Jul 21, 2020 • 4 minutes read

Intune Log Collection (Private preview)

A week ago the IntuneSupportTeam's twitter account tweeted this:

Of course I jumped on it, opened Outlook and sent my tenant ID and domain name to the email address mentioned in the tweet.

⭐If you don't want to search where to find your tenantID you could use https://www.whatismytenantid.com. FYI: Azure Active Directory portal ➡ Manage ➡ Properties is one of the more "official" ways.⭐

Today (21st of July 2020) this feature became available on my tenant (EMEA).

Before we start there are some important things to bear in mind:

  • This private preview uses the Windows DiagnosticLog CSP, so all restrictions, capabilities, etc. of this CSP are in effect.
  • To collect logs you must be a Global Admin, Intune Admin or a role that has Log Collection permissions assigned.
  • The machines you can collect logs from need to be Windows 1909 or higher and must be designated as corporate (No BYOD atm).
  • Logs collected are stored for 30 days and then automatically deleted. A maximum of 10 logs per machine can be stored before the oldest logs are deleted. Only one log collection can run on a machine at any time.

Disclaimer: Private Preview, all of this is subject to change when it goes public. ❗

Let's start with collecting logs for a device:

To run a log collection navigate to "Devices" ➡ "All devices" and select the device you want to collect logs from. Don't forget it needs to be Windows 1909 or higher and marked as corporate!

PS: Windows 1909 has build number 10.0.18363

(Screenshot: Selecting a correct device)

Now select the three dots (...) and click "collect logs", after that move on to the "Log collection (Preview)" in the left pane.

(Screenshot: Collect logs)

In the "Log collection (Preview)" overview you can now see who requested the log collection and when the request was initiated.

(Screenshot: Request initiated)

After a few minutes the status changes to "Pending log upload".

(Screenshot: Pending log upload)

You can now download the zip file using the "Download" button.

(Screenshot: Download zip)

Analysing the zip file

When you open the zip file you will see a lot of folders (1 to 20); this is a limitation of the Windows Diagnostic Log CSP.

(Screenshot: Inside the Windows Diagnostic Log CSP zip file)

Each folder corresponds to one collected setting:
  1. "HKLM\Software\Policies"
  2. "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"
  3. "%windir%\system32\ipconfig.exe /all"
  4. "%windir%\system32\mdmdiagnosticstool.exe -area Autopilot;deviceprovisioning;deviceenrollment;HololensFallbackDeviceOwner -zip %ProgramData%\Microsoft\mdmlogs.zip" (This is just the result of the mdmdiagnostictool; the logs are in folder 16)
  5. "%windir%\system32\ping.exe -n 50 localhost"
  6. "%windir%\system32\msinfo32.exe /report %ProgramData%\Microsoft\msinfo32.log" (Folder may be empty, results are in folder 16)
  7. "%windir%\system32\certutil.exe -store"
  8. "%windir%\system32\certutil.exe -store -user my"
  9. "%windir%\system32\Dsregcmd.exe /status"
  10. "%windir%\system32\netsh.exe advfirewall show allprofiles"
  11. "%windir%\system32\netsh.exe advfirewall show global"
  12. "%windir%\system32\gpresult.exe /F /H %ProgramData%\Microsoft\gpresult.html"
  13. "%ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl"
  14. "%SystemRoot%\System32\LogFiles\wmi\*.etl.*"
  15. "%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*"
  16. Folder contains MDM Logs and MSINFO32 output
  17. "%windir%\ccm\logs\*.*"
  18. "%windir%\logs\measuredboot\*.*"
  19. "%windir%\System32\Winevt\Logs\*.*"
  20. "%windir%\logs\CBS\*.*"
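To make triage of the bundle quicker, here is an added example (my own code, not part of the preview or the DiagnosticLog CSP) that maps the numbered folders above to their collectors, counts files and bytes per folder, and flags zero-byte entries and CRC failures, which is exactly the symptom you see when an extraction tool mishandles the archive. It assumes the entries inside the zip are laid out as "<folder number>/<file>"; the sample zip it builds is constructed for the demo, not a real Intune bundle.

```python
import io
import zipfile

# Folder number -> what the DiagnosticLog CSP collector put there (from the post).
COLLECTORS = {
    1: "HKLM\\Software\\Policies", 2: "HKLM\\...\\CurrentVersion\\Uninstall",
    3: "ipconfig /all", 4: "mdmdiagnosticstool result (logs in 16)",
    5: "ping -n 50 localhost", 6: "msinfo32 report (may be empty, see 16)",
    7: "certutil -store", 8: "certutil -store -user my", 9: "dsregcmd /status",
    10: "netsh advfirewall show allprofiles", 11: "netsh advfirewall show global",
    12: "gpresult /F /H", 13: "DiagnosticLogCSP\\Collectors\\*.etl",
    14: "LogFiles\\wmi\\*.etl.*", 15: "IntuneManagementExtension\\Logs",
    16: "MDM logs and MSINFO32 output", 17: "ccm\\logs", 18: "logs\\measuredboot",
    19: "Winevt\\Logs", 20: "logs\\CBS",
}

def inventory(zip_bytes):
    """Per numbered folder: collector, file count, bytes; plus zero-byte entries."""
    summary = {n: {"collector": d, "files": 0, "bytes": 0} for n, d in COLLECTORS.items()}
    empty_files = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = zf.testzip()  # name of the first entry failing its CRC, or None
        if bad is not None:
            raise ValueError(f"zip failed CRC check at {bad}")
        for info in zf.infolist():
            top = info.filename.split("/", 1)[0]  # assumed layout: "<n>/<file>"
            if info.is_dir() or not top.isdigit() or int(top) not in summary:
                continue  # unexpected layout: skip rather than guess
            row = summary[int(top)]
            row["files"] += 1
            row["bytes"] += info.file_size
            if info.file_size == 0:
                empty_files.append(info.filename)
    return summary, empty_files

def build_sample_zip():
    """Constructed sample, not a real bundle: three populated folders, one empty msinfo32 report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3/ipconfig_all.txt", "Windows IP Configuration\n")
        zf.writestr("9/dsregcmd_status.txt", "AzureAdJoined : YES\n")
        zf.writestr("15/IntuneManagementExtension.log", "x" * 1024)
        zf.writestr("6/msinfo32.log", "")  # folder 6 may be empty (see folder 16)
    return buf.getvalue()

if __name__ == "__main__":
    summary, empty = inventory(build_sample_zip())
    for n, row in summary.items():
        state = "EMPTY" if row["files"] == 0 else f"{row['files']} file(s), {row['bytes']} B"
        print(f"{n:>2}  {row['collector']:<40} {state}")
    print("zero-byte entries:", empty)
```

Point `inventory` at the bytes of a real DiagLogs zip and folders that came back empty, or files that extracted as zero bytes, show up immediately instead of after opening twenty folders by hand.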

Personal thoughts and experience

The Intune Troubleshooting PM states that generally the log collection takes only a few minutes to run, depending on network and file sizes.

I've tried to speed up the process using:

  • The "Sync" button in the endpoint manager console
  • Right-clicking the company portal app and selecting "sync this device".
  • Using the "PushLaunch" method.

Sadly without any success.

As you can see in the "download" screenshot, it took roughly 45 min before the log file could be downloaded. This needs more extensive research on how this actually works. What if the machine is offline or unable to talk to Intune? How fast is your connection? How fast does it show the results...

It also doesn't always work. I've got devices that I'm currently troubleshooting with the Log Collection team that get the status "Pending log upload" and then after a while go to a "blank" status. This could be one of two things: "Upload failed" or "log files are too large" (over 256 MB). To be continued...

And last but I guess most importantly, at the moment it only tracks 20 registry keys or data sets. Luckily the team is open to feedback to let them know what you want to see added and they will try to add it in a future release. What would you like to see added? Let me know by sending me a tweet.

I will end this blog with a quick note that if you try to open the zip file "DiagLogs-<name.of.the.pc.here>-20200721T171537Z.zip" with 7-zip you will get header errors and all extracted files will be empty. The workaround is to open it with the built-in tool in Windows Explorer and you're good to go!

Some zip details:

  • Zip file size: 35 MB
  • Extracted file size: 356 MB

(Screenshot: 7-zip header error)