Added 19H1 ETW nodes

ManikaDhiman 2019-06-28 16:37:50 -07:00
parent f4f11974e6
commit eeee9d38fb
2 changed files with 561 additions and 165 deletions


@ -9,13 +9,12 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.date: 06/26/2017 ms.date: 06/27/2019
--- ---
# DiagnosticLog CSP # DiagnosticLog CSP
The DiagnosticLog CSP is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
The DiagnosticLog configuration service provider (CSP) is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device.
DiagnosticLog CSP supports the following type of event tracing: DiagnosticLog CSP supports the following type of event tracing:
@ -49,9 +48,8 @@ For each registered provider in this collector, the user can:
The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress. The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. > [!Note]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
### Channel-based tracing ### Channel-based tracing
@ -74,35 +72,29 @@ Here are the links to the DDFs:
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) - [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3)
The following diagram shows the DiagnosticLog configuration service provider in tree format. The following diagram shows the DiagnosticLog CSP in tree format.
![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) ![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
<a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog** <a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog configuration service provider. The root node for the DiagnosticLog CSP.
The following steps describe the process for gathering diagnostics using this CSP. To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers. 1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options: 2. (Optional) Set logging and log file parameters using the following options:
- **TraceLogFileMode** - <a href="#etwlog-collectors-collectorname-tracelogfilemode">TraceLogFileMode</a>
- **LogFileSizeLimitMB** - <a href="#etwlog-collectors-collectorname-logfilesizelimitmb">LogFileSizeLimitMB</a>
Each of these are described later in this topic.
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. 3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options: 4. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-providers-providerguid-tracelevel">TraceLevel</a>
- **TraceLevel** - <a href="#etwlog-collectors-collectorname-providers-providerguid-keywords">Keywords</a>
- **Keywords** 5. Start logging using **TraceControl** EXECUTE command “START”.
Each of these are described later in this topic.
5. Start logging using **TraceControl** EXECUTE command “START”
6. Perform actions on the target device that will generate activity in the log files. 6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP” 7. Stop logging using **TraceControl** EXECUTE command “STOP”.
8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file) 8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file).
<a href="" id="etwlog"></a>**EtwLog** <a href="" id="etwlog"></a>**EtwLog**
Node to contain the Error Tracing for Windows log. Node to contain the Error Tracing for Windows log.
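Review bot: In the unchanged EtwLog description at the end of this hunk, "Error Tracing for Windows" should read "Event Tracing for Windows", which is how the introduction expands ETW; it is worth fixing while this section is being edited. In the rewritten steps, step 4 still carries step 2's label "(Optional) Set logging and log file parameters" although its options, TraceLevel and Keywords, are per-provider settings, so a label such as "(Optional) Set provider parameters" would be clearer. The new option links are raw `<a href>` anchors while step 8 uses a Markdown link; pick one style for the whole list.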
@ -174,8 +166,6 @@ The following table represents the possible values:
| 0 | Stopped | | 0 | Stopped |
| 1 | Started | | 1 | Started |
<a href="" id="etwlog-collectors-collectorname-tracelogfilemode"></a>**EtwLog/Collectors/*CollectorName*/TraceLogFileMode** <a href="" id="etwlog-collectors-collectorname-tracelogfilemode"></a>**EtwLog/Collectors/*CollectorName*/TraceLogFileMode**
Specifies the log file logging mode. Specifies the log file logging mode.
@ -185,30 +175,10 @@ Supported operations are Get and Replace.
The following table lists the possible values: The following table lists the possible values:
<table> | Value | Description |
<colgroup> |-------|--------------------|
<col width="50%" /> | EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) | Writes events to a log file sequentially; stops when the file reaches its maximum size. |
<col width="50%" /> | EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) | Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events. |
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001)</p></td>
<td><p>Writes events to a log file sequentially; stops when the file reaches its maximum size.</p></td>
</tr>
<tr class="even">
<td><p>EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)</p></td>
<td><p>Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.</p></td>
</tr>
</tbody>
</table>
<a href="" id="etwlog-collectors-collectorname-tracecontrol"></a>**EtwLog/Collectors/*CollectorName*/TraceControl** <a href="" id="etwlog-collectors-collectorname-tracecontrol"></a>**EtwLog/Collectors/*CollectorName*/TraceControl**
Specifies the logging and report action state. Specifies the logging and report action state.
@ -222,8 +192,6 @@ The following table lists the possible values:
| START | Start log tracing. | | START | Start log tracing. |
| STOP | Stop log tracing | | STOP | Stop log tracing |
The supported operation is Execute. The supported operation is Execute.
After you have added a logging task, you can start a trace by running an Execute command on this node with the value START. After you have added a logging task, you can start a trace by running an Execute command on this node with the value START.
@ -295,8 +263,6 @@ Dynamic nodes to represent active provider configuration per provider GUID.
> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. > **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
Supported operations are Add, Delete, and Get. Supported operations are Add, Delete, and Get.
Add a provider Add a provider
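Review bot: The provider note in this hunk's context is left in the old `> **Note**` form, while the identical note in the provider-tracing section earlier in this commit was converted to `> [!Note]` on its own line. Convert this copy as well so both render the same way, or keep one copy and link to it from the other location.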
@ -347,44 +313,15 @@ The data type is an integer.
Supported operations are Get and Replace. Supported operations are Get and Replace.
The following table lists the possible values. The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>1 TRACE_LEVEL_CRITICAL</p></td>
<td><p>Abnormal exit or termination events</p></td>
</tr>
<tr class="even">
<td><p>2 TRACE_LEVEL_ERROR</p></td>
<td><p>Severe error events</p></td>
</tr>
<tr class="odd">
<td><p>3 TRACE_LEVEL_WARNING</p></td>
<td><p>Warning events such as allocation failures</p></td>
</tr>
<tr class="even">
<td><p>4 TRACE_LEVEL_INFORMATION</p></td>
<td><p>Non-error events, such as entry or exit events</p></td>
</tr>
<tr class="odd">
<td><p>5 TRACE_LEVEL_VERBOSE</p></td>
<td><p>Detailed information</p></td>
</tr>
</tbody>
</table>
| Value | Description |
|-------|--------------------|
| 1 TRACE_LEVEL_CRITICAL | Abnormal exit or termination events |
| 2 TRACE_LEVEL_ERROR | Severe error events |
| 3 TRACE_LEVEL_WARNING | Warning events such as allocation failures |
| 4 TRACE_LEVEL_INFORMATION | Non-error events, such as entry or exit events |
| 5 TRACE_LEVEL_VERBOSE | Detailed information |
Set provider **TraceLevel** Set provider **TraceLevel**
@ -412,7 +349,7 @@ Set provider **TraceLevel**
<a href="" id="etwlog-collectors-collectorname-providers-providerguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords** <a href="" id="etwlog-collectors-collectorname-providers-providerguid-keywords"></a>**EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*/Keywords**
Specifies the provider keywords to be used as MatchAnyKeyword for this provider. Specifies the provider keywords to be used as MatchAnyKeyword for this provider.
the data type is a string. The data type is a string.
Supported operations are Get and Replace. Supported operations are Get and Replace.
@ -420,7 +357,7 @@ Default value is 0 meaning no keyword.
Get provider **Keywords** Get provider **Keywords**
``` syntax ``` xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Get> <Get>
@ -440,7 +377,7 @@ Get provider **Keywords**
Set provider **Keywords** Set provider **Keywords**
``` syntax ``` xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Replace> <Replace>
@ -470,32 +407,11 @@ The data type is a boolean.
Supported operations are Get and Replace. This change will be effective during active trace session. Supported operations are Get and Replace. This change will be effective during active trace session.
The following table lists the possible values. Default value is TRUE. The following table lists the possible values:
| Value | Description |
<table> |-------|--------------------|
<colgroup> | TRUE | Provider is enabled in the trace session. This is the default. |
<col width="50%" /> | FALSE | Provider is disabled in the trace session. |
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Provider is enabled in the trace session.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Provider is disables in the trace session.</p></td>
</tr>
</tbody>
</table>
Set provider **State** Set provider **State**
@ -630,32 +546,12 @@ The data type is a boolean.
Supported operations are Get and Replace. Supported operations are Get and Replace.
The following table lists the possible values. The following table lists the possible values:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>TRUE</p></td>
<td><p>Channel is enabled.</p></td>
</tr>
<tr class="even">
<td><p>FALSE</p></td>
<td><p>Channel is disabled.</p></td>
</tr>
</tbody>
</table>
| Value | Description |
|-------|--------------------|
| TRUE | Channel is enabled. |
| FALSE | Channel is disabled. |
Get channel **State** Get channel **State**
@ -897,26 +793,526 @@ Node to transfer the selected log file block to the DM server.
<a href="" id="filedownload-dmchannel-filecontext-datablocks-blocknumber"></a>**FileDownload/DMChannel/*FileContext*/DataBlocks/**<strong>*BlockNumber*</strong> <a href="" id="filedownload-dmchannel-filecontext-datablocks-blocknumber"></a>**FileDownload/DMChannel/*FileContext*/DataBlocks/**<strong>*BlockNumber*</strong>
The data type is Base64. The data type is Base64.
The only supported operation is Get. The supported operation is Get.
<a href="" id="policy"></a>**Policy**
Added in Windows 10, version 1903. Root node to control settings for channels in Event Log.
The supported operation is Get.
<a href="" id="policy-channels"></a>**Policy/Channels**
Added in Windows 10, version 1903. Node that contains Event Log channel settings.
The supported operation is Get.
<a href="" id="policy-channels-channelname"></a>**Policy/Channels/_ChannelName_**
Added in Windows 10, version 1903. Dynamic node to represent a registered channel. The node name must be a valid Windows event log channel name, such as ``Microsoft-Client-Licensing-Platform%2FAdmin``. When specifying the name in the LocURI, it must be URL encoded, otherwise it may unexpectedly translate into a different URI.
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
<Type></Type>
</Meta>
<Data></Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-maximumfilesize"></a>**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte and 2 terabytes in megabyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>6</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>7</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>5</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>8</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/MaximumFileSize
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>5</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-sddl"></a>**Policy/Channels/_ChannelName_/SDDL**
Added in Windows 10, version 1903. This policy setting represents SDDL string controlling access to the channel.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
Default string is as follows:
https://docs.microsoft.com/en-us/windows/desktop/WES/eventmanifestschema-channeltype-complextype.
Add **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourSDDL</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>11</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>9</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>12</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/SDDL
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>YourNewSDDL</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-actionwhenfull"></a>**Policy/Channels/_ChannelName_/ActionWhenFull**
Added in Windows 10, version 1903. This policy setting controls Event Log behavior when the log file reaches its maximum size.
Supported operations are Add, Delete, Get, and Replace.
The data type is string.
The following are the possible values:
- Truncate — When the log file reaches its maximum file size, new events are not written to the log and are lost.
- Overwrite — When the log file reaches its maximum file size, new events overwrite old events.
- Archive — When the log file reaches its maximum size, the log file is saved to the location specified by the "Archive Location" policy setting. If archive location value is not set, the new file is saved in the same directory as current log file.
If you disable or do not configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but do not replace local configuration.
Add **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>14</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Archive</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>15</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Get **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>13</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Replace **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/ActionWhenFull
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
<Type>text/plain</Type>
</Meta>
<Data>Truncate</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-enabled"></a>**Policy/Channels/_ChannelName_/Enabled**
Added in Windows 10, version 1903. This policy setting specifies whether the channel should be enabled or disabled.
Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE — Enables the channel.
- FALSE — Disables the channel.
If you disable or do not configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>17</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Add **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>18</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>TRUE</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Delete **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Delete>
<CmdID>19</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
</Item>
</Delete>
<Final/>
</SyncBody>
</SyncML>
```
Replace **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>20</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/DiagnosticLog/Policy/Channels/ChannelName/Enabled
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>FALSE</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<!--
<a href="" id="diagnosticarchive"></a>**DiagnosticArchive**
Added in Windows 10, version 1903. Root note for archive definition and collection.
The supported operation is Get.
<a href="" id="diagnosticarchive-archivedefinition"></a>**DiagnosticArchive/ArchiveDefinition**
Added in Windows 10, version 1903.
The supported operations are Add and Execute.
The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts an XML snippet (as a string) describing what data to gather and where to upload it when done.
The xml is in the following format:
``` xml
<Collection>
<ID>f1e20cb4-9789-4f6b-8f6a-766989764c6d</ID>
<SasUrl>xxxxxx</SasUrl>
<RegistryKey>HKLM\Software\Policies</RegistryKey>
<FoldersFiles>C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
<Command>c:\windows\system32\ipconfig.exe /all</Command>
<Events>Application</Events>
</Collection>
```
Where:
- ID is a unique GUID value that defines this particular run of the DiagnosticLog CSP.
- There can be multiple RegistryKey, FolderFiles, Command, and Events elements, which extract or execute and collect the output from the action specified.
- SasUrl is generated from the Azure Blob Storage UX in Azure such that it will allow write access to the blob to upload the zip file created by all the actions specified.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in Windows 10, version 1903. This policy setting displays the results of the last archive run.
The supported operation is Get.
The data type is string.
-->
## Reading a log file ## Reading a log file
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel** 2. Select a log file in the Enumeration result.
2. Select a log file in the Enumeration result 3. Set **BlockSizeKB** per DM server payload limitation.
3. Set **BlockSizeKB** per DM server payload limitation 4. Get **BlockCount** to determine total read request.
4. Get **BlockCount** to determine total read request 5. Set **BlockIndexToRead** to initialize read start point.
5. Set **BlockIndexToRead** to initialize read start point 6. Get **BlockData** for upload log block.
6. Get **BlockData** for upload log block 7. Increase **BlockIndexToRead**.
7. Increase **BlockIndexToRead** 8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**
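Review bot: In the new Policy/Channels/ChannelName/SDDL section, "Default string is as follows:" is followed only by a link to the ChannelType schema page, so the default descriptor is never shown. Because this node controls access to the channel, either quote the default SDDL string inline or reword the sentence to point at the linked page, so an administrator knows what they are replacing before pushing `YourSDDL`.

Further points in the same hunk. The Policy/Channels/ChannelName description offers `Microsoft-Client-Licensing-Platform%2FAdmin` as an example of a valid channel name, but that is already the URL-encoded LocURI form; show the plain channel name and the encoded form separately, and use the encoded one in at least one SyncML sample instead of the bare `ChannelName` placeholder. The Archive value of ActionWhenFull refers to an "Archive Location" policy setting that none of the nodes added here define; say where it is configured. In the commented-out DiagnosticArchive block, "Root note" should be "Root node", the text says "Set and Execute" where the supported operations are listed as Add and Execute, and the sample uses `FoldersFiles` where the description says FolderFiles; an HTML comment also remains readable in the repository source, so decide whether a node description that takes a Command element and a SasUrl should be committed in this state. Finally, step 8 of "Reading a log file" only gains a period: its stop condition `BlockIndexToRead == (BlockIndexToRead 1)` has lost its operator and compares the index with itself, where it presumably should reference the BlockCount read in step 4.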

Binary file not shown.
