Finally! With the 2102 Microsoft Intune release, we have an easy way to collect logs from remote Windows 10 machines with Windows 10 Device diagnostics.
Microsoft added a new remote action to the MEM Admin center, Collect logs. With this remote action, we are able to collect logs for troubleshooting without contacting the end-user.
Collected logs will include MDM, Autopilot, event viewers, key, Configuration Manager client, networking, and other critical troubleshooting logs.
Let's see how we can collect the logs and which logs are collected.
Collecting the logs
Sign in to the Microsoft Endpoint Manager Admin center.
Look up the Windows 10 device from which you want to collect the logs.
The logs can be collected from the device Overview tab, where the other actions are also found.
Confirm the start of the action.
Open the Device diagnostics tab. Here we find the just started action.
As soon as the collection of the logs is finished, a Download button is shown.
Hit Refresh after a couple of minutes, otherwise the download button will not be shown.
The collected logs
The logs are downloaded as a ZIP file. If we extract the file, we find a lot of numbered folders. Every folder contains some collected information. An overview of what is collected is found in the XML file.
In the XML file, we can find what kind of information is found in which folder. I show a couple of examples.
The first couple of folders contain registry dumps, for example from the policies.
And a registry dump from the Intune Management Extension.
This is followed by all sorts of information like Windows IP configuration information.
The Application, Setup, System and BitLocker Management event logs are also collected.
In the 25th folder, we find all the MDM logs. Think of IntuneManagementExtension.log, MDMDiagHTMLReport.html and related event logs.
In one of the last folders, the mpsupportfiles.cab is found. This contains all kinds of Microsoft Defender related troubleshooting stuff.
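The numbered folders can be mapped back to their contents by reading the XML file described above. The following PowerShell is an added example, not Microsoft's script and not code from the original post. It assumes the XML has a root element whose child elements (other than an ID element) each describe one folder, numbered from 1 in document order, with an HRESULT attribute; the function name Get-DiagnosticsIndex and the sample XML are constructed for illustration.

```powershell
# Constructed sample manifest. The element names and the HRESULT attribute are
# assumptions about the XML layout; adjust them to match the file in your ZIP.
$sampleXml = @'
<Collection HRESULT="0">
  <ID>00000000-0000-0000-0000-000000000000</ID>
  <RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
  <RegistryKey HRESULT="0">HKLM\Software\Microsoft\IntuneManagementExtension</RegistryKey>
  <Command HRESULT="0">%windir%\system32\ipconfig.exe /all</Command>
  <Events HRESULT="-2147024809">Application</Events>
</Collection>
'@

function Get-DiagnosticsIndex {
    param(
        [Parameter(Mandatory)] [xml] $Manifest,
        [string] $ExtractedPath   # optional: root folder of the extracted ZIP
    )
    $n = 0
    foreach ($node in $Manifest.DocumentElement.ChildNodes) {
        # Skip non-element nodes and the ID element, which has no folder (assumption).
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element -or $node.Name -eq 'ID') { continue }
        $n++
        $hr = $node.GetAttribute('HRESULT')   # empty string when the attribute is absent
        [pscustomobject]@{
            Folder  = $n                      # assumed to match the numbered folder name
            Type    = $node.Name
            Target  = $node.InnerText.Trim()
            HResult = $hr
            Failed  = ($hr -ne '' -and $hr -ne '0')
            # Only checked when a path to the extracted ZIP is supplied.
            Present = if ($ExtractedPath) { Test-Path -LiteralPath (Join-Path $ExtractedPath "$n") } else { $null }
        }
    }
}

# List every folder with what it holds; failed collections have Failed = True.
Get-DiagnosticsIndex -Manifest ([xml]$sampleXml) | Format-Table -AutoSize
```

Against a real download, load the XML file from the extracted ZIP with `[xml](Get-Content <path>)` and pass the extraction folder as `-ExtractedPath` to see which entries are missing or failed before looking for a specific log.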
In the current working from home situation, the Collect logs feature is a very welcome addition. Before, we needed to create all kinds of self-created solutions to grab logs from remote Windows devices.
It would be nice if the folders had descriptive names instead of numbers. This would make our life even easier when looking for the information we need. To get this job done during the preview, Microsoft published a script in their blog post.
But overall, log collection works great, so start testing this yourself!