Microsoft-Windows-SENSE
214 events across 1 channel
Event ID 1: Service is starting (Version parameter).
#Description
Service is starting (Version parameter).
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:26.283851+00:00",
"event_record_id": 3366,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5016
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "10.8210.22621.457"
},
"message": ""
}
References #
Event ID 2: Service is shutting down.
#Event ID 3: Windows Defender Advanced Threat Protection service failed to start.
#Event ID 4: Contacted server UInt1 times, all succeeded, URI: Message1.
#Description
Contacted server UInt1 times, all succeeded, URI: Message1.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt64 | |
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T10:27:45.275327+00:00",
"event_record_id": 3527,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 3804
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UInt1": 1,
"Message1": "https://edr-cus3.us.endpoint.security.microsoft.com/edr/"
},
"message": ""
}
References #
Event ID 5: Contacted server UInt1 times, all failed, URI: Message1.
#Description
Contacted server UInt1 times, all failed, URI: Message1. Last HTTP error code: Int1.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt64 | |
Message1 UnicodeString | |
Int1 Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 5,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-17T21:56:13.502771+00:00",
"event_record_id": 1840,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 9400
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UInt1": 2,
"Message1": "https://edr-cus3.us.endpoint.security.microsoft.com/edr/",
"Int1": 0
},
"message": ""
}
References #
Event ID 6: Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.
#Event ID 7: Windows Defender Advanced Threat Protection service failed to read the onboarding parameters.
#Event ID 8: Service failed to clean configuration settings.
#Description
During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues. During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running. Onboarding: No action required. Offboarding: Reboot the system. See Onboard client devices.
Message #
References #
Event ID 9: Windows Defender Advanced Threat Protection service failed to change its start type.
#Event ID 10: Windows Defender Advanced Threat Protection service failed to persist the onboarding information.
#Event ID 11: Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.
#Description
The device onboarded correctly. Normal operating notification; no action required. It might take several hours for the device to appear in the portal.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:03.610987+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 10328
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 12: New cloud configuration failed to apply, version: parameter1.
#Event ID 13: Windows Defender Advanced Threat Protection machine ID calculated: parameter.
#Description
Windows Defender Advanced Threat Protection machine ID calculated: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 13,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:32.581645+00:00",
"event_record_id": 3370,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "56fa48c49fc36bc258ea812952082082ea2d7bf8"
},
"message": ""
}
References #
Event ID 14: Windows Defender Advanced Threat Protection cannot calculate machine ID.
#Event ID 15: Windows Defender Advanced Threat Protection cannot start command channel with URL: parameter.
#Event ID 17: Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location.
#Event ID 18: OOBE (Windows Welcome) is completed.
#Event ID 19: OOBE (Windows Welcome) has not yet completed.
#Event ID 20: Cannot wait for OOBE (Windows Welcome) to complete.
#Event ID 25: Service failed to reset health status in the registry.
#Event ID 26: Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry.
#Event ID 27: Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender.
#Event ID 28: Connected User Experiences and Telemetry service registration failed with failure code: HRESULT.
#Description
Connected User Experiences and Telemetry service registration failed with failure code: HRESULT. Requested disk quota in MB: diskSizeQuotaValue, Requested daily upload quota in MB: dailyUploadQuotaValue.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | |
diskSizeQuotaValue Int32 | |
dailyUploadQuotaValue Int32 |
References #
Event ID 29: Failed to read the offboarding parameters.
#Event ID 30: Failed to disable Windows Defender Advanced Threat Protection mode in Windows Defender.
#Event ID 31: Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed.
#Event ID 32: Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process.
#Event ID 33: Windows Defender Advanced Threat Protection service failed to persist SENSE GUID.
#Event ID 34: Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.
#Description
An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages. See Onboard client devices running Windows or macOS.
Message #
References #
Event ID 35: Communication quotas are updated.
#Description
Communication quotas are updated. Disk quota in MB: diskSizeQuotaValue, daily upload quota in MB: dailyUploadQuotaValue.
Message #
Fields #
| Name | Description |
|---|---|
diskSizeQuotaValue Int32 | |
dailyUploadQuotaValue Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 35,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:32.579826+00:00",
"event_record_id": 3369,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"diskSizeQuotaValue": 99,
"dailyUploadQuotaValue": 99
},
"message": ""
}
References #
Event ID 36: Connected User Experiences and Telemetry service registration succeeded with completion code: HRESULT.
#Description
Connected User Experiences and Telemetry service registration succeeded with completion code: HRESULT. Requested disk quota in MB: diskSizeQuotaValue, requested daily upload quota in MB: dailyUploadQuotaValue.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | |
diskSizeQuotaValue Int32 | |
dailyUploadQuotaValue Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 36,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:46.945960+00:00",
"event_record_id": 3381,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 4212
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0",
"diskSizeQuotaValue": 99,
"dailyUploadQuotaValue": 99
},
"message": ""
}
References #
Event ID 37: Module: Module, Quota: {module} {quotaValue}, Percentage of quota utilization: quotaValueUnit.
#Event ID 38: Network connection is identified as low.
#Description
The device is using a metered/paid network and contacts the server less frequently. Normal operating notification; no action required.
Message #
Fields #
| Name | Description |
|---|---|
pollingInterval UInt16 | |
meteredConnectionState Boolean | |
internetAvailabilityState Boolean | |
freeNetworkAvailabilityState Boolean | |
proxyDefined Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 38,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T05:29:07.821216+00:00",
"event_record_id": 3460,
"correlation": {},
"execution": {
"process_id": 3688,
"thread_id": 12520
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"pollingInterval": 120,
"meteredConnectionState": false,
"internetAvailabilityState": false,
"freeNetworkAvailabilityState": false,
"proxyDefined": false
},
"message": ""
}
References #
Event ID 39: Network connection is identified as normal.
#Description
The device isn't using a metered/paid connection and contacts the server as usual. Normal operating notification; no action required.
Message #
Fields #
| Name | Description |
|---|---|
pollingInterval UInt16 | |
meteredConnectionState Boolean | |
internetAvailabilityState Boolean | |
freeNetworkAvailabilityState Boolean | |
proxyDefined Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 39,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:46.117651+00:00",
"event_record_id": 3378,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"pollingInterval": 120,
"meteredConnectionState": false,
"internetAvailabilityState": true,
"freeNetworkAvailabilityState": true,
"proxyDefined": false
},
"message": ""
}
References #
Event ID 40: Battery state is identified as low.
#Event ID 41: Battery state is identified as normal.
#Description
The device doesn't have low battery level and contacts the server as usual. Normal operating notification; no action required.
Message #
Fields #
| Name | Description |
|---|---|
pollingInterval UInt16 | |
acPowerState Boolean | |
batterySavingState Boolean | |
batteryLowState Boolean | |
batteryCriticalState Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:46.117743+00:00",
"event_record_id": 3379,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"pollingInterval": 120,
"acPowerState": true,
"batterySavingState": false,
"batteryLowState": false,
"batteryCriticalState": false
},
"message": ""
}
References #
Event ID 42: Component failed to perform action.
#Description
Internal error. The service failed to start. If this error persists, contact Support.
Message #
Fields #
| Name | Description |
|---|---|
Component AnsiString | |
Operation UnicodeString | Known values
|
ExceptionType AnsiString | |
ExceptionMessage AnsiString |
References #
Event ID 43: Component failed to perform action.
#Description
Internal error. The service failed to start. If this error persists, contact Support.
Message #
Fields #
| Name | Description |
|---|---|
Component AnsiString | |
Operation UnicodeString | Known values
|
ExceptionType AnsiString | |
ExceptionErrorCode HexInt32 | |
ExceptionMessage AnsiString |
References #
Event ID 44: Offboarding of Windows Defender Advanced Threat Protection service completed.
#Event ID 45: Failed to register and to start the event trace session [TraceSessionName].
#Event ID 46: Failed to register and start the event trace session [TraceSessionName] due to lack of resources.
#Description
An error occurred on service startup while creating ETW session due to lack of resources. The service is running, but doesn't report sensor events until the ETW session starts. Normal operating notification; no action required. The service tries to start the session every minute.
Message #
Fields #
| Name | Description |
|---|---|
TraceSessionName UnicodeString | |
HRESULT HexInt32 |
References #
Event ID 47: Successfully registered and started the event trace session - recovered after previous failed attempts.
#Event ID 48: Failed to add a provider [ProviderId] to event trace session [TraceSessionName].
#Event ID 49: Invalid cloud configuration command received and ignored.
#Description
Invalid cloud configuration command received and ignored. Version: Version, status: Status, error code: HRESULT, message: ErrorMessage.
Message #
Fields #
| Name | Description |
|---|---|
Version UnicodeString | |
Status UInt16 | NTSTATUS reference |
HRESULT HexInt64 | |
ErrorMessage UnicodeString |
References #
Event ID 50: New cloud configuration applied successfully.
#Description
New cloud configuration applied successfully. Version: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-18T21:51:39.113607+00:00",
"event_record_id": 2199,
"correlation": {},
"execution": {
"process_id": 3388,
"thread_id": 7692
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "10.8824.icm.752524955.2026.02.25.02-b0f8150134e39fffb9644c0884629b7ceb6f95b6"
},
"message": ""
}
References #
Event ID 51: New cloud configuration failed to apply, version: parameter1.
#Event ID 52: New cloud configuration failed to apply, version: parameter1.
#Event ID 53: Cloud configuration loaded from persistent storage, version: parameter.
#Description
Cloud configuration loaded from persistent storage, version: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 53,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:28.128009+00:00",
"event_record_id": 3368,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "10.8824.icm.752524955.2026.02.25.02-b0f8150134e39fffb9644c0884629b7ceb6f95b6"
},
"message": ""
}
References #
Event ID 54: Global (per-pattern) state changed.
#Description
Global (per-pattern) state changed. State: Value1, pattern: Value2.
Message #
Fields #
| Name | Description |
|---|---|
Value1 HexInt32 | |
Value2 HexInt32 | |
Value3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 54,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:32:01.371209+00:00",
"event_record_id": 3399,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 7148
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Value1": "0x1",
"Value2": "0x9",
"Value3": "{962D215C-F6D0-494D-BEEC-C71E8A2AC50E}"
},
"message": ""
}
Event ID 55: Failed to create the Secure ETW autologger.
#Event ID 56: Failed to remove the Secure ETW autologger.
#Event ID 57: Capturing a snapshot of the machine for troubleshooting purposes.
#Event ID 59: Starting command: parameter.
#Description
Starting command: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 59,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-11T00:56:32.102827+00:00",
"event_record_id": 381,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 680
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "incidentresponsecommand"
},
"message": ""
}
References #
Event ID 60: Failed to run command CommandName, error: HRESULT.
#Description
Failed to run command CommandName, error: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
CommandName UnicodeString | |
HRESULT HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 60,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T22:40:08.797847+00:00",
"event_record_id": 2808,
"correlation": {},
"execution": {
"process_id": 3952,
"thread_id": 5916
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"CommandName": "incidentresponsecommand",
"HRESULT": "0xffffffff80192ee2"
},
"message": ""
}
References #
Event ID 61: Data collection command parameters are invalid: SasUri: SasUri, compressionLevel: CompressionLevel.
#Event ID 62: Failed to start Connected User Experiences and Telemetry service.
#Event ID 63: Updating the start type of external service.
#Description
Updating the start type of external service. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | |
ActualStartType Int16 | |
ExpectedStartType Int16 | |
ErrorCode HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 63,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:35:06.343019+00:00",
"event_record_id": 45,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 4292
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "wlidsvc",
"ActualStartType": 4,
"ExpectedStartType": 3,
"ErrorCode": "0x0"
},
"message": ""
}
References #
Event ID 64: Starting stopped external service.
#Event ID 65: Failed to load Microsoft Security Events Component Minifilter driver.
#Event ID 66: Policy update: Latency mode - parameter.
#Description
Policy update: Latency mode - parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 66,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:46.117193+00:00",
"event_record_id": 3377,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "demo"
},
"message": ""
}
References #
Event ID 67: Contacted server Last_HTTP_error_code times, failed UInt1 times and succeeded UInt2 times.
#Description
Contacted server Last_HTTP_error_code times, failed UInt1 times and succeeded UInt2 times. URI: UInt3. Last HTTP error code: Message1.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt64 | |
UInt2 UInt64 | |
UInt3 UInt64 | |
Message1 UnicodeString | |
Int1 Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 67,
"level": "Warning",
"task": null,
"opcode": "Info",
"time_created": "2026-05-04T03:46:08.1992889+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE/Operational"
},
"event_data": {
"UInt1": "5",
"UInt3": "4",
"Message1": "https://edr-cus3.us.endpoint.security.microsoft.com/edr/",
"Int1": "0",
"UInt2": "1"
}
}
Event ID 68: The start type of the service is unexpected.
#Description
The start type of the service is unexpected. Service name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | |
ActualStartType Int16 | |
ExpectedStartType Int16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 68,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:32:46.137351+00:00",
"event_record_id": 3409,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 2544
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServiceName": "WpnService",
"ActualStartType": 4,
"ExpectedStartType": 2
},
"message": ""
}
References #
Event ID 69: The service is stopped.
#Description
The service is stopped. Service name: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 69,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:32:46.137777+00:00",
"event_record_id": 3410,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 2544
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "WpnService"
},
"message": ""
}
References #
Event ID 70: Policy update: Allow sample collection - UInt1.
#Event ID 71: Succeeded to run command: parameter.
#Description
Succeeded to run command: parameter.
Message #
Fields #
| Name | Description |
|---|---|
parameter UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 71,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-11T00:56:33.194261+00:00",
"event_record_id": 383,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 680
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"parameter": "incidentresponsecommand"
},
"message": ""
}
References #
Event ID 72: Tried to send first full machine profile report.
#Description
Tried to send first full machine profile report. Result code: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 72,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:46.912867+00:00",
"event_record_id": 3380,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 7104
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
References #
Event ID 73: Sense starting for platform: platformBitMask.
#Description
Sense starting for platform: platformBitMask.
Message #
Fields #
| Name | Description |
|---|---|
platformBitMask HexInt64 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 73,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:26.327796+00:00",
"event_record_id": 3367,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"platformBitMask": "0x1001"
},
"message": ""
}
References #
Event ID 74: Device tag in registry exceeds length limit.
#Event ID 75: Device tag name in registry exceeds length limit.
#Event ID 76: Number of customer tags in registry exceeds limit.
#Event ID 77: Successfully applied protection on Connected User Experiences and Telemetry service
#Description
Successfully applied protection on Connected User Experiences and Telemetry service.
Message #
Event ID 78: Successfully removed protection from Connected User Experiences and Telemetry service
#Description
Successfully removed protection from Connected User Experiences and Telemetry service.
Message #
Event ID 79: Failed to apply protection on Connected User Experiences and Telemetry service.
#Event ID 80: Failed to remove protection from Connected User Experiences and Telemetry service.
#Event ID 81: Failed to create Windows Defender Advanced Threat Protection ETW autologger.
#Event ID 82: Failed to remove Windows Defender Advanced Threat Protection ETW autologger.
#Event ID 83: Cyber event may be dropped because its size [RealValue bytes] exceeded max size [quotaValue bytes] or close to it.
#Event ID 84: Set Windows Defender Antivirus running mode.
#Description
Set Windows Defender Antivirus running mode. Force passive mode: forcePassiveMode, result code: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
forcePassiveMode Boolean | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 84,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:43:22.434072+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 8176,
"thread_id": 10396
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"forcePassiveMode": false,
"HRESULT": "0x0"
},
"message": ""
}
References #
Event ID 85: Failed to trigger Windows Defender Advanced Threat Protection Incident Response executable.
#Event ID 86: Starting again stopped external service that should be up.
#Event ID 87: Cannot start the external service.
#Event ID 88: Updating the start type of external service again.
#Description
Updating the start type of external service again. Name: ServiceName, actual start type: ActualStartType, expected start type: ExpectedStartType, exit code: ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString | |
ActualStartType Int16 | |
ExpectedStartType Int16 | |
ErrorCode HexInt32 |
References #
Event ID 89: Cannot update the start type of external service.
#Event ID 90: Failed to configure System Guard Runtime Monitor to connect to cloud service in geo-region Message1.
#Event ID 91: Failed to remove System Guard Runtime Monitor geo-region information.
#Event ID 92: Stopping sending sensor cyber data quota because data quota is exceed.
#Event ID 93: Resuming sending sensor cyber data.
#Event ID 94: Windows Defender Advanced Threat Protection Classification Engine executable has started
#Description
The SenseCE executable has started. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 94,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:43:23.714880+00:00",
"event_record_id": 11,
"correlation": {},
"execution": {
"process_id": 8176,
"thread_id": 10396
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 95: Windows Defender Advanced Threat Protection Classification Engine executable has ended
#Description
The SenseCE executable has ended. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 95,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:44:27.877746+00:00",
"event_record_id": 23,
"correlation": {},
"execution": {
"process_id": 8176,
"thread_id": 4048
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 96: Windows Defender Advanced Threat Protection Classification Engine Init has called.
#Event ID 97: There are connectivity issues to the Cloud for the DLP scenario
#Event ID 98: The connectivity to the Cloud for the DLP scenario has been restored
#Event ID 99: Sense has encoutered the following error while communicating with server: (Message1).
#Event ID 100: Windows Defender Advanced Threat Protection Classification Engine executable failed to start.
#Event ID 101: Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start.
#Description
Windows Defender Advanced Threat Protection Network Detection and Response executable failed to start. Failure code: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 101,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T05:29:15.724352+00:00",
"event_record_id": 3466,
"correlation": {},
"execution": {
"process_id": 3688,
"thread_id": 3888
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x80070020"
},
"message": ""
}
Event ID 102: Windows Defender Advanced Threat Protection Network Detection and Response executable has started
#Description
The SenseNdr executable has started. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 102,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:48.907221+00:00",
"event_record_id": 3383,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 5040
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 103: Windows Defender Advanced Threat Protection Network Detection and Response executable has ended
#Description
The SenseNdr executable has ended. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 103,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:24:29.979924+00:00",
"event_record_id": 2598,
"correlation": {},
"execution": {
"process_id": 3952,
"thread_id": 11152
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 104: Failed to queue asynchronous driver unload.
#Event ID 105: Failed to wait for driver unload.
#Event ID 106: Windows Defender Advanced Threat Protection service failed to start.
#Event ID 107: Windows Defender Advanced Threat Protection service failed to start.
#Event ID 108: Update phase:Update_phase, new platform version: new_platform_version, message: message.
#Event ID 109: Update phase:Update_phase new platform version: new_platform_version, failure message: failure_message, error: error.
#Event ID 110: Failed to remove MDEContain WFP filters
#Event ID 111: Failed to Leave SecurityManagement.
#Event ID 112: MsSecFlt.
#Event ID 113: MsSecFlt.
#Description
MsSecFlt.sys kernel service has successfully started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "{FAE96D09-ADE1-5223-0098-AF7B67348531}",
"event_source_name": "",
"event_id": 113,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-03-20T18:58:58.6340112+00:00",
"event_record_id": 5852,
"correlation": {},
"execution": {
"process_id": 3828,
"thread_id": 5940
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "MsSecFlt.sys kernel service has successfully started."
}
Event ID 115: MsSecWfp.
#Description
MsSecWfp.sys kernel service has successfully started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "{FAE96D09-ADE1-5223-0098-AF7B67348531}",
"event_source_name": "",
"event_id": 115,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-03-20T18:59:00.2887921+00:00",
"event_record_id": 5853,
"correlation": {},
"execution": {
"process_id": 3828,
"thread_id": 5940
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "MsSecWfp.sys kernel service has successfully started."
}
Event ID 117: Message1: Failed to modify service object trust label.
#Event ID 118: Update phase:Update_phase, new platform version: new_platform_version, success message: success_message.
#Event ID 119: Windows Defender Advanced Threat Protection service failed to remove its failure actions.
#Event ID 120: EventTraker Event data: (parameter).
#Event ID 121: Info message: Info_message.
#Event ID 122: Update phase:Update_phase new platform version: new_platform_version, warning message: warning_message.
#Event ID 123: Update error message: message, Additional parameters: valueName1: value1, valueName2: value2, error message: HRESULT.
#Event ID 124: Windows Defender Advanced Threat Protection Trace Event Monitor executable has started
#Description
Windows Defender Advanced Threat Protection Trace Event Monitor executable has started.
Message #
Event ID 125: Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended
#Description
Windows Defender Advanced Threat Protection Trace Event Monitor executable has ended.
Message #
Event ID 126: Windows Defender Advanced Threat Protection Trace Event Monitor executable failed to start.
#Event ID 127: Windows Defender Advanced Threat Protection Dlp Processor executable failed to start.
#Event ID 128: Windows Defender Advanced Threat Protection Dlp Processor executable has started
#Description
Windows Defender Advanced Threat Protection Dlp Processor executable has started.
Message #
Event ID 129: Windows Defender Advanced Threat Protection Dlp Processor executable has ended
#Description
Windows Defender Advanced Threat Protection Dlp Processor executable has ended.
Message #
Event ID 130: Received DLP policy type: Received_DLP_policy_type.
#Event ID 131: Completed processing DLP policy type: Completed_processing_DLP_policy_type.
#Event ID 132: Failed to process DLP policy type: CommandType.
#Event ID 133: Ignore DLP policy type: Ignore_DLP_policy_type at CommandType due to Data Loss Prevention feature currently disabled.
#Event ID 134: Offboarding blob is revoked via configuration.
#Event ID 135: Offboarding is blocked for blob with Epoch: BlobEpoch , BlobSha256: BlobSha256.
#Event ID 136: Windows Defender Advanced Threat Protection Dlp Classification Host executable failed to start
#Event ID 137: Windows Defender Advanced Threat Protection Dlp Classification Host executable has started
#Description
Windows Defender Advanced Threat Protection Dlp Classification Host executable has started
Message #
Event ID 138: Windows Defender Advanced Threat Protection Dlp Classification Host executable has ended
#Description
Windows Defender Advanced Threat Protection Dlp Classification Host executable has ended
Message #
Event ID 300: Windows Defender Advanced Threat Protection Session Recorder executable has started
#Description
Windows Defender Advanced Threat Protection Session Recorder executable has started.
Message #
Event ID 301: Windows Defender Advanced Threat Protection Session Recorder executable has ended
#Description
Windows Defender Advanced Threat Protection Session Recorder executable has ended.
Message #
Event ID 302: Windows Defender Advanced Threat Protection Session Recorder init has called from user session parameter.
#Event ID 303: Windows Defender Advanced Threat Protection Session Recorder executable failed to start from user session Message1.
#Event ID 304: Windows Defender Advanced Threat Protection Session Recorder user session logon event for session id: UInt1, session name: Message1.
#Event ID 305: Windows Defender Advanced Threat Protection Session Recorder user session logoff event for session id: UInt1.
#Event ID 306: Windows Defender Advanced Threat Protection Session Recorder user session unlock event for session id: UInt1.
#Event ID 307: Failed to update driver permissions Failure code: HRESULT.
#Event ID 308: Failed to ACL on Folder Message1 Failure code: HRESULT.
#Event ID 309: Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id with_provider of event log channel: UInt1, with provid...
#Description
Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id of event log channel: , with provider: . Event data will not be collected until next reboot.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
Message1 UnicodeString | |
providerName UnicodeString |
Event ID 310: Failed to store cloud configuration.
#Event ID 400: Windows Defender Advanced Threat Protection service failed to create certificate.
#Event ID 401: Windows Defender Advanced Threat Protection service failed to generate key.
#Event ID 402: Windows Defender Advanced Threat Protection service failed to persist authentication state.
#Event ID 403: Registration of device by Windows Defender Advanced Threat Protection service completed.
#Description
Successful registration to authentication service. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 403,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T00:56:55.322831+00:00",
"event_record_id": 2414,
"correlation": {},
"execution": {
"process_id": 3492,
"thread_id": 3460
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 404: Windows Defender Advanced Threat Protection service successfully generated a key.
#Description
Successful crypto key generation. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 404,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:06.058465+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 10328
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 405: Failed to communicate with authentication service.
#Description
Failed to communicate with authentication service. requestType request failed, hresult: HRESULT, HTTP error code: errorCode .
Message #
Fields #
| Name | Description |
|---|---|
requestType UnicodeString | |
HRESULT HexInt32 | |
errorCode Int32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 405,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-16T04:27:12.595342+00:00",
"event_record_id": 1601,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 6028
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"requestType": "GetNonce",
"HRESULT": "0x8000ffff",
"errorCode": 12007
},
"message": ""
}
References #
Event ID 406: Request for error_code rejected by authentication service.
#Event ID 407: Windows Defender Advanced Threat Protection service failed to sign message (authentication).
#Event ID 408: Windows Defender Advanced Threat Protection service failed to remove persist authentication state.
#Event ID 409: Windows Defender Advanced Threat Protection service failed to open key.
#Description
Windows Defender Advanced Threat Protection service failed to open key. Failure code: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 409,
"level": 2,
"task": 0,
"opcode": 0,
"time_created": "2026-04-23T08:41:05.9372942+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE"
},
"event_data": {
"HRESULT": "0x80004005"
}
}
References #
Event ID 410: Registration is required as part of re-onboarding of Windows Defender Advanced Threat Protection service.
#Event ID 411: Cyber telemetry upload has been suspended for Windows Defender Advanced Threat Protection service due to invalid/expired token.
#Description
Cyber upload temporarily suspended. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 411,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T18:11:34.717119+00:00",
"event_record_id": 3551,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 10996
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 412: Cyber telemetry upload been resumed for Windows Defender Advanced Threat Protection service due to newly refreshed token.
#Description
Cyber upload successfully resumed. Normal operating notification; no action required.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"guid": "FAE96D09-ADE1-5223-0098-AF7B67348531",
"event_source_name": "",
"event_id": 412,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T03:05:04.739815+00:00",
"event_record_id": 3810,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 11628
},
"channel": "Microsoft-Windows-SENSE/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 413: Windows Defender Advanced Threat Protection Network Detection and Response failed to subscribe to event id {UInt1} of event log channel: {Message1}.
#Event ID 414: Key rotation of device by Windows Defender Advanced Threat Protection service completed.
#Description
Key rotation of device by Windows Defender Advanced Threat Protection service completed.
Message #
Event ID 415: Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.
#Description
Authentication initialization for Windows Defender Advanced Threat Protection service completed successfully.
Message #
Event ID 416: EventTraker Event data: (parameter).
#Event ID 417: Windows Defender Advanced Threat Protection service opened key successfully.
#Description
Windows Defender Advanced Threat Protection service opened key successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 417,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-23T08:41:05.9444149+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE"
},
"event_data": {}
}
Event ID 418: Windows Defender Advanced Threat Protection service certificate creation completed successfully.
#Description
Windows Defender Advanced Threat Protection service certificate creation completed successfully.
Message #
Event ID 419: Windows Defender Advanced Threat Protection service authentication request signing completed successfully.
#Description
Windows Defender Advanced Threat Protection service authentication request signing completed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 419,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-05-27T17:14:01.7133582+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE/Operational"
},
"event_data": {}
}
Event ID 420: Rename of device by Windows Defender Advanced Threat Protection service completed.
#Description
Rename of device by Windows Defender Advanced Threat Protection service completed.
Message #
Event ID 500: Windows Defender Advanced Threat Protection orchestrator failed to perform: UInt1.
#Description
Windows Defender Advanced Threat Protection orchestrator failed to perform: UInt1. Identifier: Message1. HRESULT: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
Message1 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 500,
"level": "Error",
"task": null,
"opcode": "Info",
"time_created": "2026-05-24T12:55:32.1914386+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE/Operational"
},
"event_data": {
"UInt1": "3",
"Message1": "SenseIdentity",
"HRESULT": "0x2"
}
}
Event ID 501: Windows Defender Advanced Threat Protection orchestrator performed: UInt1 successfully.
#Description
Windows Defender Advanced Threat Protection orchestrator performed: UInt1 successfully. Identifier: Message1.
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SENSE",
"event_id": 501,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-05-24T12:55:32.3561434+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-SENSE/Operational"
},
"event_data": {
"UInt1": "2",
"Message1": "SenseIdentity"
}
}
Event ID 1800: CSP: Get Node's Value.
#Event ID 1801: CSP: Failed to Get Node's Value.
#Event ID 1802: CSP: Get Node's Value complete.
#Event ID 1803: CSP: Get Last Connected value complete.
#Event ID 1804: CSP: Get Org ID value complete.
#Event ID 1805: CSP: Get Sense Is Running value complete.
#Event ID 1806: CSP: Get Onboarding State value complete.
#Event ID 1807: CSP: Get Onboarding value complete.
#Description
CSP: Get Onboarding value complete. Onboarding Blob Hash: (onboardingBlobHash), IsDefault: (isDefaultOnboardingBlob), Onboarding State: (onboardingState), Onboarding State IsDefault: (isDefaultOnboardingState).
Message #
Fields #
| Name | Description |
|---|---|
onboardingBlobHash UInt64 | |
isDefaultOnboardingBlob Boolean | |
onboardingState UInt32 | |
isDefaultOnboardingState Boolean |
References #
Event ID 1808: CSP: Get Offboarding value complete.
#Event ID 1809: CSP: Get Sample Sharing value complete.
#Event ID 1810: CSP: Onboarding process.
#Event ID 1811: CSP: Onboarding process.
#Event ID 1812: CSP: Onboarding process.
#Event ID 1813: CSP: Onboarding process.
#Event ID 1814: CSP: Onboarding process.
#Event ID 1815: CSP: Set Sample Sharing value complete.
#Description
CSP: Set Sample Sharing value complete. Previous Value: (previousSampleCollectionValue), IsDefault: (IsDefault), New Value: (newSampleSharing), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
previousSampleCollectionValue UInt32 | |
IsDefault Boolean | |
newSampleSharing UInt32 | |
HRESULT HexInt32 |
References #
Event ID 1816: CSP: Offboarding process.
#Event ID 1817: CSP: Offboarding process.
#Event ID 1818: CSP: Set Node's Value started.
#Event ID 1819: CSP: Failed to Set Node's Value.
#Event ID 1820: CSP: Set Node's Value complete.
#Event ID 1821: CSP: Set Telemetry Reporting Frequency started.
#Event ID 1822: CSP: Set Telemetry Reporting Frequency complete.
#Description
CSP: Set Telemetry Reporting Frequency complete. Previous value: (previousLatencyMode), IsDefault: (IsDefault), New value: (newLatencyMode), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
previousLatencyMode UnicodeString | |
IsDefault Boolean | |
newLatencyMode UnicodeString | |
HRESULT HexInt32 |
References #
Event ID 1823: CSP: Get Telemetry Reporting Frequency complete.
#Event ID 1824: CSP: Get Group Ids complete.
#Event ID 1825: CSP: Set Group Ids exceeded allowed limit.
#Event ID 1826: CSP: Set Group Ids complete.
#Event ID 1827: CSP: Onboarding process.
#Description
Trace values as part of onboarding. Normal operating notification; no action required.
Message #
Fields #
| Name | Description |
|---|---|
isServiceRunningAlready Boolean | |
previousOnboardingBlobHash UInt64 | |
isDefaultOnboardingBlob Boolean | |
onboardingState UInt32 | |
isDefaultOnboardingState Boolean | |
newOnboardingBlobHash UInt64 |
References #
Event ID 1828: CSP: Onboarding process.
#Description
Trace values as part of offboarding. Normal operating notification; no action required.
Message #
Fields #
| Name | Description |
|---|---|
isServiceRunning Boolean | |
previousOffboardingBlobHash UInt64 | |
isDefaultOffboardingBlob Boolean | |
onboardingState UInt32 | |
isDefaultOnboardingState Boolean | |
newOffboardingBlobHash UInt64 |
References #
Event ID 1829: CSP: Failed to Set Sample Sharing Value.
#Event ID 1830: CSP: Failed to Set Telemetry Reporting Frequency Value.
#Event ID 1831: CSP: Get Sense is running.
#Event ID 1832: CSP: Get Device Tagging Group complete.
#Event ID 1833: CSP: Get Device Tagging Criticality value complete.
#Description
CSP: Get Device Tagging Criticality value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).
Message #
Fields #
| Name | Description |
|---|---|
registryValue UnicodeString | |
IsDefault Boolean | |
conversionSucceeded Boolean | |
Result UInt32 |
References #
Event ID 1834: CSP: Get Device Tagging Identification Method value complete.
#Description
CSP: Get Device Tagging Identification Method value complete. In Registry: (registryValue), IsDefault: (IsDefault), Conversion Succeeded: (conversionSucceeded), Result: (Result).
Message #
Fields #
| Name | Description |
|---|---|
registryValue UnicodeString | |
IsDefault Boolean | |
conversionSucceeded Boolean | |
Result UInt32 |
References #
Event ID 1835: CSP: Set Device Tagging Group complete.
#Event ID 1836: CSP: Set Device Tagging Group exceeded allowed limit.
#Event ID 1837: CSP: Set Device Tagging Criticality value complete.
#Description
CSP: Set Device Tagging Criticality value complete. Previous Value: (previousCriticalityValue), IsDefault: (IsDefault), New Value: (newCriticalityValue), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
previousCriticalityValue UnicodeString | |
IsDefault Boolean | |
newCriticalityValue UInt32 | |
HRESULT HexInt32 |
References #
Event ID 1838: CSP: Failed to Set Device Tagging Criticality Value.
#Event ID 1839: CSP: Set Device Tagging Identification Method value complete.
#Description
CSP: Set Device Tagging Identification Method value complete. Previous Value: (previousIdMethodValue), IsDefault: (IsDefault), New Value: (newIdMethodValue), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
previousIdMethodValue UnicodeString | |
IsDefault Boolean | |
newIdMethodValue UInt32 | |
HRESULT HexInt32 |
References #
Event ID 1840: CSP: Failed to Set Device Tagging Identification Method Value.
#Event ID 1841: CSP: Get AadDeviceId complete.
#Event ID 1842: CSP: Set AadDeviceId complete.
#Event ID 1843: CSP: Set AadDeviceId exceeded allowed limit.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID fae96d09-ade1-5223-0098-af7b67348531
Defined in Program, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.8821.27906.1000, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.8798.25857.1000, captured 2026-06-02