Collect Intune logs from Windows Devices

In this blog post, I’ll walk you through the steps to collect Intune logs from Windows devices, helping you analyze and resolve issues efficiently. Troubleshooting Intune-related issues can be challenging without the right logs. Whether you’re diagnosing deployment failures or Intune policy-related issues, having access to Intune logs from Windows devices is crucial.

While you can manually retrieve logs from Intune-managed Windows devices, there are situations where this isn’t practical—such as when you can’t remotely connect to the device. In such cases, Intune offers a built-in solution: the Collect diagnostics remote action in the Intune Admin Center. This feature allows you to remotely gather and download logs without needing direct access to the device.

Prerequisites

  • Windows 10 v1909 or later.
  • Corporate-owned and Intune-managed devices.
  • Device must be online and connected to the internet.
  • Global admin or Intune admin role, or a custom role with the Collect diagnostics permission and Read permission under device compliance policies.

Confirm if Device Diagnostics is Enabled

Before you can collect logs from an Intune-managed device, ensure that device diagnostics is enabled in the Intune admin center. To check and confirm, follow the steps below:

  • Sign in to Intune admin center > Tenant administration > device diagnostics.
  • Ensure that the setting "Device diagnostics are available for corporate-managed devices running Windows 10, version 1909 and later, or Windows 11. Diagnostics may include user identifiable information such as user or device name" is set to Enabled.

Collect Intune Logs of Windows Device

To initiate log collection for a Windows device from the Intune console, follow the steps below:

  • Sign in to Intune admin center > Devices > Windows > select a device.
  • Go to the Overview page, click on the three dots (...) and select Collect diagnostics.
  • You will be prompted for confirmation. Click on Yes. The message reads: "Intune will attempt to collect the diagnostics that are on this device. To download and view the diagnostics, go to Monitor > Device diagnostics. Continue with diagnostics collection?"
  • After you click on Yes, you will see a message on the screen: Collect diagnostics pending. A Device action status entry is also generated with a date and time stamp. Ensure that the device is switched on and connected to the internet for log collection. If the device is offline, the Intune service will not be able to collect logs.
  • After a few minutes, the Device action status for Collect diagnostics will change to Complete. You can now go to Device diagnostics, click on the three dots (...) on the right-hand side, then click on Download.
  • Downloading of the logs in a zip file will start.
  • Extract the zip file to see its contents, as shown in the screenshot below. The archive contains more data than the screenshot shows; the screenshot is for reference only.

Exploring Collected Windows Logs

Now, let’s explore the key files you can analyze for troubleshooting Intune-related issues. One of the most important files is results.xml, which provides a summary of the data collected by the Collect diagnostics action. You’ll find results.xml inside the diagnostics ZIP file. Opening it allows you to review the collected data from the target Windows device. The screenshot below shows the contents of this file.
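
To see at a glance which items in results.xml were not collected, the following added example (not part of the original post) lists every entry with a non-zero result code. It assumes results.xml is a Collection element whose children carry an HRESULT attribute; the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Assumption: results.xml is a <Collection> whose children
# (RegistryKey, Command, FoldersFiles, Events) each carry an HRESULT attribute.
SAMPLE_RESULTS_XML = r"""<Collection HRESULT="0">
  <ID>00000000-0000-0000-0000-000000000000</ID>
  <RegistryKey HRESULT="0">HKLM\SOFTWARE\Microsoft\IntuneManagementExtension</RegistryKey>
  <Command HRESULT="0">%windir%\system32\Dsregcmd.exe /status</Command>
  <Command HRESULT="-2147024637">%windir%\system32\mdmdiagnosticstool.exe</Command>
  <FoldersFiles HRESULT="0">%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*</FoldersFiles>
  <FoldersFiles HRESULT="-2147024894">%windir%\ccm\logs\*.log</FoldersFiles>
  <Events HRESULT="0">System</Events>
</Collection>"""

def hresult_hex(value):
    """Render a signed decimal HRESULT in the usual 0x8007xxxx form."""
    return f"0x{int(value) & 0xFFFFFFFF:08X}"

def summarize_results(xml_text):
    """Return one record per requested item, in document order."""
    # The archive comes from an endpoint, so refuse DTDs before parsing.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("unexpected DOCTYPE in results.xml")
    records = []
    for item in ET.fromstring(xml_text):
        if item.tag == "ID":
            continue
        raw = item.get("HRESULT")
        records.append({
            "type": item.tag,
            "target": (item.text or "").strip(),
            "hresult": hresult_hex(raw) if raw is not None else None,
            "ok": raw is not None and int(raw) == 0,
        })
    return records

def failed_items(records):
    """Items that were requested but did not report success."""
    return [r for r in records if not r["ok"]]

if __name__ == "__main__":
    for r in failed_items(summarize_results(SAMPLE_RESULTS_XML)):
        print(f'{r["hresult"]}  {r["type"]:<12} {r["target"]}')
```

A failed FoldersFiles entry often just means the path does not exist on that device, so read the code before treating it as a collection problem.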

Below are some of the important log files collected by Intune Collect diagnostics. These logs can be found in the folder FoldersFiles ProgramData_Microsoft_IntuneManagementExtension_Logs. Open the folder and analyze the log files below.

  • Intunemanagementextension.log
  • appworkload.log
  • win32appinventory.log
  • agentexecutor.log
  • sensor.log
  • healthscripts.log
  • devicehealthmonitoring.log
  • clientcertcheck.log
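
These logs get long, so it helps to filter them down to warnings and errors first. The following added example (not from the original post) parses entries and keeps only those two severities. It assumes the Intune Management Extension logs use the CMTrace layout, where type="2" is a warning and type="3" an error; the sample lines are constructed.

```python
import re

# Constructed sample lines. Assumption: the log uses the CMTrace layout
# <![LOG[message]LOG]!><time=".." date=".." component=".." ... type="N" thread="N" ...>
SAMPLE_LOG = '''<![LOG[[Win32App] Processing app (id = 00000000-0000-0000-0000-000000000001)]LOG]!><time="09:14:02.1180000" date="3-4-2025" component="IntuneManagementExtension" context="" type="1" thread="14" file="">
<![LOG[[Win32App] Download failed,
retrying after backoff]LOG]!><time="09:14:09.5520000" date="3-4-2025" component="IntuneManagementExtension" context="" type="2" thread="14" file="">
<![LOG[[Win32App] Installer exited with code 1603]LOG]!><time="09:15:41.0030000" date="3-4-2025" component="AppWorkload" context="" type="3" thread="21" file="">
'''

# DOTALL lets a message span several physical lines, as in the second entry.
ENTRY = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" '
    r'type="(?P<type>\d)" thread="(?P<thread>\d+)"',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

def parse_cmtrace(text):
    """Parse CMTrace-style entries into dictionaries, in file order."""
    entries = []
    for m in ENTRY.finditer(text):
        entries.append({
            "when": f'{m["date"]} {m["time"]}',
            "component": m["component"],
            "severity": SEVERITY.get(m["type"], "unknown"),
            "thread": int(m["thread"]),
            # Collapse embedded newlines so each entry prints on one line.
            "message": " ".join(m["message"].split()),
        })
    return entries

def problems(entries):
    """Keep only warnings and errors."""
    return [e for e in entries if e["severity"] in ("warning", "error")]

if __name__ == "__main__":
    for e in problems(parse_cmtrace(SAMPLE_LOG)):
        print(f'{e["when"]} [{e["severity"]}] {e["component"]}: {e["message"]}')
```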

Microsoft has listed the details of the collected zip file diagnostic data on their web page: Data collected. I have also provided it here for quick reference:

Event Viewer files

Below are the event viewer files which are collected by Collect diagnostics:

  • Events Application Events.evtx
  • Events Microsoft-Windows-AppLocker_EXE_and_DLL Events.evtx
  • Events Microsoft-Windows-AppLocker_MSI_and_Script Events.evtx
  • Events Microsoft-Windows-AppLocker_Packaged_app-Deployment Events.evtx
  • Events Microsoft-Windows-AppLocker_Packaged_app-Execution Events.evtx
  • Events Microsoft-Windows-AppXDeployment_Operational Events.evtx
  • Events Microsoft-Windows-AppXDeploymentServer_Operational Events.evtx
  • Events Microsoft-Windows-AppxPackaging_Operational Events.evtx
  • Events Microsoft-Windows-Bitlocker_Bitlocker_Management Events.evtx
  • Events Microsoft-Windows-HelloForBusiness_Operational Events.evtx
  • Events Microsoft-Windows-SENSE_Operational Events.evtx
  • Events Microsoft-Windows-SenseIR_Operational Events.evtx
  • Events Microsoft-Windows-Shell-Core_Operational Events.evtx
  • Events Microsoft-Windows-Windows_Firewall_With_Advanced_Security_Firewall Events.evtx
  • Events Microsoft-Windows-WinRM_Operational Events.evtx
  • Events Microsoft-Windows-WMI-Activity_Operational Events.evtx
  • Events Setup Events.evtx
  • Events System Events.evtx

Registry Keys

  • HKLM\SOFTWARE\Microsoft\CloudManagedUpdate
  • HKLM\SOFTWARE\Microsoft\EPMAgent
  • HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceHealthMonitoring
  • HKLM\SOFTWARE\Microsoft\IntuneManagementExtension
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  • HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\SOFTWARE\Microsoft\DeviceInventory
  • HKLM\SOFTWARE\Policies
  • HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
  • HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm
  • HKLM\SYSTEM\Setup\SetupDiag\Results

Commands

  • %programfiles%\windows defender\mpcmdrun.exe -GetFiles
  • %windir%\system32\certutil.exe -store
  • %windir%\system32\certutil.exe -store -user my
  • %windir%\system32\Dsregcmd.exe /status
  • %windir%\system32\ipconfig.exe /all
  • %windir%\system32\mdmdiagnosticstool.exe
  • %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
  • %windir%\system32\netsh.exe advfirewall show allprofiles
  • %windir%\system32\netsh.exe advfirewall show global
  • %windir%\system32\netsh.exe lan show profiles
  • %windir%\system32\netsh.exe winhttp show proxy
  • %windir%\system32\netsh.exe wlan show profiles
  • %windir%\system32\netsh.exe wlan show wlanreport
  • %windir%\system32\ping.exe -n 50 localhost
  • %windir%\system32\pnputil.exe /enum-drivers
  • %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
  • %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

Files

  • %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
  • %ProgramFiles%\Microsoft EPM Agent\Logs\*.*
  • %Program Files%\Microsoft Device Inventory Agent\Logs
  • %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
  • %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  • %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  • %ProgramData%\USOShared\logs\system\*.etl
  • %ProgramData Microsoft Update Health Tools\Logs\*.etl
  • %temp%\CloudDesktop*.log
  • %temp%\MDMDiagnostics\battery-report.html
  • %temp%\MDMDiagnostics\energy-report.html
  • %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  • %temp%\MDMDiagnostics\msinfo32.log
  • %windir%\ccm\logs\*.log
  • %windir%\ccmsetup\logs\*.log
  • %windir%\logs\CBS\cbs.log
  • %windir%\logs\measuredboot\*.*
  • %windir%\logs\Panther\unattendgc\setupact.log
  • %windir%\logs\SoftwareDistribution\ReportingEvent\measuredboot\*.log
  • %windir%\Logs\SetupDiag\SetupDiagResults.xml
  • %windir%\logs\WindowsUpdate\*.etl
  • %windir%\SensorFramework*.etl
  • %windir%\system32\config\systemprofile\AppData\Local\mdm\*.log
  • %windir%\temp%computername%*.log
  • %windir%\temp\officeclicktorun*.log
  • %TEMP%\winget\defaultstate*.log

Disable Collect diagnostics Remote Action

You can also disable the collection of diagnostics information from Intune-managed devices. To disable the Collect diagnostics remote action, follow the steps below:

  • Sign in to Intune admin center > Tenant administration > device diagnostics.
  • Set "Device diagnostics are available for corporate-managed devices running Windows 10, version 1909 and later, or Windows 11. Diagnostics may include user identifiable information such as user or device name" to Disabled.

Collect Diagnostics logs Automatically for Autopilot

If there is a failure during Autopilot, it's difficult to collect diagnostics logs because you might not have access to the system yet. By default, Intune automatically captures the diagnostics log information if there is a failure during the Autopilot process.

To ensure that the Autopilot logs are automatically captured, confirm that the setting "Automatically capture diagnostics when devices experience a failure during the Autopilot process on Windows 10 version 1909 or later and Windows 11. Diagnostics may include user identifiable information such as user or device name" is Enabled.

To download the diagnostic logs for Autopilot when the automatic capture setting is enabled and there is an Autopilot failure, follow the steps below:

  • Sign in to Intune admin center > Devices > Windows > select a device.
  • Select Device diagnostics > Download.