Feature in Preview! Collect Device Diagnostic Logs with MEM Intune

Feature in Preview! Collect Diagnostics from Intune

There are many new additions and improvements that are coming to Microsoft Intune with the Service Release 2102 and one of them is the ability to collect diagnostic logs from managed Windows 10 endpoints via remote action from the MEM Admin portal.

Check out all that's new with the latest service release here.

This blog post, however, focuses on the new remote action that is being made available: Collect Diagnostic Logs.

Initiate Diagnostic Log Collection from Intune – MEM Admin portal

Previously, except for collecting IME logs for failed Win32 app deployments, there was no simple way to collect complete device diagnostics remotely from the admin portal.

To achieve the same, solutions had to use an Azure Blob storage account to which the collected diagnostics were uploaded from the endpoint and retrieved later. This is documented here by Oliver Kieselbach.

But with this new development, such solutions are no longer required, since Intune now natively allows you to collect diagnostic logs from a Windows 10 endpoint and retrieve them, all remotely from the MEM Admin portal.

Requirements for Device Diagnostics

As an admin, you require one of the following roles assigned to your account to initiate a device diagnostic collection request:

  • Global Admin role,
  • Intune Admin role,
  • School Administrator,
  • Help Desk Operator, or
  • a custom role that has the Collect diagnostics permission assigned.

The device also needs to meet the following requirements:

  • Endpoints running Windows 10 version 1909 or later.
  • The device must be online and active, and must not have any connection issues related to WNS (if behind a firewall/proxy network).
  • The device must be designated as Corporate-Owned. [AAD joined or Hybrid AAD joined devices]

So as an IT Admin, where will you find this option?

  • In the MEM Admin Portal, navigate to Devices > Windows (from Platform) > Windows Devices > Select the device for which you would like to collect diagnostic logs.
Initiate Diagnostic Log Collection from Intune - MEM Admin portal
  • Click on the 3 dots on the right side and from the menu list, click on Collect diagnostics.
Initiate Diagnostic Log Collection from Intune - MEM Admin portal
  • You will get a confirmation dialog box like this. Click on Yes.
Initiate Diagnostic Log Collection from Intune - MEM Admin portal

Now you will have to show some patience while Intune actually collects the diagnostic logs from the device. Once done, they will be available under Monitor > Device diagnostics.

Initiate Diagnostic Log Collection from Intune - MEM Admin portal

Now, while Intune was doing its work of collecting the diagnostic data from the device, I went ahead and looked at the Graph API calls it made to trigger the actions.

Request URL: https://graph.microsoft.com/beta/deviceManagement/managedDevices('2cd14dd9-07e0-4fbf-9f1d-9aaef8363bde')/createDeviceLogCollectionRequest 
Request Method: POST
Status Code: 200 OK 

And the accompanying GET call to query the device action status:

Request URL: https://graph.microsoft.com/beta/deviceManagement/manageddevices('2cd14dd9-07e0-4fbf-9f1d-9aaef8363bde')?$select=deviceactionresults,managementstate
Request Method: GET
Status Code: 200 OK

If you are interested, here is the Graph API documentation for createDeviceLogCollectionRequest.

I would guess that on the endpoint, this should be facilitated via the DiagnosticLog CSP v1.4 which adds the DiagnosticArchive functionality that is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.

Download collected Diagnostic Log from Intune – MEM Admin portal

When Intune finishes collecting diagnostic data from the endpoint, sadly, no alert is provided.

As an Admin, you would need to go back to the device and then from under the Monitor section, select Device diagnostics (Preview), and then, if the action is complete, you get the Download button as can be seen below.

Download collected Diagnostic Log from Intune - MEM Admin portal

The downloaded zip file is named "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip", which matches the format documented for the DiagnosticLog CSP, so it becomes clear that the feature is actually using that CSP.

Extracting it, you get a folder with numbered sub-folders like this:

Collected Diagnostic Log Zip File Content

Now, the sub-folders are all numbered, so at a glance it is hard to tell which folder contains what information.

However, the Microsoft documentation of the DiagnosticLog CSP already shows how you can use the results.xml file included in the archive with PowerShell to get a more human-friendly view of what each numbered folder contains.

Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++} 
Using PS to understand the contents of the numbered folders

Or you can use the other PS example shown in the same document to get a flatter view like this:

Using PS to understand the contents of the numbered folders

This way, it is more human-friendly to look at the collected logs.

Still, for your quick reference:

  • folder number 39 -> contains IME logs
  • folder number 44 -> contains the MDM logs cab file
  • folder number 45 -> contains msinfo32 information

Quick Look into Registry for debugging Failed requests

Information related to device diagnostics collection requests can be seen in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics.

Checking Diagnostics collection request details on the endpoint using Windows registry

Every collection request has its own RunId and creates a sub-key named with a GUID, which corresponds to the ID present in the value of the Results registry item.

Notice that HRESULT=0 in the value of the Results item generally signifies that the request has completed successfully.

If you check the value of the XML key, you can get an idea of what is actually being collected.

<Collection>
  <ID>ac0d3519-6b20-xxxx-xxxx-66db0daa1a5d</ID>
  <SasUrl><![CDATA[https://lgmsvcsapesea.blob.core.windows.net/d70bf40e-1822-44b4-xxxx-0cc777c5bf70/2cd14dd9-xxxx-4fbf-9f1d-9aaef8363bde/ac0d3519-6b20-xxxx-af87-66db0daa1a5d?sv=2018-03-28&sr=c&sig=pi4LEU5IUvq3uhuK3NLEod%2FGhVzLpkM0BoXdbq2M3E8%3D&se=2021-03-05T04%3A49%3A44Z&sp=rw]]></SasUrl>

  <RegistryKey>HKLM\Software\Microsoft\IntuneManagementExtension</RegistryKey>
  <RegistryKey>HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot</RegistryKey>
  <RegistryKey>"HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection"</RegistryKey>
  <RegistryKey>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI</RegistryKey>
  <RegistryKey>"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"</RegistryKey>
  <RegistryKey>HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall</RegistryKey>
  <RegistryKey>HKLM\Software\Policies</RegistryKey>
  <RegistryKey>HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL</RegistryKey>
  <RegistryKey>"HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"</RegistryKey>
  <RegistryKey>HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall</RegistryKey>
  <RegistryKey>HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL</RegistryKey>

  <Command>%programfiles%\windows defender\mpcmdrun.exe -GetFiles</Command>
  <Command>%windir%\system32\certutil.exe -store</Command>
  <Command>%windir%\system32\certutil.exe -store -user my</Command>
  <Command>%windir%\system32\Dsregcmd.exe /status</Command>
  <Command>%windir%\system32\ipconfig.exe /all</Command>
  <Command>%windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;tpm;HololensFallbackDeviceOwner -cab %temp%\MDMDiagnostics\mdmlogs-2021-03-04-16-49-44.cab</Command>
  <Command>%windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log</Command>
  <Command>%windir%\system32\netsh.exe advfirewall show allprofiles</Command>
  <Command>%windir%\system32\netsh.exe advfirewall show global</Command>
  <Command>%windir%\system32\netsh.exe lan show profiles</Command>
  <Command>%windir%\system32\netsh.exe winhttp show proxy</Command>
  <Command>%windir%\system32\netsh.exe wlan show profiles</Command>
  <Command>%windir%\system32\netsh.exe wlan show wlanreport</Command>
  <Command>%windir%\system32\ping.exe -n 50 localhost</Command>
  <Command>%windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html</Command>
  <Command>%windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html</Command>

  <Events>Application</Events>
  <Events>Microsoft-Windows-AppLocker/EXE and DLL</Events>
  <Events>Microsoft-Windows-AppLocker/MSI and Script</Events>
  <Events>Microsoft-Windows-AppLocker/Packaged app-Deployment</Events>
  <Events>Microsoft-Windows-AppLocker/Packaged app-Execution</Events>
  <Events>Microsoft-Windows-Bitlocker/Bitlocker Management</Events>
  <Events>Microsoft-Windows-SENSE/Operational</Events>
  <Events>Microsoft-Windows-SenseIR/Operational</Events>
  <Events>Setup</Events>
  <Events>System</Events>

  <FoldersFiles>%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl</FoldersFiles>
  <FoldersFiles>%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*</FoldersFiles>
  <FoldersFiles>%ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab</FoldersFiles>
  <FoldersFiles>%ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html</FoldersFiles>
  <FoldersFiles>%temp%\MDMDiagnostics\battery-report.html</FoldersFiles>
  <FoldersFiles>%temp%\MDMDiagnostics\energy-report.html</FoldersFiles>
  <FoldersFiles>%temp%\MDMDiagnostics\mdmlogs-2021-03-04-16-49-44.cab</FoldersFiles>
  <FoldersFiles>%temp%\MDMDiagnostics\msinfo32.log</FoldersFiles>
  <FoldersFiles>%windir%\ccm\logs\*.log</FoldersFiles>
  <FoldersFiles>%windir%\ccmsetup\logs\*.log</FoldersFiles>
  <FoldersFiles>%windir%\logs\CBS\cbs.log</FoldersFiles>
  <FoldersFiles>%windir%\logs\measuredboot\*.*</FoldersFiles>
  <FoldersFiles>%windir%\Logs\WindowsUpdate\*.etl</FoldersFiles>

  <ClientTimeoutInSeconds>5400</ClientTimeoutInSeconds>
</Collection>
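As an added example (not code from the original post or from Microsoft), the following PowerShell turns that Collection XML and the Results value into a one-object summary of a request: what it was asked to gather, whether it reported HRESULT=0, and when its upload SAS URL expires. The registry layout is assumed from the post's description (one GUID sub-key per request holding "XML" and "Results" values); the sample XML at the end is constructed from the post's own document with the storage host and signature replaced.

```powershell
# Added example, not from the post or Microsoft. Summarise a Collect diagnostics request
# from the <Collection> XML Intune writes under HKLM\SOFTWARE\Microsoft\MdmDiagnostics\<GUID>.
# Assumed from the post: each sub-key has an "XML" value (the document) and a "Results"
# value whose text contains "HRESULT=<n>".
function Get-DiagCollectionSummary {
    param([Parameter(Mandatory)][string]$CollectionXml, [string]$ResultsText = '')
    $c = ([xml]$CollectionXml).Collection
    # Each directive becomes one numbered folder in the archive, in document order
    $directives = $c.SelectNodes('RegistryKey | Command | Events | FoldersFiles')
    $hr = if ($ResultsText -match 'HRESULT=(?<h>-?\d+|0x[0-9A-Fa-f]+)') { [int64]$Matches.h } else { $null }
    # "se" is the signed-expiry parameter of an Azure SAS URL; uploads after it are rejected
    $sas    = $c.SelectSingleNode('SasUrl').InnerText
    $expiry = if ($sas -match 'se=([^&]+)') { [datetime][uri]::UnescapeDataString($Matches[1]) } else { $null }
    [pscustomobject]@{
        RequestId       = $c.SelectSingleNode('ID').InnerText
        Succeeded       = ($hr -eq 0)
        HRESULT         = $hr
        DirectiveCount  = $directives.Count
        RegistryKeys    = @($c.SelectNodes('RegistryKey')).Count
        Commands        = @($c.SelectNodes('Command')).Count
        EventLogs       = @($c.SelectNodes('Events')).Count
        FilePatterns    = @($c.SelectNodes('FoldersFiles')).Count
        TimeoutSeconds  = [int]$c.SelectSingleNode('ClientTimeoutInSeconds').InnerText
        UploadUrlExpiry = $expiry
    }
}

function Get-MdmDiagnosticsRequests {
    # Walk the request sub-keys on the endpoint itself (needs read access to HKLM)
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\MdmDiagnostics' -ErrorAction Stop | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        if ($v.XML) { Get-DiagCollectionSummary -CollectionXml $v.XML -ResultsText ([string]$v.Results) |
                      Add-Member -NotePropertyName RunId -NotePropertyValue $_.PSChildName -PassThru }
    }
}

# Constructed sample, cut down from the <Collection> in the post; storage host and signature replaced
$sample = @'
<Collection>
  <ID>ac0d3519-6b20-xxxx-xxxx-66db0daa1a5d</ID>
  <SasUrl><![CDATA[https://example.blob.core.windows.net/container/path?sv=2018-03-28&sr=c&se=2021-03-05T04%3A49%3A44Z&sp=rw]]></SasUrl>
  <RegistryKey>HKLM\Software\Microsoft\IntuneManagementExtension</RegistryKey>
  <Command>%windir%\system32\Dsregcmd.exe /status</Command>
  <Events>Application</Events>
  <FoldersFiles>%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*</FoldersFiles>
  <ClientTimeoutInSeconds>5400</ClientTimeoutInSeconds>
</Collection>
'@
Get-DiagCollectionSummary -CollectionXml $sample -ResultsText 'HRESULT=0' | Format-List
```

On a managed endpoint, `Get-MdmDiagnosticsRequests` produces the same summary for every request sub-key, which is a quick way to see a non-zero HRESULT or an already-expired upload URL when a portal request stays pending.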

And if you do not want to allow IT admins to collect diagnostics from endpoints in your environment, due to privacy or similar concerns, you can disable the feature for the tenant.

Navigate to Tenant Administration > Device diagnostics (Preview) and toggle the switch to Disabled.

If you do not want to allow IT admins to collect diagnostics in your environment, you can disable the feature for the tenant.

The End

The ability to collect diagnostic logs from endpoints remotely from the MEM Admin portal is a long-awaited feature and a very welcome addition to the MEM remote device actions arsenal.