diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index d0a24d5007..5e0ad6cc32 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md 
@@ -9,26 +9,687 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 08/05/2019 +ms.date: 11/19/2019 --- # DiagnosticLog CSP +The DiagnosticLog configuration service provider (CSP) provides the following feature areas: -The DiagnosticLog configuration service provider (CSP) is used in the following scenarios: -- [Controlling ETW trace sessions](#diagnosticlog-csp-for-controlling-etw-trace-sessions) -- [Triggering devices to upload existing event logs, log files, and registry values to cloud storage](#diagnosticlog-csp-for-triggering-devices-to-upload-files-to-cloud) +- [DiagnosticArchive area: Capture and upload event logs, log files and registry values for troubleshooting](#DiagnosticArchive-area:-Capture-and-upload-event-logs,-log-files-and-registry-values-for-troubleshooting) +- [Policy area: Configure Windows event log policies such as maximum log size](#Policy-area:-Configure-Windows-event-log-policies-such-as-maximum-log-size) +- [EtwLog area: Control ETW trace sessions](#EtwLog-area:-control-etw-trace-sessions) +- [DeviceStateData area: Additional device information](#DeviceStateData-area:-Additional-device-information) +- [FileDownload area: Pull trace and state data directly from the device](#FileDownload-area:-Pull-trace-and-state-data-directly-from-the-device) -## DiagnosticLog CSP for controlling ETW trace sessions -The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device. +Here are the links to the DDFs: +- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) +- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) +- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -DiagnosticLog CSP supports the following type of event tracing: +The following diagram shows the DiagnosticLog CSP in tree format. 
+![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) + +**./Vendor/MSFT/DiagnosticLog** +The root node for the DiagnosticLog CSP. + +Rest of the nodes in this CSP are described within their respective feature area sections. + +## DiagnosticArchive area: Capture and upload event logs, log files and registry values for troubleshooting +The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files. + +> [!Note] +> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope. + +The following section describes the nodes for the DiagnosticArchive functionality. + +**DiagnosticArchive** +Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality. + +The supported operation is Get. + +**DiagnosticArchive/ArchiveDefinition** +Added in version 1.4 of the CSP in Windows 10, version 1903. + +The supported operations are Add and Execute. + +The data type is string. + +Expected value: +Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it. + +The following is an example of the XML. 
This example instructs the CSP to gather: +- All the keys and values under a registry path +- All the *.etl files in a folder +- The output of two commands +- Additional files created by one of the commands +- All the Application event log events. + +The results are zipped and uploaded to the specified SasUrl. The filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip". + +``` xml + + server generated guid value such as f1e20cb4-9789-4f6b-8f6a-766989764c6d + server generated url where the HTTP PUT will be accepted + HKLM\Software\Policies + %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %windir%\system32\ipconfig.exe /all + %windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\ + %ProgramData%\temp\*.* + Application + + +``` +The XML should include the following elements within the `Collection` element: + +**ID** +The ID value is a server-generated GUID string that identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. + +**SasUrl** +The SasUrl value is the target URI to which the CSP uploads the results zip file. It is the responsibility of the management server to provision storage in such a way that the server accepts the HTTP PUT to this URL. For example, the device management service could: +- Provision cloud storage, such as an Azure blob storage container or other storage managed by the device management server +- Generate a dynamic https SAS token URL representing the storage location (and which is understood by the server to allow a one-time upload or time-limited uploads) +- Pass this value to the CSP as the SasUrl value. + +Assuming a case where the management server's customer (such as an IT admin) is meant to access the data, the management server would also expose the stored data through its user interface or APIs. 
+ +**One or more data gathering directives, which may include any of the following:** + +- **RegistryKey** + - Exports all of the key names and values under a given path (recursive). + - Expected input value: Registry path such as "HKLM\Software\Policies". + - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command. + - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCU. + +- **Events** + - Exports all events from the named Windows event log. + - Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational". + - Output format: Creates a .evtx file. + +- **Commands** + - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files. + - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`. + - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter. 
+ - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadventantly capturing user-generated documents, only the following commands are allowed: + - %windir%\\system32\\certutil.exe + - %windir%\\system32\\dxdiag.exe + - %windir%\\system32\\gpresult.exe + - %windir%\\system32\\msinfo32.exe + - %windir%\\system32\\netsh.exe + - %windir%\\system32\\nltest.exe + - %windir%\\system32\\ping.exe + - %windir%\\system32\\powercfg.exe + - %windir%\\system32\\w32tm.exe + - %windir%\\system32\\wpr.exe + - %windir%\\system32\\dsregcmd.exe + - %windir%\\system32\\dispdiag.exe + - %windir%\\system32\\ipconfig.exe + - %windir%\\system32\\logman.exe + - %windir%\\system32\\tracelog.exe + - %programfiles%\\windows defender\\mpcmdrun.exe + - %windir%\\system32\\MdmDiagnosticsTool.exe + - %windir%\\system32\\pnputil.exe + +- **FoldersFiles** + - Captures log files from a given path (without recursion). + - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log". + - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadventently capturing user-generated documents, only paths under the following roots are allowed: + - %PROGRAMFILES% + - %PROGRAMDATA% + - %PUBLIC% + - %WINDIR% + - %TEMP% + - %TMP% + - Additionally, only files with the following extensions are captured: + - .log + - .txt + - .dmp + - .cab + - .zip + - .xml + - .html + - .evtx + - .etl + +**DiagnosticArchive/ArchiveResults** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. + +The supported operation is Get. + +The data type is string. + +A Get to the above URI will return the results of the data gathering for the last diagnostics request. 
For the example above it returns: + +``` xml + + + + + 1 + 1 + 0 + SyncHdr + 200 + + + 2 + 1 + 1 + Get + 200 + + + 3 + 1 + 1 + + + ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults + + + + f1e20cb4-9789-4f6b-8f6a-766989764c6d + HKLM\Software\Policies + C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl + %windir%\system32\ipconfig.exe /all + %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\ + c:\ProgramData\temp\*.* + Application + + + + + + + +``` + +Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. + +The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. + + +## Policy area: Configure Windows event log policies such as maximum log size + +The following section describes the nodes for the Policy functionality. + +**Policy** +Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log. + +The supported operation is Get. + +**Policy/Channels** +Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings. + +The supported operation is Get. + +**Policy/Channels/_ChannelName_** +Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. + +Supported operations are Add, Delete, and Get. 
+ +Add **Channel** +``` xml + + ​ + ​ + 2​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + node​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Delete **Channel** +``` xml + + ​ + ​ + 3​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Get **Channel** +``` xml + + ​ + ​ + 4​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +**Policy/Channels/_ChannelName_/MaximumFileSize** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is integer. + +Add **MaximumFileSize** +``` xml + + ​ + ​ + 6​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 3​ + ​ + ​ + ​ + ​ + +``` + +Delete **MaximumFileSize** +``` xml + + ​ + ​ + 7​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` +Get **MaximumFileSize** +``` xml + + ​ + ​ + 5​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **MaximumFileSize** +``` xml + + ​ + ​ + 8​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ + ​ + ​ + ​ + int​ + text/plain​ + ​ + 5​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/SDDL** +Added in version 1.4 of the CSP in Windows 10, version 1903. 
This policy setting represents SDDL string controlling access to the channel. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is string. + +Default string is as follows: + +https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype. + +Add **SDDL** +``` xml + + ​ + ​ + 10​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourSDDL​ + ​ + ​ + ​ + ​ + +``` + +Delete **SDDL** +``` xml + + + ​ + ​ + 11​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Get **SDDL** +``` xml + + ​ + ​ + 9​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **SDDL** +``` xml + + ​ + ​ + 12​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + YourNewSDDL​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/ActionWhenFull** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is string. + +The following are the possible values: +- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost. +- Overwrite — When the log file reaches its maximum file size, new events overwrite old events. +- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. + +If you disable or do not configure this policy setting, the locally configured value will be used as default. 
Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration. + + +Add **ActionWhenFull** +``` xml + + ​ + ​ + 14​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Archive​ + ​ + ​ + ​ + ​ + +``` + +Delete **ActionWhenFull** +``` xml + + ​ + ​ + 15​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Get **ActionWhenFull** +``` xml + + ​ + ​ + 13​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **ActionWhenFull** +``` xml + + ​ + ​ + 16​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ + ​ + ​ + ​ + chr​ + text/plain​ + ​ + Truncate​ + ​ + ​ + ​ + ​ + +``` + +**Policy/Channels/_ChannelName_/Enabled** +Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled. + +Supported operations are Add, Delete, Get, and Replace. + +The data type is boolean. + +The following are the possible values: +- TRUE — Enables the channel. +- FALSE — Disables the channel. + +If you disable or do not configure this policy setting, the locally configured value is used as default. 
+ +Get **Enabled** +``` xml + + ​ + ​ + 17​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Add **Enabled** +``` xml + + ​ + ​ + 18​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + TRUE​ + ​ + ​ + ​ + ​ + +``` + +Delete **Enabled** +``` xml + + ​ + ​ + 19​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + ​ + ​ + ​ + +``` + +Replace **Enabled** +``` xml + + ​ + ​ + 20​ + ​ + ​ + ​ + ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ + ​ + ​ + ​ + bool​ + text/plain​ + ​ + FALSE​ + ​ + ​ + ​ + ​ + +``` + +## EtwLog area: Control ETW trace sessions +The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing: - Collector-based tracing - Channel-based tracing +The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](https://docs.microsoft.com/windows/win32/etw/about-event-tracing). + ### Collector-based tracing -This type of event tracing simultaneously collects event data from a collection of registered ETW providers. +This type of event tracing collects event data from a collection of registered ETW providers. An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. 
@@ -51,7 +712,7 @@ For each registered provider in this collector, the user can: - Change trace level to filter events from this provider - Enable or disable the provider in the trace session -The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress. +The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress. > [!Note] > Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. @@ -72,19 +733,6 @@ For each channel node, the user can: For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md). -Here are the links to the DDFs: - -- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) -- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4) - -The following diagram shows the DiagnosticLog CSP in tree format. - -![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) - -**./Vendor/MSFT/DiagnosticLog** -The root node for the DiagnosticLog CSP. - To gather diagnostics using this CSP: 1. Specify a *CollectorName* for the container of the target ETW providers. @@ -102,6 +750,8 @@ To gather diagnostics using this CSP: 7. Stop logging using **TraceControl** EXECUTE command “STOP”. 8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file). +The following section describes the nodes for EtwLog functionality. + **EtwLog** Node to contain the Error Tracing for Windows log. 
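Review bot: in hunk `@@ -51,7 +712,7 @@` the edited sentence only adds the Oxford comma and leaves two grammar problems in place: "takes effect" should be "take effect" (the subject is "changes"), and "while trace session is in progress" needs an article ("while a trace session is in progress"). While touching this region, the context line in hunk `@@ -102,6 +750,8 @@` reads "Node to contain the Error Tracing for Windows log", which should be "Event Tracing for Windows"; the new sentence "The following section describes the nodes for EtwLog functionality." also reads better as "for the EtwLog functionality", matching the phrasing used for the other areas.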
@@ -601,6 +1251,10 @@ Set channel **State** ``` +## DeviceStateData area: Additional device information + +The following section describes the nodes for the DeviceStateData functionality. + **DeviceStateData** Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed. @@ -630,6 +1284,17 @@ The supported value is Execute. ``` +## FileDownload area: Pull trace and state data directly from the device +The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device. + +### Comparing FileDownload and DiagnosticArchive +Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows. + +- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage. +- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outsite of the OMA-DM session, via an HTTP PUT. + +The following section describes the nodes for the FileDownload functionality. + **FileDownload** Node to contain child nodes for log file transportation protocols and corresponding actions. 
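Review bot: the new "Comparing FileDownload and DiagnosticArchive" paragraph in hunk `@@ -630,6 +1284,17 @@` has several typos that should be fixed before merge: "FileDownlod" should be "FileDownload", "outsite" should be "outside", "as single command" should be "as a single command", and "the EtwLogs feature" should use the node name used elsewhere on the page ("EtwLog"). The first bullet would also help readers more if it mentioned that the data pulled "through the existing OMA-DM/SyncML context" is carried as a Base64 node value (the FileDownload node's data type, per the context of the following hunk), since that is the size and orchestration cost the bullet is contrasting with DiagnosticArchive's out-of-band HTTP PUT.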
@@ -801,577 +1466,7 @@ The data type is Base64. The supported operation is Get. -**Policy** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log. - -The supported operation is Get. - -**Policy/Channels** -Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings. - -The supported operation is Get. - -**Policy/Channels/_ChannelName_** -Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI. - -Supported operations are Add, Delete, and Get. - -Add **Channel** -``` xml - - ​ - ​ - 2​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - node​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` -Delete **Channel** -``` xml - - ​ - ​ - 3​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` -Get **Channel** -``` xml - - ​ - ​ - 4​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` -**Policy/Channels/_ChannelName_/MaximumFileSize** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes. - -If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments. - -If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is integer. 
- -Add **MaximumFileSize** -``` xml - - ​ - ​ - 6​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 3​ - ​ - ​ - ​ - ​ - -``` - -Delete **MaximumFileSize** -``` xml - - ​ - ​ - 7​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` -Get **MaximumFileSize** -``` xml - - ​ - ​ - 5​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **MaximumFileSize** -``` xml - - ​ - ​ - 8​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize​ - ​ - ​ - ​ - int​ - text/plain​ - ​ - 5​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/SDDL** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. - -Default string is as follows: - -https://docs.microsoft.com/windows/desktop/WES/eventmanifestschema-channeltype-complextype. - -Add **SDDL** -``` xml - - ​ - ​ - 10​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourSDDL​ - ​ - ​ - ​ - ​ - -``` - -Delete **SDDL** -``` xml - - - ​ - ​ - 11​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **SDDL** -``` xml - - ​ - ​ - 9​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **SDDL** -``` xml - - ​ - ​ - 12​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - YourNewSDDL​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/ActionWhenFull** -Added in version 1.4 of the CSP in Windows 10, version 1903. 
This policy setting controls Event Log behavior when the log file reaches its maximum size. - -Supported operations are Add, Delete, Get, and Replace. - -The data type is string. - -The following are the possible values: -- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost. -- Overwrite — When the log file reaches its maximum file size, new events overwrite old events. -- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file. - -If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration. - - -Add **ActionWhenFull** -``` xml - - ​ - ​ - 14​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Archive​ - ​ - ​ - ​ - ​ - -``` - -Delete **ActionWhenFull** -``` xml - - ​ - ​ - 15​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Get **ActionWhenFull** -``` xml - - ​ - ​ - 13​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **ActionWhenFull** -``` xml - - ​ - ​ - 16​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull​ - ​ - ​ - ​ - chr​ - text/plain​ - ​ - Truncate​ - ​ - ​ - ​ - ​ - -``` - -**Policy/Channels/_ChannelName_/Enabled** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled. 
- -Supported operations are Add, Delete, Get, and Replace. - -The data type is boolean. - -The following are the possible values: -- TRUE — Enables the channel. -- FALSE — Disables the channel. - -If you disable or do not configure this policy setting, the locally configured value is used as default. - -Get **Enabled** -``` xml - - ​ - ​ - 17​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Add **Enabled** -``` xml - - ​ - ​ - 18​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - TRUE​ - ​ - ​ - ​ - ​ - -``` - -Delete **Enabled** -``` xml - - ​ - ​ - 19​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - ​ - ​ - ​ - -``` - -Replace **Enabled** -``` xml - - ​ - ​ - 20​ - ​ - ​ - ​ - ./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled​ - ​ - ​ - ​ - bool​ - text/plain​ - ​ - FALSE​ - ​ - ​ - ​ - ​ - -``` - -## DiagnosticLog CSP for triggering devices to upload files to cloud -The DiagnosticLog CSP is used for triggering devices to upload existing event logs, log files, and registry values to cloud storage. The following section describes the nodes for the DiagnosticArchive functionality. - -**DiagnosticArchive** -Added in version 1.4 of the CSP in Windows 10, version 1903. Root note for the DiagnosticArchive functionality. - -The supported operation is Get. - -**DiagnosticArchive/ArchiveDefinition** -Added in version 1.4 of the CSP in Windows 10, version 1903. - -The supported operations are Add and Execute. - -The data type is string. - -Expected value: -Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done. This XML defines what should be collected and compressed into a zip file to be uploaded to Azure blog storage. - -The following is an example of the XML. 
This example instructs that a zip file be created containing the output from a dump of the specified registry key, all the files in a folder, the output of two commands, all the files in another folder, the output of a command, all the Application events, two sets of files, and another command output. All of this will be uploaded to the blob storage URL as specified in the tags and must be in the noted format with the container and the key in the URL. The administrator can retrieve this URL from Azure. The file uploaded will be in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip. - -``` xml - - f1e20cb4-9789-4f6b-8f6a-766989764c6d - {web address}/{container}{key} - HKLM\Software\Policies - C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl - %windir%\system32\ipconfig.exe /all - %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\ - c:\ProgramData\temp\*.* - %windir%\system32\ping.exe -n 50 localhost - Application - %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl - %SystemRoot%\System32\LogFiles\wmi\*.etl.* - - %windir%\system32\pnputil.exe /enum-drivers - - -``` -Where: - -- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP. -- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified. -- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified. - -**DiagnosticArchive/ArchiveResults** -Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run. - -The supported operation is Get. - -The data type is string. - -A Get to the above URI will return the results of the gathering of data for the last diagnostics request. 
For the example above it returns: - -``` xml - - - - - 1 - 1 - 0 - SyncHdr - 200 - - - 2 - 1 - 1 - Get - 200 - - - 3 - 1 - 1 - - - ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults - - - - f1e20cb4-9789-4f6b-8f6a-766989764c6d - HKLM\Software\Policies - C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl - %windir%\system32\ipconfig.exe /all - %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\ - c:\ProgramData\temp\*.* - %windir%\system32\ping.exe -n 50 localhost - Application - %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl - %SystemRoot%\System32\LogFiles\wmi\*.etl.* - %windir%\system32\pnputil.exe /enum-drivers - - - - - - - -``` -> [!Note] -> Each data gathering node is annotated with the HRESULT of the option and the collection is also annotated with an HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. - -## Reading a log file +### Reading a log file To read a log file: 1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**. 2. Select a log file in the Enumeration result. diff --git a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png index 9829586338..a12415ae84 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png and b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png differ
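Review bot: the move of the Policy and DiagnosticArchive sections (deleted here in hunk `@@ -801,577 +1466,7 @@`, re-added in hunk `@@ -9,26 +9,687 @@`) would be much easier to review as its own commit, separate from the wording changes, because as submitted the diff shows 577 deletions and roughly 680 additions for text that is mostly relocated, and unintended edits to the moved blocks are hard to spot. Points confirmed on the relocated text: the old example's `ping.exe -n 50 localhost`, `pnputil.exe /enum-drivers` and `%SystemRoot%\System32\LogFiles\wmi\*.etl.*` directives are intentionally dropped and the new ArchiveResults sample matches the new example; "Root note" is corrected to "Root node"; "HRESULT of the option" is corrected to "HRESULT of the action". The heading demotion from `## Reading a log file` to `### Reading a log file` keeps the `#reading-a-log-file` anchor that step 8 of the EtwLog procedure links to, so that link still works, and the section now nests under "FileDownload area", which fits its content.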