Intune Troubleshooting Part 1 - Remotely collect logs from your devices and upload them to Azure Files


In this post I will share a script that collects Intune logs (event logs, log files...) from devices, creates a ZIP, then uploads it to Azure Files.

By default, Intune does not let you see why there is an issue on a device.
For this you have to go to the device and check some files and event logs.
You want a secure way to upload files without having to provide credentials.
We will connect using a certificate.

Note: I will explain in another post how to configure the storage part and the certificate.

Other methods ?
I will share different methods to collect Intune logs, as below:
- Part 1: Remotely collect logs from devices and upload them to Azure Files
- Part 2: Remotely collect logs from devices and upload them to GitHub
- Part 3: Remotely collect whatever you want (files, event logs) from devices

The script
You can find the script on GitHub using the below link.

Win32 prep tool
We will use the Microsoft Win32 Content Prep Tool.
To download it, go to this link.

Azure content
Given that we want to upload the ZIP to Azure Files, we will need:
- A resource group
- A storage account name
- A file share under File shares
- An app registration with certificate, see below.

Create the certificate
To create the certificate we will use the below code.
See here for more information.

Create the app with certificate
To create the app registration with the certificate, proceed as below:
- Install the Az module, as described here
- Type Connect-AzAccount and sign in
- Type the below code:

Export the certificate
We will need to export this certificate and add it to our device cert store.
We will export it to a PFX file: intune_cert.pfx
See below the code to export the certificate:

Import certificate
Before importing the certificate, we will export the PFX password securely to a file.
This file is called cert_import.txt; we will use it later.
We will then import the password from that file.
This way we won't have to put the password in our code.
See the code for that:
See below the code to import certificate on device:
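The create, register, export and import steps above as one added example; this is not the author's code, which is on GitHub. The name `Intune-Log-Upload`, the store locations, the one-year validity and the helper `Import-UploadCertificate` are assumptions, and the password is passed in as a parameter rather than read from cert_import.txt.

```powershell
# Added example: display name, store locations and validity are assumptions.
$appName = 'Intune-Log-Upload'                     # hypothetical name
$pfxPath = Join-Path $PWD.Path 'intune_cert.pfx'   # file name from the post

# 1. Self-signed certificate with an exportable private key (admin workstation)
$cert = New-SelfSignedCertificate -Subject "CN=$appName" `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy Exportable `
    -KeySpec Signature -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

# 2. App registration + service principal holding only the public certificate
Connect-AzAccount | Out-Null
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())
$sp = New-AzADServicePrincipal -DisplayName $appName -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter

# 3. Export certificate and private key to a password-protected PFX
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Values needed later: App_ID for the script parameters, thumbprint for checks
# (AppId on current Az.Resources; older releases expose ApplicationId)
"App_ID     : $($sp.AppId)"
"Thumbprint : $($cert.Thumbprint)"

# 4. On the device: import into the machine store
function Import-UploadCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Without -Exportable the imported private key cannot be exported again
    Import-PfxCertificate -FilePath $Path -Password $Password `
        -CertStoreLocation 'Cert:\LocalMachine\My'
}
```

Because the PFX and its password file are packaged to every targeted device, the service principal behind this certificate should hold no rights beyond the target file share.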

How it works ?
1. Configure Azure Storage account
2. Create a certificate
3. Create an Azure App registration with the certificate
4. Create the intunewin package
5. Create the Win32 app in Intune
6. Add appropriate parameters to the script (we will see this)
7. Assign the app

What is collected ?
Event logs
The script will collect the below event logs:
- System
- Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
- Microsoft > Windows > AAD
- Microsoft > Windows > ModernDeployment-Diagnostics-Provider
- Microsoft > Windows > AppxDeploymentServer
- Microsoft > Windows > assignedaccess
- Microsoft > Windows > assignedaccessbroker
- Microsoft > Windows > provisioning-diagnostics-provider
- Microsoft > Windows > shell-core
- Microsoft > Windows > user device registration

Intune Logs
The script will collect logs located in ProgramData\Microsoft\IntuneManagementExtension

Diagnostics report
The script will collect the below diagnostic reports using MdmDiagnosticsTool:
- Main report
- Autopilot report
- DeviceEnrollment report
- DeviceProvisioning report
- TPM report
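A sketch of the collection described in this section, as an added example rather than the author's Collect_Intune_Device_Logs.ps1. The exact channel names under each provider, the `Logs` subfolder and the working folder under `%TEMP%` are assumptions.

```powershell
# Added example: channel sub-names and the working folder are assumptions.
$name    = "IntuneLogs_$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
$workDir = Join-Path $env:TEMP $name
$evtDir  = Join-Path $workDir 'EventLogs'
$mdmDir  = Join-Path $workDir 'MdmDiagnostics'
$mainDir = Join-Path $mdmDir 'Main'
New-Item -ItemType Directory -Path $evtDir, $mainDir -Force | Out-Null

# Event logs: the post lists provider folders; the exact channels are assumed
$channels = @(
    'System',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
    'Microsoft-Windows-AAD/Operational',
    'Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot',
    'Microsoft-Windows-AppXDeploymentServer/Operational',
    'Microsoft-Windows-AssignedAccess/Admin',
    'Microsoft-Windows-AssignedAccessBroker/Admin',
    'Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin',
    'Microsoft-Windows-Shell-Core/Operational',
    'Microsoft-Windows-User Device Registration/Admin'
)
foreach ($channel in $channels) {
    $target = Join-Path $evtDir (($channel -replace '[/ ]', '_') + '.evtx')
    & wevtutil.exe epl $channel $target 2>$null
    # A channel may be missing on some Windows builds: note it and carry on
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export '$channel'" }
}

# Intune Management Extension log files
$imeDir = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'
if (Test-Path $imeDir) {
    Copy-Item -Path $imeDir -Destination (Join-Path $workDir 'IME') -Recurse
}

# MdmDiagnosticsTool: main report, then one CAB per diagnostic area
& MdmDiagnosticsTool.exe -out $mainDir | Out-Null
foreach ($area in 'Autopilot', 'DeviceEnrollment', 'DeviceProvisioning', 'TPM') {
    & MdmDiagnosticsTool.exe -area $area -cab (Join-Path $mdmDir "$area.cab") | Out-Null
}

# One ZIP per device and run, ready for upload
$zipPath = "$workDir.zip"
Compress-Archive -Path (Join-Path $workDir '*') -DestinationPath $zipPath -Force
$zipPath
```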

How to use the script ?
The script is called Collect_Intune_Device_Logs.ps1
You will have to add some parameters to the script:
- Tenant_ID: Your tenant ID
- App_ID: Application ID of the app registration that uses your certificate
- Azure_resourceGroupName: The resource group name from Azure
- Azure_storageAccName: The storage account from Azure
- Azure_fileShareName: The file share name from Azure

Add all this information to Azure_infos.xml, as below:
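How these five parameters drive a certificate-based sign-in and upload, as an added example that is neither the author's XML file nor the author's script. The XML layout shown in the comment, the `$ZipPath` parameter and the certificate subject `CN=Intune-Log-Upload` are assumptions.

```powershell
# Added example: the XML layout and the certificate subject are assumptions.
param([Parameter(Mandatory)] [string] $ZipPath)

# Assumed Azure_infos.xml layout, using the parameter names from the post:
# <Azure_infos>
#   <Tenant_ID>...</Tenant_ID>
#   <App_ID>...</App_ID>
#   <Azure_resourceGroupName>...</Azure_resourceGroupName>
#   <Azure_storageAccName>...</Azure_storageAccName>
#   <Azure_fileShareName>...</Azure_fileShareName>
# </Azure_infos>
[xml]$xml = Get-Content -Path (Join-Path $PSScriptRoot 'Azure_infos.xml') -Raw
$info = $xml.Azure_infos

# Pick the imported certificate: private key present and not expired
$cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq 'CN=Intune-Log-Upload' -and $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Upload certificate not found or expired' }

# Certificate-based sign-in: no client secret stored in the script
Connect-AzAccount -ServicePrincipal -Tenant $info.Tenant_ID `
    -ApplicationId $info.App_ID -CertificateThumbprint $cert.Thumbprint | Out-Null
try {
    $account = Get-AzStorageAccount -ResourceGroupName $info.Azure_resourceGroupName `
        -Name $info.Azure_storageAccName
    # Upload the ZIP to the root of the file share under its own file name
    Set-AzStorageFileContent -Context $account.Context `
        -ShareName $info.Azure_fileShareName -Source $ZipPath `
        -Path (Split-Path $ZipPath -Leaf) -Force
}
finally {
    Disconnect-AzAccount | Out-Null   # drop the cached token when done
}
```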

Implement it in Intune
In this example we will create a new Azure AD group.
We will add devices from which we want to collect logs in this group.

Create the folder content
1. Create a folder Collect_intune_Device_Logs
2. Copy the file Collect_intune_Device_Logs.ps1
3. Copy the file Azure_infos.xml
4. Copy the intune_cert.pfx file in the folder
5. Copy the file cert_import.txt in the folder
6. See below my Collect_intune_Device_Logs folder

Create the package
1. Run IntuneWinAppUtil.exe
2. Select the folder Collect_intune_Device_Logs
3. Select Collect_intune_Device_Logs.ps1
4. Select an output folder
5. A package Collect_Intune_Device_Logs.intunewin will be created

Create the Win32 app
We will now integrate the intunewin package into Intune.
1. Go to Intune
2. Go to Client apps
3. Go to Apps
4. Click on Add
5. Select Windows app (Win32) then Select
6. Click on Select app package file

7. Browse to Collect_Intune_Device_Logs.intunewin

8. Click on OK
9. Type a name and a publisher name and configure as you want

10. In Install command type the below one:
11. In Uninstall command type the below one:
12. Click on Next
13. Choose your requirements
14. Click on Next
15. In Detection rules, select Use a detection script

16. Browse the script Collect_logs_Detection_script.ps1
17. Click on Add
18. Click on OK
19. Click on Next
20. In the Dependencies part click on Next
21. In the Scope tags part click on Next
22. In Assignments, go to Required and click on Add group

23. Select the group containing the devices from which you want to collect logs
24. The group will be added

25. Click on Next
26. Click on Create
27. Go to Device install status
28. Once it has been installed, status will be as below:

Collect logs in action
See below my Azure file share before:

See below my Azure file share after:

Get the log
While the ps1 is running, it writes to a log file.
You can find it in C:\Windows\Debug

What's next ?
In the next post I will proceed as above and upload logs to a private repository on GitHub.