Collect Intune Logs from MEM Portal Diagnostic Data

In this post, you will learn more details about how to collect Intune logs using the MEM portal. This is helpful to collect Intune logs from Windows 10 and Windows 11. All the troubleshooting related to Intune and MDM can be done using these diagnostic logs.

The diagnostic logs contain MDM event logs, Intune Management Extension logs, registry values, etc. These logs help Intune admins understand the exact issue with Windows 10 or Windows 11 devices.

Let’s see what the improvements are in Intune. Learn more about How to Collect Windows 10 Diagnostics Information from Intune Portal. Microsoft has enabled a public preview of the Windows 10 Device diagnostics feature to Collect Diagnostics from Windows devices with Remote Action.


The Collect diagnostics remote action lets you collect and download Windows device logs without interrupting the user. Are you worried about privacy? Don’t worry: the action can access only non-user locations and file types, so no personal information is collected.


Intune Logs Collection from MEM Portal Prerequisites

Collecting Intune logs from the MEM portal has some prerequisites. The Collect diagnostics remote action is supported for:

Client requirements – Let’s see what the client-side requirements are from where you are accessing the Intune or MEM portal.

  • Desktop: Windows 10 1909 / 19H2 or later (Home, Pro, Enterprise and Education versions) supported.
  • HoloLens 2: Windows 10 2004 / 20H1 or later.
  • Device must be online, be available via the internet and Windows Push Notification Service (WNS) must have access to the machine.

Intune requirements – Let’s have a look at the Intune RBAC-related permissions required to collect Intune logs from the MEM portal.

  • To initiate device diagnostics, you must be assigned the Global Admin role, Intune Admin role, School Administrator, Help Desk Operator, or have the Collect diagnostics permission assigned to a custom role.

The device you’d like to collect diagnostics from must be designated as Corporate-Owned.

Collect Intune Logs from MEM Portal

Let’s go through the process – Collect Intune Logs from MEM Portal. Make sure you already have all the prerequisites in place.

Sign in to the Microsoft Endpoint Manager admin center https://endpoint.microsoft.com/. Navigate to Devices – Windows. All the Windows devices that you manage are listed here. Select the device from the list to collect diagnostics.


Open the individual device blade. On the device’s Overview page, select and click Collect diagnostics.


The popup will appear with the following message. Clicking on Yes will attempt to collect the diagnostics from the selected device.


A notification will appear automatically in the top right-hand corner with the message Collect diagnostics initiated. You can also see the status by selecting the notification icon.


A pending notification appears on the device’s Overview page. Under Device action status you can also see the status.


How to Check the Collect Diagnostics Status

To see the complete status of the action, select Device diagnostics (Preview). Here you can see the status “Pending diagnostics upload”. The entire action could take a long time, so sit back, relax, and wait for it to complete.

There are three status messages for diagnostic tasks. Let’s see what they are and how they help with Intune troubleshooting.

Completed: Diagnostics were successful and are available for download.

Pending diagnostics Upload: The device is running the diagnostics and will finish shortly, or the device is offline/unreachable and has not received the request. The diagnostics task is good for 12 hours, so if the machine comes online and/or checks into the Intune service, the diagnostic action will be kicked off.

Failed: The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the subkeys inside.

If collecting diagnostics fails, we recommend you run the device action again. If it continues to fail, please open a case with Intune support from the Endpoint Manager admin center.
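To review the MdmDiagnostics key and its subkeys on a device where the collection failed, the following PowerShell lists every value under it. This is an added example, not part of the original post; the function name Get-MdmDiagnosticsValues is hypothetical, and the script makes no assumption about which subkeys or values exist.

```powershell
# Added example: read-only dump of HKLM\SOFTWARE\Microsoft\MdmDiagnostics and all subkeys.
# Run on the affected device in an elevated PowerShell session.
$MdmDiagRoot = 'HKLM:\SOFTWARE\Microsoft\MdmDiagnostics'

function Get-MdmDiagnosticsValues {
    param([string]$Path = $MdmDiagRoot)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist on this device."
        return
    }

    # The root key itself plus every subkey below it.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $names = $key.GetValueNames()
        if ($names.Count -eq 0) {
            # Emit a row for empty keys so the subkey layout stays visible.
            [pscustomobject]@{ Key = $key.Name; Value = '(no values)'; Kind = $null; Data = $null }
            continue
        }
        foreach ($name in $names) {
            $label = $name
            if ([string]::IsNullOrEmpty($name)) { $label = '(Default)' }
            [pscustomobject]@{
                Key   = $key.Name
                Value = $label
                Kind  = $key.GetValueKind($name)
                Data  = $key.GetValue($name)
            }
        }
    }
}

Get-MdmDiagnosticsValues |
    Sort-Object Key, Value |
    Format-Table -AutoSize -Wrap
```

Piping the function's output to Export-Csv instead of Format-Table gives a file that can be attached to a support case.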


How to Download Intune Logs Diagnostics

Let’s check how to download Intune logs diagnostics. After the action completes successfully, under the Device diagnostics tab, you can see the status “Complete”. Select the Download button.

Diagnostics are available for download for 28 days and then deleted. Each device can have up to 10 collections stored at one time.


The popup will appear with the following message. Clicking on Yes will attempt to download device diagnostics collected from the device.


The diagnostics data zip file is added to your download tray and automatically saved to your computer.


Extract the downloaded file. If you use 7Zip to unzip the files, you may find that it returns empty folders; this is a known issue with compressed files created by Windows and 7Zip. We recommend using a different tool to unzip the files.

Open the extracted directory to view the data collected from the device. You will notice the zip file has many folders. This can be confusing; the MEM team is working on an update to flatten the folders and simplify the process after diagnostics are gathered.
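One way to unpack a downloaded collection with the built-in Expand-Archive cmdlet and summarize what each folder holds, as an added example that is not part of the original post. The archive file name and both paths are placeholders; the script does not assume any particular folder names inside the zip.

```powershell
# Added example: extract the diagnostics zip and index its top-level folders.
# Placeholder paths: point $ZipPath at the file you downloaded from the portal.
$ZipPath     = Join-Path $env:USERPROFILE 'Downloads\DiagLogs-PLACEHOLDER.zip'
$Destination = Join-Path $env:TEMP 'IntuneDiag'

# Expand-Archive ships with Windows PowerShell 5+ and avoids the empty-folder
# symptom described above for 7Zip.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination -Force

$summary = Get-ChildItem -LiteralPath $Destination -Directory | ForEach-Object {
    $files = @(Get-ChildItem -LiteralPath $_.FullName -File -Recurse)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{
        Folder   = $_.Name
        Files    = $files.Count
        SizeKB   = [math]::Round(($bytes / 1KB), 1)
        # First few file names are enough to tell a registry export
        # from an event log or a command output.
        Contents = ($files | Select-Object -First 3 -ExpandProperty Name) -join ', '
    }
}

$summary | Sort-Object Folder | Format-Table -AutoSize -Wrap

# A folder with no files usually means the extraction went wrong, not that
# the device returned nothing for that item.
$empty = @($summary | Where-Object { $_.Files -eq 0 })
if ($empty.Count -gt 0) {
    Write-Warning ("Empty folders after extraction: " + ($empty.Folder -join ', '))
}

$totalMB = [math]::Round((($summary | Measure-Object -Property SizeKB -Sum).Sum / 1KB), 1)
Write-Output "Total extracted size: $totalMB MB"
```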

Note – No personal information is collected. The maximum size of diagnostics is currently 250MB.

The list below is in the same order as the diagnostic zip file. Examining these data can help to diagnose. Each collection contains the following data:


Registry Keys:

  1. HKLM\Software\Microsoft\IntuneManagementExtension – This registry key contains specific information about the Intune Management Extension.
  2. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot – This registry key contains info about certificates installed on your machine.
  3. HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection – This registry key contains detailed info on your Microsoft Defender ATP configuration.
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI – This registry key contains the last logged on user.
  5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings – This registry key contains info on your Internet configuration.
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 32-bit applications that are installed on the machine.
  7. HKLM\Software\Policies – This registry key contains information on the policies configured on the machine.
  8. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL – This registry key contains more information on certificates.
  9. HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection – This registry key contains policy information related to Microsoft Defender ATP.
  10. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 64-bit applications that are installed on the machine.
  11. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL – This registry key contains information on the TLS configuration on the machine.

Commands:

Event Viewers:

  1. Application
  2. Microsoft-Windows-AppLocker/EXE and DLL
  3. Microsoft-Windows-AppLocker/MSI and Script
  4. Microsoft-Windows-AppLocker/Packaged app-Deployment
  5. Microsoft-Windows-AppLocker/Packaged app-Execution
  6. Microsoft-Windows-Bitlocker/Bitlocker Management
  7. Microsoft-Windows-SENSE/Operational
  8. Microsoft-Windows-SenseIR/Operational
  9. Setup
  10. System

Files:  

How to Disable Collect Intune Logs option from MEM Portal Diagnostics

If you don’t want to allow IT admins to collect diagnostics for managed Windows devices, you can disable the Collect diagnostics remote action for all devices by following these steps:

Only a global administrator or Intune administrator can make this change.

  • Sign in to the Microsoft Endpoint Manager admin center https://endpoint.microsoft.com/ 
  • Tenant administration – Device diagnostics (Preview).
  • Toggle switch to Disabled.

Diagnostics remain available for 30 days, even after you disable the feature, and are then removed.


Author

About Author – Jitesh has over 5 years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus area is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.
