How to access and read Intune management extension logs

Why are log files important?

It's important for IT administrators to be able to perform troubleshooting activities when something goes wrong. If that sounds broad, that's because it is. In the context of desktop management, it can be something like a failed application installation or configuration. In all those different cases it's important for the IT administrator to have a starting point for troubleshooting. That starting point is most often the right log file. It doesn't matter if that's an event log or a log file that belongs specifically to the related application.

The idea is that any application, agent, service, or anything else, by installation default automatically writes information to the related log file. This should not only happen when something goes wrong or fails; there should be a log for anything important happening on the desktop. The latter is also important, as that enables the IT administrator to follow the flow of the application to better pinpoint the potential issue. Admins can use all that information -- both important events and failures -- for troubleshooting. That makes log files a key component for troubleshooting.

Nowadays, many applications also provide the option to enable something like verbose logging. That will empower the application to write more detailed information to the log file for more detailed troubleshooting options.

Where does the Intune management extension store log files?

Most applications contain log files that are accessible and available within the Intune management extension. Intune contains a single important location that stores all the different available log files for that agent -- C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

By default, everyone has at least read permissions to that location and to the log files that are stored in that location. To view those log files, IT administrators can use their preferred reader because those log files contain plain text written in a specific format. Even Notepad is a valid option. Another viable option is the more frequently used CMTrace, as it can easily handle the formatting of the log files and provides a quick overview of the errors and warnings within the log file.

There are also failures, such as Windows Autopilot failures, that automatically collect the diagnostics of the related device and makes those diagnostics available within the Microsoft Intune admin center portal.

Besides accessing the log files directly locally on the device, it's also possible to access the log files via the Microsoft Intune admin center portal. There are two different common methods for retrieving the Intune management extension log files. The first method is via the installation details of an application on a device and the second method is via the overview of a device. In both cases, there will be a button called Collect diagnostics that admins can use for collecting the Intune management extension log files of that specific device.

As this is a remote action on a device, this does require the device to be online. The collected log files will be available within the portal in the Device diagnostics section of the device. When the device is online it can still take more than a few minutes before the log files will be available within the portal. IT can download the collected files as a zipped file; it contains many registry keys, collected information, event logs and log files -- including the Intune management extension log files.

Note that there are also failures, such as Windows Autopilot failures, that automatically collect the diagnostics of the related device and makes those diagnostics available within the Microsoft Intune admin center portal. This can save administrators the step of retrieving the files when an issue occurs.

What log files are available for the Intune management extension?

In the early days of the Intune management extension, IT administrators only had two or three log files for the provided functionalities. In the past year, however, the number of those log files have grown significantly.

At this moment, the following log files are available, listed in alphabetic order:

• AgentExecutor.log. This log file contains the information provided by the agent executor. That component executes the different actions that are performed by the Intune management extension.
• AppActionProcessor.log. This log file contains the information provided by the action processor for apps. That component processes the actions for assigned apps.
• ClientHealth.log. This log file contains the information provided by the client health component. That component checks the health of the Intune management extension.
• DeviceHealthMonitoring.log. This log file contains the information provided by the data collection component. That component collects data about hardware readiness, device inventory, and more.
• HealthScripts.log. This log file contains the information provided by the health scripts component. That component runs the assigned detection and remediation scripts, at the required schedule.
• IntuneManagementExtension.log. This is one of the log files that it started with and it is still the main log file around the Intune management extension. Most of the activities of the Intune management extension are still logged in this log file. When different components are used for the actual execution, the detailed logging will also move the log files that belong to the used component.
• Sensor.log. This log file contains the information provided by the sensor framework component. That component subscribes to different events on the devices, to gather usage information.
• Win32AppInventory.log. This log file contains the information provided by the app inventory collector. That component collects the inventory of the installed MSI applications.

When a log file reaches its maximum size, which by default is 3 MB, the endpoint or application creates a new log file with the same name. From there, the endpoint or app will rename the file as the date of creation.