Use logs and diagnostics to investigate device issues
When the Microsoft Intune admin center displays a generic "Error" or "Failed" status for a policy or app deployment, it tells you what went wrong, but rarely why. To uncover the "why," administrators must dig into the granular data generated by the device itself.
By collecting and interpreting local device logs and telemetry, you can transition from guessing what caused a failure to definitively proving the root cause.
Here is how to gather and analyze device diagnostics across your managed fleet.
Collect diagnostics remotely via Intune
For Windows devices, you do not need to interrupt the end-user or initiate a remote control session to gather critical logs. Intune provides a built-in remote action to pull this data silently.
How to trigger remote collection
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > All devices and select the failing Windows device.
- Across the top action bar, select Collect diagnostics (you may need to click the ... menu to see it).
- Intune will send a command to the device to zip up its registry keys, MDM event logs, and system information.
How to download the logs
- Once the action completes, navigate to Monitor > Device diagnostics.
- In the row for the action, select ... > Download, then select Yes.
- What to look for: Inside the zip, open the MDMDiagReport.html file. This is a highly readable summary of all applied policies, enrollment details, and current configuration states. You should also review the raw Event Viewer logs (.evtx files) included in the bundle.
Tip
With Copilot embedded and the license active, you can get these insights more easily. Copilot brings all device information into a single pane. Navigate to Devices > All devices, select a device, and click the Copilot button, Summarize with Copilot (top right).
Collect logs locally on the device
If the device is offline, failing to communicate with Intune, or running a non-Windows OS, you must gather logs locally.
Windows Advanced Diagnostic Report
If you have physical access to the device or are on a support call with the user:
- Go to Settings > Accounts > Access work or school.
- Click on the connected Microsoft Entra ID or Intune account and select Info.
- Scroll to the bottom and click Create report.
- The path to the generated HTML file will be displayed (usually C:\Users\Public\Documents\MDMDiagnostics\MDMDiagReport.html).
Mobile Devices (iOS, iPadOS, Android)
Mobile operating systems heavily restrict direct log access. You must use the Intune Company Portal app.
- Instruct the user to open the Company Portal app.
- Have them shake their device (iOS only), or navigate to the app's settings menu and select Help or Get help and then Send logs.
- This process uploads the logs directly to Microsoft and provides the user with an Incident ID.
- You can provide this Incident ID to Microsoft Support to help them isolate the issue on their backend.
Interpret Windows MDM Event Logs
When diagnosing complex Windows deployment failures (such as a custom OMA-URI failing to apply), the Event Viewer is your most powerful tool.
Where to find the MDM logs
Whether viewing locally on the machine or analyzing the .evtx files from a remote diagnostic pull, navigate to:
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin
Key Event IDs to track
- Event ID 814: Indicates that a string policy was successfully applied. This confirms Intune successfully pushed the setting to the local registry.
- Event ID 404: Indicates a failure. The device received the command from Intune but could not execute it. The error description will often provide the exact registry path or CSP (Configuration Service Provider) that failed.
- Event ID 11: Indicates the start of a synchronization session with the Intune management server.
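One way to pull the three Event IDs above from the live log, or from an .evtx file extracted from the diagnostics zip, and group them by sync session. This is an added example, not part of the original page or of Microsoft's tooling; the `$EvtxPath` parameter and the session-grouping approach are assumptions made for illustration.

```powershell
# Added example: triage MDM Admin events by sync session.
# $EvtxPath is a hypothetical parameter; omit it to read the live log on the device.
param(
    [string]$EvtxPath   # e.g. an .evtx file extracted from the Collect diagnostics zip
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$ids     = 11, 404, 814   # the Event IDs listed on this page

# Build the filter: offline file if a path was given, otherwise the live channel.
$filter = @{ Id = $ids }
if ($EvtxPath) {
    if (-not (Test-Path -LiteralPath $EvtxPath)) { throw "File not found: $EvtxPath" }
    $filter.Path = (Resolve-Path -LiteralPath $EvtxPath).Path
} else {
    $filter.LogName = $logName
}

# Get-WinEvent raises an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)
if ($events.Count -eq 0) { Write-Warning 'No events with ID 11, 404 or 814 found.'; return }

# Walk events oldest-first; each Event ID 11 opens a new session.
# Session 0 holds anything logged before the first Event ID 11 in the data.
$session = 0
$rows = foreach ($e in $events) {
    if ($e.Id -eq 11) { $session++ }
    [pscustomobject]@{
        Session = $session
        Time    = $e.TimeCreated
        Id      = $e.Id
        Message = ($e.Message -split "`r?`n")[0]   # keep the first line of the description
    }
}

# Per-session summary: how many settings applied (814) versus failed (404).
$rows | Group-Object Session | ForEach-Object {
    [pscustomobject]@{
        Session = $_.Name
        Started = ($_.Group | Select-Object -First 1).Time
        Applied = @($_.Group | Where-Object Id -eq 814).Count
        Failed  = @($_.Group | Where-Object Id -eq 404).Count
    }
} | Format-Table -AutoSize

# Failure details: the description usually names the CSP or registry path that failed.
$rows | Where-Object Id -eq 404 | Format-List Session, Time, Message
```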
Leverage Endpoint Analytics for proactive telemetry
While Event Logs are great for reactive troubleshooting (fixing a broken policy), Endpoint Analytics provides proactive telemetry to investigate system-level device issues before the user even opens a ticket.
- Location: In the Intune admin center, go to Reports > Endpoint analytics.
- Startup performance: If a user complains their device is "slow," use this telemetry to see exactly how many seconds it takes to boot, and which specific Group Policies or background apps are causing the delay.
- Application reliability: If a line-of-business app keeps crashing, this telemetry will show you the exact crash rate across your entire fleet, helping you determine if a recent Windows Update or a bad app version is the root cause.
- Work from anywhere: Use this report to evaluate how prepared devices are for secure remote productivity (for example, cloud identity readiness and cloud management posture) when troubleshooting remote-work issues.
- Advanced Analytics: For deeper insights, Advanced Analytics adds additional reports and capabilities, but it requires a separate Microsoft Intune Advanced Analytics license (or Intune Suite, if applicable).