The Log Collector

It’s very nice to see that Microsoft is working on some new features. One of the features in development is the possibility to collect logs remotely.

Source: In development – Microsoft Intune | Microsoft Docs

Also look at the possibility to restart an app install! That’s great.

But as these features are still in development, we don’t have the option to collect logs remotely yet.

Luckily Solarwinds has a remote background feature, which allows you to gather some event logs remotely.

How do you troubleshoot an Azure AD joined device when only a remote background session is available? Or when you don’t want to disturb the end-user?

I have seen some solutions with PowerShell scripts deployed from Intune. These solutions transfer the zip file to Azure file storage. But I don’t want to wait…

You can launch a remote background session and copy-paste the script below. It collects all the necessary files and logs and combines them into a single zip file.

######################
#Configure Variables #
######################
$regKeys    = @('HKLM\Software\Microsoft\PolicyManager')
$tempFolder = 'c:\temp\MEMLogs'
$regOutput  = "$tempFolder\PolicyManager.reg"
$timestamp  = Get-Date -Format yyyy-MM-dd-HHmmss
# temp folder (Test-Path avoids the error Get-Item throws when the folder does not exist yet)
If (!(Test-Path $tempFolder)) { New-Item -ItemType Directory -Path $tempFolder | Out-Null }

#########################
#Registry Policymanager #
#########################
# export every key to its own .reg file, then merge them into one file with a single header
$i = 0
$regKeys | % { $i++; & reg export $_ "$tempFolder\$i.reg" /y }
Set-Content -Path $regOutput -Value 'Windows Registry Editor Version 5.00'
Get-Content "$tempFolder\*.reg" -Exclude 'PolicyManager.reg' | ? { $_ -ne 'Windows Registry Editor Version 5.00' } | Add-Content $regOutput
Remove-Item "$tempFolder\*.reg" -Exclude 'PolicyManager.reg'

##########################
#Export MDMDiagnosticLog #
##########################
# -out expects a folder; the tool writes MDMDiagReport.html (and supporting files) into it
Start-Process MdmDiagnosticsTool.exe -Wait -NoNewWindow -ArgumentList "-out $tempFolder\MDMDiag"

##########################
#Export Eventlog         #
##########################
$eventLogs = @(
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx',
    'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx',
    'Microsoft-Windows-BitLocker%4BitLocker Management.evtx',
    'Microsoft-Windows-AppLocker%4EXE and DLL.evtx',
    'Microsoft-Windows-Windows Defender%4Operational.evtx'
)
$eventLogs | % { Copy-Item -Path "$env:SystemRoot\System32\Winevt\Logs\$_" -Destination $tempFolder }

##########################
#Export Intune Logs      #
##########################
Copy-Item -Path 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\*.*' -Destination $tempFolder

##########################
#Export MDM registration #
##########################
# enrollment keys carrying the UPN and the enterprise device ID (EntDMID)
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -Recurse | where { $_.Property -like '*UPN*' } | Out-File "$tempFolder\MDMRegistration.txt"
Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -Recurse | where { $_.Property -like '*EntDMID*' } | Out-File -Append "$tempFolder\MDMRegistration.txt"

##########################
#Export computerinfo     #
##########################
Get-ComputerInfo | Out-File "$tempFolder\$env:COMPUTERNAME.txt"

##########################
#Export TPM INFO         #
##########################
tpmtool gatherlogs $tempFolder

##########################
#Add to zip              #
##########################
Get-ChildItem -Path $tempFolder -Exclude '*.zip' | Compress-Archive -DestinationPath "$tempFolder\MEM_$timestamp.zip"

# clean up everything except the zip (the MDMDiag folder needs -Recurse)
Get-ChildItem -Path $tempFolder -Exclude '*.zip' | Remove-Item -Recurse -Force

Now we can simply transfer the zip file to our own device with the Solarwinds Remote Background agent and start investigating.
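Once the bundle is on the analyst machine, the next step is to check it arrived intact and pull the failures out of it. The script below is an added example, not part of the original post; it assumes the zip produced above was copied to the path in $ZipPath (an assumed location) and that the file names inside match the collector script.

```powershell
# Added example, not part of the original post: verify the transferred bundle and
# triage what it contains. $ZipPath is an assumed location on the analyst's machine.
param([string]$ZipPath = 'C:\Cases\MEM_2021-01-01-120000.zip')

# 1. Hash the bundle on arrival and compare it with a hash taken on the device before
#    transfer, so you know the evidence was not altered or truncated in transit.
$hash = Get-FileHash -Path $ZipPath -Algorithm SHA256
"{0}  {1}" -f $hash.Hash, (Split-Path $ZipPath -Leaf) | Set-Content -Path "$ZipPath.sha256"

# 2. Extract next to the zip.
$case = Join-Path (Split-Path $ZipPath -Parent) ([IO.Path]::GetFileNameWithoutExtension($ZipPath))
Expand-Archive -Path $ZipPath -DestinationPath $case -Force

# 3. Pull critical/error/warning events (Level 1-3) out of every collected .evtx,
#    tagged with the file they came from.
$events = foreach ($evtx in Get-ChildItem -Path $case -Filter '*.evtx') {
    $logFile = $evtx.Name
    Get-WinEvent -Path $evtx.FullName -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -in 1, 2, 3 } |
        Select-Object @{ n = 'LogFile'; e = { $logFile } }, TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}
$events | Sort-Object TimeCreated -Descending | Select-Object -First 40 | Format-Table -AutoSize
# Count by event ID so the most frequent failures stand out first.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object Count, Name -First 10

# 4. The Intune Management Extension logs use CMTrace format, where type="3" marks an error line.
Select-String -Path "$case\*.log" -Pattern 'type="3"' -ErrorAction SilentlyContinue |
    Select-Object Filename, LineNumber,
                  @{ n = 'Entry'; e = { $_.Line -replace '\]LOG\]!>.*$', '' -replace '^<!\[LOG\[', '' } } |
    Format-Table -AutoSize
```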

Conclusion:

Until Microsoft has finished the remote log collection feature, this option to collect all the logs automatically is great to have and can really save you some time when troubleshooting.
