Microsoft-Windows-UniversalTelemetryClient

25 events across 1 channel

Event ID	Title	Channel
1	Tenant %2 has been registered for telemetry usage.	Operational
2	Tenant %2 has been unregistered for telemetry usage.	Operational
3	The daily upload quota for %2 has been updated to %3 bytes.	Operational
20	The upload URL has changed to %2 .	Operational
21	Upload failed with the following HRESULT.	Operational
22	The daily upload quota for SENSE has crossed into a new tier.	Operational
23	Storage capacity for the SENSE tenant has changed to a new tier.	Operational
24	An unknown and unconfigured dynamic Vortex region %2 was attempted to be set.	Operational
25	The event storage for SENSE has been throttled.	Operational
26	The upload for SENSE has been throttled.	Operational
27	Connection state - All connections have succeeded since the previous period.	Operational
28	Connection state - Some connections have failed since the previous period.	Operational
29	Connection state - Some connections have failed since the previous period.	Operational
50	The service has been started to the following state.	Operational
55	Is the Internet available.	Operational
56	Is a free network available.	Operational
60	Is device on battery power.	Operational
61	Is the Battery Saver state enabled.	Operational
62	Is the device in connected standby.	Operational
63	Has the service used more power than considered reasonable.	Operational
64	Diagnostic Data Collection Level	Operational
65	The agent has transitioned to or from an idle state.	Operational
66	The diagnostic and feedback permission level has changed.	Operational
67	You cannot enable a policy that causes your organization to manage all Windows …	Operational
68	Invalid Processor mode configuration.	Operational

Event ID 1 — Tenant %2 has been registered for telemetry usage.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Tenant %2 has been registered for telemetry usage.

Fields

Name	Description
`Environment`	—
`IKey`	—
`DiskSizeInBytes`	—
`DailyUploadQuotaInBytes`	—
`HRESULT`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 1
  version: 0
  level: 4
  task: 1
  opcode: 0
  keywords: 9223372036854841344
  time_created: '2023-11-06T01:42:43.926263+00:00'
  event_record_id: 142
  correlation: {}
  execution:
    process_id: 3148
    thread_id: 12412
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  IKey: P-ARIA-6660cc65b74b4291b30536aea7ed6ead-5a228f6e-723e-4098-8ed2-3554f184fd67-7451
  DiskSizeInBytes: 8388608
  DailyUploadQuotaInBytes: 0
  HRESULT: 2147943642
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 2 — Tenant %2 has been unregistered for telemetry usage.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Tenant %2 has been unregistered for telemetry usage.

Fields

Name	Description
`Environment`	—
`IKey`	—
`HRESULT`	—

Event ID 3 — The daily upload quota for %2 has been updated to %3 bytes.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The daily upload quota for %2 has been updated to %3 bytes.

Fields

Name	Description
`Environment`	—
`IKey`	—
`DailyUploadQuotaInBytes`	—
`HRESULT`	—

Event ID 20 — The upload URL has changed to %2 .

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The upload URL has changed to %2 .

Fields

Name	Description
`Environment`	—
`Url`	—

Event ID 21 — Upload failed with the following HRESULT.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Upload failed with the following HRESULT: %2

Fields

Name	Description
`Environment`	—
`HRESULT`	—

Event ID 22 — The daily upload quota for SENSE has crossed into a new tier.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The daily upload quota for SENSE has crossed into a new tier.

Fields

Name	Description
`Environment`	—
`BytesUploadedSoFar`	—
`BytesAllowed`	—
`PercentageUsed`	—
`NewTier`	—
`OldTier`	—

Event ID 23 — Storage capacity for the SENSE tenant has changed to a new tier.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Storage capacity for the SENSE tenant has changed to a new tier.

Fields

Name	Description
`Environment`	—
`PercentageFullInEachRingBuffer`	—

Event ID 24 — An unknown and unconfigured dynamic Vortex region %2 was attempted to be set.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

An unknown and unconfigured dynamic Vortex region %2 was attempted to be set.

Fields

Name	Description
`Environment`	—
`Region`	—

Event ID 25 — The event storage for SENSE has been throttled.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The event storage for SENSE has been throttled.

Fields

Name	Description
`Environment`	—
`UploadQuota`	—
`PercentageQuotaUsed`	—

Event ID 26 — The upload for SENSE has been throttled.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The upload for SENSE has been throttled.

Fields

Name	Description
`Environment`	—
`UploadQuota`	—

Event ID 27 — Connection state - All connections have succeeded since the previous period.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Connection state - All connections have succeeded since the previous period.

Fields

Name	Description
`Environment`	—
`EventsUploaded`	—
`EventsDropped`	—
`LastEventlogWrittenTime`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 27
  version: 0
  level: 4
  task: 27
  opcode: 0
  keywords: 9223372036854906880
  time_created: '2023-11-06T02:02:29.363296+00:00'
  event_record_id: 143
  correlation: {}
  execution:
    process_id: 3148
    thread_id: 17084
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  EventsUploaded: 331
  EventsDropped: 16
  LastEventlogWrittenTime: 133437079485295621
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 28 — Connection state - Some connections have failed since the previous period.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 3
Samples: 1

Message

Connection state - Some connections have failed since the previous period.

Fields

Name	Description
`Environment`	—
`EventsUploaded`	—
`EventsDropped`	—
`LastEventlogWrittenTime`	—
`SuccessfulConnections`	—
`FailedConnections`	—
`LastHttpError`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 28
  version: 0
  level: 3
  task: 28
  opcode: 0
  keywords: 9223372036854906880
  time_created: '2023-11-06T01:32:28.542363+00:00'
  event_record_id: 141
  correlation: {}
  execution:
    process_id: 3148
    thread_id: 3756
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  EventsUploaded: 573
  EventsDropped: 10
  LastEventlogWrittenTime: 133437061481643300
  SuccessfulConnections: 12
  FailedConnections: 1
  LastHttpError: 2147954430
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 29 — Connection state - Some connections have failed since the previous period.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 2
Samples: 1

Message

Connection state - Some connections have failed since the previous period.

Fields

Name	Description
`Environment`	—
`EventsUploaded`	—
`EventsDropped`	—
`LastEventlogWrittenTime`	—
`FailedConnections`	—
`LastHttpError`	—
`ProxySettingDetected`	—
`SslCertValidationFailures`	—
`LastSslCertFailure`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 29
  version: 0
  level: 2
  task: 29
  opcode: 0
  keywords: 9223372036854906880
  time_created: '2022-04-07T08:14:43.748987+00:00'
  event_record_id: 19
  correlation: {}
  execution:
    process_id: 2704
    thread_id: 3244
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  EventsUploaded: 0
  EventsDropped: 1674
  LastEventlogWrittenTime: 3545508526300415277
  FailedConnections: 7
  LastHttpError: 2147954407
  ProxySettingDetected: false
  SslCertValidationFailures: 0
  LastSslCertFailure: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 50 — The service has been started to the following state.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

The service has been started to the following state: %2.

Fields

Name	Description
`Environment`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 50
  version: 0
  level: 4
  task: 50
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:43.921103+00:00'
  event_record_id: 91
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 3932
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  Status: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 55 — Is the Internet available.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Is the Internet available: %2

Fields

Name	Description
`Environment`	—
`State`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 55
  version: 0
  level: 4
  task: 55
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:52.971889+00:00'
  event_record_id: 97
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 4556
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  State: true
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 56 — Is a free network available.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Is a free network available: %2

Fields

Name	Description
`Environment`	—
`State`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 56
  version: 0
  level: 4
  task: 56
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:52.972135+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 4556
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  State: true
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 60 — Is device on battery power.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Is device on battery power: %2

Fields

Name	Description
`Environment`	—
`State`	—

Event ID 61 — Is the Battery Saver state enabled.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Is the Battery Saver state enabled: %2

Fields

Name	Description
`Environment`	—
`State`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 61
  version: 0
  level: 4
  task: 61
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:45.397066+00:00'
  event_record_id: 93
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 4556
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  State: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 62 — Is the device in connected standby.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Is the device in connected standby: %2

Fields

Name	Description
`Environment`	—
`State`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 62
  version: 0
  level: 4
  task: 62
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:45.397324+00:00'
  event_record_id: 94
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 4556
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  State: false
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 63 — Has the service used more power than considered reasonable.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Has the service used more power than considered reasonable: %2

Fields

Name	Description
`Environment`	—
`State`	—

Event ID 64 — Diagnostic Data Collection Level

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational
Level: 4
Samples: 1

Message

Diagnostic Data Collection Level

Fields

Name	Description
`Environment`	—
`OldInfo`	—
`NewInfo`	—
`SettingAuthority`	—

Example Event

system:
  provider: Microsoft-Windows-UniversalTelemetryClient
  guid: 6489B27F-7C43-5886-1D00-0A61BB2A375B
  event_source_name: ''
  event_id: 64
  version: 0
  level: 4
  task: 64
  opcode: 0
  keywords: 9223372036855037952
  time_created: '2023-11-06T06:25:44.333797+00:00'
  event_record_id: 92
  correlation: {}
  execution:
    process_id: 3712
    thread_id: 3932
  channel: Microsoft-Windows-UniversalTelemetryClient/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  Environment: ServiceHost
  OldInfo: 0
  NewInfo: 1
  SettingAuthority: 2
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 65 — The agent has transitioned to or from an idle state.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The agent has transitioned to or from an idle state.

Fields

Name	Description
`Environment`	—
`AgentId`	—
`IsIdle`	—
`IdleDurationMillis`	—

Event ID 66 — The diagnostic and feedback permission level has changed.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

The diagnostic and feedback permission level has changed.

Fields

Name	Description
`OldLevel`	—
`NewLevel`	—
`Source`	—

Event ID 67 — You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid Commerci...

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid CommercialId on the device.

Event ID 68 — Invalid Processor mode configuration.

Provider: Microsoft-Windows-UniversalTelemetryClient
Channel: Operational

Message

Invalid Processor mode configuration.