This post will brief you about the options available to validate policy deployment from Intune and collect the logs for diagnostics.
Validate Intune policies status from “Access to work or school” and collect diagnostics logs
The “Access to work or school” page in Windows 10 settings contain useful information about Intune policies. This can be the first place to quickly check if required policies have been applied to the device. As you can see in below screenshot, the Policies section list all policies currently managed by organization. Similarly, the Application section list all applications which are currently managed by organization.
If you do not see the expected policies / application applied then you can check the Sync status in same page. You can force sync as well from here.
You can also generate diagnostics report in HTML format using “Create report” button (see above screenshot). Here are the complete steps.
- Go to Settings > Access Work and School
- Select Tenant <Tenant>’s Azure AD > and click on Info
- Scroll down to the bottom and click on Create report
The report will be saved to:
C:\Users\Public\Public Documents\MDMDiagnostics\MDMDiagReport.html
Generate detailed diagnostics report
The detailed MDM diagnostics report can also generated from “Access work or school” page. You can find Export your management log files link under “Related settings“. If the window is maximized then you can find this option at top right side of the screen.
The report will be generated to a cab file (MDMDiagReport.cab) in C:\Users\Public\Documents\MDMDiagnostics folder.
Collect diagnostics log from Endpoint Manager admin center
The diagnostics logs can be collected from Endpoint Manager Admin Center by following below steps. These logs include MDM, MECM Client, Autopilot, Registry keys, Event viewers logs, networking and other important logs useful for troubleshooting.
- Go to Devices and select Device
- From Overview menu select “Collect diagnostics”.
- Click Yes on confirmation prompt
The log collection process will take some time. You can monitor the status from Devices | <Device Name> | Device diagnostics (preview). Once log collection process completed, you will see an option to download the logs.
The log files will be organized in different folders named as number (1,2,3….) which contain the details mentioned above.
The “result.xml” file in root folder will have details of the information collected by diagnostics tool. Please check Microsoft documentation to know more about data collected by diagnostics tool.
Intune Management Extension
The Intune management extension supplements the in-box Windows 10 MDM features. It’s allow Microsoft Intune to run the PowerShell scripts on Windows 10 devices.
The IME run as a service called “Microsoft Intune Management Extension”. The service name is IntuneManagementExtension.
IME logs are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder. You can use CMTrace.exe to view these logs.
- AgentExecutor
- ClientHealth
- IntuneManagementExtension
The full content of the script logged in the IntuneManagementExtension log which can be useful in troubleshooting.
Related Posts
- Enroll Windows 11 Device to Intune through Azure AD Join method
- Windows 11 enrollment with Provisioning package failed with error code 0x800700b7
- Invalid_Client error when joining Windows 10 device to Azure AD tenant
- That account info didn’t work – error when disconnecting Windows 10 / 11 Work or School account
