Easy Guide to Collect Logs with Intune MEM

With the Windows 10 Device diagnostics feature (Collect Diagnostics) you can collect logs with Intune (MEM). In February 2021, Microsoft announced Intune service release 2102, which included a public preview of the Windows 10 Device diagnostics feature.

In this post we explore the Windows 10 Device Diagnostics requirements, the steps to collect logs with Intune, what the collected logs contain, and how useful that information is for troubleshooting.

With many people working remotely, troubleshooting is getting harder for IT. The Intune log collection feature comes to the rescue when you need to troubleshoot a remote device without contacting the user. Being able to collect logs with Intune remotely and analyze them is a great capability. The Collect Diagnostics remote action in the Endpoint Manager Admin center collects the logs from a remote device.

Windows 10 Device Diagnostics Requirements

According to Microsoft, here are some of the requirements for Windows 10 Device diagnostics.

  • Desktop – Windows 10 1909 / 19H2 or later (build number 10.0.18363+) – Home, Pro, Enterprise and Education versions supported.
  • HoloLens 2 – Windows 10 2004 / 20H1 or later (build number 10.0.19041+).
  • To collect Windows device logs with Intune, the device must be online and reachable over the internet. In addition, the Windows Push Notification Service (WNS) must be able to reach the machine.
  • To initiate device diagnostics, you must be assigned the Global Admin, Intune Admin, School Administrator or Help Desk Operator role, or have the Collect diagnostics permission assigned to a custom role.
  • The device you’d like to collect diagnostics from must be designated as Corporate-Owned.

Where Can I find Collect Diagnostics in Intune Portal

Microsoft has added a new remote action to the Endpoint Manager Admin center called Collect Diagnostics. Selecting this option collects the logs from the Windows device without needing to contact the user.

In the Microsoft Endpoint Manager admin center, select a Windows device. Click the three horizontal dots and you will find the Collect Diagnostics option.

Collect Diagnostics in Intune Portal

How to Collect Logs with Intune

  • Visit the Microsoft Endpoint Manager admin center.
  • Click Devices and then click Windows. Select the Windows 10 Device from which you want to collect Logs with Intune.
  • Click the three horizontal dots and from the list of actions, select Collect Diagnostics.
  • Intune will now attempt to collect the diagnostics (Windows device logs) that are on this Windows 10/Windows 11 device.

How to Collect Logs with Intune

You will see a notification. Intune will attempt to collect the diagnostics that are on this device. To download and view the diagnostics, go to Monitor > Device diagnostics. To continue with diagnostics collection, click Yes.

How to Collect Logs with Intune

On the same window, click Device Diagnostics (Preview) and notice that the status shows as Pending diagnostics Upload. This means the Windows Device logs are being collected. You have to wait until the status changes to Complete.

Pending diagnostics Upload

After a few minutes we see that the log collection is complete. You can also see the date and time when the request was initiated and when the diagnostics were uploaded. Under Diagnostics, click the Download button.

collect logs with Intune

You get a notification “This download contains the diagnostics collected from this device. Do you want to continue?” Click Yes. In the next step save the Windows 10 Device diagnostics zip file.

Windows 10 Device diagnostics

Windows 10 Device diagnostics feature (Collect Diagnostics) States

When you perform Collect Diagnostics on a Windows 10 device, watch the status. It tells you whether the log collection succeeded or ran into issues. There are three status messages for a diagnostics task.

  • Complete – If you see this status, it means the diagnostics were successful and are available for download.
  • Pending diagnostics Upload – You see this status when you initiate Collect Diagnostics on a remote Windows 10 device. It should soon change to Complete if your Windows device is online and can contact the Intune service.
  • Failed – The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the sub keys inside.

Extract Windows 10 Device diagnostics File

In the steps above, we collected the diagnostics from a Windows 10 device through the MEM portal. The Windows 10 diagnostics file is a zip file. Extract it and you see a set of folders holding the data and logs collected from the Windows 10 device. Each file, command output, registry export, or event log is stored in its own folder before being compressed into the zip file.

Extract Windows 10 Device diagnostics

At the end of the list, you see a results.xml file that contains a summary of what information was collected from the Windows 10 device. Here is the output of results.xml.

 41f22791-a210-4c27-83df-15506dad7088
 SasUrlPlaceHolder
 HKLM\Software\Microsoft\IntuneManagementExtension
 HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
 "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
 "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
 HKLM\Software\Policies
 HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
 "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
 %programfiles%\windows defender\mpcmdrun.exe -GetFiles
 %windir%\system32\certutil.exe -store
 %windir%\system32\certutil.exe -store -user my
 %windir%\system32\Dsregcmd.exe /status
 %windir%\system32\ipconfig.exe /all
 %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
 %windir%\system32\netsh.exe advfirewall show allprofiles
 %windir%\system32\netsh.exe advfirewall show global
 %windir%\system32\netsh.exe lan show profiles
 %windir%\system32\netsh.exe winhttp show proxy
 %windir%\system32\netsh.exe wlan show profiles
 %windir%\system32\netsh.exe wlan show wlanreport
 %windir%\system32\ping.exe -n 50 localhost
 %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
 %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html
 Application
 Microsoft-Windows-AppLocker/EXE and DLL
 Microsoft-Windows-AppLocker/MSI and Script
 Microsoft-Windows-AppLocker/Packaged app-Deployment
 Microsoft-Windows-AppLocker/Packaged app-Execution
 Microsoft-Windows-Bitlocker/Bitlocker Management
 Microsoft-Windows-SENSE/Operational
 Microsoft-Windows-SenseIR/Operational
 Setup
 System
 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
 %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
 %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
 %temp%\MDMDiagnostics\battery-report.html
 %temp%\MDMDiagnostics\energy-report.html
 %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %temp%\MDMDiagnostics\msinfo32.log
 %windir%\ccm\logs*.log
 %windir%\ccmsetup\logs*.log
 %windir%\logs\CBS\cbs.log
 %windir%\logs\measuredboot*.*
 %windir%\Logs\WindowsUpdate*.etl

Windows 10 Device diagnostics File Results XML
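As an added example (not from the original post), here is a small Python script that reads a results.xml manifest and reports which collectors failed, so you can tell a partial collection apart from a complete one before digging through the folders. The listing above shows the file with its XML tags removed; the script assumes the DiagnosticLog CSP layout of a <Collection> root with <RegistryKey>, <Command>, <Events> and <FoldersFiles> children, each carrying an HRESULT attribute, which is an assumption rather than something shown on this page, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a results.xml in the assumed DiagnosticLog CSP layout:
# one <Collection> root whose children name what was gathered, each with an
# HRESULT attribute. The ID and the successful entries mirror the listing in the
# post; the failing Dsregcmd entry is made up to exercise the failure path.
SAMPLE_RESULTS_XML = r"""<Collection HRESULT="0">
  <ID>41f22791-a210-4c27-83df-15506dad7088</ID>
  <SasUrl HRESULT="0">SasUrlPlaceHolder</SasUrl>
  <RegistryKey HRESULT="0">HKLM\Software\Microsoft\IntuneManagementExtension</RegistryKey>
  <Command HRESULT="0">%windir%\system32\ipconfig.exe /all</Command>
  <Command HRESULT="-2147024894">%windir%\system32\Dsregcmd.exe /status</Command>
  <Events HRESULT="0">Microsoft-Windows-SENSE/Operational</Events>
  <FoldersFiles HRESULT="0">%windir%\ccm\logs\*.log</FoldersFiles>
</Collection>"""

# Element names that describe a collected item (ID and SasUrl are metadata).
ITEM_KINDS = ("RegistryKey", "Command", "Events", "FoldersFiles")


def hresult_to_hex(value):
    """Render an HRESULT given as a signed or unsigned decimal string as 0xXXXXXXXX."""
    return "0x{:08X}".format(int(value, 0) & 0xFFFFFFFF)


def summarize_results(xml_text):
    """Return the collection ID, a per-kind item count and the list of failed items."""
    root = ET.fromstring(xml_text)
    summary = {
        "id": (root.findtext("ID") or "").strip(),
        "upload_ok": int(root.get("HRESULT", "0"), 0) == 0,
        "counts": {kind: 0 for kind in ITEM_KINDS},
        "failed": [],
    }
    for item in root:
        if item.tag not in ITEM_KINDS:
            continue
        summary["counts"][item.tag] += 1
        hresult = item.get("HRESULT", "0")
        if int(hresult, 0) != 0:
            # Keep the kind, the target that was being collected and a readable error code.
            summary["failed"].append((item.tag, (item.text or "").strip(), hresult_to_hex(hresult)))
    return summary


if __name__ == "__main__":
    result = summarize_results(SAMPLE_RESULTS_XML)
    print("collection", result["id"], "counts", result["counts"])
    for kind, target, code in result["failed"]:
        print(f"FAILED {kind}: {target} ({code})")
```

To use it on a real download, replace the constructed sample with the contents of the results.xml extracted from the diagnostics zip; a non-zero HRESULT on an item points at the collector to investigate on the device.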

What Logs are Collected by Windows 10 Device Diagnostics Feature

So, what do we do next once we have collected logs with Intune? We look at which logs the Windows 10 Device Diagnostics feature gathers. Intune's standard diagnostics template collects the following Windows 10 logs.

General Log Files

These entries collect the files generated during the log collection as well as files already on the machine that are used for debugging issues.

 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
 %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
 %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
 %temp%\MDMDiagnostics\battery-report.html
 %temp%\MDMDiagnostics\energy-report.html
 %temp%\MDMDiagnostics\mdmlogs-.cab
 %temp%\MDMDiagnostics\msinfo32.log
 %windir%\logs\CBS\cbs.log
 %windir%\logs\measuredboot*.*
 %windir%\Logs\WindowsUpdate*.etl

Configuration Manager Client Log Files

The following Configuration Manager logs (CCM logs) are collected.

 %windir%\ccm\logs*.log
 %windir%\ccmsetup\logs*.log

Event Viewer Details

The event logs collected include the common ones used for troubleshooting: Application, System and Setup. In addition, the AppLocker event logs (to assist in debugging AppLocker issues) and the SENSE event logs (to help debug anti-virus/anti-malware issues) are collected.

 Application
 Microsoft-Windows-AppLocker/EXE and DLL
 Microsoft-Windows-AppLocker/MSI and Script
 Microsoft-Windows-AppLocker/Packaged app-Deployment
 Microsoft-Windows-AppLocker/Packaged app-Execution
 Microsoft-Windows-Bitlocker/Bitlocker Management
 Microsoft-Windows-SENSE/Operational
 Microsoft-Windows-SenseIR/Operational
 Setup
 System

HoloLens 2 Commands and Files

 %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %programdata%\MDMDiagnostics\mdmlogs-.zip
 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %windir%\logs\measuredboot*.*

Intune Windows 10 Device Diagnostics FAQs

Here are some common questions about Windows 10 device diagnostics.

How can I extract the Windows 10 device diagnostics file?

You can use either the built-in Windows zip extractor or a third-party tool like 7-Zip, WinZip or WinRAR.

What should I do if the device diagnostics process is stuck at pending status?

If a Windows 10 device's diagnostics stay in pending status, ensure the device is online. You can also force a device check-in, which confirms that the device can reach the Intune service.

How long does Microsoft store the Windows 10 device diagnostics?

Diagnostics are available for download for 28 days.

Does Windows 10 device diagnostics collect Configuration Manager logs?

Yes, the Configuration Manager client logs from the C:\Windows\CCM and C:\Windows\CCMsetup folders are collected.

What is the limit on collected logs for a Windows 10 device?

The limit is 10 sets of diagnostics. After 10, the oldest set of diagnostics is removed and replaced.

What Intune Release adds Windows 10 Device diagnostics feature?

Intune service release 2102.

What is the size limit to collect logs with Intune?

250 MB.

What is Collect Diagnostics feature in Intune?

The Collect Diagnostics remote action in the Endpoint Manager Admin center collects the logs from a remote device.

4 Comments

  1. I don’t understand, I cannot see how any of the outputted files from the diagnostics zip file are of any use. You get some reg files and etl… the XML file is just a list of things it gathered – it’s a pretty useless report you must admit.
    What if you need to troubleshoot windows updates for business or feature updates policies?
    I’m sorry, but the cynic sys admin in me is starting to see more and more just what a con Intune and so called ‘co-managed’ tenancy really is.
    Things from Intune/MEM are not really ‘managed’ at all and more directed and loosely controlled, I think over time more and more people will realize just how limited MEM really is and switch workloads back to MECM or find an alternative MDM solution.

    1. ConfigEngineer says:

      I agree NazK. I have been a CM engineer my entire career and have attempted to migrate companies to Intune a few times and it has been an absolute disaster every time. It appears it only works for small, truly modern companies where AAD joined devices is all you need, a limited app stack, and very limited support. This is now my 5th go at this (not counting consulting) and it just does not provide anything to the business except headaches. Pre-provisioning is just simply unreliable and troubleshooting is miserable. I have AP working for a global company because they are “cloud first” but literally every day we are fighting issues. I just can’t do this anymore.

      I read the forums and all the big names in the space are now saying it might be better to be co-managed. No, it is not. It is better to not use Intune and stick with CM. Add on to this that in all these rollouts I have not had a single opened case with Microsoft be solved — we just have to abandon strategies (that should work) and move on to something else.

      Just last month there was a global outage on AP but we were never notified and the Intune console said everything was “OKAY”. Had to dig deeper through menus to see the alerts and updates. It lasted a couple of weeks before Microsoft fixed it. There was nothing I could do anyways.

  2. Is there any possibility to extend the list of default locations from which the functionality polls the data?
    e.g. Custom Application logs acquisition from specific location

  3. This feature is excellent and I’m already making heavy use of it. I am, however, not understanding why they bother including the results of “%windir%\system32\ping.exe -n 50 localhost” in the .zip. What would that ever show that would be useful? I’d love to get a sample of 50 pings to the default gateway or something since that could show me that the Wi-Fi connection isn’t great, but pinging localhost 50 times seems completely useless. Is this some sort of secret diagnostic thing I don’t know about?
