Reporting CSP

The table below shows the applicability of Windows:

Edition Windows 10 Windows 11
Home Yes Yes
Pro Yes Yes
Windows SE No Yes
Business Yes Yes
Enterprise Yes Yes
Education Yes Yes

The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.

The following DDF format shows the Reporting configuration service provider in tree format.

./Vendor/MSFT
Reporting
----EnterpriseDataProtection
--------RetrieveByTimeRange
------------Logs
------------StartTime
------------StopTime
------------Type
--------RetrieveByCount
------------Logs
------------LogCount
------------StartTime
------------Type

Reporting The root node for the reporting configuration service provider.

Reporting/EnterpriseDataProtection Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.

RetrieveByTimeRange Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime aren't specified, then the values are interpreted as either first existing or last existing time.

Here are the other possible scenarios:

  • If the StartTime and StopTime aren't specified, then it returns all existing logs.
  • If the StopTime is specified, but the StartTime isn't specified, then all logs that exist before the StopTime are returned.
  • If the StartTime is specified, but the StopTime isn't specified, then all that logs that exist from the StartTime are returned.

RetrieveByCount Interior node for retrieving a specified number of logs from the StartTime. The StartTime is expressed in ISO 8601 format. You can set the number of logs required by setting LogCount and StartTime. It returns the specified number of logs or less, if the total number of logs is less than LogCount.

Logs Contains the reporting logs.

  • Value type is XML.
  • Supported operation is Get.

StartTime Specifies the starting time for retrieving logs.

  • Value type is string. Use ISO 8601 format.
  • Supported operations are Get and Replace.

StopTime Specifies the ending time for retrieving logs.

  • Value type is string. Use ISO 8601 format.
  • Supported operations are Get and Replace.

Type Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs.

  • Value type is integer.
  • Supported operations are Get and Replace.

LogCount Specifies the number of logs to retrieve from the StartTime.

  • Value type is int.
  • Supported operations are Get and Replace.

Example

Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime.

<SyncML>
    <SyncBody>
        <Replace>
            <CmdID>2</CmdID>
            <Item>
                <Target><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/StartTime</LocURI></Target>
                <Data>2012-11-30T01:48:14.233Z</Data>
            </Item>
        </Replace>
        <Get>
            <CmdID>4</CmdID>
            <Item>
                <Target><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Target>
            </Item>
        </Get>
        <Final/>
    </SyncBody>
</SyncML>

Configuration service provider reference