PAX Purview Audit Log Processor v1.11.9
Version 1.11.9 is a resume-only reliability release that fixes a regression in which several run settings were silently not restored when an interrupted run was continued with -Resume. The affected settings were read back from the checkpoint with a presence check that does not work against the checkpoint's in-memory form, so on resume they reverted to their defaults. Most visibly, a -Resumed -AppendFile run stopped appending and wrote separate new output files instead of merging into the existing target; the same root cause also dropped -Deidentify (a resumed anonymized run could write raw, identifiable data), -FillerLabel / -FillerLabelText, and the per-stream -AppendUserInfo / -AppendAgent365Info and -OutputPathUserInfo / -OutputPathAgent365Info / -OutputPathLog destinations. It adds no parameters, changes no switch semantics, and makes no output-schema changes; any run that does not use -Resume — and any run that uses none of the affected switches — is byte-identical to v1.11.8.
Fixed in v1.11.9
-Resumenow restores append, deidentify, filler-label, and per-stream destination settings. On-Resume, PAX loads the checkpoint as an in-memory hashtable, but the v1.11.8 restore logic tested for each of the newer settings with a presence check that, against that hashtable form, enumerates the type's own members instead of the stored keys — so the check was always false and the value silently reverted to its default. Each affected check now uses the dictionary-correct key test, so a resumed run reproduces the original run's settings exactly: it union-merges into the existing append target on all tiers (Local, SharePoint, Fabric), re-applies anonymization (-Deidentify) and the hierarchy level-filler (-FillerLabel/-FillerLabelText), and routes each stream to its original-OutputPathUserInfo/-OutputPathAgent365Info/-OutputPathLogdestination. The standard (non-streaming) export path used for small datasets is additionally redirected to the restored-AppendFileseed. The change is resume-only — fresh (non-resume) runs are byte-for-byte unchanged — and checkpoints written by older versions resume exactly as before.- Resume console/log reporting now matches what the resumed run actually does. The post-interruption parameter snapshot now reports the restored
-Deidentify/-FillerLabel/-FillerLabelTextstate (it previously printed the pre-restore defaults even though both were applied to the output), and the graceful-exit "To resume later" hint now reflects the credential kind the original App Registration run used — a certificate thumbprint or PFX path rather than always-ClientSecret, and nothing beyond-Resumefor interactive and managed-identity runs. Both are display-only corrections and change no output data.
See the release notes and documentation for full details.