Easy Guide to Collect Logs with Intune

With the Windows 10 Device diagnostics feature (Collect Diagnostics) you can collect logs with Intune. In February 2021, Microsoft announced Intune service release 2102, which included a public preview of the Windows 10 Device diagnostics feature.

In this post we will explore the Windows 10 Device Diagnostics requirements and the steps to collect logs with Intune, then look at what the logs contain and how useful that information is for troubleshooting.

With a lot of people working remotely, troubleshooting is going to be difficult for IT. The Intune log collection feature comes to the rescue when you need to troubleshoot a remote device without contacting the user. If you can collect logs with Intune remotely and analyze them, that is a big help. The Collect Diagnostics remote action in the Endpoint Manager admin center collects the logs from a remote device.

Windows 10 Device Diagnostics Requirements

According to Microsoft, here are some of the requirements for Windows 10 Device diagnostics.

  • Desktop – Windows 10 1909 / 19H2 or later (build number 10.0.18363+) – Home, Pro, Enterprise and Education editions are supported.
  • HoloLens 2 – Windows 10 2004 / 20H1 or later (build number 10.0.19041+).
  • To collect Windows device logs with Intune, the device must be online and reachable over the internet. In addition, the Windows Push Notification Service (WNS) must be able to reach the machine.
  • To initiate device diagnostics, you must be assigned the Global Admin role, Intune Admin role, School Administrator, Help Desk Operator, or a custom role that has the Collect diagnostics permission.
  • The device you’d like to collect diagnostics from must be designated as Corporate-Owned.
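Before triggering the remote action it is worth confirming the device-side requirements locally. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling: it checks the minimum build, reads the join and MDM state from dsregcmd /status, tests outbound reachability to a WNS host, and looks for an Intune enrollment record. The WNS host name client.wns.windows.com and the "MS DM Server" provider ID are assumptions for this example; run it in an elevated PowerShell on the device.

```powershell
# Added example (not from the original post): local pre-flight check of the
# Windows 10 Device Diagnostics requirements listed above.
# Assumptions: run elevated on the target device; client.wns.windows.com:443
# is used as a representative WNS endpoint; Intune enrollments are identified
# by ProviderID "MS DM Server".

$MinBuild = 18363   # Windows 10 1909 / 19H2

function Test-DiagnosticsPrerequisites {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $result = [ordered]@{
        OSVersion      = $os.Version
        BuildSupported = ($build -ge $MinBuild)
    }

    # dsregcmd /status is also one of the commands the diagnostics package runs;
    # here we only read the Azure AD join state and the MDM URL from its output.
    $dsreg = dsregcmd.exe /status
    $result.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $result.MdmEnrolled   = [bool]($dsreg -match '^\s*MdmUrl\s*:\s*https://')

    # WNS must be able to reach the device; a TCP 443 test to a WNS host is a
    # coarse but useful proxy for outbound connectivity or proxy problems.
    $wns = Test-NetConnection -ComputerName 'client.wns.windows.com' -Port 443 -WarningAction SilentlyContinue
    $result.WnsReachable = $wns.TcpTestSucceeded

    # Enrollment records live under this key once the device is MDM enrolled.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ProviderID -eq 'MS DM Server' }
    $result.IntuneEnrollmentFound = ($null -ne $enrollments)

    [pscustomobject]$result
}

Test-DiagnosticsPrerequisites | Format-List
```

Whether the device is marked Corporate-Owned is an Intune-side property and cannot be read this way; check it on the device's overview page in the admin center.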

Where Can I find Collect Diagnostics in Intune Portal

Microsoft has added a new remote action to the Endpoint Manager admin center called Collect Diagnostics. Selecting this option collects logs with Intune from the Windows device without needing to contact the user.

In the Microsoft Endpoint Manager admin center, select a Windows device. Click the three horizontal dots and you will find the Collect Diagnostics option.

Collect Diagnostics in Intune Portal

How to Collect Logs with Intune

  • Visit the Microsoft Endpoint Manager admin center.
  • Click Devices and then Windows. Select the Windows 10 device from which you want to collect logs with Intune.
  • Click the three horizontal dots and from the list of actions, select Collect Diagnostics.
  • Intune will now attempt to collect the diagnostics (Windows device logs) that are on this Windows 10 device.
How to Collect Logs with Intune

You will see a notification: Intune will attempt to collect the diagnostics that are on this device. To download and view the diagnostics, go to Monitor > Device diagnostics. To continue with the diagnostics collection, click Yes.

How to Collect Logs with Intune

On the same device page, click Device Diagnostics (Preview) and notice that the status shows as Pending diagnostics Upload. This means the Windows device logs are being collected. Wait until the status changes to Complete.

Pending diagnostics Upload

After a few minutes the log collection is complete. You can also see the date and time for both when the request was initiated and when the diagnostics were uploaded. Under Diagnostics, click the Download button.

collect logs with Intune

You get a notification: “This download contains the diagnostics collected from this device. Do you want to continue?” Click Yes, then save the Windows 10 Device diagnostics zip file.
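The same collect, wait and download sequence can be scripted when you have many devices to pull logs from. The script below is an added example, not from the original post and not Microsoft's sample code. It assumes the Microsoft.Graph PowerShell SDK is installed, that the account has the DeviceManagementManagedDevices.PrivilegedOperations.All permission the remote actions require, and that the Graph beta actions createDeviceLogCollectionRequest, logCollectionRequests and createDownloadUrl are available on managedDevice as documented for the beta endpoint; the device name is a placeholder.

```powershell
# Added example, not part of the original post. Runs the Collect Diagnostics
# remote action through Microsoft Graph (beta) instead of the portal, waits
# for the status to leave "pending", then downloads the zip.
# Assumptions: Microsoft.Graph SDK installed; Graph beta actions
# createDeviceLogCollectionRequest / logCollectionRequests / createDownloadUrl;
# $DeviceName is a placeholder.

param(
    [string]$DeviceName = 'DESKTOP-EXAMPLE',                          # placeholder
    [string]$OutFile    = "$env:TEMP\$DeviceName-diagnostics.zip"
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All',
                        'DeviceManagementManagedDevices.Read.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/managedDevices'

# 1. Resolve the Intune device ID from the device name.
$filter = "deviceName eq '$DeviceName' and operatingSystem eq 'Windows'"
$uri    = "${base}?`$filter=$([uri]::EscapeDataString($filter))"
$device = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Select-Object -First 1
if (-not $device) { throw "Device '$DeviceName' not found in Intune." }

# 2. Trigger Collect Diagnostics (the same remote action as in the portal).
$request = Invoke-MgGraphRequest -Method POST `
    -Uri "$base/$($device.id)/createDeviceLogCollectionRequest" `
    -Body @{ templateType = 'predefined' }
$reqId = $request.id

# 3. Poll until the request is no longer pending (portal: Pending diagnostics Upload).
do {
    Start-Sleep -Seconds 30
    $status = Invoke-MgGraphRequest -Method GET -Uri "$base/$($device.id)/logCollectionRequests/$reqId"
    Write-Host "Status: $($status.status)"
} while ($status.status -eq 'pending')

# Anything other than completed means nothing is available to download
# (the Failed state is covered further down in the post).
if ($status.status -ne 'completed') { throw "Collection ended with status '$($status.status)'." }

# 4. Ask for a download URL and save the zip locally.
$url = (Invoke-MgGraphRequest -Method POST -Uri "$base/$($device.id)/logCollectionRequests/$reqId/createDownloadUrl").value
Invoke-WebRequest -Uri $url -OutFile $OutFile
Write-Host "Saved diagnostics to $OutFile"
```

The download URL returned by createDownloadUrl is a short-lived SAS-style link, so download immediately rather than storing the URL.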

Windows 10 Device diagnostics

Windows 10 Device diagnostics feature (Collect Diagnostics) States

When you perform Collect Diagnostics on a Windows 10 device, the status is important. It tells you whether the log collection was successful or had any issues. There are three status messages for a diagnostic task.

  • Complete – If you see this status, it means the diagnostics were successful and are available for download.
  • Pending diagnostics Upload – You see this status when you initiate Collect Diagnostics on a remote Windows 10 device. It should change to Complete soon if your Windows device is online and can contact the Intune service.
  • Failed – The device ran the diagnostics but failed to complete the task or failed to upload. To troubleshoot, review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and its subkeys.
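When a collection ends in Failed, the registry key named above is the starting point, and it helps to capture it together with the local collector output and recent MDM client errors from a single run. This PowerShell is an added example, not part of the original post; it assumes you run it elevated on the affected device and that the DeviceManagement-Enterprise-Diagnostics-Provider/Admin channel is where the MDM client logs CSP errors.

```powershell
# Added example, not from the original post: gather the local evidence for a
# Failed diagnostics collection. Assumptions: run elevated on the device;
# MDM client errors are in the DeviceManagement-Enterprise-Diagnostics-Provider
# Admin channel.

function Get-MdmDiagnosticsState {
    $key = 'HKLM:\SOFTWARE\Microsoft\MdmDiagnostics'
    if (-not (Test-Path $key)) { Write-Warning "$key is not present"; return }

    # Every value under the key and all of its subkeys, one row per value,
    # so it can be diffed against a device where collection works.
    $keys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Key   = $k.Name
                Value = if ($name) { $name } else { '(Default)' }
                Kind  = $k.GetValueKind($name)
                Data  = $k.GetValue($name)
            }
        }
    }
}

function Get-LocalCollectorFiles {
    # The same folder the template itself collects (DiagnosticLogCSP\Collectors);
    # a missing or empty folder points at the collection step, not the upload.
    $path = Join-Path $env:ProgramData 'Microsoft\DiagnosticLogCSP\Collectors'
    if (-not (Test-Path $path)) { Write-Warning "$path is not present"; return }
    Get-ChildItem $path -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Sort-Object LastWriteTime -Descending
}

function Get-RecentMdmErrors {
    param([int]$Hours = 24)
    # Errors (Level 2) from the MDM client channel since the collection was requested.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-MdmDiagnosticsState  | Format-Table -AutoSize -Wrap
Get-LocalCollectorFiles  | Format-Table -AutoSize
Get-RecentMdmErrors      | Format-List
```

If the collector folder has fresh files but the status is still Failed, the collection itself worked and the upload is the part to investigate (proxy and outbound HTTPS from the device).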

Extract Windows 10 Device diagnostics File

In the above steps, we successfully collected the diagnostics from a Windows 10 device from the MEM portal. The Windows 10 diagnostics file is a zip file. Extract it and you see a set of folders containing the data and logs collected from the Windows 10 device. Each file, command, registry key or event log is stored in its own folder before the set is compressed into the zip file.

Extract Windows 10 Device diagnostics

At the end of the list you see a results.xml file, which contains a summary of what was collected from the Windows 10 device. Here is the content of results.xml, with the entries grouped by type (registry keys, commands, event logs, and files and folders):

 41f22791-a210-4c27-83df-15506dad7088
 SasUrlPlaceHolder

 Registry keys:
 HKLM\Software\Microsoft\IntuneManagementExtension
 HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
 "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
 "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
 HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
 HKLM\Software\Policies
 HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
 "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
 HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

 Commands:
 %programfiles%\windows defender\mpcmdrun.exe -GetFiles
 %windir%\system32\certutil.exe -store
 %windir%\system32\certutil.exe -store -user my
 %windir%\system32\Dsregcmd.exe /status
 %windir%\system32\ipconfig.exe /all
 %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
 %windir%\system32\netsh.exe advfirewall show allprofiles
 %windir%\system32\netsh.exe advfirewall show global
 %windir%\system32\netsh.exe lan show profiles
 %windir%\system32\netsh.exe winhttp show proxy
 %windir%\system32\netsh.exe wlan show profiles
 %windir%\system32\netsh.exe wlan show wlanreport
 %windir%\system32\ping.exe -n 50 localhost
 %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
 %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

 Event logs:
 Application
 Microsoft-Windows-AppLocker/EXE and DLL
 Microsoft-Windows-AppLocker/MSI and Script
 Microsoft-Windows-AppLocker/Packaged app-Deployment
 Microsoft-Windows-AppLocker/Packaged app-Execution
 Microsoft-Windows-Bitlocker/Bitlocker Management
 Microsoft-Windows-SENSE/Operational
 Microsoft-Windows-SenseIR/Operational
 Setup
 System

 Files and folders:
 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
 %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
 %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
 %temp%\MDMDiagnostics\battery-report.html
 %temp%\MDMDiagnostics\energy-report.html
 %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %temp%\MDMDiagnostics\msinfo32.log
 %windir%\ccm\logs*.log
 %windir%\ccmsetup\logs*.log
 %windir%\logs\CBS\cbs.log
 %windir%\logs\measuredboot*.*
 %windir%\Logs\WindowsUpdate*.etl
Windows 10 Device diagnostics File Results XML
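Rather than clicking through the folders, you can unpack the zip and let results.xml drive an inventory of what was collected. The PowerShell below is an added example, not from the original post; it reads results.xml without assuming its element names (each child element becomes one row along with whatever attributes it carries), then summarises the extracted files by type. The zip path is a placeholder for the file you saved from the portal.

```powershell
# Added example, not from the original post: unpack the downloaded diagnostics
# zip, read results.xml generically, and inventory the collected artefacts.
# Assumption: $ZipPath points at the zip saved from the portal; extraction
# goes to a new folder next to it.

function Expand-IntuneDiagnostics {
    param([Parameter(Mandatory)][string]$ZipPath)

    $dest = Join-Path (Split-Path $ZipPath) ([IO.Path]::GetFileNameWithoutExtension($ZipPath))
    Expand-Archive -Path $ZipPath -DestinationPath $dest -Force

    # results.xml summarises every item the template tried to collect.
    $resultsFile = Get-ChildItem $dest -Recurse -Filter results.xml | Select-Object -First 1
    if (-not $resultsFile) { throw "results.xml not found under $dest" }
    [xml]$results = Get-Content -Raw $resultsFile.FullName

    # One row per child element: element name, its text, plus any attributes,
    # so a per-item status attribute (if present) shows up without hard-coding it.
    $items = foreach ($node in $results.DocumentElement.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }
        $row = [ordered]@{ Type = $node.LocalName; Item = $node.InnerText.Trim() }
        foreach ($attr in $node.Attributes) { $row[$attr.Name] = $attr.Value }
        [pscustomobject]$row
    }

    # What actually landed on disk, grouped by file type with sizes.
    $files  = Get-ChildItem $dest -Recurse -File
    $byType = $files | Group-Object Extension | Sort-Object Count -Descending |
        Select-Object @{n='Extension';e={$_.Name}}, Count,
                      @{n='MB';e={[math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 2)}}

    [pscustomobject]@{
        Destination = $dest
        Items       = $items
        FilesByType = $byType
        TotalMB     = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1MB, 2)
    }
}

$diag = Expand-IntuneDiagnostics -ZipPath "$env:USERPROFILE\Downloads\DeviceDiagnostics.zip"   # placeholder
$diag.Items | Group-Object Type | Select-Object Name, Count
$diag.FilesByType | Format-Table -AutoSize
"Total extracted: $($diag.TotalMB) MB"
```

The total size is worth checking against the 250 MB collection limit mentioned in the FAQ below: a package close to that limit may have had larger log files truncated or skipped.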

What Logs are Collected by Windows 10 Device Diagnostics Feature

So what do we do next after we collect logs with Intune? We explore what logs are collected by Windows 10 Device Diagnostics. The standard diagnostics template that Intune uses collects the following Windows 10 logs.

General Log Files

These entries collect the files generated during the log collection itself and files already on the machine that are used for debugging issues.

 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
 %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
 %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
 %temp%\MDMDiagnostics\battery-report.html
 %temp%\MDMDiagnostics\energy-report.html
 %temp%\MDMDiagnostics\mdmlogs-.cab
 %temp%\MDMDiagnostics\msinfo32.log
 %windir%\logs\CBS\cbs.log
 %windir%\logs\measuredboot*.*
 %windir%\Logs\WindowsUpdate*.etl

Configuration Manager Client Log Files

The following Configuration Manager logs (CCM logs) are collected.

 %windir%\ccm\logs*.log
 %windir%\ccmsetup\logs*.log

Event Viewer Details

The event logs collected include the common channels used for troubleshooting (Application, System and Setup), the AppLocker channels to assist in debugging AppLocker issues, the BitLocker Management channel, and the SENSE channels (the Microsoft Defender for Endpoint sensor) to help debug antivirus/antimalware issues.

 Application
 Microsoft-Windows-AppLocker/EXE and DLL
 Microsoft-Windows-AppLocker/MSI and Script
 Microsoft-Windows-AppLocker/Packaged app-Deployment
 Microsoft-Windows-AppLocker/Packaged app-Execution
 Microsoft-Windows-Bitlocker/Bitlocker Management
 Microsoft-Windows-SENSE/Operational
 Microsoft-Windows-SenseIR/Operational
 Setup
 System
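Because the channels are exported as files, you can triage them offline on your own workstation with Get-WinEvent -Path instead of signing in to the device. The PowerShell below is an added example, not from the original post; it assumes the package has been extracted to a folder and that the channels were exported as .evtx files (the format the DiagnosticLog CSP uses when it exports a channel). It summarises each exported log and pulls the file path, user and hash out of AppLocker block events, which is usually what you want when an application is being blocked on a remote machine.

```powershell
# Added example, not from the original post: offline triage of the event logs
# exported in the diagnostics package. Assumptions: package already extracted
# to $Root; channels exported as .evtx; file names are discovered, not hard-coded.

function Get-DiagnosticsEventSummary {
    param([Parameter(Mandatory)][string]$Root)

    foreach ($file in Get-ChildItem $Root -Recurse -Filter *.evtx) {
        # Read each exported log once and count by level and by AppLocker outcome.
        $events = @(Get-WinEvent -Path $file.FullName -ErrorAction SilentlyContinue)
        if ($events.Count -eq 0) { continue }

        # AppLocker IDs: 8004 = EXE/DLL blocked, 8007 = MSI/script blocked,
        # 8003 / 8006 = would have been blocked (audit-only mode).
        $blocked = @($events | Where-Object { $_.Id -in 8004, 8007 })
        $audited = @($events | Where-Object { $_.Id -in 8003, 8006 })

        [pscustomobject]@{
            File            = $file.Name
            Log             = $events[0].LogName
            Events          = $events.Count
            Errors          = @($events | Where-Object Level -eq 2).Count
            Warnings        = @($events | Where-Object Level -eq 3).Count
            AppLockerBlocks = $blocked.Count
            AppLockerAudits = $audited.Count
            Oldest          = ($events | Measure-Object TimeCreated -Minimum).Minimum
            Newest          = ($events | Measure-Object TimeCreated -Maximum).Maximum
        }
    }
}

function Get-AppLockerBlockedDetails {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem $Root -Recurse -Filter *.evtx | ForEach-Object {
        Get-WinEvent -Path $_.FullName -ErrorAction SilentlyContinue |
            Where-Object { $_.Id -in 8004, 8007 } |
            ForEach-Object {
                # AppLocker stores its details in UserData/RuleAndFileData.
                $x = [xml]$_.ToXml()
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Id       = $_.Id
                    FilePath = $x.Event.UserData.RuleAndFileData.FilePath
                    User     = $x.Event.UserData.RuleAndFileData.TargetUser
                    Hash     = $x.Event.UserData.RuleAndFileData.FileHash
                    Rule     = $x.Event.UserData.RuleAndFileData.RuleName
                }
            }
    }
}

$root = "$env:USERPROFILE\Downloads\DeviceDiagnostics"   # placeholder: extracted package folder
Get-DiagnosticsEventSummary  -Root $root | Format-Table -AutoSize
Get-AppLockerBlockedDetails  -Root $root | Sort-Object Time | Format-Table -AutoSize
```

The same approach works for the SENSE and BitLocker Management exports: filter on the Id values those providers use rather than the AppLocker ones shown here.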

HoloLens 2 Commands and Files

 %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
 %programdata%\MDMDiagnostics\mdmlogs-.zip
 %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
 %windir%\logs\measuredboot*.*

Intune Windows 10 Device Diagnostics FAQs

Some common FAQs about Windows 10 device diagnostics.

How can I extract Windows 10 device Diagnostics File?

You can either use the built-in Windows zip extractor or a third-party tool such as 7-Zip, WinZip or WinRAR.

What should I do if the device diagnostics process is stuck at Pending status?

If device diagnostics stays in Pending status for a Windows 10 device, ensure the device is online. You can also force a device check-in (the Sync remote action) to confirm the device is able to reach the Intune service.

How long does Microsoft store the Windows 10 Device Diagnostics?

Diagnostics are available for download for 28 days.

Does Windows 10 Device Diagnostics collect Configuration Manager logs?

Yes, the Configuration Manager client logs from the C:\Windows\CCM and C:\Windows\CCMsetup folders are collected.

How many diagnostics collections are kept per Windows 10 device?

The limit is 10 collections per device. After 10, the oldest set of diagnostics is removed and replaced by the new one.

What Intune Release adds Windows 10 Device diagnostics feature?

Intune service release 2102.

What is the size limit when collecting logs with Intune?

250 MB per collection.

What is Collect Diagnostics feature in Intune?

The Collect Diagnostics remote action in the Endpoint Manager Admin center collects the logs from a remote device.


2 thoughts on “Easy Guide to Collect Logs with Intune”

  1. Is there any possibility to extend the list of default locations from which the functionality polls the data?
    e.g. custom application log acquisition from a specific location

  2. This feature is excellent and I’m already making heavy use of it. I am, however, not understanding why they bother including the results of “%windir%\system32\ping.exe -n 50 localhost” in the .zip. What would that ever show that would be useful? I’d love to get a sample of 50 pings to the default gateway or something since that could show me that the Wi-Fi connection isn’t great, but pinging localhost 50 times seems completely useless. Is this some sort of secret diagnostic thing I don’t know about?

