How to delete PowerShell transcript files with Intune

Shorty 0 Reputation points
2023-02-08T15:35:55.9+00:00

Hi there,

We have several PowerShell scripts that use the Start-Transcript command to do a kind of debug logging when running via the Intune Management Engine. Those files are stored in the default Intune folder in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs and every filename has a timestamp at the end. Our goal is to keep at least the 5 newest log files.

How can we now delete existing log files with PowerShell scripts that run "with" Intune? Currently we are receiving the following error message:

    + FullyQualifiedErrorId : RemoveFileSystemItemArgumentError,Microsoft.PowerShell.Commands.RemoveItemCommand

Is there a way to achieve this with PowerShell? Does Start-Transcript have some kind of log rotation?


7 answers

  1. Shorty 0 Reputation points
    2023-02-10T07:38:57.1+00:00

    @MotoX80

    Why should I do this? It's not only for a single computer, it's for nearly 300 of them, so adding full control / access for everyone is not possible.


  2. MotoX80 32,061 Reputation points
    2023-02-10T16:34:41.9933333+00:00

    > so adding full control / access for everyone is not possible.

    My suggestion for granting everyone access to the logs folder is based on the fact that they are just log files. And you want the user to delete them anyway. Everyone isn't really every account on the network; it would only apply to the users who log on to the desktop. Users on other PCs would need to be admins on that machine in order to get through the C$ share in order to get to the logs folder. And if they have admin access, they can delete them anyway.

    I do not have any experience with Intune, so my comments are basically from a file security and general Windows experience perspective.

    In your image you show that the user is the file owner but the only ACL that would apply is Administrators:Full. So if a given script/user can create a transcript log file, then it should be able to delete them. Unless you have defined an ACL on the logs folder that specifies "Creator Owner:Write", but not delete. If you look at the permissions on the Logs folder with Windows Explorer, does it show the same permissions that Get-Acl shows? Do the permissions on an individual log file show the same as on the logs folder?

    Is this user a member of the Administrators group and does Intune launch the process with UAC elevation? In the transcript file in the first few lines, PS logs Username and RunAs User. Do they both have the user's ID listed?

    Can you create a simple text file and immediately delete it?

        "Log file test."
        # Create a file in the Intune logs folder, then delete it immediately.
        $test_file_name = $env:programdata + "\Microsoft\IntuneManagementExtension\logs\INTUNE-delete-test.log"
        "xxxxx" | Out-File $test_file_name
        Remove-Item $test_file_name
        "Admin test"
        # True only when the current token has the Administrators group enabled (elevated under UAC).
        $admin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
        "Your name is {0}" -f $env:USERNAME
        "Admin level is {0}" -f $admin
        whoami.exe

    If the Stop-Transcript statement is not getting executed, then perhaps PS or Intune still has an open handle on the log file. Download and run the handle utility and search for a log file name.

    https://learn.microsoft.com/en-us/sysinternals/downloads/handle

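Start-Transcript has no retention option of its own, so pruning has to be scripted. The following is an added example, not code from either poster: it keeps the newest five transcripts and reports, per file, whether a failed delete was an access-denied error or an in-use error, the two causes raised in the answer above. The function name and the `MyScript-*.log` filter are assumptions; the thread only says that each filename ends in a timestamp.

```powershell
# Added example. Assumption: transcripts are named 'MyScript-<timestamp>.log'
# (hypothetical pattern; adjust -Filter to your own naming scheme).
function Remove-OldTranscript {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$LogDir = (Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'),
        [string]$Filter = 'MyScript-*.log',
        [ValidateRange(1, 1000)][int]$Keep = 5
    )
    # Newest first; everything after the first $Keep entries is a candidate.
    # With $Keep >= 1 the newest file, normally the running script's own transcript, is kept.
    $old = Get-ChildItem -LiteralPath $LogDir -Filter $Filter -File |
        Sort-Object LastWriteTimeUtc -Descending |
        Select-Object -Skip $Keep

    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($file in $old) {
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove old transcript')) { continue }
        try {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
            [pscustomobject]@{ File = $file.Name; Result = 'Deleted'; Detail = '' }
        }
        catch {
            $ex = $_.Exception
            if ($ex -is [System.UnauthorizedAccessException]) {
                # ACL problem: record who ran the script and who owns the file.
                $owner = try { (Get-Acl -LiteralPath $file.FullName -ErrorAction Stop).Owner } catch { 'unknown' }
                $result = 'AccessDenied'; $detail = "running as $me, owner $owner"
            } elseif ($ex -is [System.IO.IOException]) {
                # Typically an open handle, e.g. a transcript that was never stopped.
                $result = 'InUse'; $detail = $ex.Message
            } else {
                $result = 'Failed'; $detail = $ex.Message
            }
            [pscustomobject]@{ File = $file.Name; Result = $result; Detail = $detail }
        }
    }
}

# Dry run: lists what would be removed. Drop -WhatIf for the real pass, and call it
# before Start-Transcript or after Stop-Transcript.
Remove-OldTranscript -WhatIf
```

Writing the returned objects into the current transcript gives a per-device record of which files could not be removed and why, without widening the ACL on the Logs folder.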