Document HTTPS limitation for non-IIS Windows services in USM (#32723)

ddOfir · claude · cswatt · web-flow · commit a94685cbaa3f · 2025-11-10T12:26:11.000-08:00
* Clarify USM environment variable detection limitations Add documentation explaining that Universal Service Monitoring (USM) only detects environment variables set at process start time, not those set programmatically within application code. This clarifies that while APM instrumentation libraries can read DD_SERVICE and similar variables set via System.setProperty() (Java) or Environment.SetEnvironmentVariable() (.NET), USM cannot detect these as it reads from /proc/PID/environ (Linux) or system APIs (Windows) which only contain the initial process environment. Includes examples for properly setting environment variables in Docker, Kubernetes, and shell environments to ensure USM detection. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Document HTTPS limitation for non-IIS Windows services in USM Add documentation clarifying that Universal Service Monitoring on Windows only supports HTTPS monitoring for IIS-based services. Non-IIS services (custom .NET apps, Node.js, Java, etc.) can only be monitored via HTTP. This limitation exists because USM on Windows uses Event Tracing for Windows (ETW) via the Microsoft-Windows-HttpService provider, which is only available for IIS services. Non-IIS services running HTTPS will not have their encrypted traffic monitored by USM. Includes a clear breakdown of what is and isn't supported: - IIS services: HTTP + HTTPS ✅ - Non-IIS services: HTTP only ✅, HTTPS ❌ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * some reformatting * edits --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: cecilia saixue watt <cecilia.watt@datadoghq.com>
diff --git a/content/en/universal_service_monitoring/setup.md b/content/en/universal_service_monitoring/setup.md
@@ -44,6 +44,52 @@ Additional protocols and traffic encryption methods are in <a href="/universal_s
 - Datadog Agent is installed alongside your service. Installing a tracing library is _not_ required.
 - The `env` tag for [Unified Service Tagging][1] has been applied to your deployment. The `service` and `version` tags are optional.
 
+## How USM detects service names
+
+<div class="alert alert-warning">
+Universal Service Monitoring detects service names from environment variables that exist when a process starts. USM reads these values from the operating system: from <code>/proc/PID/environ</code> on Linux, or through system APIs on Windows.
+</div>
+
+USM recognizes the following environment variables:
+- `DD_SERVICE`: Explicitly sets the service name
+- `DD_ENV`: Sets the environment tag
+- `DD_VERSION`: Sets the version tag
+- `DD_TAGS`: Additional tags; can include the `service:name` tag
+
+### Key limitation: USM and programmatically-set environment variables for APM
+
+If you set environment variables programmatically **inside your application code** (such as `System.setProperty("dd.service", "my-service")` in Java, or `Environment.SetEnvironmentVariable("DD_SERVICE", "my-service")` in .NET), these environment variables are **not** detected by USM, even though these values work for APM tracing instrumentation.
+
+This happens because USM runs in the Datadog Agent as a separate process and only sees the environment variables that were set when your process started. Conversely, APM instrumentation libraries run inside your application process and can read runtime environment changes.
+
+**To ensure USM detection, set environment variables before the application starts**:
+
+{{< tabs >}}
+{{% tab "Docker" %}}
+```yaml
+environment:
+  - DD_SERVICE=my-service
+  - DD_ENV=production
+```
+{{% /tab %}}
+{{% tab "Kubernetes" %}}
+```yaml
+env:
+  - name: DD_SERVICE
+    value: "my-service"
+  - name: DD_ENV
+    value: "production"
+```
+{{% /tab %}}
+{{% tab "Shell" %}}
+```bash
+export DD_SERVICE=my-service
+export DD_ENV=production
+java -jar myapp.jar
+```
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Enabling Universal Service Monitoring
 
 Enable Universal Service Monitoring in your Agent by using one of the following methods depending on how your service is deployed and your Agent configured:
@@ -751,6 +797,18 @@ service_monitoring_config:
   process_service_inference:
     enabled: true
 ```
+
+<div class="alert alert-warning">
+<strong>Important limitation for non-IIS Windows services:</strong> Universal Service Monitoring on Windows uses Event Tracing for Windows (ETW) through the <code>Microsoft-Windows-HttpService</code> provider for HTTPS traffic monitoring. This ETW provider is only available for IIS-based services. Non-IIS services (such as custom .NET applications, Node.js servers, Java servers, or other HTTP servers running on Windows) <strong>do not support HTTPS monitoring</strong> through USM. Only plain HTTP traffic can be monitored for non-IIS Windows services.
+</div>
+
+### IIS and non-IIS service support
+
+| Service type     | HTTP traffic monitoring | HTTPS traffic monitoring |
+| ---  | ----------- | ----------- |
+| IIS services     | Supported | Supported               |
+| Non-IIS services | Supported | **Not supported** |
+
    
 [1]: /agent/basic_agent_usage/windows/?tab=commandline
 {{% /tab %}}
