Expanding IME Log Retention

Logs, Again!

This is a bit of a follow-up to my last post about collecting log files using Intune.

The log files generated by the Intune Management Extension are extremely useful when troubleshooting a variety of issues, although I focus primarily on Win32 app related problems.

Recently, I have noticed that IntuneManagementExtension.log is filling up with more and more information about the GRSManager, Win32AppInventory and ReevaluationScheduleManager, as well as entries related specifically to Win32 app installations, which generate a vast number of log lines.

While these log lines can be useful, the sheer volume of them can cause the IntuneManagementExtension.log and AgentExecutor.log to fill up and roll over very quickly.

This can be pretty annoying for troubleshooting, because by default the IME is only configured to retain 3 logs (the current log plus 2 rollovers; rollover occurs at 3MB by default). So by the time you get around to collecting logs, any information related to the issue you’re experiencing is potentially long gone.

Well, thankfully we can fix this relatively easily.

There are 2 registry values that we can create: one controls the size at which the logs roll over, and the other controls how many rolled-over logs we keep.

These values are not set by default, so it isn’t immediately obvious what needs to be changed.

We want to create LogMaxHistory and LogMaxSize under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneWindowsAgent\Logging and configure them accordingly.

In this example, I want to keep 6 logs and roll over at 5MB.

Note
Retaining more logs, and larger logs, can potentially impact disk space on your devices.

And, like everything, you can do this programmatically with PowerShell and Proactive Remediation!

```powershell
# Detection script: check if the values are already set

# IME logging settings path
$regKeyFullPath = "HKLM:\SOFTWARE\Microsoft\IntuneWindowsAgent\Logging"

# Expected values (the remediation script writes them as strings)
$expectedLogMaxSize = "5242880"   # 5MB in bytes
$expectedLogMaxHistory = "6"

try {
    # Check if the registry key exists
    if (Test-Path -Path $regKeyFullPath) {
        # Get-ItemProperty returns an object, so read the named property from it
        $logMaxSize = (Get-ItemProperty -Path $regKeyFullPath -Name "LogMaxSize" -ErrorAction SilentlyContinue).LogMaxSize
        $logMaxHistory = (Get-ItemProperty -Path $regKeyFullPath -Name "LogMaxHistory" -ErrorAction SilentlyContinue).LogMaxHistory

        if ($logMaxSize -eq $expectedLogMaxSize -and $logMaxHistory -eq $expectedLogMaxHistory) {
            # Already configured: exit 0 so the remediation script does not run
            exit 0
        } else {
            # Missing or different: exit 1 to trigger the remediation script
            exit 1
        }
    }
    else {
        Write-Error "Reg key not found, IME agent may be missing"
        exit 1
    }
} catch {
    Write-Error "Unable to get registry keys: $_"
    exit 1
}
```

```powershell
# Remediation script: set the IME log retention values

# IME logging settings path
$regKeyFullPath = "HKLM:\SOFTWARE\Microsoft\IntuneWindowsAgent\Logging"

try {
    # Set LogMaxSize to 5MB (-ErrorAction Stop so a failure reaches the catch block)
    Set-ItemProperty -Path $regKeyFullPath -Name "LogMaxSize" -Value "5242880" -Type String -Force -ErrorAction Stop

    # Set LogMaxHistory to 6
    Set-ItemProperty -Path $regKeyFullPath -Name "LogMaxHistory" -Value "6" -Type String -Force -ErrorAction Stop

    exit 0
} catch {
    Write-Error "Unable to set registry keys: $_"
    exit 1
}
```

Here’s a handy video from Intune.Training showing how to configure Proactive Remediation to deploy the Detection and Remediation scripts.

Intune Training - S02E09 - How to Configure Proactive Remediations in Microsoft Intune
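
To check how far back the retained logs actually reach on a device, before and after the change, here is an added example that is not part of the original post. The function name Get-ImeLogCoverage is hypothetical, the log folder is supplied by the caller, and it assumes rolled-over files keep the base log name as a prefix.

```powershell
# Added example, not from the original post. Get-ImeLogCoverage is a hypothetical name.
function Get-ImeLogCoverage {
    param(
        # Assumption: the caller passes the folder that holds the IME logs
        [Parameter(Mandatory)] [string] $LogDirectory,
        [string[]] $BaseName = @("IntuneManagementExtension", "AgentExecutor"),
        [string] $RegPath = "HKLM:\SOFTWARE\Microsoft\IntuneWindowsAgent\Logging"
    )

    # Read the two retention values; they are absent unless someone created them
    $cfg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $maxSize = if ($cfg.LogMaxSize) { $cfg.LogMaxSize } else { "(not set)" }
    $maxHistory = if ($cfg.LogMaxHistory) { $cfg.LogMaxHistory } else { "(not set)" }

    foreach ($name in $BaseName) {
        # Assumption: rolled-over files keep the base log name as a prefix
        $files = @(Get-ChildItem -Path $LogDirectory -Filter "$name*.log" -File -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime)
        if ($files.Count -eq 0) { continue }

        # The oldest file was last written when it rolled over, so the retained
        # entries reach back at least to that time
        $oldest = $files[0].LastWriteTime

        [pscustomobject]@{
            Log           = $name
            LogMaxSize    = $maxSize
            LogMaxHistory = $maxHistory
            FilesOnDisk   = $files.Count
            TotalMB       = [math]::Round(($files | Measure-Object -Property Length -Sum).Sum / 1MB, 2)
            CoveredSince  = $oldest
            HoursCovered  = [math]::Round(((Get-Date) - $oldest).TotalHours, 1)
        }
    }
}

# Usage: Get-ImeLogCoverage -LogDirectory "<folder containing the IME logs>" | Format-Table
```

HoursCovered is a lower bound on the troubleshooting window, and TotalMB shows the disk cost mentioned in the note above.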

Not much to summarize other than it can be useful to keep more than the default number of retained logs!