.	Operational
3	Windows Defender Advanced Threat Protection service failed to start.	Operational
4	Contacted server UInt1 times, all succeeded, URI: Message1.	Operational
5	Contacted server UInt1 times, all failed, URI: Message1.	Operational
6	Windows Defender Advanced Threat Protection service is not onboarded and no …	Operational
7	Windows Defender Advanced Threat Protection service failed to read the …	Operational
8	Service failed to clean configuration settings.	Operational
9	Windows Defender Advanced Threat Protection service failed to change its start …	Operational
10	Windows Defender Advanced Threat Protection service failed to persist the …	Operational
11	Onboarding or re-onboarding of Windows Defender Advanced Threat Protection …	Operational
12	New cloud configuration failed to apply, version: parameter1.	Operational
13	Windows Defender Advanced Threat Protection machine ID calculated: parameter.	Operational
14	Windows Defender Advanced Threat Protection cannot calculate machine ID.	Operational
15	Windows Defender Advanced Threat Protection cannot start command channel with …	Operational
17	Windows Defender Advanced Threat Protection service failed to change the …	Operational
18	OOBE (Windows Welcome) is completed.	Operational
19	OOBE (Windows Welcome) has not yet completed.	Operational
20	Cannot wait for OOBE (Windows Welcome) to complete.	Operational
25	Service failed to reset health status in the registry.	Operational
26	Windows Defender Advanced Threat Protection service failed to set the onboarding …	Operational
27	Failed to enable Windows Defender Advanced Threat Protection mode in Windows …	Operational
28	Connected User Experiences and Telemetry service registration failed with …	Operational
29	Failed to read the offboarding parameters.	Operational
30	Failed to disable Windows Defender Advanced Threat Protection mode in Windows …	Operational
31	Windows Defender Advanced Threat Protection Connected User Experiences and …	Operational
32	Windows Defender Advanced Threat Protection service failed to request to stop …	Operational
33	Windows Defender Advanced Threat Protection service failed to persist SENSE …	Operational
34	Microsoft Defender for Endpoint service failed to add itself as a dependency on …	Operational
35	Communication quotas are updated.	Operational
36	Connected User Experiences and Telemetry service registration succeeded with …	Operational
37	Module: Module, Quota: {module} {quotaValue}, Percentage of quota utilization: …	Operational
38	Network connection is identified as low.	Operational
39	Network connection is identified as normal.	Operational
40	Battery state is identified as low.	Operational
41	Battery state is identified as normal.	Operational
42	Component failed to perform action.	Operational
43	Component failed to perform action.	Operational
44	Offboarding of Windows Defender Advanced Threat Protection service completed.	Operational
45	Failed to register and to start the event trace session [TraceSessionName].	Operational
46	Failed to register and start the event trace session [TraceSessionName] due to …	Operational
47	Successfully registered and started the event trace session - recovered after …	Operational
48	Failed to add a provider [ProviderId] to event trace session [TraceSessionName].	Operational
49	Invalid cloud configuration command received and ignored.	Operational
50	New cloud configuration applied successfully.	Operational
51	New cloud configuration failed to apply, version: parameter1.	Operational
52	New cloud configuration failed to apply, version: parameter1.	Operational
53	Cloud configuration loaded from persistent storage, version: parameter.	Operational
54	Global (per-pattern) state changed.	Operational
55	Failed to create the Secure ETW autologger.	Operational
56	Failed to remove the Secure ETW autologger.	Operational
57	Capturing a snapshot of the machine for troubleshooting purposes.	Operational
59	Starting command: parameter.	Operational
60	Failed to run command CommandName, error: HRESULT.	Operational
61	Data collection command parameters are invalid: SasUri: SasUri, …	Operational
62	Failed to start Connected User Experiences and Telemetry service.	Operational
63	Updating the start type of external service.	Operational
64	Starting stopped external service.	Operational
65	Failed to load Microsoft Security Events Component Minifilter driver.	Operational
66	Policy update: Latency mode - parameter.	Operational
67	Contacted server Last_HTTP_error_code times, failed UInt1 times and succeeded …	Operational
68	The start type of the service is unexpected.	Operational
69	The service is stopped.	Operational
70	Policy update: Allow sample collection - UInt1.	Operational
71	Succeeded to run command: parameter.	Operational
72	Tried to send first full machine profile report.	Operational
73	Sense starting for platform: platformBitMask.	Operational
74	Device tag in registry exceeds length limit.	Operational
75	Device tag name in registry exceeds length limit.	Operational
76	Number of customer tags in registry exceeds limit.	Operational
77	Successfully applied protection on Connected User Experiences and Telemetry …	Operational
78	Successfully removed protection from Connected User Experiences and Telemetry …	Operational
79	Failed to apply protection on Connected User Experiences and Telemetry service.	Operational
80	Failed to remove protection from Connected User Experiences and Telemetry …	Operational
81	Failed to create Windows Defender Advanced Threat Protection ETW autologger.	Operational
82	Failed to remove Windows Defender Advanced Threat Protection ETW autologger.	Operational
83	Cyber event may be dropped because its size [RealValue bytes] exceeded max size …	Operational
84	Set Windows Defender Antivirus running mode.	Operational
85	Failed to trigger Windows Defender Advanced Threat Protection Incident Response …	Operational
86	Starting again stopped external service that should be up.	Operational
87	Cannot start the external service.	Operational
88	Updating the start type of external service again.	Operational
89	Cannot update the start type of external service.	Operational
90	Failed to configure System Guard Runtime Monitor to connect to cloud service in …	Operational
91	Failed to remove System Guard Runtime Monitor geo-region information.	Operational
92	Stopping sending sensor cyber data quota because data quota is exceed.	Operational
93	Resuming sending sensor cyber data.	Operational
94	Windows Defender Advanced Threat Protection Classification Engine executable has …	Operational
95	Windows Defender Advanced Threat Protection Classification Engine executable has …	Operational
96	Windows Defender Advanced Threat Protection Classification Engine Init has …	Operational
97	There are connectivity issues to the Cloud for the DLP scenario	Operational
98	The connectivity to the Cloud for the DLP scenario has been restored	Operational
99	Sense has encoutered the following error while communicating with server: …	Operational
100	Windows Defender Advanced Threat Protection Classification Engine executable …	Operational
101	Windows Defender Advanced Threat Protection Network Detection and Response …	Operational
102	Windows Defender Advanced Threat Protection Network Detection and Response …	Operational
103	Windows Defender Advanced Threat Protection Network Detection and Response …	Operational
104	Failed to queue asynchronous driver unload.	Operational
105	Failed to wait for driver unload.	Operational
106	Windows Defender Advanced Threat Protection service failed to start.	Operational
107	Windows Defender Advanced Threat Protection service failed to start.	Operational
108	Update phase:Update_phase, new platform version: new_platform_version, message: …	Operational
109	Update phase:Update_phase new platform version: new_platform_version, failure …	Operational
110	Failed to remove MDEContain WFP filters	Operational
111	Failed to Leave SecurityManagement.	Operational
112	MsSecFlt.	Operational
113	MsSecFlt.	Operational
114	MsSecFlt.	Operational
115	MsSecWfp.	Operational
116	MsSecWfp.	Operational
117	Message1: Failed to modify service object trust label.	Operational
118	Update phase:Update_phase, new platform version: new_platform_version, success …	Operational
119	Windows Defender Advanced Threat Protection service failed to remove its failure …	Operational
120	EventTraker Event data: (parameter).	Operational
121	Info message: Info_message.	Operational
122	Update phase:Update_phase new platform version: new_platform_version, warning …	Operational
123	Update error message: message, Additional parameters: valueName1: value1, …	Operational
124	Windows Defender Advanced Threat Protection Trace Event Monitor executable has …	Operational
125	Windows Defender Advanced Threat Protection Trace Event Monitor executable has …	Operational
126	Windows Defender Advanced Threat Protection Trace Event Monitor executable …	Operational
127	Windows Defender Advanced Threat Protection Dlp Processor executable failed to …	Operational
128	Windows Defender Advanced Threat Protection Dlp Processor executable has started	Operational
129	Windows Defender Advanced Threat Protection Dlp Processor executable has ended	Operational
130	Received DLP policy type: Received_DLP_policy_type.	Operational
131	Completed processing DLP policy type: Completed_processing_DLP_policy_type.	Operational
132	Failed to process DLP policy type: CommandType.	Operational
133	Ignore DLP policy type: Ignore_DLP_policy_type at CommandType due to Data Loss …	Operational
134	Offboarding blob is revoked via configuration.	Operational
135	Offboarding is blocked for blob with Epoch: BlobEpoch , BlobSha256: BlobSha256.	Operational
300	Windows Defender Advanced Threat Protection Session Recorder executable has …	Operational
301	Windows Defender Advanced Threat Protection Session Recorder executable has …	Operational
302	Windows Defender Advanced Threat Protection Session Recorder init has called …	Operational
303	Windows Defender Advanced Threat Protection Session Recorder executable failed …	Operational
304	Windows Defender Advanced Threat Protection Session Recorder user session logon …	Operational
305	Windows Defender Advanced Threat Protection Session Recorder user session logoff …	Operational
306	Windows Defender Advanced Threat Protection Session Recorder user session unlock …	Operational
307	Failed to update driver permissions Failure code: HRESULT.	Operational
308	Failed to ACL on Folder Message1 Failure code: HRESULT.	Operational
309	Windows Defender Advanced Threat Protection Network Detection and Response …	Operational
310	Failed to store cloud configuration.	Operational
400	Windows Defender Advanced Threat Protection service failed to create …	Operational
401	Windows Defender Advanced Threat Protection service failed to generate key.	Operational
402	Windows Defender Advanced Threat Protection service failed to persist …	Operational
403	Registration of device by Windows Defender Advanced Threat Protection service …	Operational
404	Windows Defender Advanced Threat Protection service successfully generated a …	Operational
405	Failed to communicate with authentication service.	Operational
406	Request for error_code rejected by authentication service.	Operational
407	Windows Defender Advanced Threat Protection service failed to sign message …	Operational
408	Windows Defender Advanced Threat Protection service failed to remove persist …	Operational
409	Windows Defender Advanced Threat Protection service failed to open key.	Operational
410	Registration is required as part of re-onboarding of Windows Defender Advanced …	Operational
411	Cyber telemetry upload has been suspended for Windows Defender Advanced Threat …	Operational
412	Cyber telemetry upload been resumed for Windows Defender Advanced Threat …	Operational
413	Windows Defender Advanced Threat Protection Network Detection and Response …	Operational
414	Key rotation of device by Windows Defender Advanced Threat Protection service …	Operational
415	Authentication initialization for Windows Defender Advanced Threat Protection …	Operational
416	EventTraker Event data: (parameter).	Operational
417	Windows Defender Advanced Threat Protection service opened key successfully.	Operational
418	Windows Defender Advanced Threat Protection service certificate creation …	Operational
419	Windows Defender Advanced Threat Protection service authentication request …	Operational
420	Rename of device by Windows Defender Advanced Threat Protection service …	Operational
500	Windows Defender Advanced Threat Protection orchestrator failed to perform: …	Operational
501	Windows Defender Advanced Threat Protection orchestrator performed: UInt1 …	Operational
1800	CSP: Get Node's Value.	Operational
1801	CSP: Failed to Get Node's Value.	Operational
1802	CSP: Get Node's Value complete.	Operational
1803	CSP: Get Last Connected value complete.	Operational
1804	CSP: Get Org ID value complete.	Operational
1805	CSP: Get Sense Is Running value complete.	Operational
1806	CSP: Get Onboarding State value complete.	Operational
1807	CSP: Get Onboarding value complete.	Operational
1808	CSP: Get Offboarding value complete.	Operational
1809	CSP: Get Sample Sharing value complete.	Operational
1810	CSP: Onboarding process.	Operational
1811	CSP: Onboarding process.	Operational
1812	CSP: Onboarding process.	Operational
1813	CSP: Onboarding process.	Operational
1814	CSP: Onboarding process.	Operational
1815	CSP: Set Sample Sharing value complete.	Operational
1816	CSP: Offboarding process.	Operational
1817	CSP: Offboarding process.	Operational
1818	CSP: Set Node's Value started.	Operational
1819	CSP: Failed to Set Node's Value.	Operational
1820	CSP: Set Node's Value complete.	Operational
1821	CSP: Set Telemetry Reporting Frequency started.	Operational
1822	CSP: Set Telemetry Reporting Frequency complete.	Operational
1823	CSP: Get Telemetry Reporting Frequency complete.	Operational
1824	CSP: Get Group Ids complete.	Operational
1825	CSP: Set Group Ids exceeded allowed limit.	Operational
1826	CSP: Set Group Ids complete.	Operational
1827	CSP: Onboarding process.	Operational
1828	CSP: Onboarding process.	Operational
1829	CSP: Failed to Set Sample Sharing Value.	Operational
1830	CSP: Failed to Set Telemetry Reporting Frequency Value.	Operational
1831	CSP: Get Sense is running.	Operational
1832	CSP: Get Device Tagging Group complete.	Operational
1833	CSP: Get Device Tagging Criticality value complete.	Operational
1834	CSP: Get Device Tagging Identification Method value complete.	Operational
1835	CSP: Set Device Tagging Group complete.	Operational
1836	CSP: Set Device Tagging Group exceeded allowed limit.	Operational
1837	CSP: Set Device Tagging Criticality value complete.	Operational
1838	CSP: Failed to Set Device Tagging Criticality Value.	Operational
1839	CSP: Set Device Tagging Identification Method value complete.	Operational
1840	CSP: Failed to Set Device Tagging Identification Method Value.	Operational
1841	CSP: Get AadDeviceId complete.	Operational
1842	CSP: Set AadDeviceId complete.	Operational
1843	CSP: Set AadDeviceId exceeded allowed limit.	Operational
2001	SenseCM.	Operational
2002	Info.	Operational
2003	Warning.	Operational
2004	Error.	Operational

Event ID 1 — Service is starting (Version parameter).

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Service is starting (Version parameter).

Message #

Service is starting (Version %1).

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 1,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:26.283851+00:00",
    "event_record_id": 3366,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5016
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "10.8210.22621.457"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 2 — Service is shutting down.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Occurs when the device is shut down or offboarded. Normal operating notification; no action required.

Message #

Service is shutting down.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 3 — Windows Defender Advanced Threat Protection service failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to start. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to start. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 4 — Contacted server UInt1 times, all succeeded, URI: Message1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Contacted server UInt1 times, all succeeded, URI: Message1.

Message #

Contacted server %1 times, all succeeded, URI: %2.

Fields #

Name	Description
`UInt1` UInt64	—
`Message1` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 4,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T10:27:45.275327+00:00",
    "event_record_id": 3527,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 3804
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UInt1": 1,
    "Message1": "https://edr-cus3.us.endpoint.security.microsoft.com/edr/"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 5 — Contacted server UInt1 times, all failed, URI: Message1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Error
Opcode: Info

Description

Contacted server UInt1 times, all failed, URI: Message1. Last HTTP error code: Int1.

Message #

Contacted server %1 times, all failed, URI: %2. Last HTTP error code: %3

Fields #

Name	Description
`UInt1` UInt64	—
`Message1` UnicodeString	—
`Int1` Int32	—
`Last_HTTP_error_code`	1 times, all failed, URI.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 5,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-17T21:56:13.502771+00:00",
    "event_record_id": 1840,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 9400
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UInt1": 2,
    "Message1": "https://edr-cus3.us.endpoint.security.microsoft.com/edr/",
    "Int1": 0
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 6 — Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

The device didn't onboard correctly and isn't reporting to the portal. Onboarding must be run before starting the service. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices.

Message #

Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 7 — Windows Defender Advanced Threat Protection service failed to read the onboarding parameters.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: parameter.

Message #

Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: %1

Fields #

Name	Description
`parameter` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 8 — Service failed to clean configuration settings.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. Onboarding: No action required. Offboarding: Reboot the system. See Onboard client devices.

Message #

Service failed to clean configuration settings.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 9 — Windows Defender Advanced Threat Protection service failed to change its start type.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 10 — Windows Defender Advanced Threat Protection service failed to persist the onboarding information.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 11 — Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The device onboarded correctly. Normal operating notification; no action required. It might take several hours for the device to appear in the portal.

Message #

Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T04:30:03.610987+00:00",
    "event_record_id": 4,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 10328
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 12 — New cloud configuration failed to apply, version: parameter1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

New cloud configuration failed to apply, version: parameter1. Also failed to apply last known good configuration, version parameter2. Also failed to apply the default configuration.

Message #

New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Also failed to apply the default configuration.

Fields #

Name	Description
`parameter1` UnicodeString	—
`parameter2` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 13 — Windows Defender Advanced Threat Protection machine ID calculated: parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Windows Defender Advanced Threat Protection machine ID calculated: parameter.

Message #

Windows Defender Advanced Threat Protection machine ID calculated: %1

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 13,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:32.581645+00:00",
    "event_record_id": 3370,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "56fa48c49fc36bc258ea812952082082ea2d7bf8"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 14 — Windows Defender Advanced Threat Protection cannot calculate machine ID.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection cannot calculate machine ID. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection cannot calculate machine ID. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 15 — Windows Defender Advanced Threat Protection cannot start command channel with URL: parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection cannot start command channel with URL: parameter.

Message #

Windows Defender Advanced Threat Protection cannot start command channel with URL: %1

Fields #

Name	Description
`parameter` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 17 — Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 18 — OOBE (Windows Welcome) is completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Service will only start after any Windows updates have finished installing. Normal operating notification; no action required.

Message #

OOBE (Windows Welcome) is completed.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 19 — OOBE (Windows Welcome) has not yet completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Service will only start after any Windows updates finish installing. Normal operating notification; no action required. If this error persists after a system restart, ensure all Windows updates have full installed.

Message #

OOBE (Windows Welcome) has not yet completed.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 20 — Cannot wait for OOBE (Windows Welcome) to complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Cannot wait for OOBE (Windows Welcome) to complete. Failure code: HRESULT.

Message #

Cannot wait for OOBE (Windows Welcome) to complete. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 25 — Service failed to reset health status in the registry.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Service failed to reset health status in the registry. Failure code: HRESULT.

Message #

Service failed to reset health status in the registry. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 26 — Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 27 — Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: HRESULT.

Message #

Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 28 — Connected User Experiences and Telemetry service registration failed with failure code: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Connected User Experiences and Telemetry service registration failed with failure code: HRESULT. Requested disk quota in MB: diskSizeQuotaValue, Requested daily upload quota in MB: dailyUploadQuotaValue.

Message #

Connected User Experiences and Telemetry service registration failed with failure code: %1. Requested disk quota in MB: %2, Requested daily upload quota in MB: %3

Fields #

Name	Description
`HRESULT` HexInt32	—
`diskSizeQuotaValue` Int32	—
`dailyUploadQuotaValue` Int32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 29 — Failed to read the offboarding parameters.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to read the offboarding parameters. Error type: errorType, Error code: HRESULT, Description: description.

Message #

Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3

Fields #

Name	Description
`errorType` Int32	—
`HRESULT` HexInt32	—
`description` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 30 — Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender. Failure code: HRESULT.

Message #

Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 31 — Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 32 — Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 33 — Windows Defender Advanced Threat Protection service failed to persist SENSE GUID.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 34 — Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

Message #

An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 35 — Communication quotas are updated.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Communication quotas are updated. Disk quota in MB: diskSizeQuotaValue, daily upload quota in MB: dailyUploadQuotaValue.

Message #

Communication quotas are updated. Disk quota in MB: %1, daily upload quota in MB: %2

Fields #

Name	Description
`diskSizeQuotaValue` Int32	—
`dailyUploadQuotaValue` Int32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 35,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:32.579826+00:00",
    "event_record_id": 3369,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "diskSizeQuotaValue": 99,
    "dailyUploadQuotaValue": 99
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 36 — Connected User Experiences and Telemetry service registration succeeded with completion code: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Connected User Experiences and Telemetry service registration succeeded with completion code: HRESULT. Requested disk quota in MB: diskSizeQuotaValue, requested daily upload quota in MB: dailyUploadQuotaValue.

Message #

Connected User Experiences and Telemetry service registration succeeded with completion code: %1. Requested disk quota in MB: %2, requested daily upload quota in MB: %3

Fields #

Name	Description
`HRESULT` HexInt32	—
`diskSizeQuotaValue` Int32	—
`dailyUploadQuotaValue` Int32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:46.945960+00:00",
    "event_record_id": 3381,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 4212
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0",
    "diskSizeQuotaValue": 99,
    "dailyUploadQuotaValue": 99
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 37 — Module: Module, Quota: {module} {quotaValue}, Percentage of quota utilization: quotaValueUnit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Module: Module, Quota: {module} {quotaValue}, Percentage of quota utilization: quotaValueUnit.

Message #

Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.

Fields #

Name	Description
`Module`	—
`module` UnicodeString	—
`quotaValue` Int32	—
`quotaValueUnit` UnicodeString	—
`percentageValue` Int32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 38 — Network connection is identified as low.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The device is using a metered/paid network and contacts the server less frequently. Normal operating notification; no action required.

Message #

Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. Metered connection: %2, internet available: %3, free network available: %4, proxy is defined by GP: %5.

Fields #

Name	Description
`pollingInterval` UInt16	—
`meteredConnectionState` Boolean	—
`internetAvailabilityState` Boolean	—
`freeNetworkAvailabilityState` Boolean	—
`proxyDefined` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 38,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T05:29:07.821216+00:00",
    "event_record_id": 3460,
    "correlation": {},
    "execution": {
      "process_id": 3688,
      "thread_id": 12520
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "pollingInterval": 120,
    "meteredConnectionState": false,
    "internetAvailabilityState": false,
    "freeNetworkAvailabilityState": false,
    "proxyDefined": false
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 39 — Network connection is identified as normal.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The device isn't using a metered/paid connection and contacts the server as usual. Normal operating notification; no action required.

Message #

Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. Metered connection: %2, internet available: %3, free network available: %4, proxy is defined by GP: %5.

Fields #

Name	Description
`pollingInterval` UInt16	—
`meteredConnectionState` Boolean	—
`internetAvailabilityState` Boolean	—
`freeNetworkAvailabilityState` Boolean	—
`proxyDefined` Boolean	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 39,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:46.117651+00:00",
    "event_record_id": 3378,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "pollingInterval": 120,
    "meteredConnectionState": false,
    "internetAvailabilityState": true,
    "freeNetworkAvailabilityState": true,
    "proxyDefined": false
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 40 — Battery state is identified as low.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

The device has low battery level and contacts the server less frequently. Normal operating notification; no action required.

Message #

Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. AC state: %2, battery saver mode : %3, battery low state: %4, battery critical state: %5

Fields #

Name	Description
`battery_saver_mode`	1 seconds. AC state.
`battery_low_state`	—
`battery_critical_state`	—
`pollingInterval` UInt16	—
`acPowerState` Boolean	—
`batterySavingState` Boolean	—
`batteryLowState` Boolean	—
`batteryCriticalState` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 41 — Battery state is identified as normal.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The device doesn't have low battery level and contacts the server as usual. Normal operating notification; no action required.

Message #

Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 seconds. AC state: %2, battery saver mode : %3, battery low state: %4, battery critical state: %5

Fields #

Name	Description
`pollingInterval` UInt16	—
`acPowerState` Boolean	—
`batterySavingState` Boolean	—
`batteryLowState` Boolean	—
`batteryCriticalState` Boolean	—
`battery_saver_mode`	1 seconds. AC state.
`battery_low_state`	—
`battery_critical_state`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:46.117743+00:00",
    "event_record_id": 3379,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "pollingInterval": 120,
    "acPowerState": true,
    "batterySavingState": false,
    "batteryLowState": false,
    "batteryCriticalState": false
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 42 — Component failed to perform action.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Internal error. The service failed to start. If this error persists, contact Support.

Message #

Component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4

Fields #

Name	Description
`Component` AnsiString	—
`Operation` UnicodeString	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ExceptionType` AnsiString	—
`ExceptionMessage` AnsiString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 43 — Component failed to perform action.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Internal error. The service failed to start. If this error persists, contact Support.

Message #

Component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5

Fields #

Name	Description
`Component` AnsiString	—
`Operation` UnicodeString	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`ExceptionType` AnsiString	—
`ExceptionErrorCode` HexInt32	—
`ExceptionMessage` AnsiString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 44 — Offboarding of Windows Defender Advanced Threat Protection service completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

The service was offboarded. Normal operating notification; no action required.

Message #

Offboarding of Windows Defender Advanced Threat Protection service completed.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 45 — Failed to register and to start the event trace session [TraceSessionName].

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to register and to start the event trace session [TraceSessionName]. Error code: HRESULT.

Message #

Failed to register and to start the event trace session [%1]. Error code: %2

Fields #

Name	Description
`TraceSessionName` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 46 — Failed to register and start the event trace session [TraceSessionName] due to lack of resources.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

An error occurred on service startup while creating ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts. Normal operating notification; no action required. The service tries to start the session every minute.

Message #

Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.

Fields #

Name	Description
`TraceSessionName` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 47 — Successfully registered and started the event trace session - recovered after previous failed attempts.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

This event follows the previous event after successfully starting of the ETW session. Normal operating notification; no action required.

Message #

Successfully registered and started the event trace session - recovered after previous failed attempts.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 48 — Failed to add a provider [ProviderId] to event trace session [TraceSessionName].

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to add a provider [ProviderId] to event trace session [TraceSessionName]. Error code: ErrorCode. This means that events from this provider will not be reported.

Message #

Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.

Fields #

Name	Description
`ProviderId` UnicodeString	—
`TraceSessionName` UnicodeString	—
`ErrorCode` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 49 — Invalid cloud configuration command received and ignored.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Invalid cloud configuration command received and ignored. Version: Version, status: Status, error code: HRESULT, message: ErrorMessage.

Message #

Invalid cloud configuration command received and ignored. Version: %1, status: %2, error code: %3, message: %4

Fields #

Name	Description
`Version` UnicodeString	—
`Status` UInt16	— NTSTATUS reference
`HRESULT` HexInt64	—
`ErrorMessage` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 50 — New cloud configuration applied successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

New cloud configuration applied successfully. Version: parameter.

Message #

New cloud configuration applied successfully. Version: %1.

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 50,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-18T21:51:39.113607+00:00",
    "event_record_id": 2199,
    "correlation": {},
    "execution": {
      "process_id": 3388,
      "thread_id": 7692
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "10.8824.icm.752524955.2026.02.25.02-b0f8150134e39fffb9644c0884629b7ceb6f95b6"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 51 — New cloud configuration failed to apply, version: parameter1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

New cloud configuration failed to apply, version: parameter1. Successfully applied the last known good configuration, version parameter2.

Message #

New cloud configuration failed to apply, version: %1. Successfully applied the last known good configuration, version %2.

Fields #

Name	Description
`parameter1` UnicodeString	—
`parameter2` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 52 — New cloud configuration failed to apply, version: parameter1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

New cloud configuration failed to apply, version: parameter1. Also failed to apply last known good configuration, version parameter2. Successfully applied the default configuration.

Message #

New cloud configuration failed to apply, version: %1. Also failed to apply last known good configuration, version %2. Successfully applied the default configuration.

Fields #

Name	Description
`parameter1` UnicodeString	—
`parameter2` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 53 — Cloud configuration loaded from persistent storage, version: parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Cloud configuration loaded from persistent storage, version: parameter.

Message #

Cloud configuration loaded from persistent storage, version: %1.

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 53,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:28.128009+00:00",
    "event_record_id": 3368,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "10.8824.icm.752524955.2026.02.25.02-b0f8150134e39fffb9644c0884629b7ceb6f95b6"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 54 — Global (per-pattern) state changed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Global (per-pattern) state changed. State: Value1, pattern: Value2.

Message #

Global (per-pattern) state changed. State: %1, pattern: %2

Fields #

Name	Description
`Value1` HexInt32	—
`Value2` HexInt32	—
`Value3` UnicodeString	—
`Global_perpattern_state_changed_State`	Global (per-pattern) state changed. State.
`pattern`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 54,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:32:01.371209+00:00",
    "event_record_id": 3399,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 7148
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Value1": "0x1",
    "Value2": "0x9",
    "Value3": "{962D215C-F6D0-494D-BEEC-C71E8A2AC50E}"
  },
  "message": ""
}

Event ID 55 — Failed to create the Secure ETW autologger.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to create the Secure ETW autologger. Failure code: HRESULT.

Message #

Failed to create the Secure ETW autologger. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 56 — Failed to remove the Secure ETW autologger.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to remove the Secure ETW autologger. Failure code: HRESULT.

Message #

Failed to remove the Secure ETW autologger. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 57 — Capturing a snapshot of the machine for troubleshooting purposes.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

An investigation package, also known as forensics package, is being collected. Normal operating notification; no action required.

Message #

Capturing a snapshot of the machine for troubleshooting purposes.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 59 — Starting command: parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Starting command: parameter.

Message #

Starting command: %1

Fields #

Name	Description
`parameter` UnicodeString	—
`Starting_command` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 59,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T00:56:32.102827+00:00",
    "event_record_id": 381,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 680
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "incidentresponsecommand"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 60 — Failed to run command CommandName, error: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Warning
Opcode: Info

Description

Failed to run command CommandName, error: HRESULT.

Message #

Failed to run command %1, error: %2.

Fields #

Name	Description
`CommandName` UnicodeString	—
`HRESULT` HexInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 60,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T22:40:08.797847+00:00",
    "event_record_id": 2808,
    "correlation": {},
    "execution": {
      "process_id": 3952,
      "thread_id": 5916
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "CommandName": "incidentresponsecommand",
    "HRESULT": "0xffffffff80192ee2"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 61 — Data collection command parameters are invalid: SasUri: SasUri, compressionLevel: CompressionLevel.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Data collection command parameters are invalid: SasUri: SasUri, compressionLevel: CompressionLevel.

Message #

Data collection command parameters are invalid: SasUri: %1, compressionLevel: %2.

Fields #

Name	Description
`SasUri` UnicodeString	—
`CompressionLevel` Int16	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 62 — Failed to start Connected User Experiences and Telemetry service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to start Connected User Experiences and Telemetry service. Failure code: HRESULT.

Message #

Failed to start Connected User Experiences and Telemetry service. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 63 — Updating the start type of external service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Warning
Opcode: Info

Description

Updating the start type of external service. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.

Message #

Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ActualStartType` Int16	—
`ExpectedStartType` Int16	—
`ErrorCode` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 63,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T04:35:06.343019+00:00",
    "event_record_id": 45,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 4292
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServiceName": "wlidsvc",
    "ActualStartType": 4,
    "ExpectedStartType": 3,
    "ErrorCode": "0x0"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 64 — Starting stopped external service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Starting stopped external service. Name: Starting_stopped_external_service_Name, exit code: exit_code.

Message #

Starting stopped external service. Name: %1, exit code: %2

Fields #

Name	Description
`Starting_stopped_external_service_Name` UnicodeString	Starting stopped external service. Name.
`exit_code` HexInt32	—
`ServiceName` UnicodeString	—
`ErrorCode` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 65 — Failed to load Microsoft Security Events Component Minifilter driver.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to load Microsoft Security Events Component Minifilter driver. Failure code: HRESULT.

Message #

Failed to load Microsoft Security Events Component Minifilter driver. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 66 — Policy update: Latency mode - parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Policy update: Latency mode - parameter.

Message #

Policy update: Latency mode - %1

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 66,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:46.117193+00:00",
    "event_record_id": 3377,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "demo"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 67 — Contacted server Last_HTTP_error_code times, failed UInt1 times and succeeded UInt2 times.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Contacted server Last_HTTP_error_code times, failed UInt1 times and succeeded UInt2 times. URI: UInt3. Last HTTP error code: Message1.

Message #

Contacted server %1 times, failed %2 times and succeeded %3 times. URI: %4. Last HTTP error code: %5

Fields #

Name	Description
`Last_HTTP_error_code`	—
`UInt1` UInt64	—
`UInt2` UInt64	—
`UInt3` UInt64	—
`Message1` UnicodeString	—
`Int1` Int32	—

Event ID 68 — The start type of the service is unexpected.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Warning
Opcode: Info

Description

The start type of the service is unexpected. Service name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType.

Message #

The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ActualStartType` Int16	—
`ExpectedStartType` Int16	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 68,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:32:46.137351+00:00",
    "event_record_id": 3409,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 2544
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServiceName": "WpnService",
    "ActualStartType": 4,
    "ExpectedStartType": 2
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 69 — The service is stopped.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Warning
Opcode: Info

Description

The service is stopped. Service name: parameter.

Message #

The service is stopped. Service name: %1

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 69,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:32:46.137777+00:00",
    "event_record_id": 3410,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 2544
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "WpnService"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 70 — Policy update: Allow sample collection - UInt1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Policy update: Allow sample collection - UInt1.

Message #

Policy update: Allow sample collection - %1

Fields #

Name	Description
`UInt1` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 71 — Succeeded to run command: parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Succeeded to run command: parameter.

Message #

Succeeded to run command: %1

Fields #

Name	Description
`parameter` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 71,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-11T00:56:33.194261+00:00",
    "event_record_id": 383,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 680
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "parameter": "incidentresponsecommand"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 72 — Tried to send first full machine profile report.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Tried to send first full machine profile report. Result code: HRESULT.

Message #

Tried to send first full machine profile report. Result code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 72,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:46.912867+00:00",
    "event_record_id": 3380,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 7104
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x0"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 73 — Sense starting for platform: platformBitMask.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Sense starting for platform: platformBitMask.

Message #

Sense starting for platform: %1

Fields #

Name	Description
`platformBitMask` HexInt64	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 73,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:26.327796+00:00",
    "event_record_id": 3367,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "platformBitMask": "0x1001"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 74 — Device tag in registry exceeds length limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Device tag in registry exceeds length limit. Tag name: Message1. Length limit: UInt1.

Message #

Device tag in registry exceeds length limit. Tag name: %2. Length limit: %1.

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 75 — Device tag name in registry exceeds length limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Device tag name in registry exceeds length limit. Tag name: Message1. Length limit: UInt1.

Message #

Device tag name in registry exceeds length limit. Tag name: %2. Length limit: %1.

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

Event ID 76 — Number of customer tags in registry exceeds limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Number of customer tags in registry exceeds limit. Limit: UInt1 tags.

Message #

Number of customer tags in registry exceeds limit. Limit: %1 tags.

Fields #

Name	Description
`UInt1` UInt32	—

Event ID 77 — Successfully applied protection on Connected User Experiences and Telemetry service

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Successfully applied protection on Connected User Experiences and Telemetry service.

Message #

Successfully applied protection on Connected User Experiences and Telemetry service

Event ID 78 — Successfully removed protection from Connected User Experiences and Telemetry service

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Successfully removed protection from Connected User Experiences and Telemetry service.

Message #

Successfully removed protection from Connected User Experiences and Telemetry service

Event ID 79 — Failed to apply protection on Connected User Experiences and Telemetry service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to apply protection on Connected User Experiences and Telemetry service. Failure code: HRESULT.

Message #

Failed to apply protection on Connected User Experiences and Telemetry service. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 80 — Failed to remove protection from Connected User Experiences and Telemetry service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to remove protection from Connected User Experiences and Telemetry service. Failure code: HRESULT.

Message #

Failed to remove protection from Connected User Experiences and Telemetry service. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 81 — Failed to create Windows Defender Advanced Threat Protection ETW autologger.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to create Windows Defender Advanced Threat Protection ETW autologger. Failure code: HRESULT.

Message #

Failed to create Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 82 — Failed to remove Windows Defender Advanced Threat Protection ETW autologger.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: HRESULT.

Message #

Failed to remove Windows Defender Advanced Threat Protection ETW autologger. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 83 — Cyber event may be dropped because its size [RealValue bytes] exceeded max size [quotaValue bytes] or close to it.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Cyber event may be dropped because its size [RealValue bytes] exceeded max size [quotaValue bytes] or close to it.

Message #

Cyber event may be dropped because its size [%1 bytes] exceeded max size [%2 bytes] or close to it.

Fields #

Name	Description
`RealValue` Int32	—
`quotaValue` Int32	—

Event ID 84 — Set Windows Defender Antivirus running mode.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Set Windows Defender Antivirus running mode. Force passive mode: forcePassiveMode, result code: HRESULT.

Message #

Set Windows Defender Antivirus running mode. Force passive mode: %1, result code: %2.

Fields #

Name	Description
`forcePassiveMode` Boolean	—
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 84,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:43:22.434072+00:00",
    "event_record_id": 6,
    "correlation": {},
    "execution": {
      "process_id": 8176,
      "thread_id": 10396
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "forcePassiveMode": false,
    "HRESULT": "0x0"
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 85 — Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable. Failure code: HRESULT.

Message #

Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 86 — Starting again stopped external service that should be up.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Starting again stopped external service that should be up. Name: ServiceName, exit code: ErrorCode.

Message #

Starting again stopped external service that should be up. Name: %1, exit code: %2

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ErrorCode` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 87 — Cannot start the external service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Cannot start the external service. Name: ServiceName.

Message #

Cannot start the external service. Name: %1

Fields #

Name	Description
`ServiceName` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 88 — Updating the start type of external service again.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Updating the start type of external service again. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.

Message #

Updating the start type of external service again. Name: %1, actual start type: %2, expected start type: %3, exit code: %4

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ActualStartType` Int16	—
`ExpectedStartType` Int16	—
`ErrorCode` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 89 — Cannot update the start type of external service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Cannot update the start type of external service. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType.

Message #

Cannot update the start type of external service. Name: %1, actual start type: %2, expected start type: %3

Fields #

Name	Description
`ServiceName` UnicodeString	—
`ActualStartType` Int16	—
`ExpectedStartType` Int16	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 90 — Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region Message1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region Message1. Failure code: HRESULT.

Message #

Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region %1. Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 91 — Failed to remove System Guard Runtime Monitor geo-region information.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to remove System Guard Runtime Monitor geo-region information. Failure code: HRESULT.

Message #

Failed to remove System Guard Runtime Monitor geo-region information. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 92 — Stopping sending sensor cyber data quota because data quota is exceed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Stopping sending sensor cyber data quota because data quota is exceed. Will resume sending once quota period passes. State Mask: UInt2.

Message #

Stopping sending sensor cyber data quota because data quota is exceed. Will resume sending once quota period passes. State Mask: %1

Fields #

Name	Description
`UInt2` UInt64	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 93 — Resuming sending sensor cyber data.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Resuming sending sensor cyber data. State Mask: UInt2.

Message #

Resuming sending sensor cyber data. State Mask: %1

Fields #

Name	Description
`UInt2` UInt64	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 94 — Windows Defender Advanced Threat Protection Classification Engine executable has started

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The SenseCE executable has started. Normal operating notification; no action required.

Message #

Windows Defender Advanced Threat Protection Classification Engine executable has started

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 94,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:43:23.714880+00:00",
    "event_record_id": 11,
    "correlation": {},
    "execution": {
      "process_id": 8176,
      "thread_id": 10396
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 95 — Windows Defender Advanced Threat Protection Classification Engine executable has ended

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The SenseCE executable has ended. Normal operating notification; no action required.

Message #

Windows Defender Advanced Threat Protection Classification Engine executable has ended

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 95,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T23:44:27.877746+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 8176,
      "thread_id": 4048
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 96 — Windows Defender Advanced Threat Protection Classification Engine Init has called.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Classification Engine Init has called. Result code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Classification Engine Init has called. Result code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 97 — There are connectivity issues to the Cloud for the DLP scenario

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

There are network connectivity issues that affect the DLP classification flow. Check the network connectivity.

Message #

There are connectivity issues to the Cloud for the DLP scenario

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 98 — The connectivity to the Cloud for the DLP scenario has been restored

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

The connectivity to the network was restored and the DLP classification flow can continue. Normal operating notification; no action required.

Message #

The connectivity to the Cloud for the DLP scenario has been restored

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 99 — Sense has encoutered the following error while communicating with server: (Message1).

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Sense has encoutered the following error while communicating with server: (Message1). Result: (HRESULT).

Message #

Sense has encoutered the following error while communicating with server: (%1). Result: (%2)

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 100 — Windows Defender Advanced Threat Protection Classification Engine executable failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Classification Engine executable failed to start. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Classification Engine executable failed to start. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 101 — Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Error
Opcode: Info

Description

Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 101,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T05:29:15.724352+00:00",
    "event_record_id": 3466,
    "correlation": {},
    "execution": {
      "process_id": 3688,
      "thread_id": 3888
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HRESULT": "0x80070020"
  },
  "message": ""
}

Event ID 102 — Windows Defender Advanced Threat Protection Network Detection and Response executable has started

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The SenseNdr executable has started. Normal operating notification; no action required.

Message #

Windows Defender Advanced Threat Protection Network Detection and Response executable has started

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T06:27:48.907221+00:00",
    "event_record_id": 3383,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 5040
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 103 — Windows Defender Advanced Threat Protection Network Detection and Response executable has ended

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

The SenseNdr executable has ended. Normal operating notification; no action required.

Message #

Windows Defender Advanced Threat Protection Network Detection and Response executable has ended

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:24:29.979924+00:00",
    "event_record_id": 2598,
    "correlation": {},
    "execution": {
      "process_id": 3952,
      "thread_id": 11152
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 104 — Failed to queue asynchronous driver unload.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to queue asynchronous driver unload. Failure code: HRESULT.

Message #

Failed to queue asynchronous driver unload. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 105 — Failed to wait for driver unload.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Occurs during offboarding. Normal operating notification; no action required.

Message #

Failed to wait for driver unload.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 106 — Windows Defender Advanced Threat Protection service failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to start. Failure code HRESULT ; Failed to load MsSense DLL Module.

Message #

Windows Defender Advanced Threat Protection service failed to start. Failure code %1 ; Failed to load MsSense DLL Module

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 107 — Windows Defender Advanced Threat Protection service failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to start. Failure code UInt2 ; Issue with MsSense DLL Module.

Message #

Windows Defender Advanced Threat Protection service failed to start. Failure code %1 ; Issue with MsSense DLL Module

Fields #

Name	Description
`UInt2` UInt64	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 108 — Update phase:Update_phase, new platform version: new_platform_version, message: message.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Update phase:Update_phase, new platform version: new_platform_version, message: message.

Message #

Update phase:%1, new platform version: %2, message: %3

Fields #

Name	Description
`Update_phase` Int32	—
`new_platform_version` UnicodeString	—
`message` UnicodeString	—
`phase` Int32	—
`newVersion` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 109 — Update phase:Update_phase new platform version: new_platform_version, failure message: failure_message, error: error.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Update phase:Update_phase new platform version: new_platform_version, failure message: failure_message, error: error.

Message #

Update phase:%1 new platform version: %2, failure message: %3, error: %4

Fields #

Name	Description
`Update_phase` Int32	—
`new_platform_version` UnicodeString	—
`failure_message` UnicodeString	—
`error` HexInt32	—
`phase` Int32	—
`newVersion` UnicodeString	—
`message` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 110 — Failed to remove MDEContain WFP filters

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Occurs during offboarding. Contact support.

Message #

Failed to remove MDEContain WFP filters

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 111 — Failed to Leave SecurityManagement.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Failed to Leave SecurityManagement. Failure code: HRESULT.

Message #

Failed to Leave SecurityManagement. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 112 — MsSecFlt.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

MsSecFlt.sys kernel service failed to request to stop itself after offboarding process. Failure code: HRESULT.

Message #

MsSecFlt.sys kernel service failed to request to stop itself after offboarding process. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 113 — MsSecFlt.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

MsSecFlt.sys kernel service has successfully started.

Message #

MsSecFlt.sys kernel service has successfully started.

Event ID 114 — MsSecFlt.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

MsSecFlt.sys kernel service failed to start.

Message #

MsSecFlt.sys kernel service failed to start.

Event ID 115 — MsSecWfp.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

MsSecWfp.sys kernel service has successfully started.

Message #

MsSecWfp.sys kernel service has successfully started.

Event ID 116 — MsSecWfp.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

MsSecWfp.sys kernel service failed to start.

Message #

MsSecWfp.sys kernel service failed to start.

Event ID 117 — Message1: Failed to modify service object trust label.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Message1: Failed to modify service object trust label. Failure code: HRESULT.

Message #

%1: Failed to modify service object trust label. Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 118 — Update phase:Update_phase, new platform version: new_platform_version, success message: success_message.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Update phase:Update_phase, new platform version: new_platform_version, success message: success_message.

Message #

Update phase:%1, new platform version: %2, success message: %3

Fields #

Name	Description
`Update_phase` Int32	—
`new_platform_version` UnicodeString	—
`success_message` UnicodeString	—
`phase` Int32	—
`newVersion` UnicodeString	—
`message` UnicodeString	—

Event ID 119 — Windows Defender Advanced Threat Protection service failed to remove its failure actions.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection service failed to remove its failure actions. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to remove its failure actions. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 120 — EventTraker Event data: (parameter).

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

EventTraker Event data: (parameter).

Message #

EventTraker Event data: (%1)

Fields #

Name	Description
`parameter` UnicodeString	—

Event ID 121 — Info message: Info_message.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Info message: Info_message.

Message #

Info message: %1

Fields #

Name	Description
`Info_message`	—
`message` UnicodeString	—

Event ID 122 — Update phase:Update_phase new platform version: new_platform_version, warning message: warning_message.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Update phase:Update_phase new platform version: new_platform_version, warning message: warning_message.

Message #

Update phase:%1 new platform version: %2, warning message: %3

Fields #

Name	Description
`Update_phase`	—
`new_platform_version`	—
`warning_message`	—
`phase` Int32	—
`newVersion` UnicodeString	—
`message` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 123 — Update error message: message, Additional parameters: valueName1: value1, valueName2: value2, error message: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Update error message: message, Additional parameters: valueName1: value1, valueName2: value2, error message: HRESULT.

Message #

Update error message: %5, Additional parameters: %1: %2, %3: %4, error message: %6

Fields #

Name	Description
`valueName1` UnicodeString	—
`value1` UnicodeString	—
`valueName2` UnicodeString	—
`value2` UnicodeString	—
`message` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 124 — Windows Defender Advanced Threat Protection Trace Event Monitor executable has started

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Trace Event Monitor executable has started.

Message #

Windows Defender Advanced Threat Protection Trace Event Monitor executable has started

Event ID 125 — Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended.

Message #

Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended

Event ID 126 — Windows Defender Advanced Threat Protection Trace Event Monitor executable failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Trace Event Monitor executable failed to start. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Trace Event Monitor executable failed to start. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 127 — Windows Defender Advanced Threat Protection Dlp Processor executable failed to start.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Dlp Processor executable failed to start. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Dlp Processor executable failed to start. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 128 — Windows Defender Advanced Threat Protection Dlp Processor executable has started

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Dlp Processor executable has started.

Message #

Windows Defender Advanced Threat Protection Dlp Processor executable has started

Event ID 129 — Windows Defender Advanced Threat Protection Dlp Processor executable has ended

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Dlp Processor executable has ended.

Message #

Windows Defender Advanced Threat Protection Dlp Processor executable has ended

Event ID 130 — Received DLP policy type: Received_DLP_policy_type.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Received DLP policy type: Received_DLP_policy_type. Policy Hash: Policy_Hash, Timestamp: Timestamp.

Message #

Received DLP policy type: %1. Policy Hash: %2, Timestamp: %3

Fields #

Name	Description
`Received_DLP_policy_type`	—
`Policy_Hash`	—
`Timestamp`	—
`CommandType` UnicodeString	—
`PolicyHash` UnicodeString	—
`TimeStamp` UInt64	—

Event ID 131 — Completed processing DLP policy type: Completed_processing_DLP_policy_type.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Completed processing DLP policy type: Completed_processing_DLP_policy_type. Policy Hash: Policy_Hash, Timestamp: Timestamp.

Message #

Completed processing DLP policy type: %1. Policy Hash: %2, Timestamp: %3

Fields #

Name	Description
`Completed_processing_DLP_policy_type`	—
`Policy_Hash`	—
`Timestamp`	—
`CommandType` UnicodeString	—
`PolicyHash` UnicodeString	—
`TimeStamp` UInt64	—

Event ID 132 — Failed to process DLP policy type: CommandType.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Failed to process DLP policy type: CommandType. Policy Hash: PolicyHash, Timestamp: TimeStamp. Exception: HRESULT [ErrorMessage].

Message #

Failed to process DLP policy type: %1. Policy Hash: %2, Timestamp: %3. Exception: %4 [%5]

Fields #

Name	Description
`CommandType` UnicodeString	—
`PolicyHash` UnicodeString	—
`TimeStamp` UInt64	—
`HRESULT` HexInt32	—
`ErrorMessage` UnicodeString	—

Event ID 133 — Ignore DLP policy type: Ignore_DLP_policy_type at CommandType due to Data Loss Prevention feature currently disabled.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Ignore DLP policy type: Ignore_DLP_policy_type at CommandType due to Data Loss Prevention feature currently disabled.

Message #

Ignore DLP policy type: %1 at %2 due to Data Loss Prevention feature currently disabled.

Fields #

Name	Description
`Ignore_DLP_policy_type`	—
`CommandType` UnicodeString	—
`TimeStamp` UInt64	—

Event ID 134 — Offboarding blob is revoked via configuration.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Offboarding blob is revoked via configuration. Blob Sha 256: BlobSha256.

Message #

Offboarding blob is revoked via configuration. Blob Sha 256: %1.

Fields #

Name	Description
`BlobSha256` UnicodeString	—

Event ID 135 — Offboarding is blocked for blob with Epoch: BlobEpoch , BlobSha256: BlobSha256.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Offboarding is blocked for blob with Epoch: BlobEpoch , BlobSha256: BlobSha256.

Message #

Offboarding is blocked for blob with Epoch: %1 , BlobSha256: %2.

Fields #

Name	Description
`BlobEpoch` UnicodeString	—
`BlobSha256` UnicodeString	—

Event ID 300 — Windows Defender Advanced Threat Protection Session Recorder executable has started

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder executable has started.

Message #

Windows Defender Advanced Threat Protection Session Recorder executable has started

Event ID 301 — Windows Defender Advanced Threat Protection Session Recorder executable has ended

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder executable has ended.

Message #

Windows Defender Advanced Threat Protection Session Recorder executable has ended

Event ID 302 — Windows Defender Advanced Threat Protection Session Recorder init has called from user session parameter.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder init has called from user session parameter.

Message #

Windows Defender Advanced Threat Protection Session Recorder init has called from user session %1

Fields #

Name	Description
`parameter` UnicodeString	—

Event ID 303 — Windows Defender Advanced Threat Protection Session Recorder executable failed to start from user session Message1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder executable failed to start from user session Message1. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection Session Recorder executable failed to start from user session %1. Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 304 — Windows Defender Advanced Threat Protection Session Recorder user session logon event for session id: UInt1, session name: Message1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder user session logon event for session id: UInt1, session name: Message1.

Message #

Windows Defender Advanced Threat Protection Session Recorder user session logon event for session id: %1, session name: %2

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

Event ID 305 — Windows Defender Advanced Threat Protection Session Recorder user session logoff event for session id: UInt1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder user session logoff event for session id: UInt1.

Message #

Windows Defender Advanced Threat Protection Session Recorder user session logoff event for session id: %1

Fields #

Name	Description
`UInt1` UInt32	—

Event ID 306 — Windows Defender Advanced Threat Protection Session Recorder user session unlock event for session id: UInt1.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection Session Recorder user session unlock event for session id: UInt1.

Message #

Windows Defender Advanced Threat Protection Session Recorder user session unlock event for session id: %1

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

Event ID 307 — Failed to update driver permissions Failure code: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to update driver permissions Failure code: HRESULT.

Message #

Failed to update driver permissions Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 308 — Failed to ACL on Folder Message1 Failure code: HRESULT.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Failed to ACL on Folder Message1 Failure code: HRESULT.

Message #

Failed to ACL on Folder %1 Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 309 — Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id with_provider of event log channel: UInt1, with provid...

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id of event log channel: , with provider: . Event data will not be collected until next reboot.

Message #

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id %1 of event log channel: %2, with provider: %3. Event data will not be collected until next reboot.

Fields #

Name	Description
`with_provider`	1 of event log channel.
`UInt1` UInt32	—
`Message1` UnicodeString	—
`providerName` UnicodeString	—

Event ID 310 — Failed to store cloud configuration.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Failed to store cloud configuration. Failure code: HRESULT.

Message #

Failed to store cloud configuration. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 400 — Windows Defender Advanced Threat Protection service failed to create certificate.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to create certificate. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to create certificate. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

Event ID 401 — Windows Defender Advanced Threat Protection service failed to generate key.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to generate key. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to generate key. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 402 — Windows Defender Advanced Threat Protection service failed to persist authentication state.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to persist authentication state. State: Message1, Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to persist authentication state. State: %1, Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 403 — Registration of device by Windows Defender Advanced Threat Protection service completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Successful registration to authentication service. Normal operating notification; no action required.

Message #

Registration of device by Windows Defender Advanced Threat Protection service completed.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 403,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T00:56:55.322831+00:00",
    "event_record_id": 2414,
    "correlation": {},
    "execution": {
      "process_id": 3492,
      "thread_id": 3460
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 404 — Windows Defender Advanced Threat Protection service successfully generated a key.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Successful crypto key generation. Normal operating notification; no action required.

Message #

Windows Defender Advanced Threat Protection service successfully generated a key.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 404,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T04:30:06.058465+00:00",
    "event_record_id": 7,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 10328
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 405 — Failed to communicate with authentication service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Failed to communicate with authentication service. requestType request failed, hresult: HRESULT, HTTP error code: errorCode .

Message #

Failed to communicate with authentication service. %1 request failed, hresult: %2,  HTTP error code: %3 .

Fields #

Name	Description
`requestType` UnicodeString	—
`HRESULT` HexInt32	—
`errorCode` Int32	—
`HTTP_error_code`	1 request failed, hresult.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 405,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-16T04:27:12.595342+00:00",
    "event_record_id": 1601,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 6028
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "requestType": "GetNonce",
    "HRESULT": "0x8000ffff",
    "errorCode": 12007
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 406 — Request for error_code rejected by authentication service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Request for error_code rejected by authentication service. Hresult: requestType, error code: HRESULT .

Message #

Request for %1 rejected by authentication service. Hresult: %2, error code: %3 .

Fields #

Name	Description
`error_code`	1 rejected by authentication service. Hresult.
`requestType` UnicodeString	—
`HRESULT` HexInt32	—
`errorCode` Int32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 407 — Windows Defender Advanced Threat Protection service failed to sign message (authentication).

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to sign message (authentication). Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to sign message (authentication). Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 408 — Windows Defender Advanced Threat Protection service failed to remove persist authentication state.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to remove persist authentication state. State: Message1, Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to remove persist authentication state. State: %1, Failure code: %2

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 409 — Windows Defender Advanced Threat Protection service failed to open key.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Windows Defender Advanced Threat Protection service failed to open key. Failure code: HRESULT.

Message #

Windows Defender Advanced Threat Protection service failed to open key. Failure code: %1

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 410 — Registration is required as part of re-onboarding of Windows Defender Advanced Threat Protection service.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Occurs during reonboarding. Normal operating notification; no action required.

Message #

Registration is required as part of re-onboarding of Windows Defender Advanced Threat Protection service.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 411 — Cyber telemetry upload has been suspended for Windows Defender Advanced Threat Protection service due to invalid/expired token.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Cyber upload temporarily suspended. Normal operating notification; no action required.

Message #

Cyber telemetry upload has been suspended for Windows Defender Advanced Threat Protection service due to invalid/expired token.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 411,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-11T18:11:34.717119+00:00",
    "event_record_id": 3551,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 10996
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 412 — Cyber telemetry upload been resumed for Windows Defender Advanced Threat Protection service due to newly refreshed token.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Level: Informational
Opcode: Info

Description

Cyber upload successfully resumed. Normal operating notification; no action required.

Message #

Cyber telemetry upload been resumed for Windows Defender Advanced Threat Protection service due to newly refreshed token.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-SENSE",
    "guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
    "event_source_name": "",
    "event_id": 412,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-12T03:05:04.739815+00:00",
    "event_record_id": 3810,
    "correlation": {},
    "execution": {
      "process_id": 3632,
      "thread_id": 11628
    },
    "channel": "Microsoft-Windows-SENSE/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 413 — Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id {UInt1} of event log channel: {Message1}.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id {UInt1} of event log channel: {Message1}. Event data will not be collected until next reboot.

Message #

Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id {UInt1} of event log channel: {Message1}. Event data will not be collected until next reboot.

Fields #

Name	Description
`UInt1`	—
`Message1`	—

Event ID 414 — Key rotation of device by Windows Defender Advanced Threat Protection service completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Key rotation of device by Windows Defender Advanced Threat Protection service completed.

Message #

Key rotation of device by Windows Defender Advanced Threat Protection service completed.

Event ID 415 — Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.

Message #

Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.

Event ID 416 — EventTraker Event data: (parameter).

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

EventTraker Event data: (parameter).

Message #

EventTraker Event data: (%1)

Fields #

Name	Description
`parameter` UnicodeString	—

Event ID 417 — Windows Defender Advanced Threat Protection service opened key successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection service opened key successfully.

Message #

Windows Defender Advanced Threat Protection service opened key successfully.

Event ID 418 — Windows Defender Advanced Threat Protection service certificate creation completed successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection service certificate creation completed successfully.

Message #

Windows Defender Advanced Threat Protection service certificate creation completed successfully.

Event ID 419 — Windows Defender Advanced Threat Protection service authentication request signing completed successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection service authentication request signing completed successfully.

Message #

Windows Defender Advanced Threat Protection service authentication request signing completed successfully.

Event ID 420 — Rename of device by Windows Defender Advanced Threat Protection service completed.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Rename of device by Windows Defender Advanced Threat Protection service completed.

Message #

Rename of device by Windows Defender Advanced Threat Protection service completed.

Event ID 500 — Windows Defender Advanced Threat Protection orchestrator failed to perform: UInt1.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection orchestrator failed to perform: UInt1. Identifier: Message1. HRESULT: HRESULT.

Message #

Windows Defender Advanced Threat Protection orchestrator failed to perform: %1. Identifier: %2. HRESULT: %3.

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 501 — Windows Defender Advanced Threat Protection orchestrator performed: UInt1 successfully.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

Windows Defender Advanced Threat Protection orchestrator performed: UInt1 successfully. Identifier: Message1.

Message #

Windows Defender Advanced Threat Protection orchestrator performed: %1 successfully. Identifier: %2.

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

Event ID 1800 — CSP: Get Node's Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Node's Value. NodeId: (UInt1), TokenName: (Message1).

Message #

CSP: Get Node's Value. NodeId: (%1), TokenName: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1801 — CSP: Failed to Get Node's Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Get Node's Value. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).

Message #

CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1802 — CSP: Get Node's Value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Node's Value complete. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).

Message #

CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1803 — CSP: Get Last Connected value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Last Connected value complete. Result (Message1), IsDefault: (Boolean1).

Message #

CSP: Get Last Connected value complete. Result (%1), IsDefault: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1804 — CSP: Get Org ID value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Org ID value complete. Result: (Message1), IsDefault: (Boolean1).

Message #

CSP: Get Org ID value complete. Result: (%1), IsDefault: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1805 — CSP: Get Sense Is Running value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Sense Is Running value complete. Result: (UInt1).

Message #

CSP: Get Sense Is Running value complete. Result: (%1).

Fields #

Name	Description
`UInt1` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1806 — CSP: Get Onboarding State value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Onboarding State value complete. Result: (UInt1), IsDefault: (Boolean1).

Message #

CSP: Get Onboarding State value complete. Result: (%1), IsDefault: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1807 — CSP: Get Onboarding value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Onboarding value complete. Onboarding Blob Hash: (onboardingBlobHash), IsDefault: (isDefaultOnboardingBlob), Onboarding State: (onboardingState), Onboarding State IsDefault: (isDefaultOnboardingState).

Message #

CSP: Get Onboarding value complete. Onboarding Blob Hash: (%1), IsDefault: (%2), Onboarding State: (%3), Onboarding State IsDefault: (%4)

Fields #

Name	Description
`onboardingBlobHash` UInt64	—
`isDefaultOnboardingBlob` Boolean	—
`onboardingState` UInt32	—
`isDefaultOnboardingState` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1808 — CSP: Get Offboarding value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Offboarding value complete. Offboarding Blob Hash: (offboardingBlobHash), IsDefault: (isDefaultOffboardingBlob).

Message #

CSP: Get Offboarding value complete. Offboarding Blob Hash: (%1), IsDefault: (%2).

Fields #

Name	Description
`offboardingBlobHash` UInt64	—
`isDefaultOffboardingBlob` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1809 — CSP: Get Sample Sharing value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Sample Sharing value complete. Result: (UInt1), IsDefault: (Boolean1).

Message #

CSP: Get Sample Sharing value complete. Result: (%1), IsDefault: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1810 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Started onboarding flow. Normal operating notification; no action required.

Message #

CSP: Onboarding process. Started.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1811 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Onboarding process. Delete Offboarding blob complete. Result: (HRESULT).

Message #

CSP: Onboarding process. Delete Offboarding blob complete. Result: (%1).

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1812 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Onboarding process. Write Onboarding blob complete. Result: (HRESULT).

Message #

CSP: Onboarding process. Write Onboarding blob complete. Result: (%1)

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1813 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Started Sense service as part of onboarding flow. Normal operating notification; no action required.

Message #

CSP: Onboarding process. The service started successfully.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1814 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Onboarding process. Pending service running state complete. Result: (HRESULT).

Message #

CSP: Onboarding process. Pending service running state complete. Result: (%1).

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1815 — CSP: Set Sample Sharing value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Sample Sharing value complete. Previous Value: (previousSampleCollectionValue), IsDefault: (IsDefault), New Value: (newSampleSharing), Result: (HRESULT).

Message #

CSP: Set Sample Sharing value complete. Previous Value: (%1), IsDefault: (%2), New Value: (%3), Result: (%4).

Fields #

Name	Description
`previousSampleCollectionValue` UInt32	—
`IsDefault` Boolean	—
`newSampleSharing` UInt32	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1816 — CSP: Offboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Offboarding process. Delete Onboarding blob complete. Result (HRESULT).

Message #

CSP: Offboarding process. Delete Onboarding blob complete. Result (%1).

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1817 — CSP: Offboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Offboarding process. Write Offboarding blob complete. Result (HRESULT).

Message #

CSP: Offboarding process. Write Offboarding blob complete. Result (%1).

Fields #

Name	Description
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1818 — CSP: Set Node's Value started.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Node's Value started. NodeId: (UInt1), TokenName: (Message1).

Message #

CSP: Set Node's Value started. NodeId: (%1), TokenName: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1819 — CSP: Failed to Set Node's Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Set Node's Value. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).

Message #

CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1820 — CSP: Set Node's Value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Node's Value complete. NodeId: (UInt1), TokenName: (Message1), Result: (HRESULT).

Message #

CSP: Set Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1821 — CSP: Set Telemetry Reporting Frequency started.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Telemetry Reporting Frequency started. New value: (UInt1).

Message #

CSP: Set Telemetry Reporting Frequency started. New value: (%1).

Fields #

Name	Description
`UInt1` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1822 — CSP: Set Telemetry Reporting Frequency complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Telemetry Reporting Frequency complete. Previous value: (previousLatencyMode), IsDefault: (IsDefault), New value: (newLatencyMode), Result: (HRESULT).

Message #

CSP: Set Telemetry Reporting Frequency complete. Previous value: (%1), IsDefault: (%2), New value: (%3), Result: (%4).

Fields #

Name	Description
`previousLatencyMode` UnicodeString	—
`IsDefault` Boolean	—
`newLatencyMode` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1823 — CSP: Get Telemetry Reporting Frequency complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Telemetry Reporting Frequency complete. Value: (UInt1), Registry Value: (Message1), IsDefault: (Boolean1).

Message #

CSP: Get Telemetry Reporting Frequency complete. Value: (%1), Registry Value: (%2), IsDefault: (%3).

Fields #

Name	Description
`UInt1` UInt32	—
`Message1` UnicodeString	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1824 — CSP: Get Group Ids complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Group Ids complete. Value: (Message1), IsDefault: (Boolean1).

Message #

CSP: Get Group Ids complete. Value: (%1), IsDefault: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1825 — CSP: Set Group Ids exceeded allowed limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Group Ids exceeded allowed limit. Allowed: (UInt1), Actual: (UInt2).

Message #

CSP: Set Group Ids exceeded allowed limit. Allowed: (%1), Actual: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`UInt2` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1826 — CSP: Set Group Ids complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Group Ids complete. Value: (Message1), Result: (HRESULT).

Message #

CSP: Set Group Ids complete. Value: (%1), Result: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1827 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Trace values as part of onboarding. Normal operating notification; no action required.

Message #

CSP: Onboarding process. Service is running: (%1), Previous Onboarding Blob Hash: (%2), IsDefault: (%3), Onboarding State: (%4), Onboarding State IsDefault: (%5), New Onboarding Blob Hash: (%6)

Fields #

Name	Description
`isServiceRunningAlready` Boolean	—
`previousOnboardingBlobHash` UInt64	—
`isDefaultOnboardingBlob` Boolean	—
`onboardingState` UInt32	—
`isDefaultOnboardingState` Boolean	—
`newOnboardingBlobHash` UInt64	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1828 — CSP: Onboarding process.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Trace values as part of offboarding. Normal operating notification; no action required.

Message #

CSP: Onboarding process. Service is running: (%1), Previous Offboarding Blob Hash: (%2), IsDefault: (%3), Onboarding State: (%4), Onboarding State IsDefault: (%5), New Offboarding Blob Hash: (%6)

Fields #

Name	Description
`isServiceRunning` Boolean	—
`previousOffboardingBlobHash` UInt64	—
`isDefaultOffboardingBlob` Boolean	—
`onboardingState` UInt32	—
`isDefaultOnboardingState` Boolean	—
`newOffboardingBlobHash` UInt64	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1829 — CSP: Failed to Set Sample Sharing Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Set Sample Sharing Value. Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).

Message #

CSP: Failed to Set Sample Sharing Value. Requested Value: (%1), Allowed Values between (%2) and (%3).

Fields #

Name	Description
`requestedValue` UInt32	—
`minimumAllowedValue` UInt32	—
`maximumAllowedValue` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1830 — CSP: Failed to Set Telemetry Reporting Frequency Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Set Telemetry Reporting Frequency Value. Requested Value: (UInt1).

Message #

CSP: Failed to Set Telemetry Reporting Frequency Value. Requested Value: (%1)

Fields #

Name	Description
`UInt1` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1831 — CSP: Get Sense is running.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

Get SenseIsRunning result. Normal operating notification; no action required.

Message #

CSP: Get Sense is running. Service is configured as delay-start, and hasn't started yet.

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1832 — CSP: Get Device Tagging Group complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Device Tagging Group complete. Value: (Message1), IsDefault: (Boolean1).

Message #

CSP: Get Device Tagging Group complete. Value: (%1), IsDefault: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`Boolean1` Boolean	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1833 — CSP: Get Device Tagging Criticality value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Device Tagging Criticality value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).

Message #

CSP: Get Device Tagging Criticality value complete. In Registry: (%1), IsDefault: (%2), Conversion Succeeded: (%3), Result: (%4).

Fields #

Name	Description
`registryValue` UnicodeString	—
`IsDefault` Boolean	—
`conversionSucceeded` Boolean	—
`Result` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1834 — CSP: Get Device Tagging Identification Method value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Get Device Tagging Identification Method value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).

Message #

CSP: Get Device Tagging Identification Method value complete. In Registry: (%1), IsDefault: (%2), Conversion Succeeded: (%3), Result: (%4).

Fields #

Name	Description
`registryValue` UnicodeString	—
`IsDefault` Boolean	—
`conversionSucceeded` Boolean	—
`Result` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1835 — CSP: Set Device Tagging Group complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Device Tagging Group complete. Value: (Message1), Result: (HRESULT).

Message #

CSP: Set Device Tagging Group complete. Value: (%1), Result: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1836 — CSP: Set Device Tagging Group exceeded allowed limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Device Tagging Group exceeded allowed limit. Allowed: (UInt1), Actual: (UInt2).

Message #

CSP: Set Device Tagging Group exceeded allowed limit. Allowed: (%1), Actual: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`UInt2` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1837 — CSP: Set Device Tagging Criticality value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Device Tagging Criticality value complete. Previous Value: (previousCriticalityValue), IsDefault: (IsDefault), New Value: (newCriticalityValue), Result: (HRESULT).

Message #

CSP: Set Device Tagging Criticality value complete. Previous Value: (%1), IsDefault: (%2), New Value: (%3), Result: (%4).

Fields #

Name	Description
`previousCriticalityValue` UnicodeString	—
`IsDefault` Boolean	—
`newCriticalityValue` UInt32	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1838 — CSP: Failed to Set Device Tagging Criticality Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Set Device Tagging Criticality Value. Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).

Message #

CSP: Failed to Set Device Tagging Criticality Value. Requested Value: (%1), Allowed Values between (%2) and (%3).

Fields #

Name	Description
`requestedValue` UInt32	—
`minimumAllowedValue` UInt32	—
`maximumAllowedValue` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1839 — CSP: Set Device Tagging Identification Method value complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Set Device Tagging Identification Method value complete. Previous Value: (previousIdMethodValue), IsDefault: (IsDefault), New Value: (newIdMethodValue), Result: (HRESULT).

Message #

CSP: Set Device Tagging Identification Method value complete. Previous Value: (%1), IsDefault: (%2), New Value: (%3), Result: (%4).

Fields #

Name	Description
`previousIdMethodValue` UnicodeString	—
`IsDefault` Boolean	—
`newIdMethodValue` UInt32	—
`HRESULT` HexInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1840 — CSP: Failed to Set Device Tagging Identification Method Value.

Provider: Microsoft-Windows-SENSE
Channel: Operational
Opcode: Info

Description

CSP: Failed to Set Device Tagging Identification Method Value. Requested Value: (requestedValue), Allowed Values between (minimumAllowedValue) and (maximumAllowedValue).

Message #

CSP: Failed to Set Device Tagging Identification Method Value. Requested Value: (%1), Allowed Values between (%2) and (%3).

Fields #

Name	Description
`requestedValue` UInt32	—
`minimumAllowedValue` UInt32	—
`maximumAllowedValue` UInt32	—

References #

Microsoft Learn https://learn.microsoft.com/en-us/defender-endpoint/event-error-codes

Event ID 1841 — CSP: Get AadDeviceId complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

CSP: Get AadDeviceId complete. Value: (Message1), IsDefault: (Boolean1).

Message #

CSP: Get AadDeviceId complete. Value: (%1), IsDefault: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`Boolean1` Boolean	—

Event ID 1842 — CSP: Set AadDeviceId complete.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

CSP: Set AadDeviceId complete. Value: (Message1), Result: (HRESULT).

Message #

CSP: Set AadDeviceId complete. Value: (%1), Result: (%2).

Fields #

Name	Description
`Message1` UnicodeString	—
`HRESULT` HexInt32	—

Event ID 1843 — CSP: Set AadDeviceId exceeded allowed limit.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Description

CSP: Set AadDeviceId exceeded allowed limit. Allowed: (UInt1), Actual: (UInt2).

Message #

CSP: Set AadDeviceId exceeded allowed limit. Allowed: (%1), Actual: (%2).

Fields #

Name	Description
`UInt1` UInt32	—
`UInt2` UInt32	—

Event ID 2001 — SenseCM.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Message #

SenseCM: %1

Fields #

Name	Description
`SenseCM`	—
`parameter` UnicodeString	—

Event ID 2002 — Info.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Message #

Info: %1

Fields #

Name	Description
`Info`	—
`parameter` UnicodeString	—

Event ID 2003 — Warning.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Message #

Warning: %1

Fields #

Name	Description
`Warning`	—
`parameter` UnicodeString	—

Event ID 2004 — Error.

Provider: Microsoft-Windows-SENSE
Channel: Operational

Message #

Error: %1

Fields #

Name	Description
`Error`	—
`parameter` UnicodeString	—