Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting

Let’s check to understand Intune logs for Windows 10 and Windows 11 PCs. Intune is a SaaS (software as a service) solution, and I have not seen any Intune server-side logs. The server-side troubleshooting is mostly managed by Microsoft support.

The Intune client-side logs are one of the options that you can troubleshoot issues. The other option to troubleshoot Intune issues from the client-side is using network traces. This is basically reverse engineering using Fiddler traces etc…

Some of the Intune server-side details are available through various reporting nodes in Intune portal. You can perform the basic Intune user policy deployment troubleshooting from the MEM admin center portal. You can directly collect Intune logs from the MEM Admin center portal using the Collect Intune Logs from the MEM Portal Diagnostic Data guide.

Patch My PC

One example is given below How To Start Troubleshooting Intune Issues from the server-side. The next level of troubleshooting is with MDM Diagnostics Tool to collect the log and information from the client-side.

We can divide Intune logs into two parts. One is the logs related to Intune Management Extension (IME), and the other section of the logs is related to Windows MDM event logs. Moreover, you can’t compare SCCM logs with Intune logging options.

Intune Advanced Diagnostic Report

I recommend starting collecting Intune logs from the Windows 10 or Windows 11 settings app. This report shows the applied configuration states of your device, including Policy CSPSettings, certificates, configuration sources, and resource information.

1E Nomad

How to collect Intune Advanced Diagnostic Report from Windows PCs:

  • Go to the Settings app from the Start menu or button.
  • Click on Accounts.
  • Click on Access School or Work from the Accounts page.
  • Click on the Azure AD account that you want to collect the logs/report for.

Diagnostic Report will be stored -> C:\Users\Public\Documents\MDMDiagnostics

Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting
Intune Logs Event IDs IME Logs Details for Windows Client Side Troubleshooting

Intune Logs in Windows – Management Logs

We have an option to collect all the Intune-related logs from a Windows PC. You can collect all the Intune management logs from the settings -> Accounts -> Access School or Work.

You can click on Export your management log files. The logs file will get stored in the same location as Intune diagnostic reports. Some of the log files collected during this process are given below.

C:\Users\Public\Documents\MDMDiagnostics ==> MDMDiagReport.cab (You can extract cab file to check the logs).

 Intune Logs in Windows - Management Logs
Intune Logs in Windows – Management Logs
AgentExecutor.log, AutopilotConciergeFile.json, AutopilotDDSZTDFile.json, ClientHealth.log, DeviceHash_DESKTOP-EQI637E.csv, DiagnosticLogCSP_Collector_Autopilot_2020_11_10_16_17_18.etl, DiagnosticLogCSP_Collector_DeviceProvisioning_2021_7_5_17_44_24.etl, IntuneManagementExtension-20210623-103112.log, IntuneManagementExtension-20210630-185736.log, IntuneManagementExtension.log, MDMDiagHtmlReport.html, MdmDiagLogMetadata.json,MDMDiagReport.xml, MdmDiagReport_RegistryDump.reg, MdmLogCollectorFootPrint.txt.microsoft-windows-aad-operational.evtx, microsoft-windows-appxdeploymentserver-operational.evtx, microsoft-windows-assignedaccess-admin.evtx, microsoft-windows-assignedaccess-operational.evtx, microsoft-windows-assignedaccessbroker-admin.evtx, microsoft-windows-assignedaccessbroker-operational.evtx, microsoft-windows-crypto-ncrypt-operational.evtx, microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx, microsoft-windows-devicemanagement-enterprise-diagnostics-provider-debug.evtx, microsoft-windows-devicemanagement-enterprise-diagnostics-provider-operational.evtx, microsoft-windows-moderndeployment-diagnostics-provider-autopilot.evtx, microsoft-windows-moderndeployment-diagnostics-provider-managementservice.evtx, microsoft-windows-provisioning-diagnostics-provider-admin.evtx, microsoft-windows-shell-core-operational.evtx, microsoft-windows-user device registration-admin.evtx, Sensor.log, setupact.log

Intune Management Extension Logs

Intune management extension is the lightweight agent that helps deploy complex apps, PowerShell scripts, and many other services on Windows devices. IME logs are similar to ConfigMgr logs, and these logs are located in the following location. IME is the Intune Logs in Windows PCs.

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

 Intune Management Extension Logs
Intune Management Extension Logs

While writing this post, we have four (4) IME logs inside the IntuneManagementExtension\Logs folder.

  1. AgentExecutor.log
  2. ClientHealth.log
  3. IntuneManagementExtension.log
  4. Sensor.log

AgentExecutor.log

The AgentExecutor.log is part of Intune logs (IME), and this Intune log helps to troubleshoot the PowerShell script and Proactive Remediation script deployments to the Windows 11 or Windows 10 PCs.

C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\50b368da-f63e-4eb2-af9e-13bbd030d62f_cb7f2730-5580-4652-877d-f097c8b4064a.ps1
C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results\50b368da-f63e-4eb2-af9e-13bbd030d62f_cb7f2730-5580-4652-877d-f097c8b4064a.output
cmd line for running powershell is -executionPolicy bypass -file “C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\50b368da-f63e-4eb2-af9e-13bbd030d62f_cb7f2730-5580-4652-877d-f097c8b4064a.ps1”

Intune Management Extension Logs -  AgentExecutor.log
Intune Management Extension Logs – AgentExecutor.log

ClientHealth.log – IME Intune Logs

The ClientHealth.log records all the health and remediation actions related to Intune Management Extension agent on Windows 11 or Windows 10 clients.

More details on the IME health check-related activities are explained in Intune Management Extension Health Evaluation | IME Health Issue | ClientHealthEval.exe | Task Scheduler.

Summary: rule Verify/Remediate Intune Management Extension Service startup type. with ID 05980f21-0099-4ac4-8ba7-c9f5f0cd0b7f, result = Pass, details = N/A
Start processing rule Verify/Remediate Intune Management Extension service status.
Finish sending health report.
The client health report was sent successfully. Done.
Client Health evaluation completes.

IntuneManagementExtension.log – Intune Application Management Log File

The log file IntuneManagementExtension.log is Intune Application Management Log File for IntuneWin applications. More details about IME troubleshooting is available – Intune Management Extension Deep Dive.

[Win32App] ===Step=== Check detection without existing AppResult
[StatusService] Unable to get error code and hence returning unknown.
[StatusService] Saved AppInstallStatusReport for user 50b368da-f63e-4eb2-af9e-13bbd030d62f for app 389fa8ca-2cee-4431-907d-2802e7c46a0a in the StatusServiceReports registry.
[AppStatusMgr] downloadTime is 1/1/0001 12:00:00 AM

 ClientHealth.log - IME Intune Logs  IntuneManagementExtension.log - Intune Application Management Log File
ClientHealth.log – IME Intune Logs IntuneManagementExtension.log – Intune Application Management Log File

Intune Event Logs

As mentioned above, Intune and Windows MDM-related component logs are available only in event logs. You can collect all the necessary event logs from the MDMDiagReport.cab file as discussed above. Let’s check which are the critical event logs that would be helpful for Intune deployment troubleshooting.

Event logs are the extended type of Intune Logs in Windows. In most of the scenarios, I use the event logs that are highlighted in bold. Those are core MDM event logs and are very helpful in troubleshooting Intune policy deployment issues.

Intune log (event) path is the Applications and Services LogsMicrosoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.

 Intune Event Logs
Intune Event Logs
  • microsoft-windows-aad-operational
  • microsoft-windows-appxdeploymentserver-operational
  • microsoft-windows-assignedaccess-admin
  • microsoft-windows-assignedaccess-operational
  • microsoft-windows-assignedaccessbroker-admin
  • microsoft-windows-assignedaccessbroker-operational
  • microsoft-windows-crypto-ncrypt-operational
  • microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin (Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin)
  • microsoft-windows-devicemanagement-enterprise-diagnostics-provider-debug
  • microsoft-windows-devicemanagement-enterprise-diagnostics-provider-operational (Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational)
  • microsoft-windows-moderndeployment-diagnostics-provider-autopilot
  • microsoft-windows-moderndeployment-diagnostics-provider-managementservice
  • microsoft-windows-provisioning-diagnostics-provider-admin
  • microsoft-windows-shell-core-operational
  • microsoft-windows-user device registration-admin

Event ID 208 – Intune Server Sync Initiated

The event ID 208 indicates that the Windows MDM client-initiated policy sync with the MDM server, and in this scenario, it’s Intune. The event log clearly shows that the OMA-DM session started for a particular enrollmentID.

This is the first event ID you should look for when you initiate manual policy sync (Initiate a Manual Intune Policy Sync) from Windows 10 or Windows 11 PCs.

MDM Session: OMA-DM session started for EnrollmentID (FFF6BB6A-4071-4E45-B14B-99DB4FB147BA) with server: (MS DM Server), Server version: (4.0), Client Version: (1.2), PushRouterOrigin: (0x3), UserAgentOrigin: (0x2), Initiator: (0x0), Mode: (0x2), SessionID: (0x45), Authentication Type: (0x1).

Event ID 208 - Intune Server Sync Initiated
Event ID 208 – Intune Server Sync Initiated

Event ID 813 for Intune Policy Integer

The event ID 813 indicates that the Windows CSP policy is applied on Windows 10 or Windows 11 PC. The Intune policy setting is based on an integer value. The 813 event ID also indicates that this policy setting is successfully applied on the client PCs.

EVENT ID 813 (Integer) – MDM PolicyManager: Set policy int, Policy: (DeferQualityUpdatesPeriodInDays), Area: (Update), EnrollmentID requesting merge: (FFF6BB6A-4071-4E45-B14B-99DB4FB147BA), Current User: (Device), Int: (0x0), Enrollment Type: (0xD), Scope: (0x0).

 Event ID 813 for Intune Policy Integer
Event ID 813 for Intune Policy Integer

Intune Event Logs – Event ID 814

Let’s go through some of the details of important event logs as part of Intune logs post. Event ID 814 means the MDM client received a policy update from the server and successfully applied it on the Windows 10 or Windows 11 client PC.

The event ID 814 signifies the type of Intune policy received as well. This event ID indicates that the policy received is STRING. As you know, there are different types of policy types in Windows CSP. The string is one of those policies.

EVENT ID 814 – MDM PolicyManager: Set policy string, Policy: (CPL_Personalization_DisableThemeChange), Area: (ADMX_ControlPanelDisplay), EnrollmentID requesting merge: (D0892524-8DFC-D50E7CA19DBF), Current User: (S-1-5-21-2901188661-3025291148-348095268-1124), String: (), Enrollment Type: (0x6), Scope: (0x1).

 Intune Event Logs - Event ID 814
Intune Event Logs – Event ID 814

Event ID – 2900 – Warning Not Compliant

The event ID 2900 indicates a warning when the MDM client tries to assess the compliance state of the PC. In the following example, Bitlocker CSP is checking the compliance status on a Cloud PC, and obliviously my lab VMs are not BitLocker enabled.

BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates FDV is not compliant with returned status 0x200

Intune Logs -  Event ID - 2900 - Warning Not Compliant
Intune Logs – Event ID – 2900 – Warning Not Compliant

Event ID 809 – Unknown Win32 Error

The event ID 809 indicates an error with Intune policy implementation on Windows 10 or Windows 11 PCs. You will have to evaluate further and troubleshoot the issue. You will need to check the registry entries related to this particular policy and further troubleshoot this issue.

You can search registry with any of the keywords in the event log below – AllowTelemetry, FFF6BB6A-4071-4E45-B14B-99DB4FB147BA, etc., to understand the issue further. Some further tips are available in Intune User Policy Troubleshooting Tips For Prevent Changing Theme.

MDM PolicyManager: Set policy int, Policy: (AllowTelemetry), Area: (System), EnrollmentID requesting set: (FFF6BB6A-4071-4E45-B14B-99DB4FB147BA), Current User: (Device), Int: (0x2), Enrollment Type: (0xD), Scope: (0x0), Result:(0x86000011) Unknown Win32 Error code: 0x86000011.

The event ID 820 indicates access denied error in the following example. The Windows 10 or Windows 11 MDM client is trying to check the status of RequireRetrieveHealthCertificateOnBoot, and this is not available for Cloud PCs (?) hence it gets the following error (0x80004005) Unspecified error.

Event ID 820 – MDM PolicyManager: Set policy precheck precheck call. Policy: (Security), Area: (RequireRetrieveHealthCertificateOnBoot), int value: (0x1) Result:(0x80004005) Unspecified error.

Event ID 809 - Unknown Win32 Error - Intune Logs
Event ID 809 – Unknown Win32 Error – Intune Logs

Event ID 404 Unspecified Error

The event ID 404 indicates different types of errors. One of them can be easily ignored, and that is the FakePolicy event log. This is a known bug with Windows 11 and Windows 10.

So you can safely ignore this error The system cannot find the file specified for fake policy OMA-URI.

MDM ConfigurationManager: Command failure status. Configuration Source ID: (FFF6BB6A-4071-4E45-B14B-99DB4FB147BA), Enrollment Name: (MDMFullWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

The event log 404 error (Unspecified error) for Intune policy assignment related to secure boot and PCHealth etc., could not be applied on most of the Windows 10 and Windows 11 virtual machines.

The RequireRetrieveHealthCertificateOnBoot might not be available for Azure VM/ AVD VMs / Cloud PCs in most of the scenarios. So, you might need to filter out the deployment of these policies to VMs or VDIs.

MDM ConfigurationManager: Command failure status. Configuration Source ID: (FFF6BB6A-4071-4E45-B14B-99DB4FB147BA), Enrollment Name: (MDMFullWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/Security/RequireRetrieveHealthCertificateOnBoot), Result: (Unspecified error).

 Event ID 404 Unspecified Error - Intune Policy Intune Logs
Event ID 404 Unspecified Error – Intune Policy Intune Logs

Feedback Hub – Company Portal Log Collection

You also can provide feedback or record the issue via feedback hub integration with the Company portal. I have not used this option to give a full experience. However, this seems to collect a lot of data, including screenshots and screen recordings. I’m also not sure whether this type of data collection is allowed from all corporate organization privacy perspectives.

Make sure you save a local copy of the diagnostic and attachments created when giving feedback. The path where it gets stored is C:\Users\Anoop\Documents\FeedbackHub.

Intune Logs in Windows PCs Location Details How to Collect Diagnostic Reports
Intune Logs in Windows PCs Location Details How to Collect Diagnostic Reports

Community Tool to Collect Intune Logs

This package is used in conjunction with the Microsoft Support One Data Collector (ODC) tool to gather data from Windows Intune client machines.

The XML file contains data locations and scripts to collect a variety of files, registry keys, and command-line output to assist support engineers in troubleshooting Intune issues.

markstan/IntuneOneDataCollector: Intune One Data Collector – automated tool to collect data for Intune support issues. (github.com)

Resources

Author

Anoop is Microsoft MVP! He is a Solution Architect on enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, Intune. He writes about technologies like ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.…

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.