In this post I will show you how to collect Device Diagnostics logs using the Intune portal. The MEM admin center can collect the diagnostics logs remotely from the device.

Collecting the diagnostics logs through the portal lets you get the logs remotely without disturbing the user. Diagnostics logs are stored for 28 days, and we can keep up to 10 collections of these logs.

Verify Device diagnostics is enabled

Make sure Device diagnostics is turned on. Log in to the MEM admin center and navigate to Tenant administration > Diagnostics settings.

The setting "Device diagnostics are available for corporate-managed devices running Windows 10, version 1909 and later, or Windows 11" should be Enabled.

Initiate Device Diagnostics on Intune portal

In the MEM admin center, navigate to Devices and click on the specific device. With the Overview option selected, click on Collect diagnostics.

Click Yes to start collecting the diagnostics logs.

Under Notifications you will see the message "Collect diagnostics initiated".

Allow some time. You can check the status by clicking on Device diagnostics under the same device.

The Status shows as Pending diagnostics upload. If the device is online and reporting back to the portal, it should collect the logs within the next 20 minutes.

The status might instead show as Failed with the following message:


The diagnostic upload failed because it timed out. This is a known issue for devices that don't have the Windows KB4601315 or KB4601319 installed.

The following steps are recommended:

Install either KB4601315 or KB4601319, depending on the OS type. Then reboot the device and retry.

Once the above prerequisite is met, the Device diagnostics status shows as Complete and is ready to download. Click on it to download a local copy of the file, which is in zip format.
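A local pre-check for the timeout failure described above, as an added example that is not part of the original post or of Intune itself. The function name `Test-DiagnosticsPrereq`, the build number 18363 for Windows 10 version 1909, and the use of the Component Based Servicing `RebootPending` key as a reboot indicator are assumptions of this example.

```powershell
# Added example: run locally on the Windows device before retrying Collect diagnostics.
# Reports the OS build, whether either KB from the portal error is installed,
# and whether a servicing reboot is still pending.

function Test-DiagnosticsPrereq {
    [CmdletBinding()]
    param(
        # KB ids taken from the portal error message quoted in this post.
        [string[]]$RequiredKb = @('KB4601315', 'KB4601319'),
        # Assumption: build 18363 corresponds to Windows 10, version 1909.
        [int]$MinBuild = 18363
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Get-HotFix reports an error when an id is not found, so suppress it
    # and treat "nothing returned" as "neither KB listed".
    $found = @(Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty HotFixID)

    # Assumption: this key exists while a servicing reboot is outstanding.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Caption       = $os.Caption
        Build         = $build
        BuildOk       = $build -ge $MinBuild
        InstalledKb   = $found -join ', '
        # False only means neither id is listed; a later cumulative update
        # that replaced these packages will not appear under these ids,
        # so check the update history before concluding the fix is missing.
        KbListed      = $found.Count -gt 0
        PendingReboot = Test-Path -Path $rebootKey
    }
}

Test-DiagnosticsPrereq | Format-List
```

If `PendingReboot` is True after installing the update, reboot before retrying the collection, as the steps above recommend.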

What is included in Device Diagnostics

Extract the content from the zip file. The following information is collected as part of Device Diagnostics.

Registry Keys:

  1. HKLM\Software\Microsoft\IntuneManagementExtension
  2. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  3. HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  7. HKLM\Software\Policies
  8. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
  9. HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  10. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  11. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Commands:

  1. %programfiles%\windows defender\mpcmdrun.exe -GetFiles
  2. %windir%\system32\certutil.exe -store
  3. %windir%\system32\certutil.exe -store -user my
  4. %windir%\system32\Dsregcmd.exe /status
  5. %windir%\system32\ipconfig.exe /all
  6. %windir%\system32\mdmdiagnosticstool.exe
  7. %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
  8. %windir%\system32\netsh.exe advfirewall show allprofiles
  9. %windir%\system32\netsh.exe advfirewall show global
  10. %windir%\system32\netsh.exe lan show profiles
  11. %windir%\system32\netsh.exe winhttp show proxy
  12. %windir%\system32\netsh.exe wlan show profiles
  13. %windir%\system32\netsh.exe wlan show wlanreport
  14. %windir%\system32\ping.exe -n 50 localhost
  15. %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
  16. %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

Event Viewers:

  1. Application
  2. Microsoft-Windows-AppLocker/EXE and DLL
  3. Microsoft-Windows-AppLocker/MSI and Script
  4. Microsoft-Windows-AppLocker/Packaged app-Deployment
  5. Microsoft-Windows-AppLocker/Packaged app-Execution
  6. Microsoft-Windows-AppxPackaging/Operational
  7. Microsoft-Windows-Bitlocker/Bitlocker Management
  8. Microsoft-Windows-HelloForBusiness/Operational
  9. Microsoft-Windows-SENSE/Operational
  10. Microsoft-Windows-SenseIR/Operational
  11. Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  12. Setup
  13. System

Files:

  1. %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
  2. %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
  3. %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  4. %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  5. %temp%\MDMDiagnostics\battery-report.html
  6. %temp%\MDMDiagnostics\energy-report.html
  7. %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  8. %temp%\MDMDiagnostics\msinfo32.log
  9. %windir%\ccm\logs\*.log
  10. %windir%\ccmsetup\logs\*.log
  11. %windir%\logs\CBS\cbs.log
  12. %windir%\logs\measuredboot\*.*
  13. %windir%\Logs\WindowsUpdate\*.etl
  14. %windir%\temp\%computername%*.log
  15. %windir%\temp\officeclicktorun*.log

Important Links

https://docs.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics