Collect and upload any logs you need to SharePoint from Intune devices using on-demand remediation
In this post I will share a remediation script allowing you to collect any logs you want from your Intune devices on-demand.
The solution
The solution consists of a few steps:
- Use an XML specifying things to collect
- Upload the XML somewhere (blob storage)
- Create a SharePoint for logs
- Create an app registration
- Add permission to the app
- Add a secret or certificate*
- Use a Remediation script to collect logs
This solution can be used in addition to the Collect diagnostics feature on the Intune side.
You can add any content you want to collect just by modifying an XML file, meaning you can collect whatever you want.
The previous script
I did a first version two years ago, but here I added some new things to collect and also changed the way to upload files to SharePoint.
https://www.systanddeploy.com/2023/11/upload-files-to-sharepointteams-using.html
Logs collected
The script will collect content from the XML.
You can add all folders or registry keys you want in the XML.
See below what is collected by default through the XML:
In addition to the XML content, the script will also export the following to CSV:
- Real device uptime
- Hotfix list
- Services list
- Scheduled tasks list
- Drivers list
- Process list
- Update installed
- Pending updates list
- Disk info
- List printers
- Network adapters info
- Processors info
- Missing drivers
- Export of MpPreference
- Export of MpComputerStatus
- Export of dsregcmd /status
- IPConfig export
- Device certificates list
- User certificates list
- Local admin list
- Local user list
- Running processes and their port number
Event logs
The remediation script collects all event logs from the last 15 days.
All event logs will be stored in the EVTX_Files folder, as below:
Get the script
Click on the below GitHub picture to get the script
What does it do?
It works as below:
1. Collect all content mentioned in the XML
2. ZIP all things
3. Send ZIP to SharePoint
Getting SharePoint site id
The first step to upload something is to identify the SharePoint site to which we want to send the file.
For this we need the SharePoint site path and ID.
The SharePoint site path is easy to get, in my case it's the below one:
https://systanddeploy.sharepoint.com/sites/Support
Now to get the ID of a SharePoint site proceed as below:
1. Open your browser
2. Type the following URL:
https://yoursharepoint.sharepoint.com/sites/yoursite/_api/site/id
In my case it's:
https://systanddeploy.sharepoint.com/sites/Support/_api/site/id
Create the Azure app
1. Go to Azure portal
2. Go to App registrations
3. Click on New registration
4. Type a name for your app
5. Leave the default settings and click on Register
6. Go to Overview
Adding permission
To grant permission on a specific SharePoint site only, proceed as below on your app registration:
1. Go to API permissions
2. Click on Add a permission
3. Select SharePoint
4. Select Application permissions
6. Check Sites.Selected
7. Click on Add permissions
8. Click on Grant admin consent
Here we have added the Sites.Selected permission.
Now given that it's for a specific selected site we need to identify the selected site.
To do this, proceed as below:
1. Open Graph Explorer
2. Choose method POST
3. In the URL field, type the URL below, replacing sharepointsiteid with your SharePoint site id
https://graph.microsoft.com/v1.0/sites/sharepointsiteid/permissions
4. Go to Request body
5. Type the below body by replacing specified fields
6. Click on Run query
7. If you have an error 403 forbidden in Graph Explorer, click on Modify permissions
8. There you will find a permission to allow, so allow it
9. Click again on Run query
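The same grant done from PowerShell, with a read-back check that the app received only the role requested (an added example, not part of the original post or its script). The `write` role, the function names and the placeholder values are assumptions; the admin token must be allowed to manage site permissions.

```powershell
# Added example, not the original script. All <...> values are placeholders.
function New-SiteGrantBody {
    param(
        [Parameter(Mandatory)][string]$AppId,        # Application (client) ID of the app registration
        [Parameter(Mandatory)][string]$AppName,
        [ValidateSet('read', 'write')][string]$Role = 'write'   # assumption: uploading needs write
    )
    @{
        roles               = @($Role)
        grantedToIdentities = @(@{ application = @{ id = $AppId; displayName = $AppName } })
    } | ConvertTo-Json -Depth 5
}

function Grant-SiteAccess {
    param(
        [Parameter(Mandatory)][string]$SiteId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$AdminToken    # assumption: token allowed to manage site permissions
    )
    $uri     = "https://graph.microsoft.com/v1.0/sites/$SiteId/permissions"
    $headers = @{ Authorization = "Bearer $AdminToken" }
    $body    = New-SiteGrantBody -AppId $AppId -AppName $AppName

    # Same POST as the Graph Explorer steps; the response is the new permission object.
    $created = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers `
        -Body $body -ContentType 'application/json'

    # Read the grant back by id and fail if it is broader than read/write
    # (a missing roles property also fails, so the check is fail-closed).
    $check = Invoke-RestMethod -Method Get -Uri "$uri/$($created.id)" -Headers $headers
    $extra = @($check.roles | Where-Object { $_ -notin 'read', 'write' })
    if ($extra.Count -gt 0) {
        throw "Unexpected roles on grant $($created.id): $($extra -join ', ')"
    }
    [pscustomobject]@{ PermissionId = $created.id; Roles = $check.roles -join ',' }
}

# Offline check of the request body (constructed sample values):
New-SiteGrantBody -AppId '00000000-0000-0000-0000-000000000000' -AppName 'Intune-Logs-Upload'

# Live call, once the placeholders are filled in:
# Grant-SiteAccess -SiteId '<sharepointsiteid>' -AppId '<app-client-id>' `
#     -AppName '<app-name>' -AdminToken '<admin-access-token>'
```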
Create a secret
If you want to use a secret proceed as below:
1. Go to Azure portal
2. Go to your Azure app
3. Click on Certificates & secrets
4. Click on New client secret
5. Create your secret
Edit the XML
1. Edit the XML with things you need to collect
2. Upload the XML somewhere like a blob storage
3. Copy the URL of your XML in the variable $XML_Logs_URL
How to use the script?
Fill info below:
Creating the Remediation script
1. Go to Devices
4. Go to Remediations
5. Click on Create script package
6. Type a name
7. Click on Next
8. Browse OnDemand_Logs.ps1
9. Click on Next
10. Select the group
11. Choose your schedule
12. Click on Apply
13. Click on Next
14. Click on Create
Collect logs in action
1. Go to the Intune portal
2. Type a device name
3. Click on the ...
4. Click on Run remediation
5. Choose the remediation script
6. Click on Run remediation