Logs Collection: The hack

In this post, an easy way to collect logs from individual endpoints will be described.

Many of us have deployed several applications and scripts through Intune, where a logging mechanism is in place. The problem is that by default we are unable to gather these logs and read them. Of course we can reach out to the user and collect them, but this requires much effort and time. There is one way to collect them without much work.

Intune Management Extension Log Folder

The Intune Management Extension (IME) is a service that runs on the device and helps us deploy applications and scripts to the endpoints. It stores useful logs relevant to its function and our deployments in the following location: C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

Diagnostics collection

We can collect diagnostics from our endpoints either directly on the device, by opening Settings -> Accounts -> Access work or school -> (select the user account) -> Info -> (scroll to the bottom of the page) -> Create report

or from Intune itself, by clicking “Collect Diagnostics” on the device blade.

These logs provide useful information about many aspects of the device, but the part we are interested in here is the IME logs.

By opening this folder we can see the IME logs.

You may have already understood how we are going to collect our custom logs from the endpoint.

Custom logs collection

The way to go here is to write our own logs to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

For demonstration purposes I created a simple remediation script, which simply writes an output log to the above location (check this simple guide to logging).

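# Record everything the script outputs into a file inside the IME log folder
Start-Transcript -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\log.txt" -Append -ErrorAction Stop

Write-Host "This is a custom log message. Hey!"
Write-Host "And this is another log message"
Write-Host "Where are these logs saved?"

# Close the transcript so the file is flushed and released
Stop-Transcript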


After deploying this script, collecting diagnostics again and opening the IME folder, we can see that the newly created log file is present there.

That way we can quickly and easily collect debugging logs from our endpoints.

The drawback of this approach is that we have to manually collect diagnostics for each device by repeating the above process.
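A fuller variant of the remediation script above, as an added example that is not code from the original post: it writes timestamped lines to its own file in the IME log folder, masks obvious secrets before they reach a file that travels in the diagnostics package, and caps the file size. The file name CustomRemediation.log, the function Write-CustomLog, the 1MB cap and the sample token value are assumptions made for illustration, and the script is assumed to run with rights to write to that folder.

```powershell
# Added example. Assumed names: CustomRemediation.log, Write-CustomLog, 1MB cap.
# Assumes the script runs with rights to write to the IME log folder.
$LogDir   = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
$LogFile  = Join-Path $LogDir 'CustomRemediation.log'
$MaxBytes = 1MB

function Write-CustomLog {
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('INFO', 'WARN', 'ERROR')][string]$Level = 'INFO'
    )
    # The file ends up in the diagnostics package, so mask obvious secrets first.
    $safe = $Message -replace '(?i)\b(password|secret|token|apikey)\s*[=:]\s*\S+', '$1=<redacted>'

    # Keep one previous generation so the file cannot grow without bound.
    if ((Test-Path -LiteralPath $LogFile) -and
        (Get-Item -LiteralPath $LogFile).Length -gt $MaxBytes) {
        Move-Item -LiteralPath $LogFile -Destination "$LogFile.old" -Force
    }

    $line = '{0} [{1}] {2}' -f (Get-Date -Format 'o'), $Level, $safe
    Add-Content -LiteralPath $LogFile -Value $line -Encoding UTF8
}

try {
    Write-CustomLog "Remediation started on $env:COMPUTERNAME"
    # Constructed sample message: the token value is written as <redacted>.
    Write-CustomLog -Level WARN -Message 'Retrying call with token=abc123'
    Write-CustomLog 'Remediation finished'
    exit 0
}
catch {
    # Record the failure reason, then signal it through a non-zero exit code.
    Write-CustomLog -Level ERROR -Message "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Unlike Start-Transcript, this only records what is passed to Write-CustomLog, so the script decides exactly what leaves the device in the diagnostics package.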
