In many support roles, logs are critical when troubleshooting an issue, and that goes double for Intune-related issues.
My day-to-day role sees me looking at logs for Intune-managed devices and Win32 apps, and collecting those logs can be a pain for the admins I speak with for various reasons.
The device is offline
The user is “busy.”
No remote access to the device
[Insert other generic reason here]
It may seem reasonable to say, “X isn’t working” or “Y gives me an error message”, but these statements are not always helpful without the context provided by log files. Log files give us a detailed view of most things that happened in the run-up to the error and potentially a more helpful error message than was presented to a user.
Thankfully, Intune provides a handy Collect diagnostics button that remedies most of these problems.
Where can you find Collect diagnostics?
You can find the Collect diagnostics button under Devices > Windows > [device name].
When you click Collect diagnostics, you will be prompted to confirm that you want to proceed and informed that you can follow the progress of the collection under Monitor > Device diagnostics.
Note
Collect diagnostics can take anywhere between 5 and 20 minutes to complete.
Once the diagnostic results are available, you’ll be presented with a download button.
What does Collect diagnostics give me?
Well, once we’ve downloaded our diagnostic bundle, we can see a whole host of data that has been collected. If we open up results.xml, we get a complete list.
```xml
<Collection HRESULT="0">
  <ID>d88051d0-acce-41e7-a7ce-d864a753e2c7</ID>
  <SasUrl>SasUrlPlaceHolder</SasUrl>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\CloudManagedUpdate</RegistryKey>
  <RegistryKey HRESULT="-2147024895">HKLM\SOFTWARE\Microsoft\EPMAgent</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\Software\Microsoft\IntuneManagementExtension</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot</RegistryKey>
  <RegistryKey HRESULT="-2147024893">"HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection"</RegistryKey>
  <RegistryKey HRESULT="-2147024893">"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"</RegistryKey>
  <RegistryKey HRESULT="-2147024893">"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudExperienceHost</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeviceAccess</RegistryKey>
  <RegistryKey HRESULT="-2147024893">"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"</RegistryKey>
  <RegistryKey HRESULT="-2147024895">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\NDUP</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\Software\Policies</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL</RegistryKey>
  <RegistryKey HRESULT="-2147024893">"HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\MDM</RegistryKey>
  <RegistryKey HRESULT="-2147024893">HKLM\SYSTEM\Setup</RegistryKey>
  <Command HRESULT="0">%programfiles%\windows defender\mpcmdrun.exe -GetFiles</Command>
  <Command HRESULT="0">%windir%\system32\certutil.exe -store</Command>
  <Command HRESULT="0">%windir%\system32\certutil.exe -store -user my</Command>
  <Command HRESULT="-2147418113">%windir%\system32\dism.exe /online /get-packages</Command>
  <Command HRESULT="-2147418113">%windir%\system32\dism.exe /online /get-ProvisionedAppxPackages</Command>
  <Command HRESULT="0">%windir%\system32\Dsregcmd.exe /status</Command>
  <Command HRESULT="0">%windir%\system32\ipconfig.exe /all</Command>
  <Command HRESULT="0">%windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2023-07-13-14-27-15.cab</Command>
  <Command HRESULT="0">%windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log</Command>
  <Command HRESULT="0">%windir%\system32\netsh.exe advfirewall show allprofiles</Command>
  <Command HRESULT="0">%windir%\system32\netsh.exe advfirewall show global</Command>
  <Command HRESULT="-2147024895">%windir%\system32\netsh.exe lan show profiles</Command>
  <Command HRESULT="0">%windir%\system32\netsh.exe winhttp show proxy</Command>
  <Command HRESULT="-2147024895">%windir%\system32\netsh.exe wlan show profiles</Command>
  <Command HRESULT="0">%windir%\system32\netsh.exe wlan show wlanreport</Command>
  <Command HRESULT="0">%windir%\system32\ping.exe -n 50 localhost</Command>
  <Command HRESULT="0">%windir%\system32\pnputil.exe /enum-drivers</Command>
  <Command HRESULT="0">%windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html</Command>
  <Command HRESULT="0">%windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html</Command>
  <Events HRESULT="0">Application</Events>
  <Events HRESULT="0">Microsoft-Windows-AppLocker/EXE and DLL</Events>
  <Events HRESULT="0">Microsoft-Windows-AppLocker/MSI and Script</Events>
  <Events HRESULT="0">Microsoft-Windows-AppLocker/Packaged app-Deployment</Events>
  <Events HRESULT="0">Microsoft-Windows-AppLocker/Packaged app-Execution</Events>
  <Events HRESULT="0">Microsoft-Windows-AppXDeployment/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-AppXDeploymentServer/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-AppxPackaging/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-Bitlocker/Bitlocker Management</Events>
  <Events HRESULT="0">Microsoft-Windows-HelloForBusiness/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-SENSE/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-SenseIR/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-Shell-Core/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Events>
  <Events HRESULT="0">Microsoft-Windows-WinRM/Operational</Events>
  <Events HRESULT="0">Microsoft-Windows-WMI-Activity/Operational</Events>
  <Events HRESULT="0">Setup</Events>
  <Events HRESULT="0">System</Events>
  <FoldersFiles HRESULT="0">%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
  <FoldersFiles HRESULT="0">%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*</FoldersFiles>
  <FoldersFiles HRESULT="0">%ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab</FoldersFiles>
  <FoldersFiles HRESULT="0">%ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html</FoldersFiles>
  <FoldersFiles HRESULT="0">%programdata%\usoshared\logs\System\*.*</FoldersFiles>
  <FoldersFiles HRESULT="-2147024893">%ProgramFiles%\Microsoft EPM Agent\Logs\*.*</FoldersFiles>
  <FoldersFiles HRESULT="0">%ProgramFiles%\Microsoft Update Health Tools\Logs\*.etl</FoldersFiles>
  <FoldersFiles HRESULT="0">%temp%\MDMDiagnostics\battery-report.html</FoldersFiles>
  <FoldersFiles HRESULT="0">%temp%\MDMDiagnostics\energy-report.html</FoldersFiles>
  <FoldersFiles HRESULT="0">%temp%\MDMDiagnostics\mdmlogs-2023-07-13-14-27-15.cab</FoldersFiles>
  <FoldersFiles HRESULT="0">%temp%\MDMDiagnostics\msinfo32.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024893">%temp%\winget\defaultstate\*.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024893">%windir%\ccm\logs\*.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024893">%windir%\ccmsetup\logs\*.log</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\logs\CBS\cbs.log</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\logs\measuredboot\*.*</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\Logs\WindowsUpdate\*.etl</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\panther\setupact.log</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\panther\unattendgc\setupact.log</FoldersFiles>
  <FoldersFiles HRESULT="0">%windir%\SoftwareDistribution\ReportingEvents.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024894">%windir%\system32\config\systemprofile\AppData\Local\mdm\*.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024894">%windir%\temp\%computername%*.log</FoldersFiles>
  <FoldersFiles HRESULT="-2147024894">%windir%\temp\officeclicktorun*.log</FoldersFiles>
  <ClientTimeoutInSeconds>5400</ClientTimeoutInSeconds>
  <OutputFileFormat>flattened</OutputFileFormat>
</Collection>
```
Now, there is a lot of data in here, such as log files and registry key exports, and not all of it is necessarily useful for what you are trying to troubleshoot, so you may have to sift through it a bit. I’ll point out the ones I find helpful.
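A quick way to see which collectors in a bundle actually failed is to read the HRESULT attributes in results.xml. The following PowerShell snippet is an added example, not part of the original post; it assumes results.xml has been extracted to the placeholder path below and uses the element and attribute names shown in the listing above.

```powershell
# Added example: summarise results.xml from a Collect diagnostics bundle and
# list every collector that reported a non-zero HRESULT.
# Placeholder path: point this at the extracted results.xml.
$ResultsPath = 'C:\Temp\Diagnostics\results.xml'

[xml]$results = Get-Content -Path $ResultsPath -Raw

# Each RegistryKey, Command, Events and FoldersFiles element carries an HRESULT
# attribute; 0 means the collector succeeded. <ID> and <SasUrl> have none.
$items = foreach ($node in $results.Collection.ChildNodes) {
    if ($node -isnot [System.Xml.XmlElement] -or -not $node.HasAttribute('HRESULT')) { continue }
    $hresult = [int]$node.GetAttribute('HRESULT')

    # HRESULTs that wrap a Win32 error look like 0x8007xxxx; the low 16 bits are
    # the Win32 code, which Win32Exception turns into readable text.
    $message = if (($hresult -band 0xFFFF0000) -eq 0x80070000) {
        ([ComponentModel.Win32Exception]($hresult -band 0xFFFF)).Message
    } else {
        'non-Win32 HRESULT'
    }

    [pscustomobject]@{
        Type    = $node.LocalName
        HRESULT = '0x{0:X8}' -f $hresult          # e.g. -2147024893 -> 0x80070003
        Message = if ($hresult -eq 0) { 'OK' } else { $message }
        Target  = $node.InnerText
    }
}

$failed = $items | Where-Object { $_.HRESULT -ne '0x00000000' }
'{0} collectors, {1} failed' -f $items.Count, $failed.Count
$failed | Format-Table Type, HRESULT, Message, Target -AutoSize
```

Codes such as 0x80070003 (path not found) and 0x80070002 (file not found) against paths like %windir%\ccm\logs usually just mean the product that writes those logs, here the Configuration Manager client, is not installed on that device, not that collection broke.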
We can use Collect Diagnostics to gather custom log files as well. However, some criteria need to be met first.
Any logs you want to be collected must be stored in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
No subfolders
File extension must be .log
So, if we have any other logs we want copied, they just need to exist in that folder; great! But how to get them there?
It is likely your users don’t have admin rights on their device (I hope), so they can’t drop files into C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ for you. Any logs generated in the user context cannot be stored here, but you can use scripts and proactive remediation to remedy this.
Firstly, if you’re already deploying scripts to your devices through Intune that write a transcript or generate a log file, simply change their output path to the IME logs folder. Sorted.
Secondly, we can leverage Proactive Remediation to move user logs or any other log files to the IME log folder.
Proactive Remediation
Detection
```powershell
# List of paths to look for logs.
$UserTemp = [System.Environment]::GetEnvironmentVariable('TEMP', 'User')
$SystemTemp = [System.Environment]::GetEnvironmentVariable('TEMP', 'Machine')
$LogToCollect = "$UserTemp", "$SystemTemp", "$env:ProgramData\PatchMyPCIntuneLogs\", "$env:ProgramData\Scappman\Logs\"

# List of log files to collect.
$logfiles = @()
foreach ($path in $LogToCollect) {
    if (Test-Path $path) {
        $logfiles += Get-ChildItem $path -Recurse -Filter "*.log"
    }
}

# Exit 1 (non-compliant) when there is something to copy so that remediation runs.
if ($logfiles.Count -gt 0) {
    exit 1
} else {
    exit 0
}
```
Remediation
```powershell
# List of paths to collect logs from.
$UserTemp = [System.Environment]::GetEnvironmentVariable('TEMP', 'User')
$SystemTemp = [System.Environment]::GetEnvironmentVariable('TEMP', 'Machine')
$LogToCollect = "$UserTemp", "$SystemTemp", "$env:ProgramData\PatchMyPCIntuneLogs\", "$env:ProgramData\Scappman\Logs\"
$logfiles = @()
$IntuneManagementExtensionLogs = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\"

foreach ($path in $LogToCollect) {
    if (Test-Path $path) {
        $logfiles += Get-ChildItem $path -Recurse -Filter "*.log"
    }
}

if ($logfiles.Count -eq 0) {
    exit 0
}

try {
    # -ErrorAction Stop turns Copy-Item's non-terminating errors into ones the catch block sees.
    $logfiles | Copy-Item -Destination $IntuneManagementExtensionLogs -Force -ErrorAction Stop
} catch {
    # ${...} keeps the following colon from being parsed as part of the variable name.
    Write-Error "Unable to copy logs to ${IntuneManagementExtensionLogs}: $_"
    exit 1
}
```
Here’s a handy video from Intune.Training showing how to configure Proactive Remediation to deploy the Detection and Remediation scripts. I’ll blog this process later.
This doesn’t just apply to Intune or Windows logs; we can apply the same collection to third-party logs as well. If it exists on disk, we can collect it!
Two examples I’m most familiar with are Patch My PC and Scappman.
Patch My PC Intune Apps and Updates generate specific log files, which can be found in the following locations.
Additionally, Patch My PC allows you to configure logs specific to vendor applications, and as you might expect, we can copy these logs as well!
Similarly, Scappman has unique log files, which can be found in the following location.
%ProgramData%\Scappman\Logs\
We can collect logs from these paths with Collect diagnostics by adding them to our proactive remediation scripts.
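Because every source folder (user temp, system temp, Patch My PC, Scappman) is flattened into the one IME Logs folder with no subfolders, two files that share a name would overwrite each other. The script below is an added example, not the post’s own remediation script: it copies only *.log files, skips logs older than a configurable age, and prefixes each copy with its source folder so the criteria above hold and nothing is lost. The function name Copy-LogsToIme and the MaxAgeDays default are my own choices.

```powershell
# Added example: collision-safe copy of third-party and temp logs into the IME Logs folder.
function Copy-LogsToIme {
    param(
        [Parameter(Mandatory)][string[]]$SourcePath,
        [string]$Destination = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs",
        [int]$MaxAgeDays = 14    # skip stale logs to keep the diagnostics bundle small
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $copied = 0
    foreach ($path in $SourcePath) {
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        # Prefix from the last two path segments, e.g. "Scappman_Logs_setup.log".
        $prefix = (($path.TrimEnd('\') -split '\\') | Select-Object -Last 2) -join '_'
        $prefix = $prefix -replace '[^\w\-.]', '_'
        # Only .log files are eligible for Collect diagnostics; subfolders are flattened.
        $files = Get-ChildItem -LiteralPath $path -Recurse -File -Filter '*.log' |
            Where-Object { $_.LastWriteTime -ge $cutoff }
        foreach ($file in $files) {
            $target = Join-Path $Destination ('{0}_{1}' -f $prefix, $file.Name)
            try {
                Copy-Item -LiteralPath $file.FullName -Destination $target -Force -ErrorAction Stop
                $copied++
            } catch {
                Write-Warning "Could not copy $($file.FullName): $_"
            }
        }
    }
    return $copied
}

# Source folders named in the post. The TEMP values resolve for the account the
# script runs as (SYSTEM for a proactive remediation unless it runs in the user context).
$sources = @(
    [Environment]::GetEnvironmentVariable('TEMP', 'User'),
    [Environment]::GetEnvironmentVariable('TEMP', 'Machine'),
    "$env:ProgramData\PatchMyPCIntuneLogs",
    "$env:ProgramData\Scappman\Logs"
)
$count = Copy-LogsToIme -SourcePath $sources
Write-Output "Copied $count log file(s) to the IME Logs folder"
exit 0
```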
Summary
Collect diagnostics is a great and relatively powerful tool available to admins to make their lives just that little bit easier. Even though the process can be a tad slow, taking upwards of 20 minutes, it’s still better than having no log files at all!