Intune Device Diagnostics

Share This Post

A colleague made me aware of a new preview feature in Intune called Device Diagnostics. The feature lets you collect troubleshooting information from an online client without having to disturb the user. The feature collects a wide range of information on the users system and stores this data in the cloud for up to 28 days. The complete list of items collected is listed below. This is a really nice gem that support and operational departments should utilize fully!

Requirements

  • Windows 10 version 1909 or later
  • Devices must be corporate owned and enrolled into Intune
  • Devices must be online
  • Permissions (Global Admin, Intune Admin or a custom role with the Collect Diagnostic permission)

To check if the feature is enabled in your tenant open the Endpoint Manager Admin Center, and under Tenant Administration there should be an option for Device Diagnostics.

Device Diagnostics Tenant Enabled

Data Collection

To collect diagnostic information from a device: firstly check that the device is corporate owned, then select the three dots to expand the top menu and select Collect Diagnostics. The data collection will take a few minutes.

Collecting Device Diagnostics in Intune

To view the current status and download the collected information select Device Diagnostic under Monitor. It is possible to have up to 10 diagnostic packages per device.

Downloading Device Diagnostics from Intune

Review Collected Data

Within the diagnostics zip file there are 50 folders, one for each element in the collection list. At the very bottom there is an XML file called results.xml that will contain information on the commands that where executed and if they were successful or not (see the picture below). If a command fails the resulting folder in the diagnostic file will be empty.

Unfortunately the filenames within the diagnostic file only contain words like export, output or events, providing no details as to what the file actually contains. If you wanted to view the list of programs installed on the device, folders 6 and 10 would have to be reviewed. Whereas Windows Updates are located in folder 50.

Use the following script from Microsoft to parse the extracted folders into something more readable.

Usage: Devicediagnostics.ps1 MyDeviceDiagFile.zip 

param($DiagnosticArchiveZipPath) 
 
#region Formatting Choices 
$flatFileNameTemplate = '({0:D2}) {1} {2}' 
$maxLengthForInputTextPassedToOutput = 80 
#endregion 
 
#region Create Output Folders and Expand Zip 
$diagnosticArchiveTempUnzippedPath = $DiagnosticArchiveZipPath + "_expanded" 
if(-not (Test-Path $diagnosticArchiveTempUnzippedPath)){mkdir $diagnosticArchiveTempUnzippedPath} 
$reformattedArchivePath = $DiagnosticArchiveZipPath + "_formatted" 
if(-not (Test-Path $reformattedArchivePath)){mkdir $reformattedArchivePath} 
Expand-Archive -Path $DiagnosticArchiveZipPath -DestinationPath $diagnosticArchiveTempUnzippedPath 
#endregion 
 
#region Discover and Move/rename Files 
$resultElements = ([xml](Get-Content -Path (Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath "results.xml"))).Collection.ChildNodes | Foreach-Object{ $_ } 
$n = 1 
 
# only process supported directives 
$supportedDirectives = @('Command', 'Events', 'FoldersFiles', 'RegistryKey') 
foreach( $element in $resultElements) { 
  # only process supported directives, skip unsupported ones 
  if(!$supportedDirectives.Contains($element.Name)) { continue } 
 
  $directiveNumber = $n 
  $n++ 
  $directiveType = $element.Name 
  $directiveStatus = [int]$element.Attributes.ItemOf('HRESULT').psbase.Value 
  $directiveUserInputRaw = $element.InnerText 
 
  # trim the path to only include the actual command - not the full path 
  if ($element.Name -eq 'Command') { 
    $lastIndexOfSlash = $directiveUserInputRaw.LastIndexOf('\'); 
    $directiveUserInputRaw = $directiveUserInputRaw.substring($lastIndexOfSlash+1); 
  } 
 
  $directiveUserInputFileNameCompatible = $directiveUserInputRaw -replace '[\\|/\[\]<>\:"\?\*%\.\s]','_' 
  $directiveUserInputTrimmed = $directiveUserInputFileNameCompatible.substring(0, [System.Math]::Min($maxLengthForInputTextPassedToOutput, $directiveUserInputFileNameCompatible.Length)) 
  $directiveSummaryString = $flatFileNameTemplate -f $directiveNumber,$directiveType,$directiveUserInputTrimmed 
  $directiveOutputFolder = Join-Path -Path $diagnosticArchiveTempUnzippedPath -ChildPath $directiveNumber 
  $directiveOutputFiles = Get-ChildItem -Path $directiveOutputFolder -File 
  foreach( $file in $directiveOutputFiles) { 
    $leafSummaryString = $directiveSummaryString,$file.Name -join ' ' 
    Copy-Item $file.FullName -Destination (Join-Path -Path $reformattedArchivePath -ChildPath $leafSummaryString) 
  } 
} 
#endregion  
Remove-Item -Path $diagnosticArchiveTempUnzippedPath -Force -Recurse

List of Information Collected

At the time of writing the following information is collected:

Registry Keys:

  1. HKLM\Software\Microsoft\IntuneManagementExtension
  2. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  3. HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  7. HKLM\Software\Policies
  8. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
  9. HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
  10. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  11. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Commands:

  1. %programfiles%\windows defender\mpcmdrun.exe -GetFiles
  2. %windir%\system32\certutil.exe -store
  3. %windir%\system32\certutil.exe -store -user my
  4. %windir%\system32\Dsregcmd.exe /status
  5. %windir%\system32\ipconfig.exe /all
  6. %windir%\system32\mdmdiagnosticstool.exe
  7. %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
  8. %windir%\system32\netsh.exe advfirewall show allprofiles
  9. %windir%\system32\netsh.exe advfirewall show global
  10. %windir%\system32\netsh.exe lan show profiles
  11. %windir%\system32\netsh.exe winhttp show proxy
  12. %windir%\system32\netsh.exe wlan show profiles
  13. %windir%\system32\netsh.exe wlan show wlanreport
  14. %windir%\system32\ping.exe -n 50 localhost
  15. %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
  16. %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

Event Viewers:

  1. Application
  2. Microsoft-Windows-AppLocker/EXE and DLL
  3. Microsoft-Windows-AppLocker/MSI and Script
  4. Microsoft-Windows-AppLocker/Packaged app-Deployment
  5. Microsoft-Windows-AppLocker/Packaged app-Execution
  6. Microsoft-Windows-Bitlocker/Bitlocker Management
  7. Microsoft-Windows-SENSE/Operational
  8. Microsoft-Windows-SenseIR/Operational
  9. Setup
  10. System

Files:  

  1. %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors*.etl
  2. %ProgramData%\Microsoft\IntuneManagementExtension\Logs*.*
  3. %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  4. %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  5. %temp%\MDMDiagnostics\battery-report.html
  6. %temp%\MDMDiagnostics\energy-report.html
  7. %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  8. %temp%\MDMDiagnostics\msinfo32.log
  9. %windir%\ccm\logs*.log
  10. %windir%\ccmsetup\logs*.log
  11. %windir%\logs\CBS\cbs.log
  12. %windir%\logs\measuredboot*.*
  13. %windir%\Logs\WindowsUpdate*.etl

Known Issues

  • Unzipping diagnostics with 7Zip returns empty folders – This is a known issue with compressed files created by Windows and 7Zip. We recommend using a different tool to unzip the files.
  • If uploading diagnostics to Intune takes more than 30 seconds, the diagnostic collection task will fail – This is a known issue with the DiagnosticLog CSP that has been fixed in KB4601315 and KB4601319, which were released on February 2th, 2021 via Windows Update. Please ensure your machines have been updated.
  • Device diagnostics has been pending for a while, what should I do? – Best practice is to ensure the device can communicate with the service. Forcing a device check-in will ensure the device is able to reach the Intune service.  If the device can reach the service, retry the diagnosticsaction.
  • How long are the diagnostics available? – Diagnostics are available for download for 28 days and then automatically deleted per data retention requirements.
  • How many diagnostics can I run on a device? – Each device may have up to 10 diagnostics. After 10, the oldest set of diagnostics is removed and replaced.
  • What’s the maximum size of diagnostics I can collect? – 250mb of compressed files currently.

Want To See More?
Azure AD

Access Reviews with On-Premise Groups

In some of my earlier post I have talked about Access Reviews that are part of the Identity Governance tools in Azure AD. One of

Fredrik May 15, 2022
Azure

Access Reviews: Manage Guest Users

Azure AD’s B2B (Business to Business) functionality allows organizations to invite external users into their organization so that they can collaborate. However, very few of

Fredrik March 22, 2022