Troubleshooting Logs in Microsoft Endpoint Manager
This blog post is part of a Microsoft Endpoint Manager blog series and focuses on Microsoft Endpoint Manager troubleshooting: log locations, tools, monitoring options, and advanced logging.
When working with Microsoft Endpoint Manager and Windows 10 devices, sometimes you don’t know whether your settings are applying to your devices as required or not; it is a bit of a blind spot.
In many cases, when a configuration fails to apply to Windows 10 devices, you don’t know what is causing the problem, and you find yourself navigating through irrelevant components while trying to find the root cause.
Monitoring, logs, and troubleshooting with Microsoft Endpoint Manager aren’t the most challenging things you need to deal with, but you must know the components, the log locations, and the options you’ve got.
Daily, I see many Cloud Operators and System Administrators managing Microsoft Endpoint Manager and trying to troubleshoot failed configurations and find out why their design isn’t applying to Windows 10.
Microsoft Endpoint Manager and Windows 10 have many troubleshooting options for finding issues. These options are based on the many log locations that Microsoft Endpoint Manager has on Windows 10 devices.
When Microsoft Endpoint Manager applies specific settings and configurations to Windows 10, each run is logged.
If we apply Endpoint Protection policies or deploy apps, each action and component is logged in Microsoft Endpoint Manager, Windows 10, and Azure Sentinel or Azure Log Analytics.
Before starting with troubleshooting, you must know the options and capabilities you’ve got inside the different components and consoles. Some are in Windows 10, some are in Microsoft Endpoint Manager, and some are inside Azure Sentinel.
Note: Azure Sentinel provides an excellent view of Microsoft Endpoint Manager.
First things first, let’s start with the primary components we’ve got and the components we need to troubleshoot, based on the following options:
- Windows 10 built-in MDM
- Intune Management Extension
- Azure Sentinel based on Azure Log Analytics (based on Diagnostic Logs)
Windows 10 built-in MDM
A built-in Windows 10 management component can communicate with Microsoft Endpoint Manager in two ways:
- The enrollment client, which enrolls and configures the device to communicate with Microsoft Endpoint Manager.
- The management client, which periodically synchronizes with Microsoft Endpoint Manager to check for updates and apply the latest IT policies.
Note: the default Microsoft Endpoint Manager client is the built-in service (not the IME).
The relevant event log folders are:
- Microsoft-Windows-AAD: this event log provides information related to Azure AD communications.
- DeviceManagement-Enterprise-Diagnostics-Provider: these event logs provide information about the device’s MDM sessions, including MDM PolicyManager information.
- Microsoft-Windows-Shell-Core: this event log provides information mainly related to logon tasks and run-once actions on the device.
- Microsoft-Windows-SettingsSync: these event logs provide information about settings sync on Windows 10 devices (work or school account).
- Microsoft-Windows-Workplace Join: these event logs provide information about connecting a Windows device to your workplace and accessing a web application.
- Microsoft-Windows-EnterpriseMgmt: these event logs provide admin information (and errors) regarding the device’s MDM sessions.
- MDMDiagReport: provides information about the device’s applied configuration states, including Policy CSP settings, certificates, configuration sources, and resource information.
- Microsoft-Windows-AAD-Operational: this event log provides operational information about Azure AD communications, including device registration and token requests.
Examples of errors and their related logs: the Microsoft-Windows-AAD event log with a device token issue,
and the Microsoft-Windows-EnterpriseMgmt event log with an event for a CSP policy and a specific installer.
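The following PowerShell script is an added example, not part of the original post: it pulls the recent Critical, Error and Warning events from the MDM-related channels listed above in one pass so you can see at a glance where a policy or token request failed. The channel names are matched by wildcard (the exact Admin/Operational suffixes vary by build), and the output path is an assumption.

```powershell
# Added example (not part of the original post): gather recent Critical/Error/Warning events
# from the MDM-related channels listed above in one pass, newest first.
# Channel names are matched by wildcard, so the exact Admin/Operational suffix on your build does not matter.
param(
    [int]$Hours = 24,
    [string]$OutFile = "$env:TEMP\mdm-events.csv"   # assumed output path; change as needed
)

$patterns = @(
    'Microsoft-Windows-AAD*',
    '*DeviceManagement-Enterprise-Diagnostics-Provider*',
    'Microsoft-Windows-Shell-Core*',
    'Microsoft-Windows-SettingsSync*',
    '*Workplace Join*',
    'Microsoft-Windows-User Device Registration*',   # where newer builds keep Workplace Join events
    'Microsoft-Windows-EnterpriseMgmt*'
)

# Keep only channels that exist on this build and actually hold records
$logNames = Get-WinEvent -ListLog $patterns -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Select-Object -ExpandProperty LogName

$since  = (Get-Date).AddHours(-$Hours)
$events = foreach ($log in $logNames) {
    # Level 1 = Critical, 2 = Error, 3 = Warning; a channel with no matches simply yields nothing
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
}

$summary = $events |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message only

$summary | Export-Csv -Path $OutFile -NoTypeInformation
$summary | Select-Object -First 20 | Format-Table -AutoSize
"Saved $(@($summary).Count) event(s) to $OutFile"
```

Run it from an elevated PowerShell session; the CSV keeps the full list while the console shows the 20 newest entries.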
Troubleshooting Tools for Windows 10 built-in MDM
Many tools can collect logs from Windows 10 or Microsoft Endpoint Manager.
The MdmDiagnosticsTool is a command-line tool that collects device enrollment and Autopilot logs, including events, registry data, and log files, consolidated into a single folder or single file.
The tool can be run from CMD with several syntaxes; for example, with the -out parameter:
MdmDiagnosticsTool.exe -out c:\temp\Ellitest
Advanced Diagnostics Report is part of MDMDiagReport and shows the device’s applied configuration states, including Policy CSP settings, certificates, configuration sources, and resource information.
The result will be exported to MDMDiagReport.
DSREGCMD is an essential and valuable tool that provides information about the following Windows 10 components:
- Device State
- Device Details
- Tenant Details
- User State
- SSO State
- Diagnostic Data
For a detailed description, see Troubleshooting devices using the dsregcmd command.
The /status parameter provides the primary information for all states and data of the local machine, as in the example below, using the following command: dsregcmd /status.
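As an added example (not from the original post), the PowerShell functions below parse the output of dsregcmd /status into a hashtable and flag the fields that most often explain an enrollment or token problem. The field names checked (AzureAdJoined, DeviceAuthStatus, AzureAdPrt, MdmUrl) are assumed to be present on a current Windows 10 build.

```powershell
# Added example (not part of the original post): turn 'dsregcmd /status' into a hashtable
# and check the fields that most often explain enrollment and token failures.
function Get-DsregStatus {
    $text   = dsregcmd /status 2>&1 | Out-String
    $status = @{}
    # Data lines look like "   AzureAdJoined : YES"; section banners and separators do not match
    foreach ($line in $text -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-DsregStatus {
    param([hashtable]$Status = (Get-DsregStatus))
    # Expect = $null means "any non-empty value is fine" (used for MdmUrl). Field names are assumed.
    $checks = @(
        @{ Key = 'AzureAdJoined';    Expect = 'YES';     Why = 'device is not Azure AD joined, so MDM enrollment cannot work' }
        @{ Key = 'DeviceAuthStatus'; Expect = 'SUCCESS'; Why = 'device authentication failed; check the Microsoft-Windows-AAD log for token errors' }
        @{ Key = 'AzureAdPrt';       Expect = 'YES';     Why = 'no Primary Refresh Token for this user; SSO to Azure AD and Intune will fail' }
        @{ Key = 'MdmUrl';           Expect = $null;     Why = 'no MDM URL: the device is registered but not enrolled in Microsoft Endpoint Manager' }
    )
    foreach ($c in $checks) {
        $value = $Status[$c.Key]
        $ok = if ($null -eq $c.Expect) { -not [string]::IsNullOrWhiteSpace($value) } else { $value -eq $c.Expect }
        [pscustomobject]@{
            Check = $c.Key
            Value = $value
            OK    = $ok
            Hint  = if ($ok) { '' } else { $c.Why }
        }
    }
}

Test-DsregStatus | Format-Table -AutoSize
```

Run it in the context of the user whose SSO state you are checking, because the User State and PRT fields are per user.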
Intune Management Extension
Once the workstation is enrolled and is part of Microsoft Endpoint Manager, we can deploy apps, PowerShell scripts, and many configurations.
The service that handles apps and scripts is the Intune Management Extension (IME), and therefore it is dealt with a bit differently.
The Extension synchronizes with Microsoft Endpoint Manager once every hour. If you need to start your PowerShell script immediately, you can either wait an hour (the default), restart the Microsoft Intune Management Extension service on the local device, or trigger a different configuration from Microsoft Endpoint Manager.
Intune Management Extension Win32 app processing steps:
- Retrieve Content Metadata
- Pre-Install Detection
- Extended Requirements
- Integrity Check and Unzip
- Post-Install Detection
- Report Status
IME Event and Log Location
The IME behaves slightly differently from the Windows 10 built-in MDM, but the log location and the event folder are similar to MDM. The information is available at the following site:
Information on the parameters for the IME can be found in the following registry path:
The MSI and the installer logs can be found at the following location:
Note: if you disconnect a device from Azure AD and rejoin it again, you will need to reinstall the IME as it will have a different device identifier.
IME logs can be found here:
The logs are:
Script Execution – when a PowerShell script runs on a Windows 10 device, the script and its output are stored here, but only until execution is complete:
- C:\Program files (x86)\Microsoft Intune Management Extension\Policies\Scripts
- C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Results
- A transcript of the script execution can be found underneath C:_showmewindows (a hidden folder)
- The full content of the script will also be logged in the IntuneManagementExtension.log
- The error code and result output of the script can also be found in the registry:
Event Logs – there are a couple of MDM event logs, which can be found under the following path: Applications and Services Logs > Microsoft > Windows, with the log DeviceManagement-Enterprise-Diagnostics-Provider.
The scheduled task Microsoft > Intune > Intune Management Extension Health Evaluation logs its results in ClientHealth.log.
Example of generic issues
There are many ways to troubleshoot issues when deploying apps. Here are some generic examples:
The MSI Job isn’t created
Things to check:
- Did the Mobile MSI job get delivered to the Windows 10 device?
- Check the registry values under the following keys:
  - HKLM\SOFTWARE\Microsoft\EnterpriseDesktopManagement\S-0-0-00-0000000000-00000000000-00000000000-0000000000-00\MSI\<MSIProductID> (for device-targeted MSI deployments)
  - HKLM\SOFTWARE\Microsoft\EnterpriseDesktopManagement\<UserSID>\MSI\<MSIProductID> (for user-targeted MSI deployments)
Issue: The application is not installed
Things to check:
- Check the Status and LastError registry values.
- Value definitions are below (70 = successfully installed/uninstalled):
  - 10 = Initialized
  - 20 = DownloadInProgress
  - 25 = PendingDownloadRetry
  - 30 = DownloadFailed
  - 40 = DownloadCompleted
  - 48 = PendingUserSession
  - 50 = EnforcementInProgress
  - 55 = PendingEnforcementRetry
  - 60 = EnforcementFailed
  - 70 = EnforcementCompleted
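The PowerShell below is an added example (not part of the original post) that ties the two checks together: it walks the EnterpriseDesktopManagement registry keys named above, translates each job’s Status value with the table above, and lists every MSI job that has not reached 70 together with its LastError. The function name and the HRESULT-style formatting of LastError are my own choices.

```powershell
# Added example (not part of the original post): walk the EnterpriseDesktopManagement registry
# keys named above, translate each job's Status value with the table above, and report every MSI
# job that has not reached 70 (EnforcementCompleted) together with its LastError.
$StatusNames = @{
    10 = 'Initialized';           20 = 'DownloadInProgress';    25 = 'PendingDownloadRetry'
    30 = 'DownloadFailed';        40 = 'DownloadCompleted';     48 = 'PendingUserSession'
    50 = 'EnforcementInProgress'; 55 = 'PendingEnforcementRetry'
    60 = 'EnforcementFailed';     70 = 'EnforcementCompleted'
}

function Get-MsiJobStatus {
    $root = 'HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopManagement'
    # One subkey per target: the all-zero S-0-0-... SID is device-targeted, real SIDs are user-targeted
    foreach ($sidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $target = if ($sidKey.PSChildName -like 'S-0-0-*') { 'Device' } else { "User $($sidKey.PSChildName)" }
        foreach ($job in Get-ChildItem (Join-Path $sidKey.PSPath 'MSI') -ErrorAction SilentlyContinue) {
            $p    = Get-ItemProperty -Path $job.PSPath
            $code = [int]$p.Status          # a missing value reads as 0 and is reported as Unknown
            [pscustomobject]@{
                Target     = $target
                ProductId  = $job.PSChildName
                Status     = $code
                StatusName = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { 'Unknown' }
                LastError  = '0x{0:X8}' -f [int]$p.LastError   # HRESULT-style view of the DWORD
                Succeeded  = ($code -eq 70)
            }
        }
    }
}

$jobs = @(Get-MsiJobStatus)
if ($jobs.Count -eq 0) {
    'No MSI jobs found under EnterpriseDesktopManagement: the job never reached this device.'
} else {
    $jobs | Sort-Object Succeeded, Target | Format-Table -AutoSize
    # Failed or stuck jobs: pair LastError with IntuneManagementExtension.log for the same time window
    $jobs | Where-Object { -not $_.Succeeded } | Format-List Target, ProductId, StatusName, LastError
}
```

A job stuck at 30 or 60 is the one to chase: its LastError plus the matching entries in IntuneManagementExtension.log usually name the download or installer failure.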
In conclusion, there are many ways to troubleshoot Microsoft Endpoint Manager with Windows 10 devices; based on your issue, you can navigate to the relevant logs and start troubleshooting.
More information on Microsoft Endpoint Manager troubleshooting