Intune Win32 App Failure Log Collection Backend Secrets

Today, I will talk about the Intune Win32 app log collection back-end process in this post. This Intune log collection feature got introduced in Feb 2019.

The Intune Win32 App Failure Log Collection is natively supported within Intune.

More Details about Intune Win32 App DeploymentIntune Management Extension (Win32 App) Level 3 Troubleshooting Guide Intune win32 App

Introduction

The Intune Management Extension (IME/Win32 App) log collection feature is available only for Win32 apps with a failed instance.

Patch My PC

If the Intune Win32 app is successfully installed on the end device, the status you can check from Intune > Devices > All Devices > Search for the device > Managed Apps, there would be no button “Collect log.”

The collect log button is only visible if the Win32 app reports a failure in Intune.

Collect Logs Intune Non-Win32 Apps Deployments

Collecting client logs (Windows platform) remotely is not available in Intune. The purpose can be achieved with Azure Log Analytics.

This process requires an active Azure subscription to collect Intune Managed Windows Clients logs. You can read about it here.

Adaptiva

With Windows 10 1903, Microsoft updated the DiagnosticLog CSP (v 1.4), which makes it possible to collect log files from Windows 10 via MDM (Microsoft documentation update for this CSP is yet to be made).

But as of now, this works in conjunction with Azure Blob Storage, so that you would require a subscription to an Azure Storage Account. This has already been covered in detail by Oliver Kieselbach in his blog post here in detail.

Procedure to Collect Log

The following is the process of collecting logs from a failed Intune Win32 App assignment. The collect log button won’t be enabled if the Win32 app installation is successful on the client device.

  • Intune > Devices > All Devices > Search for the device > Managed Apps,
  • Clicks on the Collect log button
Intune Win32 App Failure Log Collection - Process
Intune Win32 App Failure Log Collection – Process
  • Provide the folder path from where the log will be retrieved and click on OK
 Intune Win32 App Failure Log Collection - Folder Path
Intune Win32 App Failure Log Collection – Folder Path

Pre-requisites to Intune Win32 App Failure Log Collection

  • The user needs to be active on the end device for 2 hours.
  • Exact <FileName> along with full path details needs to be provided to Intune to be able to retrieve the log.

Once Intune has retrieved the logs, you will get the Download options in the same section if the above criteria are met.

Intune Win32 App Failure Log Collection - prerequisites
Intune Win32 App Failure Log Collection – prerequisites

How Intune Collect Log works in the Backend

The following are Intune’s calls to Windows clients to complete the Intune Win32 App Failure Log Collection process.

Intune Portal

Admin specifies data collection (essentially the IME/Win32 app logs). Internally, Intune creates a mobileAppTroubleshootingEvents object via a Graph POST call.

 RequestURL: https://graph.microsoft.com/beta/users('<User_GUID>')/mobileAppTroubleshootingEvents
Request method: POST
Version: HTTP/1.1
POST Data 
{
    "id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>"
}
Response
HTTP/1.1 200/201 OK
Content-Type: application/json 
Content-Length: #
{
"@odata.type": "#microsoft.graph.mobileAppTroubleshootingEvent", 
"id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>"
} 

NOTE!The mobileAppTroubleshootingEvents objects are created in the Azure Storage Account of the Intune subscription. The object id is in the format <User_GUID>_<mdmDevice_GUID>_<App_GUID>

Intune Backend Post Call

With the mobileAppTroubleshootingEvents object id, Intune creates a appLogCollectionRequests event, also a POST call.

RequestURL: https://graph.microsoft.com/beta/users('<User_GUID>')/mobileAppTroubleshootingEvents('<ObjectID>')/appLogCollectionRequests
Request method: POST
Version: HTTP/1.1
POST Data
{
  "customLogFolders": [
    "Custom Log Folders value"
  ],
  "id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>"
}
Response
HTTP/1.1 200/201 OK
 Content-Type: application/json
 Content-Length: #
{
   "@odata.type": "#microsoft.graph.appLogCollectionRequest",
   "id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>",
   "status": "completed/pending/failed",
   "errorMessage": "Error Message value",
   "customLogFolders": [
     "Custom Log Folders value"
   ],
   "completedDateTime": ""
 } 

Intune Backend Tracking the Status

This results in a PUSH from Intune. Intune also generates a GET call simultaneously to track the status.

RequestURL: https://graph.microsoft.com/beta/users('User_GUID')/mobileAppTroubleshootingEvents('mobileAppTorubleshootingEvents_Obejct_ID')/appLogCollectionRequests/<appLogCollectionEvents_ID>
Version: HTTP/1.1
Request method: GET
Response
HTTP/1.1 200/201 OK
 Content-Type: application/json
 Content-Length: #
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users('User_GUID')/mobileAppTroubleshootingEvents('id')/appLogCollectionRequests/$entity",
"id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>",
"status": "pending",
"errorMessage": "0",
"customLogFolders": [
"Custom Log Folders value"
],
"completedDateTime": ""
} 

Intune Management Extension (IME) agent Jason Post

Intune Management Extension (IME) agent at client side processes the log collection (Intune Win32 App Failure Log Collection) using the JSON value as provided in the POST call (Log flow is copied below).

RequestURL: https://graph.microsoft.com/beta/users('User_GUID')/mobileAppTroubleshootingEvents('mobileAppTorubleshootingEvents_Obejct_ID')/appLogCollectionRequests/<appLogCollectionEvents_ID>
Version: HTTP/1.1
Request method: GET
Response
HTTP/1.1 200/201 OK
 Content-Type: application/json
 Content-Length: #
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#users('User_GUID')/mobileAppTroubleshootingEvents('id')/appLogCollectionRequests/$entity",
"id": "<User_GUID>_<mdmDevice_GUID>_<App_GUID>",
"status": "pending",
"errorMessage": "0",
"customLogFolders": [
"Custom Log Folders value"
],
"completedDateTime": ""
} 

IME log entries showing the log collection request as being processed

Using the JSON value as provided in the POST call above (Log flow is copied below).

 [Policy] Get 1 policies for user <User_GUID>  in session #
[AppLogUploadRequest] Start Processing log collection for device <Device SID> user <User_GUID>        
[AppLogUploadRequest] Start processing AppLogUploadRequest for application <App_GUID>
[AppLogUploadRequest] IT Pro inputFolder/Files has 1 and distinctInputFolder/Files has 1 [currently only supports file path]
[AppLogUploadRequest] Enterring GetFullPathAndCheckTypeCoreLogicRegular for path C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
[AppLogUploadRequest] File C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log of full file path C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log is valid.        
[AppLogUploadRequest] File C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\_IntuneManagementExtension.log is valid to be collected.
[AppLogUploadRequest] zipFileName is C:\WINDOWS\TEMP\907fbd5e-b239-4541-9c69-e3fb04c7e149-5a38177e-c174-401b-a001-ad374c412c81-48027ae1-9129-4b43-ab3c-c0c0c8f41f1a-8eb1658a-61c4-4824-93a8-0b9a8c4c803d as accoundId-userId-deviceId-applicationId
[AppLogUploadRequest] Has 2 valid and distinct files to upload
[AppLogUploadRequest] Enterring ZipArchiveCoreLogic for fileC:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
[AppLogUploadRequest] Catching IOException which could because of still being processed by another thread
[AppLogUploadRequest] Enterring ZipArchiveCoreLogic for file C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\_IntuneManagementExtension.log
[AppLogUploadRequest] 3 files added to the zip
[AppLogUploadRequest] Encrypted zip file size is 334 KB
[AppLogUploadRequest] C:\WINDOWS\TEMP\907fbd5e-b239-4541-9c69-e3fb04c7e149-5a38177e-c174-401b-a001-ad374c412c81-48027ae1-9129-4b43-ab3c-c0c0c8f41f1a-8eb1658a-61c4-4824-93a8-0b9a8c4c803dEncrypted.zip Status is : 5

Upload URL Details for IME Client

The PUSH from Intune also contains another important thing – the upload URL which the IME will use to upload the processed log.

 [GenericPolicy] Sending  results to service. session RequestPayload:      [{"PolicyType":4,"ResultPayload":"{\"AccountId\":\"\",\"UserId\":\"\",\"DeviceId\":\"\",\"ApplicationId\":\"\",\"UploadLastRequstedTime\":\"\",\"UploadSASUrl\":\"https://lgmsvcsapeweu.blob.core.windows.net/####/####/637025025070097599.zip?sv=2018-03-28\\u0026sr=b\\u0026sig=Ro8O8BAxORBV9aKM5BA4ypk%2BsceG4cqJ8OZmyy%2BWO7c%3D\\u0026se=2019-08-27T16%3A35%3A07Z\\u0026sp=rw\",\"UploadPublicKey\":\"\\u003cRSAKeyValue\\u003e\\u003cModulus\\u003euc5ggCV2vFChjKM3dvInc7DTuPZLz1fbU3U31EYx56Gh8OD/Zf6FT/Czd2kVAuKnHhd03e\",\"UploadFolders\":\"C:\\\\ProgramData\\\\Microsoft\\\\IntuneManagementExtension\\\\Logs\\\\IntuneManagementExtension.log\",\"UploadState\":5,\"UploadCompletedTime\":\"\",\"UploadLastAttemptedTime\":\"\",\"UploadLastErrorCode\":0,\"ACK\":false}"}]
[GenericPolicy] Results are successfully sent.

Intune Makes A Download URL – Collect Log

As IME completes the log upload process, the GET call reports status as Success, and Intune generates another POST call to create the Download URL.

Now the Intune Win32 App Failure Log Collection process is completed. The Intune admin can download the Win32 App failure log from the Intune portal.

RequestURL: https://graph.microsoft.com/beta/users('User_GUID')/mobileAppTroubleshootingEvents('mobileAppTorubleshootingEvents_Obejct_ID')/appLogCollectionRequests/<appLogCollectionEvents_ID>/createDownloadUrl
Version: HTTP/1.1
Request method: POST
Response
HTTP/1.1 200/201 OK
 Content-Type: application/json
 Content-Length: #
{
  "value": {
    "@odata.type": "microsoft.graph.appLogCollectionDownloadDetails",
    "downloadUrl": "https://example.com/downloadUrl/",
    "decryptionKey": "Decryption Key value",
    "appLogDecryptionAlgorithm": "aes256"
  }
} 

Resources

1 thought on “Intune Win32 App Failure Log Collection Backend Secrets”

  1. Hi Joymalya,
    This is a great post. I wanted to understand that if there is a way to give custom permissions to users to be able to collect Win32 logs through Intune RBAC.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.