Collect diagnostics from a Windows device

The Collect diagnostics remote action lets you collect and download Windows device logs without interrupting the user. Only non-user locations and file types can be accessed, so no personal information is collected.

The diagnostic collection is stored for 28 days and then deleted. Each device can have up to 10 collections stored at one time.

Collect diagnostics is also available as a Bulk device action that collects diagnostic logs from up to 25 Windows devices at a time.

Requirements

The Collect diagnostics remote action is supported for:

  • Intune or co-managed devices.
  • Windows 10 version 1909 and later.
  • Windows 11.
  • Microsoft HoloLens 2 2004 and later.
  • Global Admins, Intune Admins, or a role with Collect diagnostics permissions (under Remote tasks).
  • Corporate-owned devices.
  • Devices that are online and able to communicate with the service during diagnostics.

Collect diagnostics

To use the Collect diagnostics action:

  1. Sign in to the Microsoft Endpoint Manager admin center > Devices > Windows > select a supported device.
  2. On the device’s Overview page, select Collect diagnostics > Yes. A pending notification appears on the device’s Overview page.
  3. To see the status of the action, select Device diagnostics monitor.
  4. After the action completes, select Download in the row for the action > Yes.
  5. The data zip file is added to your download tray and you can save it to your computer.

Data collected

No personal information is collected. The list below is in the same order as the contents of the diagnostic zip. Each collection contains the following data:

Registry Keys:

  1. HKLM\Software\Microsoft\IntuneManagementExtension
  2. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
  3. HKLM\SOFTWARE\Microsoft\Windows Endpoint
  4. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
  5. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
  7. HKLM\Software\Policies
  8. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
  9. HKLM\SOFTWARE\Policies\Microsoft\Windows Endpoint
  10. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  11. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Commands:

  1. %programfiles%\windows defender\mpcmdrun.exe -GetFiles
  2. %windir%\system32\certutil.exe -store
  3. %windir%\system32\certutil.exe -store -user my
  4. %windir%\system32\Dsregcmd.exe /status
  5. %windir%\system32\ipconfig.exe /all
  6. %windir%\system32\mdmdiagnosticstool.exe
  7. %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
  8. %windir%\system32\netsh.exe advfirewall show allprofiles
  9. %windir%\system32\netsh.exe advfirewall show global
  10. %windir%\system32\netsh.exe lan show profiles
  11. %windir%\system32\netsh.exe winhttp show proxy
  12. %windir%\system32\netsh.exe wlan show profiles
  13. %windir%\system32\netsh.exe wlan show wlanreport
  14. %windir%\system32\ping.exe -n 50 localhost
  15. %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
  16. %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html

Event Viewers:

  1. Application
  2. Microsoft-Windows-AppLocker/EXE and DLL
  3. Microsoft-Windows-AppLocker/MSI and Script
  4. Microsoft-Windows-AppLocker/Packaged app-Deployment
  5. Microsoft-Windows-AppLocker/Packaged app-Execution
  6. Microsoft-Windows-Bitlocker/Bitlocker Management
  7. Microsoft-Windows-HelloForBusiness/Operational
  8. Microsoft-Windows-SENSE/Operational
  9. Microsoft-Windows-SenseIR/Operational
  10. Setup
  11. System

Files:

  1. %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
  2. %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
  3. %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
  4. %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
  5. %temp%\MDMDiagnostics\battery-report.html
  6. %temp%\MDMDiagnostics\energy-report.html
  7. %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
  8. %temp%\MDMDiagnostics\msinfo32.log
  9. %windir%\ccm\logs\*.log
  10. %windir%\ccmsetup\logs\*.log
  11. %windir%\logs\CBS\cbs.log
  12. %windir%\logs\measuredboot\*.*
  13. %windir%\Logs\WindowsUpdate\*.etl
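As an added example that is not part of this article, the following PowerShell script reproduces a subset of the collection above locally (registry exports, command output and log files bundled into one zip), which is useful for a device that is offline and cannot receive the remote action. The output folder name and the particular subset of keys, commands and files are assumptions; run it in an elevated session.

```powershell
# Added example (not Intune's own collector): locally reproduce part of the
# "Data collected" list above. Output folder name is an assumption.
$out = Join-Path $env:TEMP 'LocalMdmDiagnostics'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Registry keys from the "Registry Keys" list (subset); reg.exe writes a .reg file per key.
$keys = @(
  'HKLM\Software\Microsoft\IntuneManagementExtension',
  'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL',
  'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
)
foreach ($k in $keys) {
  $file = Join-Path $out (($k -replace '[\\:]', '_') + '.reg')
  & "$env:windir\system32\reg.exe" export $k $file /y | Out-Null
}

# Commands from the "Commands" list (subset); each command's output goes to its own .txt file.
$commands = @{
  'dsregcmd_status'     = { & "$env:windir\system32\dsregcmd.exe" /status }
  'ipconfig_all'        = { & "$env:windir\system32\ipconfig.exe" /all }
  'netsh_winhttp_proxy' = { & "$env:windir\system32\netsh.exe" winhttp show proxy }
  'netsh_fw_profiles'   = { & "$env:windir\system32\netsh.exe" advfirewall show allprofiles }
  'certutil_store'      = { & "$env:windir\system32\certutil.exe" -store }
}
foreach ($name in $commands.Keys) {
  & $commands[$name] 2>&1 | Out-File -FilePath (Join-Path $out "$name.txt") -Encoding utf8
}

# Files from the "Files" list (subset); a missing file is skipped rather than treated as an error.
$files = @(
  "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\*.*",
  "$env:windir\logs\CBS\cbs.log",
  "$env:windir\Logs\WindowsUpdate\*.etl"
)
foreach ($pattern in $files) {
  Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue |
    Copy-Item -Destination $out -Force
}

# Bundle everything into a single zip, mirroring what the remote action delivers.
Compress-Archive -Path (Join-Path $out '*') -DestinationPath "$out.zip" -Force
Write-Host "Diagnostics written to $out.zip"
```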

Disable device diagnostics

You can disable the Collect diagnostics remote action for all devices by following these steps:

  1. Sign in to the Microsoft Endpoint Manager admin center > Tenant administration > Device diagnostics.

  2. Change the control to Disabled.

Known issues with device diagnostics

Currently there are two main issues that may cause device diagnostics to fail:

  1. A timeout may occur on devices without patches KB4601315 or KB4601319. These patches contain a fix to the DiagnosticLog CSP that prevents timeout during upload. After the update installs, make sure to reboot your device.
  2. The device wasn't able to receive the device action within a 24-hour window. If the device is offline or turned off, this may cause a failure.