Merge pull request #1001 from MicrosoftDocs/MDBranchTask3391186

Updates to DiagnosticLog CSP doc
Daniel Simpson 2019-09-03 08:56:40 -07:00 committed by GitHub
commit dc854e2196
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 1521 additions and 164 deletions


@ -9,18 +9,22 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 06/26/2017
ms.date: 08/05/2019
---
# DiagnosticLog CSP
The DiagnosticLog configuration service provider (CSP) is used in the following scenarios:
- [Controlling ETW trace sessions](#diagnosticlog-csp-for-controlling-etw-trace-sessions)
- [Triggering devices to upload existing event logs, log files, and registry values to cloud storage](#diagnosticlog-csp-for-triggering-devices-to-upload-files-to-cloud)
The DiagnosticLog configuration service provider (CSP) is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
## DiagnosticLog CSP for controlling ETW trace sessions
The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
DiagnosticLog CSP supports the following type of event tracing:
- Collector-based tracing
- Channel-based tracing
- Collector-based tracing
- Channel-based tracing
### Collector-based tracing
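Review bot: The sentence placed under the new "DiagnosticLog CSP for controlling ETW trace sessions" heading still says the CSP collects the "current MDM configured state of the device", which is not about ETW trace sessions and reads oddly next to the new two-scenario intro; trim it to the ETW part or keep the general description in the intro only. In the same region, "supports the following type of event tracing" should read "types".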
@ -49,11 +53,10 @@ For each registered provider in this collector, the user can:
The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
> [!Note]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
### Channel-based tracing
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This is only supported on the desktop.
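Review bot: The note converted to the `> [!Note]` form keeps the wording "allow the logs files to be decoded"; since the line is being rewritten anyway, change it to "log files". The unchanged lines around it carry similar slips ("Keywords and TraceLevel takes effect", "The type of event tracing exports") that could be corrected in the same pass.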
@ -73,36 +76,31 @@ Here are the links to the DDFs:
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
- [DiagnosticLog CSP version 1.4](diagnosticlog-ddf.md#version-1-4)
The following diagram shows the DiagnosticLog configuration service provider in tree format.
The following diagram shows the DiagnosticLog CSP in tree format.
![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
<a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog configuration service provider.
The root node for the DiagnosticLog CSP.
The following steps describe the process for gathering diagnostics using this CSP.
To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- **TraceLogFileMode**
- **LogFileSizeLimitMB**
Each of these are described later in this topic.
- <a href="#etwlog-collectors-collectorname-tracelogfilemode">TraceLogFileMode</a>
- <a href="#etwlog-collectors-collectorname-logfilesizelimitmb">LogFileSizeLimitMB</a>
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- **TraceLevel**
- **Keywords**
Each of these are described later in this topic.
5. Start logging using **TraceControl** EXECUTE command “START”
- <a href="#etwlog-collectors-collectorname-providers-providerguid-tracelevel">TraceLevel</a>
- <a href="#etwlog-collectors-collectorname-providers-providerguid-keywords">Keywords</a>
5. Start logging using **TraceControl** EXECUTE command “START”.
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”
8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file)
7. Stop logging using **TraceControl** EXECUTE command “STOP”.
8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
<a href="" id="etwlog"></a>**EtwLog**
Node to contain the Error Tracing for Windows log.
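Review bot: Step 4 of the gathering procedure reuses the step 2 label "(Optional) Set logging and log file parameters", although its options, TraceLevel and Keywords, are per-provider settings; reword it (for example "(Optional) Set provider parameters") so the two steps can be told apart. The new option links are raw `<a href="#...">` tags while the intro added in this commit uses markdown links; one form should be used throughout. The unchanged EtwLog description expands ETW as "Error Tracing for Windows", which contradicts "Event Tracing for Windows" in the intro and should be fixed here too.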
@ -174,8 +172,6 @@ The following table represents the possible values:
| 0 | Stopped |
| 1 | Started |
<a href="" id="etwlog-collectors-collectorname-tracelogfilemode"></a>**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**
Specifies the log file logging mode.
@ -185,30 +181,10 @@ Supported operations are Get and Replace.
The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001)</p></td>
<td><p>Writes events to a log file sequentially; stops when the file reaches its maximum size.</p></td>
</tr>
<tr class="even">
<td><p>EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)</p></td>
<td><p>Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.</p></td>
</tr>
</tbody>
</table>
| Value | Description |
|-------|--------------------|
| EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
| EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
<a href="" id="etwlog-collectors-collectorname-tracecontrol"></a>**EtwLog/Collectors/*CollectorName*/TraceControl**
Specifies the logging and report action state.
@ -222,8 +198,6 @@ The following table lists the possible values:
| START | Start log tracing. |
| STOP | Stop log tracing |
The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
@ -295,8 +269,6 @@ Dynamic nodes to represent active provider configuration per provider GUID.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
Supported operations are Add, Delete, and Get.
Add a provider
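Review bot: The provider note in this hunk's context still uses the old `> **Note**` form, while the identical note earlier in the file was converted to `> [!Note]` in this commit; convert this copy as well so both render the same way, and apply the same "logs files" to "log files" fix.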
@ -347,44 +319,15 @@ The data type is an integer.
Supported operations are Get and Replace.
The following table lists the possible values.
The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>1 TRACE_LEVEL_CRITICAL</p></td>
<td><p>Abnormal exit or termination events</p></td>
</tr>
<tr class="even">
<td><p>2 TRACE_LEVEL_ERROR</p></td>
<td><p>Severe error events</p></td>
</tr>
<tr class="odd">
<td><p>3 TRACE_LEVEL_WARNING</p></td>
<td><p>Warning events such as allocation failures</p></td>
</tr>
<tr class="even">
<td><p>4 TRACE_LEVEL_INFORMATION</p></td>
<td><p>Non-error events, such as entry or exit events</p></td>
</tr>
<tr class="odd">
<td><p>5 TRACE_LEVEL_VERBOSE</p></td>
<td><p>Detailed information</p></td>
</tr>
</tbody>
</table>
| Value | Description |
|-------|--------------------|
| 1 TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
| 2 TRACE_LEVEL_ERROR | Severe error events |
| 3 TRACE_LEVEL_WARNING | Warning events such as allocation failures |
| 4 TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
| 5 TRACE_LEVEL_VERBOSE | Detailed information |
Set provider **TraceLevel**
@ -412,7 +355,7 @@ Set provider **TraceLevel**
<a href="" id="etwlog-collectors-collectorname-providers-providerguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
the data type is a string.
The data type is a string.
Supported operations are Get and Replace.
@ -470,32 +413,11 @@ The data type is a boolean.
Supported operations are Get and Replace. This change will be effective during active trace session.
The following table lists the possible values. Default value is TRUE.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Provider is enabled in the trace session.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Provider is disables in the trace session.</p></td>
</tr>
</tbody>
</table>
The following table lists the possible values:
| Value | Description |
|-------|--------------------|
| TRUE | Provider is enabled in the trace session. This is the default. |
| FALSE | Provider is disabled in the trace session. |
Set provider **State**
@ -630,32 +552,12 @@ The data type is a boolean.
Supported operations are Get and Replace.
The following table lists the possible values.
The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Channel is enabled.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Channel is disabled.</p></td>
</tr>
</tbody>
</table>
| Value | Description |
|-------|--------------------|
| TRUE | Channel is enabled. |
| FALSE | Channel is disabled. |
Get channel **State**
@ -897,26 +799,585 @@ Node to transfer the selected log file block to the DM server.
<a href="" id="filedownload-dmchannel-filecontext-datablocks-blocknumber"></a>**FileDownload/DMChannel/*FileContext*/DataBlocks/**<strong>*BlockNumber*</strong>
The data type is Base64.
The only supported operation is Get.
The supported operation is Get.
<a href="" id="policy"></a>**Policy**
Added in version 1.4 of the CSP in Windows 10, version 1903. Root node to control settings for channels in Event Log.
The supported operation is Get.
<a href="" id="policy-channels"></a>**Policy/Channels**
Added in version 1.4 of the CSP in Windows 10, version 1903. Node that contains Event Log channel settings.
The supported operation is Get.
<a href="" id="policy-channels-channelname"></a>**Policy/Channels/_ChannelName_**
Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type></Type>
</Meta>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-maximumfilesize"></a>**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>7</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>8</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>5</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-sddl"></a>**Policy/Channels/_ChannelName_/SDDL**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
Default string is as follows:
https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype.
Add **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourSDDL</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>11</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>9</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>12</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourNewSDDL</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-actionwhenfull"></a>**Policy/Channels/_ChannelName_/ActionWhenFull**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
The following are the possible values:
- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost.
- Overwrite — When the log file reaches its maximum file size, new events overwrite old events.
- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file.
If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration.
Add **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Archive</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>15</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>13</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Truncate</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-enabled"></a>**Policy/Channels/_ChannelName_/Enabled**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled.
Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE — Enables the channel.
- FALSE — Disables the channel.
If you disable or do not configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>17</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Add **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>18</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>TRUE</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>19</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Replace **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>20</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>FALSE</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
## DiagnosticLog CSP for triggering devices to upload files to cloud
The DiagnosticLog CSP is used for triggering devices to upload existing event logs, log files, and registry values to cloud storage. The following section describes the nodes for the DiagnosticArchive functionality.
<a href="" id="diagnosticarchive"></a>**DiagnosticArchive**
Added in version 1.4 of the CSP in Windows 10, version 1903. Root note for the DiagnosticArchive functionality.
The supported operation is Get.
<a href="" id="diagnosticarchive-archivedefinition"></a>**DiagnosticArchive/ArchiveDefinition**
Added in version 1.4 of the CSP in Windows 10, version 1903.
The supported operations are Add and Execute.
The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done. This XML defines what should be collected and compressed into a zip file to be uploaded to Azure blog storage.
The following is an example of the XML. This example instructs that a zip file be created containing the output from a dump of the specified registry key, all the files in a folder, the output of two commands, all the files in another folder, the output of a command, all the Application events, two sets of files, and another command output. All of this will be uploaded to the blob storage URL as specified in the <SasUrl> tags and must be in the noted format with the container and the key in the URL. The administrator can retrieve this URL from Azure. The file uploaded will be in the format DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip.
``` xml
<Collection>
<ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<SasUrl>{web address}/{container}{key}</SasUrl>
<RegistryKey>HKLM\Software\Policies</RegistryKey>
<FoldersFiles>C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>%windir%\system32\ipconfig.exe /all</Command>
<Command>%windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\</Command>
<FoldersFiles>c:\ProgramData\temp\*.*</FoldersFiles>
<Command>%windir%\system32\ping.exe -n 50 localhost</Command>
<Events>Application</Events>
<FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<FoldersFiles>%SystemRoot%\System32\LogFiles\wmi\*.etl.*
</FoldersFiles>
<Command>%windir%\system32\pnputil.exe /enum-drivers</Command>
</Collection>
```
Where:
- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP.
- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified.
- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
The supported operation is Get.
The data type is string.
A Get to the above URI will return the results of the gathering of data for the last diagnostics request. For the example above it returns:
``` xml
<SyncML>
<SyncHdr/>
<SyncBody>
<Status>
<CmdID>1</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<Data>200</Data>
</Status>
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Cmd>Get</Cmd>
<Data>200</Data>
</Status>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Item>
<Source>
<LocURI>./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveResults</LocURI>
</Source>
<Data>
<Collection HRESULT="0">
<ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
<FoldersFiles HRESULT="0">C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command HRESULT="0">%windir%\system32\ipconfig.exe /all</Command>
<Command HRESULT="-2147024637">%windir%\system32\mdmdiagnosticstool.exe -out c:\ProgramData\temp\</Command>
<FoldersFiles HRESULT="0">c:\ProgramData\temp\*.*</FoldersFiles>
<Command HRESULT="0">%windir%\system32\ping.exe -n 50 localhost</Command>
<Events HRESULT="0">Application</Events>
<FoldersFiles HRESULT="0">%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<FoldersFiles HRESULT="0">%SystemRoot%\System32\LogFiles\wmi\*.etl.*</FoldersFiles>
<Command HRESULT="0">%windir%\system32\pnputil.exe /enum-drivers</Command>
</Collection>
</Data>
</Item>
</Results>
<Final/>
</SyncBody>
</SyncML>
```
> [!Note]
> Each data gathering node is annotated with the HRESULT of the option and the collection is also annotated with an HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
## Reading a log file
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**
2. Select a log file in the Enumeration result
3. Set **BlockSizeKB** per DM server payload limitation
4. Get **BlockCount** to determine total read request
5. Set **BlockIndexToRead** to initialize read start point
6. Get **BlockData** for upload log block
7. Increase **BlockIndexToRead**
8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
3. Set **BlockSizeKB** per DM server payload limitation.
4. Get **BlockCount** to determine total read request.
5. Set **BlockIndexToRead** to initialize read start point.
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
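Review bot: In the new DiagnosticArchive/ArchiveDefinition text the supported operations are given as "Add and Execute", but the next paragraph says "Set and Execute are functionality equivalent"; name the same operation in both places and change "functionality" to "functionally". The same section has "Azure blog storage" (blob), "Root note" (node), and a Where list that says "FolderFiles" while the XML element is `<FoldersFiles>`. Because an ArchiveDefinition runs every `<Command>` it lists and uploads the result to a URL that carries its key inline, the SasUrl bullet should state exactly which permission the token needs (it currently says only that it "will allow write access") so administrators can scope it, and the `{web address}/{container}{key}` placeholder should show where the separator between container and key goes. Under Policy/Channels/ChannelName/SDDL, "Default string is as follows:" is followed only by a link, not a string. In "Reading a log file", the rewritten step 8 keeps the condition "BlockIndexToRead == (BlockIndexToRead 1)", which compares the index with itself and has lost an operator; express the stop condition against the BlockCount read in step 4.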


@ -23,6 +23,7 @@ The content below are the latest versions of the DDF files:
- [DiagnosticLog CSP version 1.2](#version-1-2)
- [DiagnosticLog CSP version 1.3](#version-1-3)
- [DiagnosticLog CSP version 1.4](#version-1-4)
## <a href="" id="version-1-2"></a>DiagnosticLog CSP version 1.2
@ -1284,6 +1285,893 @@ The content below are the latest versions of the DDF files:
</MgmtTree>
```
## <a href="" id="version-1-4"></a>DiagnosticLog CSP version 1.4
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>DiagnosticLog</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.4/MDM/DiagnosticLog</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>EtwLog</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all types of event logging nodes that CSP manages.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Collectors</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of registered "Collector" nodes.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>CollectorName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TraceStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped".</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TraceLogFileMode</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TraceControl</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<Description>This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LogFileSizeLimitMB</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<Description>This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Providers</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all providers registered in this collector node.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ProviderGuid</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Keywords</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>"0"</DefaultValue>
<Description>This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>TraceLevel</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>5</DefaultValue>
<Description>This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>true</DefaultValue>
<Description>This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Channels</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of registered "Channel" nodes.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ChannelName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Export</NodeName>
<DFProperties>
<AccessType>
<Exec />
<Get />
</AccessType>
<Description>This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node.</Description>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Filter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>""</DefaultValue>
<Description>This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>DeviceStateData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all types of device state data that CSP exposes.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MdmConfiguration</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>This node is to trigger snapping of the Device Management state data with "SNAP".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>FileDownload</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all csp nodes that are related to log file download in csp.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DMChannel</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>FileContext</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BlockSizeKB</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>4</DefaultValue>
<Description>This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BlockCount</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BlockIndexToRead</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1).</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>BlockData</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DataBlocks</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to.</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>BlockNumber</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Contains policy for diagnostic settings.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Channels</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Contains policy for Event Log channel settings.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
</AccessType>
<Description>Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ChannelName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MaximumFileSize</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Maximum size of the channel log file in MB.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SDDL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>SDDL String controlling access to the channel. Default: https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ActionWhenFull</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Action to take when the log file reaches maximum size. "Truncate", "Overwrite", "Archive".</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>This policy setting specifies whether the channel should be enabled or disabled. Set value to TRUE to enable and FALSE to disable.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>DiagnosticArchive</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root note for archive definition and collection.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ArchiveDefinition</NodeName>
<DFProperties>
<AccessType>
<Add />
<Exec />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ArchiveResults</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Pull up the results of the last archive run.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
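Review bot: DiagnosticArchive/ArchiveDefinition has no `<Description>`, unlike every other node shown in this tree, and it is the node that accepts Add and Exec, so a reader of the DDF cannot tell what string it expects or what Exec triggers. Add a Description that states the expected payload format and the effect of Exec. Two smaller points nearby: the DiagnosticArchive description reads "Root note for archive definition and collection." (should be "Root node"), and the Policy/Channels/ChannelName/SDDL description puts a URL after "Default:" instead of the default descriptor. Since that string controls access to the channel, either state the default SDDL inline or say explicitly that the default is defined at the linked page.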

Binary file not shown (before: 28 KiB; after: 86 KiB).

View File

@ -144,6 +144,13 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="diagnosticlog-csp.md" data-raw-source="[DiagnosticLog CSP](diagnosticlog-csp.md)">DiagnosticLog CSP</a><br>
<a href="diagnosticlog-ddf.md" data-raw-source="[DiagnosticLog DDF](diagnosticlog-ddf.md)">DiagnosticLog DDF</a></td>
<td style="vertical-align:top"><p>Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.
</p>
</td></tr>
<tr>
<td style="vertical-align:top"><a href="enrollmentstatustracking-csp.md" data-raw-source="[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)">EnrollmentStatusTracking CSP</a></td>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1903.</p>
</td></tr>
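Review bot: In the added node list, "ChannelName" is a placeholder for a dynamic node (the DDF gives these nodes an empty NodeName and requires a valid, URL-encoded event log channel name), but the entry writes it like a literal path segment in Policy/Channels/ChannelName/SDDL and its siblings. Mark it as a placeholder, for example in italics, so readers do not copy the literal string into a LocURI. The same sentence is added again in the change-history table row at line 1903, so both copies need the change.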
@ -1896,6 +1903,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|New or updated topic | Description|
|--- | ---|
|[DiagnosticLog CSP](diagnosticlog-csp.md)<br>[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:<br>Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:<br>Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
### July 2019