Microsoft-Windows-UniversalTelemetryClient
25 events across 1 channel
Event ID 1 — Tenant IKey has been registered for telemetry usage.
#Description
Tenant IKey has been registered for telemetry usage.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
IKey UnicodeString | — |
DiskSizeInBytes UInt32 | — |
DailyUploadQuotaInBytes UInt32 | — |
HRESULT UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 9223372036854841344,
"time_created": "2023-11-06T01:42:43.926263+00:00",
"event_record_id": 142,
"correlation": {},
"execution": {
"process_id": 3148,
"thread_id": 12412
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"IKey": "P-ARIA-6660cc65b74b4291b30536aea7ed6ead-5a228f6e-723e-4098-8ed2-3554f184fd67-7451",
"DiskSizeInBytes": 8388608,
"DailyUploadQuotaInBytes": 0,
"HRESULT": 2147943642
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2 — Tenant IKey has been unregistered for telemetry usage.
Description
Tenant IKey has been unregistered for telemetry usage.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
IKey UnicodeString | — |
HRESULT UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": 9223372036854841344,
"time_created": "2026-03-11T06:27:46.715428+00:00",
"event_record_id": 427,
"correlation": {
"ActivityID": "17404B55-CA54-4D65-932C-664EDEF08F62"
},
"execution": {
"process_id": 3532,
"thread_id": 5236
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"IKey": "P-WDATP",
"HRESULT": 2147943568
},
"message": ""
}
Event ID 3 — The daily upload quota for IKey has been updated to DailyUploadQuotaInBytes bytes.
Event ID 20 — The upload URL has changed to Url .
Event ID 21 — Upload failed with the following HRESULT: HRESULT.
Event ID 22 — The daily upload quota for SENSE has crossed into a new tier.
Description
The daily upload quota for SENSE has crossed into a new tier.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
BytesUploadedSoFar UInt64 | — |
BytesAllowed UInt64 | — |
PercentageUsed UInt32 | — |
NewTier UInt32 | — |
OldTier UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 22,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2026-03-11T08:57:50.434811+00:00",
"event_record_id": 450,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 8160
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "InProcHost",
"BytesUploadedSoFar": 5198198,
"BytesAllowed": 103809024,
"PercentageUsed": 5,
"NewTier": 1,
"OldTier": 0
},
"message": ""
}
Event ID 23 — Storage capacity for the SENSE tenant has changed to a new tier.
Event ID 24 — An unknown and unconfigured dynamic Vortex region Region was attempted to be set.
Event ID 25 — The event storage for SENSE has been throttled.
Event ID 26 — The upload for SENSE has been throttled.
Event ID 27 — Connection state - All connections have succeeded since the previous period.
#Description
Connection state - All connections have succeeded since the previous period.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
EventsUploaded UInt32 | — |
EventsDropped UInt32 | — |
LastEventlogWrittenTime UInt64 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 27,
"version": 0,
"level": 4,
"task": 27,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2023-11-06T02:02:29.363296+00:00",
"event_record_id": 143,
"correlation": {},
"execution": {
"process_id": 3148,
"thread_id": 17084
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": 331,
"EventsDropped": 16,
"LastEventlogWrittenTime": 133437079485295621
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 28 — Connection state - Some connections have failed since the previous period.
#Description
Connection state - Some connections have failed since the previous period.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
EventsUploaded UInt32 | — |
EventsDropped UInt32 | — |
LastEventlogWrittenTime UInt64 | — |
SuccessfulConnections UInt32 | — |
FailedConnections UInt32 | — |
LastHttpError UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 28,
"version": 0,
"level": 3,
"task": 28,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2023-11-06T01:32:28.542363+00:00",
"event_record_id": 141,
"correlation": {},
"execution": {
"process_id": 3148,
"thread_id": 3756
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": 573,
"EventsDropped": 10,
"LastEventlogWrittenTime": 133437061481643300,
"SuccessfulConnections": 12,
"FailedConnections": 1,
"LastHttpError": 2147954430
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 29 — Connection state - Some connections have failed since the previous period.
#Description
Connection state - Some connections have failed since the previous period.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
EventsUploaded UInt32 | — |
EventsDropped UInt32 | — |
LastEventlogWrittenTime UInt64 | — |
FailedConnections UInt32 | — |
LastHttpError UInt32 | — |
ProxySettingDetected Boolean | — |
SslCertValidationFailures UInt32 | — |
LastSslCertFailure UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 29,
"version": 0,
"level": 2,
"task": 29,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2022-04-07T08:14:43.748987+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 2704,
"thread_id": 3244
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"EventsUploaded": 0,
"EventsDropped": 1674,
"LastEventlogWrittenTime": 3545508526300415277,
"FailedConnections": 7,
"LastHttpError": 2147954407,
"ProxySettingDetected": false,
"SslCertValidationFailures": 0,
"LastSslCertFailure": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 50 — The service has been started to the following state: Status.
#Description
The service has been started to the following state: Status.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
Status UInt32 | — NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 50,
"version": 0,
"level": 4,
"task": 50,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:43.921103+00:00",
"event_record_id": 91,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 3932
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"Status": 0
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 55 — Is the Internet available: State.
#Description
Is the Internet available: State.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
State Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 55,
"version": 0,
"level": 4,
"task": 55,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:52.971889+00:00",
"event_record_id": 97,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 4556
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": true
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 56 — Is a free network available: State.
#Description
Is a free network available: State.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
State Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 56,
"version": 0,
"level": 4,
"task": 56,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:52.972135+00:00",
"event_record_id": 98,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 4556
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": true
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 60 — Is device on battery power: State.
Description
Is device on battery power: State.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
State Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 60,
"version": 0,
"level": 4,
"task": 60,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2026-03-11T06:27:46.945847+00:00",
"event_record_id": 428,
"correlation": {},
"execution": {
"process_id": 3632,
"thread_id": 4212
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "InProcHost",
"State": false
},
"message": ""
}
Event ID 61 — Is the Battery Saver state enabled: State.
#Description
Is the Battery Saver state enabled: State.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
State Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 61,
"version": 0,
"level": 4,
"task": 61,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:45.397066+00:00",
"event_record_id": 93,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 4556
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 62 — Is the device in connected standby: State.
#Description
Is the device in connected standby: State.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
State Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 62,
"version": 0,
"level": 4,
"task": 62,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:45.397324+00:00",
"event_record_id": 94,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 4556
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"State": false
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 63 — Has the service used more power than considered reasonable: State.
Event ID 64 — Diagnostic Data Collection Level
#Description
Diagnostic Data Collection Level.
Message #
Fields #
| Name | Description |
|---|---|
Environment UnicodeString | — |
OldInfo UInt32 | — |
NewInfo UInt32 | — |
SettingAuthority Int32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 64,
"version": 0,
"level": 4,
"task": 64,
"opcode": 0,
"keywords": 9223372036855037952,
"time_created": "2023-11-06T06:25:44.333797+00:00",
"event_record_id": 92,
"correlation": {},
"execution": {
"process_id": 3712,
"thread_id": 3932
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Environment": "ServiceHost",
"OldInfo": 0,
"NewInfo": 1,
"SettingAuthority": 2
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 65 — The agent has transitioned to or from an idle state.
Event ID 66 — The diagnostic and feedback permission level has changed.
Description
The diagnostic and feedback permission level has changed.
Message #
Fields #
| Name | Description |
|---|---|
OldLevel UInt32 | — |
NewLevel UInt32 | — |
Source UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-UniversalTelemetryClient",
"guid": "6489B27F-7C43-5886-1D00-0A61BB2A375B",
"event_source_name": "",
"event_id": 66,
"version": 0,
"level": 4,
"task": 66,
"opcode": 0,
"keywords": 9223372036854906880,
"time_created": "2025-12-31T19:32:58.269044+00:00",
"event_record_id": 12,
"correlation": {},
"execution": {
"process_id": 3076,
"thread_id": 3612
},
"channel": "Microsoft-Windows-UniversalTelemetryClient/Operational",
"computer": "WIN11-22H2-X64",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"OldLevel": 1,
"NewLevel": 1,
"Source": "Api"
},
"message": ""
}
Event ID 67 — You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid Commerci...
Description
You cannot enable a policy that causes your organization to manage all Windows diagnostic data without being AAD joined or setting a valid CommercialId on the device.
Message #
Event ID 68 — Invalid Processor mode configuration.
Description
Invalid Processor mode configuration.