With the Windows 10 Device diagnostics feature (Collect Diagnostics), you can collect logs with Intune (MEM). In February 2021, Microsoft announced Intune service release 2102, which included a public preview of the Windows 10 Device diagnostics feature.
In this post we will explore in depth the Windows 10 Device Diagnostics requirements and the steps to collect logs with Intune. We will also look at what the logs contain and how useful this information is for troubleshooting.
With a lot of people working remotely, troubleshooting is going to be difficult for IT. The Intune log collection feature comes to the rescue when you need to troubleshoot a remote device without contacting the user. If you can collect logs with Intune remotely and analyze them, that's an awesome thing. The Collect Diagnostics remote action in the Endpoint Manager Admin center collects the logs from a remote device.
Windows 10 Device Diagnostics Requirements
According to Microsoft, here are some of the requirements for Windows 10 Device diagnostics.
- Desktop: Windows 10 1909 / 19H2 or later (build number 10.0.18363+) – Home, Pro, Enterprise and Education versions supported.
- HoloLens 2: Windows 10 2004 / 20H1 or later (build number 10.0.19041+).
- To collect Windows Device Logs with Intune, the device must be online and should be available via the internet. In addition, the Windows Push Notification Service (WNS) must have access to the machine.
- To initiate device diagnostics, you must be assigned to a Global Admin role, Intune Admin role, School Administrator, Help Desk Operator, or have the Collect diagnostics permission assigned to a custom role.
- The device you’d like to collect diagnostics from must be designated as Corporate-Owned.
Where can I find Collect Diagnostics in Intune Portal?
Microsoft has added a new remote action to the Endpoint Manager Admin center called Collect Diagnostics. Selecting this option should collect logs with Intune. Without needing to contact the user, you can collect the logs from the Windows Device.
In the Microsoft Endpoint Manager admin center, select a Windows device. Click the three horizontal dots and you will find the Collect Diagnostics option.
How to Collect Logs with Intune
- Visit the Microsoft Intune admin center.
- Click Devices and then click Windows. Select the Windows 10 Device from which you want to collect Logs with Intune.
- Click the three horizontal dots and from the list of actions, select Collect Diagnostics.
- Intune will now attempt to collect the diagnostics (Windows device logs) that are on this Windows 10/Windows 11 device.
You will see a notification. Intune will attempt to collect the diagnostics that are on this device. To download and view the diagnostics, go to Monitor > Device diagnostics. To continue with diagnostics collection, click Yes.
On the same window, click Device Diagnostics (Preview) and notice that the status shows as Pending diagnostics Upload. This means the Windows Device logs are being collected. You have to wait until the status changes to Complete.
After a few minutes we see that the log collection is complete. You can also see the date and time for both the request initiated and the diagnostics uploaded. Under Diagnostics, click the Download button.
You get a notification “This download contains the diagnostics collected from this device. Do you want to continue?” Click Yes. In the next step save the Windows 10 Device diagnostics zip file.
Windows 11/10 Device diagnostics feature (Collect Diagnostics) States
When you perform Collect Diagnostics on a Windows 10 device, the status is important. It tells you whether the log collection was successful or had any issues. There are three status messages for a diagnostic task.
- Complete – If you see this status, it means the diagnostics were successful and are available for download.
- Pending diagnostics Upload – You see this status when you initiate Collect Diagnostics on a remote Windows 10 device. This status should soon change to Complete if your Windows device is online and can contact the Intune service.
- Failed – The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the sub keys inside.
Extract Windows 10/11 Device diagnostics File
In the above step, we successfully collected the diagnostics from a Windows 10 device from the MEM portal. The Windows 10 diagnostics file is a zip file. Extract the zip file and you see a set of folders containing the data and logs collected from the Windows 10 device. Each file, command, registry key, or event viewer is stored in an individual folder inside the zip file.
At the end of the list, you see a results.xml file that contains a summary of what information is collected from the Windows 10 device. Here is the output of results.xml.
- 41f22791-a210-4c27-83df-15506dad7088
- SasUrlPlaceHolder
- HKLM\Software\Microsoft\IntuneManagementExtension
- HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
- "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
- HKLM\Software\Policies
- HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
- "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"
- HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- %programfiles%\windows defender\mpcmdrun.exe -GetFiles
- %windir%\system32\certutil.exe -store
- %windir%\system32\certutil.exe -store -user my
- %windir%\system32\Dsregcmd.exe /status
- %windir%\system32\ipconfig.exe /all
- %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
- %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
- %windir%\system32\netsh.exe advfirewall show allprofiles
- %windir%\system32\netsh.exe advfirewall show global
- %windir%\system32\netsh.exe lan show profiles
- %windir%\system32\netsh.exe winhttp show proxy
- %windir%\system32\netsh.exe wlan show profiles
- %windir%\system32\netsh.exe wlan show wlanreport
- %windir%\system32\ping.exe -n 50 localhost
- %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
- %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html
- Application
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-Bitlocker/Bitlocker Management
- Microsoft-Windows-SENSE/Operational
- Microsoft-Windows-SenseIR/Operational
- Setup
- System
- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
- %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
- %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
- %temp%\MDMDiagnostics\battery-report.html
- %temp%\MDMDiagnostics\energy-report.html
- %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
- %temp%\MDMDiagnostics\msinfo32.log
- %windir%\ccm\logs\*.log
- %windir%\ccmsetup\logs\*.log
- %windir%\logs\CBS\cbs.log
- %windir%\logs\measuredboot\*.*
- %windir%\Logs\WindowsUpdate\*.etl
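Rather than reading results.xml by eye, you can parse it to count what was collected per type and to list any collector that reported an error. This is an added example, not code from the original post or from Microsoft: it assumes results.xml holds one element per item (RegistryKey, Command, Events, FoldersFiles) carrying an HRESULT attribute, and the sample XML and its error codes are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the layout assumed for results.xml: one element per
# collected item, tagged by type, with the collector's HRESULT as an attribute.
SAMPLE_RESULTS_XML = r"""<Collection HRESULT="0">
  <ID>00000000-0000-0000-0000-000000000000</ID>
  <SasUrl>SasUrlPlaceHolder</SasUrl>
  <RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
  <Command HRESULT="0">%windir%\system32\Dsregcmd.exe /status</Command>
  <Command HRESULT="-2147024637">%windir%\system32\netsh.exe wlan show wlanreport</Command>
  <Events HRESULT="0">Microsoft-Windows-AppLocker/EXE and DLL</Events>
  <FoldersFiles HRESULT="-2147024894">%windir%\ccm\logs\*.log</FoldersFiles>
</Collection>"""

# Element names assumed for the four kinds of collected item.
ITEM_TAGS = ("RegistryKey", "Command", "Events", "FoldersFiles")


def hresult_hex(value):
    """Render a signed (or 0x-prefixed) HRESULT string as 0xXXXXXXXX."""
    return f"0x{int(value, 0) & 0xFFFFFFFF:08X}"


def summarize_results(xml_text):
    """Return (items grouped by type, items whose HRESULT is non-zero)."""
    root = ET.fromstring(xml_text)
    collected = defaultdict(list)
    failed = []
    for node in root:
        if node.tag not in ITEM_TAGS:
            continue  # ID, SasUrl and unknown elements are metadata
        target = (node.text or "").strip()
        collected[node.tag].append(target)
        code = node.get("HRESULT", "0")
        if int(code, 0) != 0:
            failed.append((node.tag, target, hresult_hex(code)))
    return dict(collected), failed


def report(xml_text):
    """Build a short text report: counts per type, then failed items."""
    collected, failed = summarize_results(xml_text)
    lines = [f"{tag}: {len(items)} item(s)" for tag, items in collected.items()]
    lines += [f"FAILED {tag} {target} -> {code}" for tag, target, code in failed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESULTS_XML))
```

To run it against a real download, pass the text of the extracted results.xml to `report()` in place of the sample.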
What Logs are Collected by Windows 10 Device Diagnostics Feature
So, what do we do next after we collect logs with Intune? We explore what logs are collected by Windows 10 Device Diagnostics. With the standard diagnostics template, Intune collects the following Windows 10 logs.
General Log Files
These commands collect the files generated during the log collection and files on the machine used for debugging issues.
- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
- %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
- %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
- %temp%\MDMDiagnostics\battery-report.html
- %temp%\MDMDiagnostics\energy-report.html
- %temp%\MDMDiagnostics\mdmlogs-.cab
- %temp%\MDMDiagnostics\msinfo32.log
- %windir%\logs\CBS\cbs.log
- %windir%\logs\measuredboot\*.*
- %windir%\Logs\WindowsUpdate\*.etl
Configuration Manager Client Log Files
The following Configuration Manager logs (CCM logs) are collected.
- %windir%\ccm\logs\*.log
- %windir%\ccmsetup\logs\*.log
Event Viewer Details
The Event Viewer details collected include common event viewers for troubleshooting issues, including Application, System and Setup. In addition, the AppLocker event viewers to assist in debugging AppLocker issues and the SENSE event viewers to help debug issues with anti-virus/malware are also collected.
- Application
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-Bitlocker/Bitlocker Management
- Microsoft-Windows-SENSE/Operational
- Microsoft-Windows-SenseIR/Operational
- Setup
- System
HoloLens 2 Commands and Files
- %windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-17-08-36-26.cab
- %programdata%\MDMDiagnostics\mdmlogs-.zip
- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
- %windir%\logs\measuredboot\*.*