Accessing Event Viewer Logs on AAD Remote Computer

Question

Accessing Event Viewer Logs on AAD Remote Computer

Mikkel Lund Knudsen 116

Hey,

So we got a bunch of supporters asking for how to access Event Viewer Remotely.

Devices are Windows 11 running AAD. (not hybrid).

What do we need to configure in Intune, and which firewall ports are required to be opened?

Mikkel Lund Knudsen 116 Reputation points

2022-09-22T19:55:56.397+00:00

Anyone else having a nice and easy way of collecting logs on a AAD device?
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-09-22T22:26:36.54+00:00

Is there a reason the built-in diagnostic log collection in Intune does not meet your needs or requirements?
Mikkel Lund Knudsen 116 Reputation points

2022-09-22T22:28:33.46+00:00

It takes way too long time.
I can't choose which one to include or exclude - and its not live.

Am I the only one missing this for troubleshooting live?
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-09-26T17:08:08.077+00:00

Live troubleshooting falls more in the domain of Remote Help. In the modern world, you really shouldn't assume connectivity to an end-user's device. I know there are plenty of times where you can probably assume that, but that's just not a core assumption of AADJ.
Ihab Abedrabbo 21 Reputation points

2025-05-28T08:09:34.13+00:00

I was looking for a solution as well since ages and still Microsoft have not provided anything similar to on-premises local AD joined devices. This is really really really irritating and super frustrating, it seems that Microsoft adds only more and more components and not-so-elegant porkarounds to achieve something so simple and trivial in the old days! Really pathetic

1 answer

Your answer

Mikkel Lund Knudsen 116 Reputation points

2022-09-22T19:55:56.397+00:00

Anyone else having a nice and easy way of collecting logs on a AAD device?
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-09-22T22:26:36.54+00:00

Is there a reason the built-in diagnostic log collection in Intune does not meet your needs or requirements?
Mikkel Lund Knudsen 116 Reputation points

2022-09-22T22:28:33.46+00:00

It takes way too long time.
I can't choose which one to include or exclude - and its not live.

Am I the only one missing this for troubleshooting live?
Jason Sandys 31,406 Reputation points Microsoft Employee Moderator

2022-09-26T17:08:08.077+00:00

Live troubleshooting falls more in the domain of Remote Help. In the modern world, you really shouldn't assume connectivity to an end-user's device. I know there are plenty of times where you can probably assume that, but that's just not a core assumption of AADJ.
Ihab Abedrabbo 21 Reputation points

2025-05-28T08:09:34.13+00:00

I was looking for a solution as well since ages and still Microsoft have not provided anything similar to on-premises local AD joined devices. This is really really really irritating and super frustrating, it seems that Microsoft adds only more and more components and not-so-elegant porkarounds to achieve something so simple and trivial in the old days! Really pathetic

Answer 1

Crystal-MSFT 53,981 Microsoft External Staff

@Mikkel Lund Knudsen , Based on my research, Intune has a feature "Windows 10 Device diagnostics" which utilizes the Windows DiagnosticLog CSP, allowing Intune to collect a set of files, like registry, event viewers and commands. For the event viewer log, it contains Application, System, Setup and Applocker related event log. We can see more details in the following link:
https://learn.microsoft.com/en-us/mem/intune/remote-actions/collect-diagnostics

On windows 11 device, we can also use this feature. on the device, select "Collect diagnostics" to collect the log. After the status shows complete. Go to "Device diagnostics" and click download button to download the logs.

https://techcommunity.microsoft.com/t5/intune-customer-success/intune-public-preview-windows-10-device-diagnostics/ba-p/2179712

In addition, for the firewall port, I didn't find the official article mentioned any additional ports required. We can firstly try the above feature. if it is failed to collect due to port issue, we can capture netmon log to see which port is used.

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Mikkel Lund Knudsen 116 Reputation points

2022-09-08T09:38:41.743+00:00

So instead of collecting the logs remote - we want to configure Intune so that it can grab logs on the devices?

How long are they kept?
What about the data - is it kept locally in the browser, or kept in Intune?
If its kept in Intune, then who pays for the data?
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-09-09T05:39:32.57+00:00

@Mikkel Lund Knudsen , Thanks for your reply. From your description, It seems you don't want to use "Collect diagnostics". If there's any misunderstanding, please let us know.

Could you let us know what you want Intune really do? What event log you want Intune to collect? And Where you want the log to put?

In General, the diagnostic collection is stored for 28 days in Intune and then deleted. Each device may have up to 10 diagnostics. After 10, the oldest set of diagnostics is removed and replaced. And the maximum size of diagnostics is 250 MB. This feature is included with your M365, Intune, EMS, or otherwise qualifying subscription. It didn't need any extra cost.

Meanwhile, after we click download, the data will be downloaded to the local device where you do this action.

Hope it can help.
Mikkel Lund Knudsen 116 Reputation points

2022-09-09T09:28:16.513+00:00

Let me test this out.

Collecting Logs atm :)

EDIT : The .zip file I downloaded has like 1-50 folders in the .zip - go figure out where the Application, System end Security Event Logs are.

Completely messed up way of doing Log Collection :(
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-09-12T03:09:08.35+00:00

@Mikkel Lund Knudsen ,, Yes, this feature will collect a series of logs.

Currently, it can't select to collect a part of these logs. But you can feedback to Intune uservoice to see if we can have the feature to collect the logs selectively in the future.
https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472

Thanks for your understanding.
Mikkel Lund Knudsen 116 Reputation points

2022-09-12T08:52:31.107+00:00

So actually - the folders of 30, 43 and 44 would be Application, Setup and System? :)

Nice to know.
Crystal-MSFT 53,981 Reputation points Microsoft External Staff

2022-09-13T03:00:20.21+00:00

@Mikkel Lund Knudsen , I have tested on some devices and the result is the same. So I think yes, the folders of 30, 43 and 44 would be Application, Setup and System.
Mikkel Lund Knudsen 116 Reputation points

2022-09-13T11:27:55.327+00:00

Thank you :)
Gill, Amarjeet 1 Reputation point

2022-09-19T13:47:09.517+00:00

Wanted to post this tip as wasn't clear to me. Use the Windows native zip (right click on file>Open with> Windows explorer) to unarchive the file. It will retain the formatting. 7-zip was not able to maintain the format.

Share via

Accessing Event Viewer Logs on AAD Remote Computer

1 answer

Your answer