This post will brief you about the options available to validate policy deployment from Intune and collect the logs for diagnostics.
Validate Intune policies status from “Access to work or school” and collect diagnostics logs
The “Access to work or school” page in Windows 10 settings contain useful information about Intune policies. This can be the first place to quickly check if required policies have been applied to the device. As you can see in below screenshot, the Policies section list all policies currently managed by organization. Similarly, the Application section list all applications which are currently managed by organization.

If you do not see the expected policies / application applied then you can check the Sync status in same page. You can force sync as well from here.

You can also generate diagnostics report in HTML format using “Create report” button (see above screenshot). Here are the complete steps.
- Go to Settings > Access Work and School
- Select Tenant <Tenant>’s Azure AD > and click on Info
- Scroll down to the bottom and click on Create report
The report will be saved to:
C:\Users\Public\Public Documents\MDMDiagnostics\MDMDiagReport.html

Generate detailed diagnostics report
The detailed MDM diagnostics report can also generated from “Access work or school” page. You can find Export your management log files link under “Related settings“. If the window is maximized then you can find this option at top right side of the screen.

The report will be generated to a cab file (MDMDiagReport.cab) in C:\Users\Public\Documents\MDMDiagnostics folder.

Collect diagnostics log from Endpoint Manager admin center
The diagnostics logs can be collected from Endpoint Manager Admin Center by following below steps. These logs include MDM, MECM Client, Autopilot, Registry keys, Event viewers logs, networking and other important logs useful for troubleshooting.
- Go to Devices and select Device
- From Overview menu select “Collect diagnostics”.
- Click Yes on confirmation prompt

The log collection process will take some time. You can monitor the status from Devices | <Device Name> | Device diagnostics (preview). Once log collection process completed, you will see an option to download the logs.

The log files will be organized in different folders named as number (1,2,3….) which contain the details mentioned above.
The “result.xml” file in root folder will have details of the information collected by diagnostics tool. Please check Microsoft documentation to know more about data collected by diagnostics tool.

Intune Management Extension
The Intune management extension supplements the in-box Windows 10 MDM features. It’s allow Microsoft Intune to run the PowerShell scripts on Windows 10 devices.
The IME run as a service called “Microsoft Intune Management Extension”. The service name is IntuneManagementExtension.
IME logs are located in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs folder. You can use CMTrace.exe to view these logs.
- AgentExecutor
- ClientHealth
- IntuneManagementExtension
The full content of the script logged in the IntuneManagementExtension log which can be useful in troubleshooting.

Related Posts
- Win32 App Deployment failed with error code 0x80070643
- Win32 App Deployment Failed with Error 0x87D1041C
- Win32 App Deployment failed with error 0x87D300C9
- Win32 App failed with error code 0x80070653
- That account info didn’t work – error when disconnecting Windows 10 / 11 Work or School account
- Intune – Windows 10 MDM- Basic troubleshooting
- Deploying Microsoft 365 Apps Stuck in Downloading in Company Portal
- Windows 10 / 11 Operating System Build Versions
- MDM Enroll: Device Credential, Failed (Unknown Win32 Error code : 0xcaa9001f
- Microsoft Endpoint Manager: Error Code Reference
- Intune Bulk Enrollment with Provisional Package failed Error 0xCAA2000C
Subscribe to Techuisitive Newsletter
Be the first to know about our new blog posts. Get our newsletters directly in your inbox and stay up to date about Modern Desktop Management technologies & news.