drop system evtx csv and mft csv · detect delivery optimization logging disabled or gaps · identify windows update log files cleared · surface telemetry suppression in update and delivery optimization channels · runs locally
heuristic screener · vendor schema varies · not definitive proof