Learn How to Collect Windows 10 Diagnostics Information from Intune Portal | Endpoint Manager

Let’s look at a recent improvement in Intune: how to collect Windows 10 diagnostics information from the Intune portal. Microsoft has enabled a public preview of the Windows 10 device diagnostics feature, which collects diagnostics from Windows devices through a remote action. The Collect diagnostics remote action lets you collect and download Windows device logs without interrupting the user. Worried about privacy? The action can access only non-user locations and file types, so no personal information is collected.

Prerequisites

The Collect diagnostics remote action is supported for:

Client requirements

  • Desktop: Windows 10 1909 / 19H2 or later (Home, Pro, Enterprise and Education versions are supported).
  • HoloLens 2: Windows 10 2004 / 20H1 or later.
  • The device must be online and reachable via the internet, and Windows Push Notification Service (WNS) must have access to the machine.

Intune requirements

  • To initiate device diagnostics, you must be assigned the Global Admin role, Intune Admin role, School Administrator, Help Desk Operator, or have the Collect diagnostics permission assigned to a custom role.
  • The device you’d like to collect diagnostics from must be designated as Corporate-Owned.

Collect Diagnostics From Intune Portal

  • Under the device, on the Overview page, select  and click Collect diagnostics.
  • A popup appears with the following message. Clicking Yes attempts to collect the diagnostics from the selected device.
  • A notification appears automatically in the top right-hand corner with the message Collect diagnostics initiated. You can also see the status by selecting the notification icon.
  • A pending notification appears on the device’s Overview page. Under Device action status you can also see the status.
  • To see the complete status of the action, select Device diagnostics (Preview). Here you can see the status “Pending diagnostics upload”. The entire action can take some time, so sit back and wait for it to complete.

There are three status messages for a diagnostic task –

  1. Completed: Diagnostics were successful and are available for download.
  2. Pending diagnostics Upload: The device is running the diagnostics and will finish shortly, or the device is offline/unreachable and has not received the request. The diagnostics task is good for 12 hours, so if the machine comes online and/or checks into the Intune service, the diagnostic action will be kicked off.
  3. Failed: The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the sub keys inside. If collecting diagnostics fails, we recommend you run the device action again. If it continues to fail, please open a case with Intune support from the Endpoint Manager admin center.
  • After the action completes successfully, under Device diagnostics (Preview), you can see the status “Complete”. Select the Download button.

Diagnostics are available for download for 28 days and then deleted. Each device can have up to 10 collections stored at one time.

  • A popup appears with the following message. Clicking Yes attempts to download the device diagnostics collected from the device.
  • The diagnostics data zip file is added to your download tray and automatically saved to your computer.
  • Extract the downloaded file. If you use 7Zip to unzip the files, it may return empty folders; this is a known issue with compressed files created by Windows and 7Zip. We recommend using a different tool to unzip the files.
  • Open the directory to view the data collected from the device. You will notice the zip file has many folders. This can be confusing, unfortunately. The MEM team is working on an update to flatten the folders and simplify the process after diagnostics are gathered.
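
The script below is an added example, not part of the original article or of Microsoft's tooling: it extracts the downloaded archive with the built-in Expand-Archive cmdlet instead of 7Zip and compares the archive's own entry list with what landed on disk, which exposes the empty-folder symptom described above. `$ZipPath` and `$Destination` are placeholder parameters, and `$Destination` is assumed to be a new, empty folder.

```powershell
# Added example: extract an Intune diagnostics archive and confirm nothing was lost.
# $ZipPath and $Destination are placeholders; $Destination should be a new, empty folder.
param(
    [Parameter(Mandatory)] [string] $ZipPath,
    [Parameter(Mandatory)] [string] $Destination
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Hash the archive before touching it, so the copy you analyse can later be
# tied back to the file downloaded from the portal.
$hash = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash

# Read the archive's table of contents. File entries have a non-empty Name;
# directory entries do not.
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $ZipPath).Path)
try {
    $expected      = @($zip.Entries | Where-Object { $_.Name -ne '' })
    $expectedBytes = ($expected | Measure-Object -Property Length -Sum).Sum
} finally {
    $zip.Dispose()
}

# Extract with the built-in cmdlet rather than 7Zip.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination -Force

# Compare what the archive declared with what is now on disk.
$files     = @(Get-ChildItem -LiteralPath $Destination -Recurse -File)
$emptyDirs = @(Get-ChildItem -LiteralPath $Destination -Recurse -Directory |
    Where-Object { -not (Get-ChildItem -LiteralPath $_.FullName -Force) })

[pscustomobject]@{
    Sha256             = $hash
    EntriesInZip       = $expected.Count
    FilesExtracted     = $files.Count
    BytesInZip         = $expectedBytes
    BytesExtracted     = ($files | Measure-Object -Property Length -Sum).Sum
    EmptyFolders       = $emptyDirs.Count
    ExtractionComplete = ($files.Count -eq $expected.Count)
}
```

If `ExtractionComplete` is false or `EmptyFolders` is unexpectedly high, the extraction tool dropped content and the archive should be re-extracted before any analysis.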

Note – No personal information is collected. The maximum size of diagnostics is currently 250 MB.

  • The list below follows the same order as the diagnostic zip file. Examining this data can help with diagnosis. Each collection contains the following data:

Registry Keys:

  1. HKLM\Software\Microsoft\IntuneManagementExtension – This registry key contains specific information about the Intune Management Extension.
  2. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot – This registry key contains info about certificates installed on your machine.
  3. HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection – This registry key contains detailed info on your Microsoft Defender ATP configuration.
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI – This registry key contains the last logged on user.
  5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings – This registry key contains info on your Internet configuration.
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 32-bit applications that are installed on the machine.
  7. HKLM\Software\Policies – This registry key contains information on the policies configured on the machine.
  8. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL – This registry key contains more information on certificates.
  9. HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection – This registry key contains policy information related to Microsoft Defender ATP.
  10. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 64-bit applications that are installed on the machine.
  11. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL – This registry key contains information on the TLS configuration on the machine.

Commands:

  1. %programfiles%\windows defender\mpcmdrun.exe -GetFiles – This command captures support data for troubleshooting ATP issues.
  2. %windir%\system32\certutil.exe -store – This command outputs the certificates installed on the machine’s store.
  3. %windir%\system32\certutil.exe -store -user my – This command outputs the certificates installed on the machine’s user store.
  4. %windir%\system32\Dsregcmd.exe /status – This command outputs Azure AD information for the machine.
  5. %windir%\system32\ipconfig.exe /all – This command outputs the IP address information for the machine.
  6. %windir%\system32\mdmdiagnosticstool.exe – This command captures MDM diagnostics for the machine.
  7. %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log – This command outputs the hardware, software and driver details for the machine.
  8. %windir%\system32\netsh.exe advfirewall show allprofiles – This command outputs the firewall configuration for all profiles.
  9. %windir%\system32\netsh.exe advfirewall show global – This command outputs the global firewall configuration.
  10. %windir%\system32\netsh.exe lan show profiles – This command outputs the configuration of the LAN Adapter.
  11. %windir%\system32\netsh.exe winhttp show proxy – This command outputs network proxy configuration.
  12. %windir%\system32\netsh.exe wlan show profiles – This command outputs the proxy configuration of the Wireless LAN Adapters.
  13. %windir%\system32\netsh.exe wlan show wlanreport – This command outputs the status of the Wireless LAN.
  14. %windir%\system32\ping.exe -n 50 localhost – This command runs a test of the local network host.
  15. %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html – This command generates a detailed report about day-to-day battery usage.
  16. %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html – This command generates a Battery Report, useful for troubleshooting laptop battery/power issues.

Event Viewers:

  1. Application
  2. Microsoft-Windows-AppLocker/EXE and DLL
  3. Microsoft-Windows-AppLocker/MSI and Script
  4. Microsoft-Windows-AppLocker/Packaged app-Deployment
  5. Microsoft-Windows-AppLocker/Packaged app-Execution
  6. Microsoft-Windows-Bitlocker/Bitlocker Management
  7. Microsoft-Windows-SENSE/Operational
  8. Microsoft-Windows-SenseIR/Operational
  9. Setup
  10. System

Files:  

  1. %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
  2. %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
  3. %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  4. %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  5. %temp%\MDMDiagnostics\battery-report.html
  6. %temp%\MDMDiagnostics\energy-report.html
  7. %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  8. %temp%\MDMDiagnostics\msinfo32.log
  9. %windir%\ccm\logs\*.log
  10. %windir%\ccmsetup\logs\*.log
  11. %windir%\logs\CBS\cbs.log
  12. %windir%\logs\measuredboot\*.*
  13. %windir%\Logs\WindowsUpdate\*.etl

Disable Device Diagnostics

If you don’t want to allow IT admins to collect diagnostics for managed Windows devices, you can disable the Collect diagnostics remote action for all devices by following these steps:

Only a global administrator or Intune administrator can make this change.

Diagnostics are available for 30 days, even after you disable the feature, and then removed.
