Let’s see what the improvements are in Intune. This post covers how to collect Windows 10 diagnostics information from the Intune portal. Microsoft has enabled a public preview of the Windows 10 Device diagnostics feature, which collects diagnostics from Windows devices with a remote action. The Collect diagnostics remote action lets you collect and download Windows device logs without interrupting the user. Worried about privacy? The action can access only non-user locations and file types, so no personal information is collected.
The Collect diagnostics remote action is supported for:
- Desktop: Windows 10 1909 / 19H2 or later (Home, Pro, Enterprise and Education versions).
- HoloLens 2: Windows 10 2004 / 20H1 or later.
- The device must be online and reachable over the internet, and Windows Push Notification Service (WNS) must have access to the machine.
- To initiate device diagnostics, you must be assigned the Global Admin role, Intune Admin role, School Administrator, Help Desk Operator, or have the Collect diagnostics permission assigned to a custom role.
- The device you’d like to collect diagnostics from must be designated as Corporate-Owned.
Collect Diagnostics From Intune Portal
- Sign in to the Microsoft Endpoint Manager admin center [https://endpoint.microsoft.com/]. Navigate to Devices > Windows. All Windows devices that you manage are listed here. Select the device from the list to collect diagnostics.
- On the device’s Overview page, select … and click Collect diagnostics.
- A confirmation popup will appear. Clicking Yes will attempt to collect the diagnostics from the selected device.
- A notification will appear automatically in the top right-hand corner with the message Collect diagnostics initiated. You can also see the status by selecting the notification icon.
- A pending notification appears on the device’s Overview page. Under Device action status you can also see the status.
- To see the complete status of the action, select Device diagnostics (Preview). Here you can see the status “Pending diagnostics upload”. The entire action could take a long time, so sit back, relax and wait for it to complete.
There are three status messages for a diagnostic task –
- Completed: Diagnostics were successful and are available for download.
- Pending diagnostics Upload: The device is running the diagnostics and will finish shortly, or the device is offline/unreachable and has not received the request. The diagnostics task is good for 12 hours, so if the machine comes online and/or checks into the Intune service, the diagnostic action will be kicked off.
- Failed: The device ran diagnostics but failed to complete the task or failed to upload. To troubleshoot this issue, please review the MDMDiagnostics registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MdmDiagnostics and the sub keys inside. If collecting diagnostics fails, we recommend you run the device action again. If it continues to fail, please open a case with Intune support from the Endpoint Manager admin center.
- After the action completes successfully, under Device diagnostics (Preview) you can see the status “Complete”. Select the Download button.
Diagnostics are available for download for 28 days and then deleted. Each device can have up to 10 collections stored at one time.
- A confirmation popup will appear. Clicking Yes will attempt to download the device diagnostics collected from the device.
- The diagnostics data zip file is added to your download tray and automatically saved to your computer.
- Extract the downloaded file. If you use 7Zip to unzip the files, it may return empty folders; this is a known issue with compressed files created by Windows and 7Zip. We recommend using a different tool to unzip the files.
- Open the directory to view the data collected from the device. You will notice the zip file has many folders. This can be confusing, unfortunately. The MEM team is working on an update to flatten the folders and simplify the process after diagnostics are gathered.
Note – No personal information is collected. The maximum size of diagnostics is currently 250 MB.
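The extraction step above can be done with the built-in Expand-Archive cmdlet instead of 7Zip, and the nested folders can be flattened at the same time. This is an added example, not from the original post or the MEM team: the function name Expand-DeviceDiagnostics and the paths in the usage comment are placeholders, and nothing is assumed about the folder or file names inside the zip.

```powershell
# Added example: extract a downloaded diagnostics zip with Expand-Archive
# (PowerShell 5+), copy every file into one flat folder, and report folders
# that came out empty (the symptom described for 7Zip).
function Expand-DeviceDiagnostics {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ZipPath,   # the downloaded zip
        [Parameter(Mandatory)][string]$OutDir     # working folder for results
    )

    $raw  = Join-Path $OutDir 'raw'    # original folder tree
    $flat = Join-Path $OutDir 'flat'   # all files in a single folder
    New-Item -ItemType Directory -Path $raw, $flat -Force | Out-Null

    Expand-Archive -LiteralPath $ZipPath -DestinationPath $raw -Force

    $rawFull = (Resolve-Path -LiteralPath $raw).Path.TrimEnd('\', '/')
    $files   = @(Get-ChildItem -LiteralPath $raw -Recurse -File)

    foreach ($f in $files) {
        # "sub\dir\file.log" becomes "sub_dir_file.log", so the source
        # folder stays visible in the flattened file name
        $rel  = $f.FullName.Substring($rawFull.Length).TrimStart('\', '/')
        $dest = Join-Path $flat ($rel -replace '[\\/]', '_')
        Copy-Item -LiteralPath $f.FullName -Destination $dest
    }

    # Folders with no file anywhere beneath them
    $empty = @(Get-ChildItem -LiteralPath $raw -Recurse -Directory |
        Where-Object {
            -not (Get-ChildItem -LiteralPath $_.FullName -Recurse -File |
                  Select-Object -First 1)
        })

    [pscustomobject]@{
        Files        = $files.Count
        EmptyFolders = $empty.Count
        FlatFolder   = $flat
    }
}

# Usage (placeholder paths):
# Expand-DeviceDiagnostics -ZipPath .\diagnostics.zip -OutDir .\diag
```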
- The list below is in the same order as the diagnostic zip file. Examining this data can help with diagnosis. Each collection contains the following data:
- HKLM\Software\Microsoft\IntuneManagementExtension – This registry key contains specific information about the Intune Management Extension.
- HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot – This registry key contains info about certificates installed on your machine.
- HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection – This registry key contains detailed info on your Microsoft Defender ATP configuration.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI – This registry key contains the last logged on user.
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings – This registry key contains info on your Internet configuration.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 32-bit applications that are installed on the machine.
- HKLM\Software\Policies – This registry key contains information on the policies configured on the machine.
- HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL – This registry key contains more information on certificates.
- HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection – This registry key contains policy information related to Microsoft Defender ATP.
- HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall – This registry key contains the 64-bit applications that are installed on the machine.
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL – This registry key contains information on the TLS configuration on the machine.
- %programfiles%\windows defender\mpcmdrun.exe -GetFiles – The command captures support data for troubleshooting ATP issues.
- %windir%\system32\certutil.exe -store – This command outputs the certificates installed on the machine’s store.
- %windir%\system32\certutil.exe -store -user my – This command outputs the certificates installed on the machine’s user store.
- %windir%\system32\Dsregcmd.exe /status – This command outputs Azure AD information for the machine.
- %windir%\system32\ipconfig.exe /all – This command outputs the IP address information for the machine.
- %windir%\system32\mdmdiagnosticstool.exe – This command captures MDM diagnostics for the machine.
- %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log – This command outputs the hardware, software and driver details for the machine.
- %windir%\system32\netsh.exe advfirewall show allprofiles – This command outputs the firewall configuration for all profiles.
- %windir%\system32\netsh.exe advfirewall show global – This command outputs the global firewall configuration.
- %windir%\system32\netsh.exe lan show profiles – This command outputs the configuration of the LAN Adapter.
- %windir%\system32\netsh.exe winhttp show proxy – This command outputs network proxy configuration.
- %windir%\system32\netsh.exe wlan show profiles – This command outputs the proxy configuration of the Wireless LAN Adapters.
- %windir%\system32\netsh.exe wlan show wlanreport – This command outputs the status of the Wireless LAN.
- %windir%\system32\ping.exe -n 50 localhost – This command runs a test of the local network host.
- %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html – This command generates a detailed report about day-to-day battery usage.
- %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html – This command generates a Battery Report, useful for troubleshooting laptop battery/power issues.
- Microsoft-Windows-AppLocker/EXE and DLL
- Microsoft-Windows-AppLocker/MSI and Script
- Microsoft-Windows-AppLocker/Packaged app-Deployment
- Microsoft-Windows-AppLocker/Packaged app-Execution
- Microsoft-Windows-Bitlocker/Bitlocker Management
- %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
Disable Device Diagnostics
If you don’t want to allow IT admins to collect diagnostics for managed Windows devices, you can disable the Collect diagnostics remote action for all devices by following these steps:
Only a global administrator or Intune administrator can make this change.
- Sign in to the Microsoft Endpoint Manager admin center [https://endpoint.microsoft.com/] > Tenant administration > Device diagnostics (Preview).
- Toggle the switch to Disabled.
Diagnostics are available for 30 days, even after you disable the feature, and then removed.