diff --git a/devices/surface-hub/surface-hub-2s-techspecs.md b/devices/surface-hub/surface-hub-2s-techspecs.md
index 5f898a3fb6..60718ec709 100644
--- a/devices/surface-hub/surface-hub-2s-techspecs.md
+++ b/devices/surface-hub/surface-hub-2s-techspecs.md
@@ -9,7 +9,7 @@ manager: laurawi
ms.author: greglin
audience: Admin
ms.topic: article
-ms.date: 06/20/2019
+ms.date: 11/19/2019
ms.localizationpriority: Medium
---
@@ -27,10 +27,10 @@ ms.localizationpriority: Medium
|**Graphics**| Intel UHD Graphics 620 |
|**Wireless**| Wi-Fi 5 (IEEE 802.11 a/b/g/n/ac compatible) Bluetooth Wireless 4.1 technology Miracast display |
|**Connections**| USB-A Mini-DisplayPort 1.2 video output RJ45 gigabit Ethernet (1000/100/10 BaseT) HDMI video input (HDMI 2.0, HDCP 2.2 /1.4) USB-C with DisplayPort input Four USB-C (on display) |
-|**Sensors**| Doppler occupancy sensor Accelerometer Gyroscope |
+|**Sensors**| Doppler occupancy 2 Accelerometer Gyroscope |
|**Audio/Video**| Full-range, front facing 3-way stereo speakers Full band 8-element MEMS microphone array Microsoft Surface Hub 2 Camera, 4K, USB-C connection, 90-degree HFOV |
|**Pen**| Microsoft Surface Hub 2 Pen (active) |
-|**Software**| Windows 10 Microsoft Teams for Surface Hub 2 Skype for Business Microsoft Whiteboard Microsoft Office (Mobile) Microsoft Power BI 2 |
+|**Software**| Windows 10 Microsoft Teams for Surface Hub 3 Skype for Business Microsoft Whiteboard Microsoft Office (Mobile) Microsoft Power BI 2 |
|**Exterior**| Casing: Precision machined aluminum with mineral-composite resin Color: Platinum Physical Buttons: Power, Volume, Source |
|**What’s in the box**| One Surface Hub 2S One Surface Hub 2 Pen One Surface Hub 2 Camera 2.5 m AC Power Cable Quick Start Guide |
|**Warranty**| 1-year limited hardware warranty |
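Review bot: In the Software row only the Teams marker was renumbered from 2 to 3; "Microsoft Power BI 2" still carries marker 2, which after this patch belongs to the Doppler sensor note rather than the software-license note. If Power BI is meant to keep the license footnote, change its marker to 3 as well. In the Sensors row the word "sensor" was dropped when the marker was added ("Doppler occupancy 2"); suggest "Doppler occupancy sensor 2".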
@@ -41,4 +41,5 @@ ms.localizationpriority: Medium
|**Input Power, standby**| 5 W max |
> [!NOTE]
-> 1 System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage. 1 GB= 1 billion bytes. See Surface.com/Storage for more details. 2 Software license required for some features. Sold separately.
+> 1 System software uses significant storage space. Available storage is subject to change based on system software updates and apps usage. 1 GB= 1 billion bytes. See Surface.com/Storage for more details. 2 Doppler sensor not available in Hong Kong due to local federal government restrictions.
+ 3 Software license required for some features. Sold separately.
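Review bot: The added line "3 Software license required for some features. Sold separately." lacks the "> " prefix that the rest of the note uses and starts with a stray space, so whether it stays inside the [!NOTE] block depends on the renderer's lazy-continuation handling. Prefix it with "> " so all three footnotes are explicitly part of the note. The wording "local federal government restrictions" in footnote 2 is also worth a second look for Hong Kong; "local government restrictions" would read more naturally.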
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index d0a24d5007..2e5300fe0d 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -9,797 +9,211 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 08/05/2019
+ms.date: 11/19/2019
---
# DiagnosticLog CSP
+The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
+- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
+- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
+- [EtwLog area](#etwlog-area). Control ETW trace sessions.
+- [DeviceStateData area](#devicestatedata-area). Provide additional device information.
+- [FileDownload area](#filedownload-area). Pull trace and state data directly from the device.
-The DiagnosticLog configuration service provider (CSP) is used in the following scenarios:
-- [Controlling ETW trace sessions](#diagnosticlog-csp-for-controlling-etw-trace-sessions)
-- [Triggering devices to upload existing event logs, log files, and registry values to cloud storage](#diagnosticlog-csp-for-triggering-devices-to-upload-files-to-cloud)
-
-## DiagnosticLog CSP for controlling ETW trace sessions
-The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
-
-DiagnosticLog CSP supports the following type of event tracing:
-
-- Collector-based tracing
-- Channel-based tracing
-
-### Collector-based tracing
-
-This type of event tracing simultaneously collects event data from a collection of registered ETW providers.
-
-An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
-
-The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
-
-The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
-
-For each collector node, the user can:
-
-- Start or stop the session with all registered and enabled providers
-- Query session status
-- Change trace log file mode
-- Change trace log file size limit
-
-The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
-
-For each registered provider in this collector, the user can:
-
-- Specify keywords to filter events from this provider
-- Change trace level to filter events from this provider
-- Enable or disable the provider in the trace session
-
-The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress.
-
-> [!Note]
-> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
-
- ### Channel-based tracing
-
-The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
-
-Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
-
-The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
-
-For each channel node, the user can:
-
-- Export channel event data into a log file (.evtx)
-- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
-- Specify an XPath query to filter events while exporting the channel event data
-
-For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
-
-Here are the links to the DDFs:
-
-- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
-- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
+The following are the links to different versions of the DiagnosticLog CSP DDF files:
- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
+- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
+- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
+
The following diagram shows the DiagnosticLog CSP in tree format.
-

**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog CSP.
-To gather diagnostics using this CSP:
+Rest of the nodes in the DiagnosticLog CSP are described within their respective feature area sections.
-1. Specify a *CollectorName* for the container of the target ETW providers.
-2. (Optional) Set logging and log file parameters using the following options:
+## DiagnosticArchive area
- - TraceLogFileMode
- - LogFileSizeLimitMB
+The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
-3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
-4. (Optional) Set logging and log file parameters using the following options:
- - TraceLevel
- - Keywords
-5. Start logging using **TraceControl** EXECUTE command “START”.
-6. Perform actions on the target device that will generate activity in the log files.
-7. Stop logging using **TraceControl** EXECUTE command “STOP”.
-8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
+> [!Note]
+> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
-**EtwLog**
-Node to contain the Error Tracing for Windows log.
+The following section describes the nodes for the DiagnosticArchive functionality.
+
+**DiagnosticArchive**
+Added in version 1.4 of the CSP in Windows 10, version 1903. Root node for the DiagnosticArchive functionality.
The supported operation is Get.
-**EtwLog/Collectors**
-Interior node to contain dynamic child interior nodes for active providers.
+**DiagnosticArchive/ArchiveDefinition**
+Added in version 1.4 of the CSP in Windows 10, version 1903.
+
+The supported operations are Add and Execute.
+
+The data type is string.
+
+Expected value:
+Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it.
+
+The following is an example of the XML. This example instructs the CSP to gather:
+- All the keys and values under a registry path
+- All the *.etl files in a folder
+- The output of two commands
+- Additional files created by one of the commands
+- All the Application event log events.
+
+The results are zipped and uploaded to the specified SasUrl. The filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
+
+``` xml
+
+ server generated guid value such as f1e20cb4-9789-4f6b-8f6a-766989764c6d
+ server generated url where the HTTP PUT will be accepted
+ HKLM\Software\Policies
+ %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
+ %windir%\system32\ipconfig.exe /all
+ %windir%\system32\mdmdiagnosticstool.exe -out %ProgramData%\temp\
+ %ProgramData%\temp\*.*
+ Application
+
+
+```
+The XML should include the following elements within the `Collection` element:
+
+**ID**
+The ID value is a server-generated GUID string that identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value.
+
+**SasUrl**
+The SasUrl value is the target URI to which the CSP uploads the results zip file. It is the responsibility of the management server to provision storage in such a way that the server accepts the HTTP PUT to this URL. For example, the device management service could:
+- Provision cloud storage, such as an Azure blob storage container or other storage managed by the device management server
+- Generate a dynamic https SAS token URL representing the storage location (and which is understood by the server to allow a one-time upload or time-limited uploads)
+- Pass this value to the CSP as the SasUrl value.
+
+Assuming a case where the management server's customer (such as an IT admin) is meant to access the data, the management server would also expose the stored data through its user interface or APIs.
+
+**One or more data gathering directives, which may include any of the following:**
+
+- **RegistryKey**
+ - Exports all of the key names and values under a given path (recursive).
+ - Expected input value: Registry path such as "HKLM\Software\Policies".
+ - Output format: Creates a .reg file, similar to the output of reg.exe EXPORT command.
+ - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, registry paths are restricted to those under HKLM and HKCR.
+
+- **Events**
+ - Exports all events from the named Windows event log.
+ - Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
+ - Output format: Creates a .evtx file.
+
+- **Commands**
+ - This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives are not a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
+ - Expected input value: The full command line including path and any arguments, such as `%windir%\\system32\\ipconfig.exe /all`.
+ - Output format: Console text output from the command is captured in a text file and included in the overall output archive. For commands which may generate file output rather than console output, a subsequent FolderFiles directive would be used to capture that output. The example XML above demonstrates this pattern with mdmdiagnosticstool.exe's -out parameter.
+ - Privacy guardrails: To enable diagnostic data capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only the following commands are allowed:
+ - %windir%\\system32\\certutil.exe
+ - %windir%\\system32\\dxdiag.exe
+ - %windir%\\system32\\gpresult.exe
+ - %windir%\\system32\\msinfo32.exe
+ - %windir%\\system32\\netsh.exe
+ - %windir%\\system32\\nltest.exe
+ - %windir%\\system32\\ping.exe
+ - %windir%\\system32\\powercfg.exe
+ - %windir%\\system32\\w32tm.exe
+ - %windir%\\system32\\wpr.exe
+ - %windir%\\system32\\dsregcmd.exe
+ - %windir%\\system32\\dispdiag.exe
+ - %windir%\\system32\\ipconfig.exe
+ - %windir%\\system32\\logman.exe
+ - %windir%\\system32\\tracelog.exe
+ - %programfiles%\\windows defender\\mpcmdrun.exe
+ - %windir%\\system32\\MdmDiagnosticsTool.exe
+ - %windir%\\system32\\pnputil.exe
+
+- **FoldersFiles**
+ - Captures log files from a given path (without recursion).
+ - Expected input value: File path with or without wildcards, such as "%windir%\\System32", or "%programfiles%\\*.log".
+ - Privacy guardrails: To enable diagnostic log capture while reducing the risk of an IT admin inadvertently capturing user-generated documents, only paths under the following roots are allowed:
+ - %PROGRAMFILES%
+ - %PROGRAMDATA%
+ - %PUBLIC%
+ - %WINDIR%
+ - %TEMP%
+ - %TMP%
+ - Additionally, only files with the following extensions are captured:
+ - .log
+ - .txt
+ - .dmp
+ - .cab
+ - .zip
+ - .xml
+ - .html
+ - .evtx
+ - .etl
+
+**DiagnosticArchive/ArchiveResults**
+Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
The supported operation is Get.
-**EtwLog/Collectors/***CollectorName*
-Dynamic nodes to represent active collector configuration.
+The data type is string.
-Supported operations are Add, Delete, and Get.
+A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
-Add a collector
-
-```xml
-
-
-
-
+``` xml
+
+
+
+ 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
-
-
- node
-
-
-
-
-
-
-```
-
-Delete a collector
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
-
-
-
-
-
-
-```
-
-**EtwLog/Collectors/*CollectorName*/TraceStatus**
-Specifies whether the current logging status is running.
-
-The data type is an integer.
-
-The supported operation is Get.
-
-The following table represents the possible values:
-
-| Value | Description |
-|-------|-------------|
-| 0 | Stopped |
-| 1 | Started |
-
-**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**
-Specifies the log file logging mode.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description |
-|-------|--------------------|
-| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
-| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
-
-**EtwLog/Collectors/*CollectorName*/TraceControl**
-Specifies the logging and report action state.
-
-The data type is a string.
-
-The following table lists the possible values:
-
-| Value | Description |
-|-------|--------------------|
-| START | Start log tracing. |
-| STOP | Stop log tracing |
-
-The supported operation is Execute.
-
-After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
-
-To stop the trace, running an execute command on this node with the value STOP.
-
-Start collector trace logging
-
-```xml
-
-
-
-
+ 1
+ 0
+ SyncHdr
+ 200
+
+ 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
-
-
- chr
-
- START
-
-
-
-
+ 1
+ 1
+ Get
+ 200
+
+
+ 3
+ 1
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults
+
+
+
+ f1e20cb4-9789-4f6b-8f6a-766989764c6d
+ HKLM\Software\Policies
+ C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
+ %windir%\system32\ipconfig.exe /all
+ %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
+ c:\ProgramData\temp\*.*
+ Application
+
+
+
+
+
+
```
-Stop collector trace logging
+Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
-
-
- chr
-
- STOP
-
-
-
-
-
-```
+The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults.
-**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB**
-Sets the log file size limit, in MB.
-The data type is an integer.
+## Policy area
-Valid values are 1-2048. The default value is 4.
+The Policy functionality within the DiagnosticLog CSP configures Windows event log policies, such as maximum log size.
-Supported operations are Get and Replace.
-
-**EtwLog/Collectors/*CollectorName*/Providers**
-Interior node to contain dynamic child interior nodes for active providers.
-
-The supported operation is Get.
-
-**EtwLog/Collectors/*CollectorName*/Providers/***ProviderGUID*
-Dynamic nodes to represent active provider configuration per provider GUID.
-
-> **Note** Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
-
-Supported operations are Add, Delete, and Get.
-
-Add a provider
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
-
-
- node
-
-
-
-
-
-
-```
-
-Delete a provider
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
-
-
-
-
-
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**
-Specifies the level of detail included in the trace log.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description |
-|-------|--------------------|
-| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
-| 2 – TRACE_LEVEL_ERROR | Severe error events |
-| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures |
-| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
-| 5 – TRACE_LEVEL_VERBOSE | Detailed information |
-
-Set provider **TraceLevel**
-
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel
-
-
- int
-
- 1
-
-
-
-
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
-Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
-
-The data type is a string.
-
-Supported operations are Get and Replace.
-
-Default value is 0 meaning no keyword.
-
-Get provider **Keywords**
-
-```xml
-
-
-
- 1
-
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
-
-
-
-
-
-
-
-```
-
-Set provider **Keywords**
-
-```xml
-
-
-
- 4
-
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
-
-
-
- chr
- text/plain
-
- 12345678FFFFFFFF
-
-
-
-
-
-```
-
-**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**
-Specifies if this provider is enabled in the trace session.
-
-The data type is a boolean.
-
-Supported operations are Get and Replace. This change will be effective during active trace session.
-
-The following table lists the possible values:
-| Value | Description |
-|-------|--------------------|
-| TRUE | Provider is enabled in the trace session. This is the default. |
-| FALSE | Provider is disabled in the trace session. |
-
-Set provider **State**
-
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State
-
-
- bool
-
- false
-
-
-
-
-
-```
-
-**EtwLog/Channels**
-Interior node to contain dynamic child interior nodes for registered channels.
-
-The supported operation is Get.
-
-**EtwLog/Channels/***ChannelName*
-Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
-
-Supported operations are Add, Delete, and Get.
-
-Add a channel
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
-
-
- node
-
-
-
-
-
-
-```
-
-Delete a channel
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
-
-
-
-
-
-
-```
-
-**EtwLog/Channels/*ChannelName*/Export**
-Node to trigger the command to export channel event data into the log file.
-
-The supported operation is Execute.
-
-Export channel event data
-
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export
-
-
-
-
-
-
-```
-
-**EtwLog/Channels/*ChannelName*/Filter**
-Specifies the XPath query string to filter the events while exporting.
-
-The data type is a string.
-
-Supported operations are Get and Replace.
-
-Default value is empty string.
-
-Get channel **Filter**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter
-
-
-
-
-
-
-```
-
-**EtwLog/Channels/*ChannelName*/State**
-Specifies if the Channel is enabled or disabled.
-
-The data type is a boolean.
-
-Supported operations are Get and Replace.
-
-The following table lists the possible values:
-
-| Value | Description |
-|-------|--------------------|
-| TRUE | Channel is enabled. |
-| FALSE | Channel is disabled. |
-
-Get channel **State**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
-
-
-
-
-
-
-```
-
-Set channel **State**
-
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
-
-
- bool
-
- false
-
-
-
-
-
-```
-
-**DeviceStateData**
-Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
-
-**DeviceStateData/MdmConfiguration**
-Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
-
-The supported value is Execute.
-
-```xml
-
-
-
-
- 2
-
-
- ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration
-
-
- chr
-
- SNAP
-
-
-
-
-
-```
-
-**FileDownload**
-Node to contain child nodes for log file transportation protocols and corresponding actions.
-
-**FileDownload/DMChannel**
-Node to contain child nodes using DM channel for transport protocol.
-
-**FileDownload/DMChannel/***FileContext*
-Dynamic interior nodes that represents per log file context.
-
-**FileDownload/DMChannel/*FileContext*/BlockSizeKB**
-Sets the log read buffer, in KB.
-
-The data type is an integer.
-
-Valid values are 1-16. The default value is 4.
-
-Supported operations are Get and Replace.
-
-Set **BlockSizeKB**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
-
-
- int
-
- 1
-
-
-
-
-
-```
-
-Get **BlockSizeKB**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
-
-
-
-
-
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockCount**
-Represents the total read block count for the log file.
-
-The data type is an integer.
-
-The only supported operation is Get.
-
-Get **BlockCount**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount
-
-
-
-
-
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockIndexToRead**
-Represents the read block start location.
-
-The data type is an integer.
-
-Supported operations are Get and Replace.
-
-Set **BlockIndexToRead** at 0
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
-
-
- int
-
- 0
-
-
-
-
-
-```
-
-Set **BlockIndexToRead** at 1
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
-
-
- int
-
- 1
-
-
-
-
-
-```
-
-**FileDownload/DMChannel/*FileContext*/BlockData**
-The data type is Base64.
-
-The only supported operation is Get.
-
-Get **BlockData**
-
-```xml
-
-
-
-
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData
-
-
-
-
-
-
-```
-
-**FileDownload/DMChannel/*FileContext*/DataBlocks**
-Node to transfer the selected log file block to the DM server.
-
-**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber*
-The data type is Base64.
-
-The supported operation is Get.
+The following section describes the nodes for the Policy functionality.
**Policy**
Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log.
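Review bot: Under DiagnosticArchive/ArchiveDefinition the supported operations are listed as "Add and Execute", but the Expected value text says "Set and Execute" and the ID description says "Set or Execute invocations"; pick one verb so a management-server author knows which SyncML command to send, and change "functionality equivalent" to "functionally equivalent". The directive names are inconsistent too: the list headings are "Commands" and "FoldersFiles", while the Commands bullet refers to "a subsequent FolderFiles directive"; use the exact element names the XML accepts. In the Commands "Expected input value" line the path sits inside a code span, so the doubled backslashes in "%windir%\\system32\\ipconfig.exe /all" will render literally; use single backslashes there. For SasUrl, consider stating whether https is required and that the token should grant write-only, short-lived access, since the text only says the server should "allow a one-time upload or time-limited uploads".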
@@ -1268,110 +682,798 @@ Replace **Enabled**
```
-## DiagnosticLog CSP for triggering devices to upload files to cloud
-The DiagnosticLog CSP is used for triggering devices to upload existing event logs, log files, and registry values to cloud storage. The following section describes the nodes for the DiagnosticArchive functionality.
+## EtwLog area
-**DiagnosticArchive**
-Added in version 1.4 of the CSP in Windows 10, version 1903. Root note for the DiagnosticArchive functionality.
+The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
+- [Collector-based tracing](#collector-based-tracing)
+- [Channel-based tracing](#channel-based-tracing)
+
+The ETW log feature is designed for advanced usage, and assumes developers' familiarity with ETW. For more information, see [About Event Tracing](https://docs.microsoft.com/windows/win32/etw/about-event-tracing).
+
+### Collector-based tracing
+
+This type of event tracing collects event data from a collection of registered ETW providers.
+
+An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
+
+The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
+
+The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
+
+For each collector node, the user can:
+
+- Start or stop the session with all registered and enabled providers
+- Query session status
+- Change trace log file mode
+- Change trace log file size limit
+
+The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector.
+
+For each registered provider in this collector, the user can:
+
+- Specify keywords to filter events from this provider
+- Change trace level to filter events from this provider
+- Enable or disable the provider in the trace session
+
+The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
+
+> [!Note]
+> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
+
+ ### Channel-based tracing
+
+The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
+
+Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin.
+
+The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node.
+
+For each channel node, the user can:
+
+- Export channel event data into a log file (.evtx)
+- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
+- Specify an XPath query to filter events while exporting the channel event data
+
+For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
+
+To gather diagnostics using this CSP:
+
+1. Specify a *CollectorName* for the container of the target ETW providers.
+2. (Optional) Set logging and log file parameters using the following options:
+
+ - TraceLogFileMode
+ - LogFileSizeLimitMB
+
+3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
+4. (Optional) Set logging and log file parameters using the following options:
+ - TraceLevel
+ - Keywords
+5. Start logging using **TraceControl** EXECUTE command “START”.
+6. Perform actions on the target device that will generate activity in the log files.
+7. Stop logging using **TraceControl** EXECUTE command “STOP”.
+8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
+
+The following section describes the nodes for EtwLog functionality.
+
+**EtwLog**
+Node to contain the Error Tracing for Windows log.
The supported operation is Get.
-**DiagnosticArchive/ArchiveDefinition**
-Added in version 1.4 of the CSP in Windows 10, version 1903.
-
-The supported operations are Add and Execute.
-
-The data type is string.
-
-Expected value:
-Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done. This XML defines what should be collected and compressed into a zip file to be uploaded to Azure blog storage.
-
-The following is an example of the XML. This example instructs that a zip file be created containing the output from a dump of the specified registry key, all the files in a folder, the output of two commands, all the files in another folder, the output of a command, all the Application events, two sets of files, and another command output. All of this will be uploaded to the blob storage URL as specified in the tags and must be in the noted format with the container and the key in the URL. The administrator can retrieve this URL from Azure. The file uploaded will be in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip.
-
-``` xml
-
- f1e20cb4-9789-4f6b-8f6a-766989764c6d
- {web address}/{container}{key}
- HKLM\Software\Policies
- C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %windir%\system32\ipconfig.exe /all
- %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
- c:\ProgramData\temp\*.*
- %windir%\system32\ping.exe -n 50 localhost
- Application
- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %SystemRoot%\System32\LogFiles\wmi\*.etl.*
-
- %windir%\system32\pnputil.exe /enum-drivers
-
-
-```
-Where:
-
-- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP.
-- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified.
-- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified.
-
-**DiagnosticArchive/ArchiveResults**
-Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
+**EtwLog/Collectors**
+Interior node to contain dynamic child interior nodes for active providers.
The supported operation is Get.
-The data type is string.
+**EtwLog/Collectors/***CollectorName*
+Dynamic nodes to represent active collector configuration.
-A Get to the above URI will return the results of the gathering of data for the last diagnostics request. For the example above it returns:
+Supported operations are Add, Delete, and Get.
-``` xml
-
-
-
-
+Add a collector
+
+```xml
+
+
+
+ 1
- 1
- 0
- SyncHdr
- 200
-
-
- 2
- 1
- 1
- Get
- 200
-
-
- 3
- 1
- 1
-
-
- ./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults
-
-
-
- f1e20cb4-9789-4f6b-8f6a-766989764c6d
- HKLM\Software\Policies
- C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %windir%\system32\ipconfig.exe /all
- %windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\
- c:\ProgramData\temp\*.*
- %windir%\system32\ping.exe -n 50 localhost
- Application
- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %SystemRoot%\System32\LogFiles\wmi\*.etl.*
- %windir%\system32\pnputil.exe /enum-drivers
-
-
-
-
-
-
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
+
+
+ node
+
+
+
+
+
```
-> [!Note]
-> Each data gathering node is annotated with the HRESULT of the option and the collection is also annotated with an HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
-## Reading a log file
+Delete a collector
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement
+
+
+
+
+
+
+```
+
+**EtwLog/Collectors/*CollectorName*/TraceStatus**
+Specifies whether the current logging status is running.
+
+The data type is an integer.
+
+The supported operation is Get.
+
+The following table represents the possible values:
+
+| Value | Description |
+|-------|-------------|
+| 0 | Stopped |
+| 1 | Started |
+
+**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**
+Specifies the log file logging mode.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description |
+|-------|--------------------|
+| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
+| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
+
+**EtwLog/Collectors/*CollectorName*/TraceControl**
+Specifies the logging and report action state.
+
+The data type is a string.
+
+The following table lists the possible values:
+
+| Value | Description |
+|-------|--------------------|
+| START | Start log tracing. |
+| STOP | Stop log tracing |
+
+The supported operation is Execute.
+
+After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
+
+To stop the trace, running an execute command on this node with the value STOP.
+
+Start collector trace logging
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
+
+
+ chr
+
+ START
+
+
+
+
+
+```
+
+Stop collector trace logging
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl
+
+
+ chr
+
+ STOP
+
+
+
+
+
+```
+
+**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB**
+Sets the log file size limit, in MB.
+
+The data type is an integer.
+
+Valid values are 1-2048. The default value is 4.
+
+Supported operations are Get and Replace.
+
+**EtwLog/Collectors/*CollectorName*/Providers**
+Interior node to contain dynamic child interior nodes for active providers.
+
+The supported operation is Get.
+
+**EtwLog/Collectors/*CollectorName*/Providers/***ProviderGUID*
+Dynamic nodes to represent active provider configuration per provider GUID.
+
+> [!Note]
+> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
+
+Supported operations are Add, Delete, and Get.
+
+Add a provider
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
+
+
+ node
+
+
+
+
+
+
+```
+
+Delete a provider
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b
+
+
+
+
+
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/TraceLevel**
+Specifies the level of detail included in the trace log.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description |
+|-------|--------------------|
+| 1 – TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
+| 2 – TRACE_LEVEL_ERROR | Severe error events |
+| 3 – TRACE_LEVEL_WARNING | Warning events such as allocation failures |
+| 4 – TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
+| 5 – TRACE_LEVEL_VERBOSE | Detailed information |
+
+Set provider **TraceLevel**
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel
+
+
+ int
+
+ 1
+
+
+
+
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
+Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
+
+The data type is a string.
+
+Supported operations are Get and Replace.
+
+Default value is 0 meaning no keyword.
+
+Get provider **Keywords**
+
+```xml
+
+
+
+ 1
+
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
+
+
+
+
+
+
+
+```
+
+Set provider **Keywords**
+
+```xml
+
+
+
+ 4
+
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords
+
+
+
+ chr
+ text/plain
+
+ 12345678FFFFFFFF
+
+
+
+
+
+```
+
+**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/State**
+Specifies if this provider is enabled in the trace session.
+
+The data type is a boolean.
+
+Supported operations are Get and Replace. This change will be effective during active trace session.
+
+The following table lists the possible values:
+
+| Value | Description |
+|-------|--------------------|
+| TRUE | Provider is enabled in the trace session. This is the default. |
+| FALSE | Provider is disabled in the trace session. |
+
+Set provider **State**
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State
+
+
+ bool
+
+ false
+
+
+
+
+
+```
+
+**EtwLog/Channels**
+Interior node to contain dynamic child interior nodes for registered channels.
+
+The supported operation is Get.
+
+**EtwLog/Channels/***ChannelName*
+Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin"
+
+Supported operations are Add, Delete, and Get.
+
+Add a channel
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
+
+
+ node
+
+
+
+
+
+
+```
+
+Delete a channel
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin
+
+
+
+
+
+
+```
+
+**EtwLog/Channels/*ChannelName*/Export**
+Node to trigger the command to export channel event data into the log file.
+
+The supported operation is Execute.
+
+Export channel event data
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export
+
+
+
+
+
+
+```
+
+**EtwLog/Channels/*ChannelName*/Filter**
+Specifies the XPath query string to filter the events while exporting.
+
+The data type is a string.
+
+Supported operations are Get and Replace.
+
+Default value is empty string.
+
+Get channel **Filter**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter
+
+
+
+
+
+
+```
+
+**EtwLog/Channels/*ChannelName*/State**
+Specifies if the Channel is enabled or disabled.
+
+The data type is a boolean.
+
+Supported operations are Get and Replace.
+
+The following table lists the possible values:
+
+| Value | Description |
+|-------|--------------------|
+| TRUE | Channel is enabled. |
+| FALSE | Channel is disabled. |
+
+Get channel **State**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
+
+
+
+
+
+
+```
+
+Set channel **State**
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State
+
+
+ bool
+
+ false
+
+
+
+
+
+```
+
+## DeviceStateData area
+
+The DeviceStateData functionality within the DiagnosticLog CSP provides additional device information.
+
+The following section describes the nodes for the DeviceStateData functionality.
+
+**DeviceStateData**
+Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed.
+
+**DeviceStateData/MdmConfiguration**
+Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP.
+
+The supported value is Execute.
+
+```xml
+
+
+
+
+ 2
+
+
+ ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration
+
+
+ chr
+
+ SNAP
+
+
+
+
+
+```
+
+## FileDownload area
+The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
+
+### Comparing FileDownload and DiagnosticArchive
+Both the FileDownload and DiagnosticArchive features can be used to get data from the device to the management server, but they are optimized for different workflows.
+
+- FileDownload enables the management server to directly pull byte-level trace data from the managed device. The data transfer takes place through the existing OMA-DM/SyncML context. It is typically used together with the EtwLogs feature as part of an advanced monitoring or diagnostic flow. FileDownlod requires granular orchestration by the management server, but avoids the need for dedicated cloud storage.
+- DiagnosticArchive allows the management server to give the CSP a full set of instructions as single command. Based on those instructions the CSP orchestrates the work client-side to package the requested diagnostic files into a zip archive and upload that archive to cloud storage. The data transfer happens outside of the OMA-DM session, via an HTTP PUT.
+
+The following section describes the nodes for the FileDownload functionality.
+
+**FileDownload**
+Node to contain child nodes for log file transportation protocols and corresponding actions.
+
+**FileDownload/DMChannel**
+Node to contain child nodes using DM channel for transport protocol.
+
+**FileDownload/DMChannel/***FileContext*
+Dynamic interior nodes that represents per log file context.
+
+**FileDownload/DMChannel/*FileContext*/BlockSizeKB**
+Sets the log read buffer, in KB.
+
+The data type is an integer.
+
+Valid values are 1-16. The default value is 4.
+
+Supported operations are Get and Replace.
+
+Set **BlockSizeKB**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
+
+
+ int
+
+ 1
+
+
+
+
+
+```
+
+Get **BlockSizeKB**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB
+
+
+
+
+
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockCount**
+Represents the total read block count for the log file.
+
+The data type is an integer.
+
+The only supported operation is Get.
+
+Get **BlockCount**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount
+
+
+
+
+
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockIndexToRead**
+Represents the read block start location.
+
+The data type is an integer.
+
+Supported operations are Get and Replace.
+
+Set **BlockIndexToRead** at 0
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
+
+
+ int
+
+ 0
+
+
+
+
+
+```
+
+Set **BlockIndexToRead** at 1
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead
+
+
+ int
+
+ 1
+
+
+
+
+
+```
+
+**FileDownload/DMChannel/*FileContext*/BlockData**
+The data type is Base64.
+
+The only supported operation is Get.
+
+Get **BlockData**
+
+```xml
+
+
+
+
+ 1
+
+
+ ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData
+
+
+
+
+
+
+```
+
+**FileDownload/DMChannel/*FileContext*/DataBlocks**
+Node to transfer the selected log file block to the DM server.
+
+**FileDownload/DMChannel/*FileContext*/DataBlocks/***BlockNumber*
+The data type is Base64.
+
+The supported operation is Get.
+
+### Reading a log file
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
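Review bot: In the **EtwLog** node description, "Error Tracing for Windows" should be "Event Tracing for Windows"; the rest of the section already talks about event tracing and ETW providers. In the "To gather diagnostics using this CSP" list, step 4 repeats step 2's sentence ("Set logging and log file parameters") although TraceLevel and Keywords are per-provider settings, so reword it to say provider parameters. The channel overview writes the node name as Microsoft-Windows-AppModel-Runtime/Admin, while every example URI and the EtwLog/Channels/*ChannelName* description encode the slash as %2F; say once, explicitly, whether the slash has to be encoded in the LocURI. Step 8 points at `%temp%` without saying which account's temp folder the collector writes to, which matters to anyone who has to locate or protect those traces. Smaller wording fixes: "FileDownlod" and "EtwLogs" in the FileDownload comparison, "The supported value is Execute" under MdmConfiguration (should be "operation"), "To stop the trace, running an execute command", and "nodes that represents".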
diff --git a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png
index 9829586338..a12415ae84 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png and b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index eacb043303..15f103ba47 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -1940,6 +1940,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|New or updated topic | Description|
|--- | ---|
|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
+|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
### October 2019
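Review bot: The added DiagnosticLog CSP row describes the change only as "Added substantial updates to this CSP doc.", which gives a reader of the change history nothing to act on; the DeliveryOptimization row directly above names the exact value that was added. Name the areas that changed, such as the EtwLog, DeviceStateData and FileDownload material reworked in the DiagnosticLog CSP changes earlier in this patch.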
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index 6a076bfb65..28089db697 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -72,3 +72,4 @@ See how you can [improve your security configuration](https://docs.microsoft.com
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
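Review bot: The added related-topics entry uses an absolute https://docs.microsoft.com/... URL, while the three entries above it link to sibling files by relative path (tvm-software-inventory.md, tvm-weaknesses.md, threat-and-vuln-mgt-scenarios.md). The target lives under the same microsoft-defender-atp folder, so link to it relatively with the same #create-roles-and-assign-the-role-to-an-azure-active-directory-group anchor; that keeps the link inside the build's link validation and version handling. The identical line is appended to the other Threat & Vulnerability Management pages in this patch and needs the same change there.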
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index eecae45f38..f71eb57ada 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -21,6 +21,8 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
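Review bot: The free-trial banner added under **Applies to:** carries ocid=docs-wdatp-portaloverview-abovefoldlink, and the same value is pasted unchanged into every other page this patch adds the banner to. If the ocid is meant to attribute clicks to the page they came from, each page needs its own value; if a shared value is intended, a name that says "portaloverview" is misleading on the Threat & Vulnerability Management pages.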
@@ -66,3 +68,4 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index df00947476..45c0d61c58 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -21,6 +21,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
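Review bot: The prerelease include is added here, below the trial banner, and also in tvm-security-recommendation.md and tvm-software-inventory.md, but the matching hunks in next-gen-threat-and-vuln-mgt.md and tvm-remediation.md get only the banner. Confirm which Threat & Vulnerability Management pages are actually prerelease and apply the include consistently, since it changes how readers treat everything on the page.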
@@ -189,3 +193,4 @@ ComputerName=any(ComputerName) by MachineId, AlertId
- [Weaknesses](tvm-weaknesses.md)
- [Advanced hunting overview](overview-hunting.md)
- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
index 668b2a1cb4..f4a7c9d46e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
@@ -77,3 +77,4 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index fca24b4b1f..11d335dbd3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -46,3 +46,4 @@ Reduce the exposure score by addressing what needs to be remediated based on the
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 99b1ae6759..cc1eb7285f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -21,6 +21,8 @@ ms.date: 04/11/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
@@ -113,5 +115,6 @@ The exception impact shows on both the Security recommendations page column and
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
index ee75d061da..388cc4aba3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
@@ -21,6 +21,10 @@ ms.date: 04/11/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
The cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact on the security recommendation list. Prioritized recommendation helps shorten the mean time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). It is also dynamic in the sense that when the threat landscape changes, the recommendation also changes as it continuously collect information from your environment.
@@ -88,3 +92,4 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
index e1d39cdf5d..d7927da6ce 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
@@ -21,6 +21,10 @@ ms.date: 04/11/2019
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
@@ -66,3 +70,4 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
index 7eefec6595..60ee2c044e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
@@ -19,7 +19,9 @@ ms.date: 10/31/2019
---
# Weaknesses
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
@@ -33,7 +35,7 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
>- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
>- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
>- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
->
Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019.
+
## Navigate through your organization's weaknesses page
You can access the list of vulnerabilities in a few places in the portal:
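Review bot: Removing the bare ">" line after the RS3 entry leaves "Downloading the above-mentioned security updates will be mandatory..." on the line directly after the quoted list with no quote marker of its own, so Markdown will treat it as a lazy continuation of the last list item and render it as part of the RS3 bullet. Either keep the ">" separator and prefix the sentence with ">" so it stays a separate paragraph inside the note, or put a blank line before the sentence so it becomes body text. The blank line added after it only separates it from the heading.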
@@ -129,3 +131,4 @@ You can report a false positive when you see any vague, inaccurate, missing, or
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
+- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)