Collect Intune Logs from MEM Portal Diagnostic Data

In this post, you will learn how to collect Intune logs using the Intune Admin portal. This method collects Intune logs from Windows 10 and Windows 11 devices. All the troubleshooting related to Intune and MDM can be done using these diagnostic logs.

The diagnostic logs contain MDM event logs, Intune Management Extension logs, registry values, etc. These are helpful logs for Intune admins to understand the exact issue with Windows 10 or 11 devices.

Microsoft has enabled the Windows 10 Device diagnostics feature, which collects diagnostics from Windows devices with the Collect diagnostics remote action. Windows Autopilot diagnostics will automatically capture diagnostics about Windows Autopilot failures that occur on the Enrollment Status Page (ESP).

Device diagnostics are available for corporate-managed devices running Windows 10, version 1909, and later, or Windows 11. Diagnostics are available for 28 days and then removed. They are not available when diagnostics are disabled.


The Collect diagnostics remote action lets you collect and download Windows device logs without interrupting the user. Are you worried about privacy? Don’t worry: you can access only non-user locations and file types, so no personal information is collected.

Prerequisites – Windows Device Diagnostics

First, you need to enable the device diagnostic settings from the Tenant Admin blade of Intune Admin Portal as shown in the screenshot below.

Device diagnostics are available for corporate-managed devices running Windows 10, version 1909 and later, or Windows 11 – Enabled.

Automatically capture diagnostics when devices experience a failure during the Autopilot process on Windows 10 version 1909 or later and Windows 11. Diagnostics may include user identifiable information such as user or device name – Enabled

Collect Intune Logs from MEM Portal Diagnostic Data 1

There are some prerequisites for collecting Intune logs from the Intune portal. The Collect diagnostics remote action is supported for:

Client requirements – The client-side requirements are:

  • Intune or co-managed devices.
  • Windows 10 version 1909 and later or Windows 11.
  • Microsoft HoloLens 2 2004 and later.

Intune requirements – Let’s look at the Intune RBAC-related permissions required to collect Intune logs from the Intune Admin portal.

  • To initiate device diagnostics, you must be assigned the Global Admin role, Intune Admin role, School Administrator, or Help Desk Operator role, or have the Collect diagnostics permission assigned to a custom role.

The device you’d like to collect diagnostics from must be designated as Corporate-Owned. It must also be online and able to communicate with the service during diagnostics.

Collect Intune Logs from MEM Portal Collect Diagnostic Data – Intune Logs Collection from MEM Portal Prerequisites

Collect Intune Logs from Intune Admin Portal

Let’s go through the process – Collect Intune Logs from Intune Portal. Make sure you already have all the prerequisites in place.

Intune Diagnostic Data Log Collection | Collect Intune Logs

Let’s check Intune Diagnostic Data Log Collection updates with the latest release of Microsoft Intune.

Win32 App Log collection via Intune Management Extension has moved to the Windows 10 device diagnostic platform (I hope this is the same for Windows 11 as well), reducing the time to collect logs from 1-2 hours to 15 minutes.

  • Increased the collected log size from 60 MB to 250 MB.
  • The app logs are available under the Device diagnostics monitor action for each device
  • The log files will be available at managed app monitor.

Sign in to the Microsoft Intune admin center https://intune.microsoft.com/. Navigate to Devices – Windows. All the Windows devices that you manage are listed here.

Collect Intune Logs from MEM Portal Collect Diagnostic Data

You can open the individual device blade. Under the device, on the Overview page, select  and click Collect diagnostics.

Collect Intune Logs from MEM Portal Collect Diagnostic Data

The popup will appear with the following message. Clicking on Yes will attempt to collect the diagnostics from the selected device.

Collect Intune Logs from MEM Portal Collect Diagnostic Data

A notification will appear automatically in the top right-hand corner with the message Collect diagnostics initiated. You can also see the status by selecting the notification icon.

Collect Intune Logs from MEM Portal Collect Diagnostic Data

A pending notification appears on the device’s Overview page. Under Device action status you can also see the status.

Collect Intune Logs from MEM Portal 5

How to Check the Collect Diagnostics Status

To see the complete status of the action, select Device diagnostics (Generally Available now). Here you can see the status “Pending diagnostics upload”. The entire action could take a long time, so sit back, relax, and wait for it to complete.

There are three status messages for diagnostic tasks. Let’s see what those are and how those are going to help with Intune troubleshooting.

Completed: Diagnostics were successful and are available for download.

Pending diagnostics Upload: The device is running the diagnostics and will finish shortly, or the device is offline/unreachable and has not received the request. The diagnostics task is good for 12 hours, so if the machine comes online and/or checks into the Intune service, the diagnostic action will be kicked off.

Failed: The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the subkeys inside.

If collecting diagnostics fails, we recommend you run the device action again. If it continues to fail, please open a case with Intune support from the Microsoft Intune admin center.

How to Check the Collect Diagnostics Status

How to Download Intune Logs Diagnostics

Let’s check how to download the Intune diagnostics logs. After the action completes successfully, under the Device diagnostics tab, you can see the status “Complete”. Select the Download button.

Diagnostics are available for download for 28 days and then deleted. Each device can have up to 10 collections stored at one time.

How to Download Intune Logs Diagnostics

The popup will appear with the following message. Clicking on Yes will attempt to download device diagnostics collected from the device.

How to Download Intune Logs Diagnostics

The Diagnostics data zip file is added to your download tray and automatically saved to your computer.

How to Download Intune Logs Diagnostics

Extract the downloaded file. If you use 7Zip to unzip the files, it may return empty folders. This is a known issue with compressed files created by Windows and 7Zip. We recommend using a different tool to unzip the files.

Open the directory to view the data collected from the device, as shown below. You will notice the zip file has many folders. This can be confusing and unfortunate. The Intune Team is working on an update to flatten the folders and simplify the process after diagnostics are gathered.

Note – No personal information is collected. The maximum size of diagnostics is currently 250MB.

The list below is in the same order as the diagnostic zip file. Examining this data can help with diagnosis. Each collection contains the following data:

How to Download Intune Logs Diagnostics | Collect Intune Logs

Registry Keys: The following registry keys are collected by the Intune Device Diagnostics process from the Intune portal.

  • HKLM\SOFTWARE\Microsoft\CloudManagedUpdate
  • HKLM\SOFTWARE\Microsoft\IntuneManagementExtension
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  • HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\SOFTWARE\Policies
  • HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm

Commands: Here is the detailed list of commands run during the Intune device diagnostic process. You will find it useful during the troubleshooting process.

  • %programfiles%\windows defender\mpcmdrun.exe -GetFiles
  • %windir%\system32\certutil.exe -store
  • %windir%\system32\certutil.exe -store -user my
  • %windir%\system32\Dsregcmd.exe /status
  • %windir%\system32\ipconfig.exe /all
  • %windir%\system32\mdmdiagnosticstool.exe
  • %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
  • %windir%\system32\netsh.exe advfirewall show allprofiles
  • %windir%\system32\netsh.exe advfirewall show global
  • %windir%\system32\netsh.exe lan show profiles
  • %windir%\system32\netsh.exe winhttp show proxy
  • %windir%\system32\netsh.exe wlan show profiles
  • %windir%\system32\netsh.exe wlan show wlanreport
  • %windir%\system32\ping.exe -n 50 localhost
  • %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
  • %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

Event Viewers Details Collected using Device Diagnostics

The Windows Event Viewer shows a log of application and system messages, including errors, information messages, and warnings. Let’s now check the Event Viewer details collected using Device Diagnostics.

  • %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
  • %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
  • %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  • %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  • %ProgramData Microsoft Update Health Tools\Logs*.etl
  • %temp%\MDMDiagnostics\battery-report.html
  • %temp%\MDMDiagnostics\energy-report.html
  • %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  • %temp%\MDMDiagnostics\msinfo32.log
  • %windir%\ccm\logs*.log
  • %windir%\ccmsetup\logs*.log
  • %windir%\logs\CBS\cbs.log
  • %windir%\logs\measuredboot*.*
  • %windir%\Logs\WindowsUpdate*.etl
  • %windir%\temp%computername%*.log
  • %windir%\temp\officeclicktorun*.log

Files Collected using the Device Diagnostics Process Intune

The following are the files collected by the Device Diagnostics process in Intune.

  • %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
  • %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
  • %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  • %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  • %temp%\MDMDiagnostics\battery-report.html
  • %temp%\MDMDiagnostics\energy-report.html
  • %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  • %temp%\MDMDiagnostics\msinfo32.log
  • %windir%\ccm\logs*.log
  • %windir%\ccmsetup\logs*.log
  • %windir%\logs\CBS\cbs.log
  • %windir%\logs\measuredboot*.*
  • %windir%\Logs\WindowsUpdate*.etl
  • %windir%\temp%computername%*.log
  • %windir%\temp\officeclicktorun*.log
  • %temp%\CloudDesktop*.log

How to Disable Collect Intune Logs option from Intune Portal Diagnostics

If you don’t want to allow IT admins to collect diagnostics for managed Windows devices, you can disable the Collect diagnostics remote action for all devices. With the global administrator or Intune administrator permission, follow these steps.

  • Sign in to the Microsoft Intune admin center https://intune.microsoft.com/ 
  • Navigate to the Tenant administration –> Device diagnostics.
  • Toggle switch to Disabled.

Diagnostics (Collect Intune Logs) remain available for 30 days, even after you disable the feature, and are then removed.

Disable Collect Intune Logs option from MEM Portal Diagnostics

Known Issue with Intune Device Diagnostics Collection

Let’s quickly check the Microsoft-documented known issues with Intune Device Diagnostics collection. I have experienced some of these myself. The main issue was not related to Intune but rather to the core Windows OS DiagnosticLog CSP.

A timeout may occur on devices without patches KB4601315 or KB4601319. These patches contain a fix to the DiagnosticLog CSP that prevents timeout during upload. After the update installs, make sure to reboot your device.

The Windows device wasn’t able to receive the device action policy from Intune portal within a 24-hour window. If the device is offline or turned off this may cause a failure.
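The checks this page gives for a Failed status (the MdmDiagnostics registry key and its subkeys) and for the upload timeout (KB4601315 / KB4601319) can be gathered in one local triage script. This is an added example, not code from the original post or from Microsoft; the variable names and report layout are assumptions made here, and 18363 is the build number of Windows 10 version 1909.

```powershell
# Added example: run on the affected device in an elevated PowerShell session.
$report = [ordered]@{}

# 1. OS build: device diagnostics needs Windows 10 version 1909 (build 18363) or later.
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$report.OsBuild           = $build
$report.MeetsMinimumBuild = $build -ge 18363

# 2. Patches this page names as carrying the DiagnosticLog CSP timeout fix.
#    Windows cumulative updates supersede one another, so a fully patched
#    device may list a later KB instead; treat a miss as "check patch level".
$kbs = 'KB4601315', 'KB4601319'
$report.NamedFixesFound = @(
    Get-HotFix -Id $kbs -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
)

# 3. Dump the MdmDiagnostics key and every subkey, as advised for a Failed status.
$root   = 'HKLM:\SOFTWARE\Microsoft\MdmDiagnostics'
$values = @()
if (Test-Path -Path $root) {
    $keys = @(Get-Item -Path $root) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    $values = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
    $report.MdmDiagnosticsKeyPresent = $true
} else {
    # No key usually means the device never received or started the action.
    $report.MdmDiagnosticsKeyPresent = $false
}

# Summary first, then the raw registry values for review or a support case.
[pscustomobject]$report | Format-List
$values | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```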


3 thoughts on “Collect Intune Logs from MEM Portal Diagnostic Data”

  1. Yes. I am struggling to parse the WindowsUpdate logs (folder 53). They are not readable in CMTrace and unable to also import in Event Viewer as it's not an ETL or something other.
