David Overton's Blog and Discussion Site
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small. I specialise in Windows Intune and SBS 2008.
This blog is purely the personal opinions of David Overton. If you can't find the information you were looking for e-mail me at admin@davidoverton.com.


Log files on each PC with Windows Intune

Intune Log Files

Windows Intune is a cloud-based management service with alerts and information stored in the Microsoft cloud. However, it is sometimes very useful to see what is going on on the actual PC. There are various log files that can be found on the client PC should you wish to explore. These are found at %ProgramFiles%\microsoft\onlinemanagement\logs.

We can see several files in here, of which the following are particularly interesting if we want to go diving into the product:

  • Enrollment – This file details the process of a computer enrolling with Windows Intune.  If the computer fails to appear in the Windows Intune list of computers, this is the log to watch. If enrollment to Windows Intune for the computer was successful, we should see the following in the log file:

2011-10-05 09:00:46:615 12260 2d7c Enroll *********
2011-10-05 09:00:46:615 12260 2d7c Enroll **  END  **  Enroll: StartUpdateAgentService: Online Management Updates Service started, or already running
2011-10-05 09:00:46:615 12260 2d7c Enroll *************

  • HostProtection – This log provides details of any anti-malware activity on the computer.  For example, a malware entry will be logged as below:

2011-11-14    13:35:28:093    4076    2b78    EventConsumer::ReportMalwareStatusEvent() -
<sco:MalwareStatusEvent xmlns:sco="schemas.microsoft.com/management/services/hostprotection/2009/01" ActivityType="FullStatusResync">
<MalwareStatus>
<ID>7480</ID>
<Name>RemoteAccess:Win32/RealVNC</Name>
<URL>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=RemoteAccess%3AWin32%2FRealVNC&amp;threatid=7480</URL>
<Severity>Moderate</Severity>
<Category>RemoteControlSoftware</Category>
<CurrentStatus>Quarantined</CurrentStatus>
<ExecutionStatus>NotBlocked</ExecutionStatus>
<LastEventTime>2011-10-22T13:16:50.303630900Z</LastEventTime>
<NumDetections>1</NumDetections>
</MalwareStatus>

  • PolicyAgent – In here, we can see what is happening with policies, so we might see lines like this:

2011-11-14    22:22:33:713    4708    3b30    Found 8 updated policies. Updating stored priorities.
2011-11-14    22:22:33:713    4708    3b30    Adding prioritization entry: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2 -> 0.

2011-11-14    22:22:33:740    4708    3b30    Processing Policy enactment.
2011-11-14    22:22:33:827    4708    3b30    Scoping policy to: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2

2011-11-14    22:23:10:995    4708    3b30    No setting changes were detected from last enactment.
2011-11-14    22:23:10:995    4708    3b30    Not sending 'no change' report as it is not time yet.
2011-11-14    22:23:11:266    4708    3b30    Deleted Policy Platform reports for JobId: 88A32B3C-0934-4979-A4F8

  • RemoteAssistance – This log shows the start and stop of requests for remote assistance.
  • TaskExecution – This log shows task requests.
  • Updates – This details information about updates evaluated and executed, for example:

    2011-11-14    22:22:32:588    8732    3298    Agent    *************
    2011-11-14    22:22:32:588    8732    3298    Agent    ** START **  Agent: Finding updates [CallerId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:588    8732    3298    Agent    *********
    2011-11-14    22:22:32:588    8732    3298    Agent      * Online = No; Ignore download priority = No
    2011-11-14    22:22:32:588    8732    3298    Agent      * Criteria = "categoryids contains '079245C3-8311-462a-B5C3-D1B28F515203'"
    2011-11-14    22:22:32:588    8732    3298    Agent      * ServiceID = Windows Intune
    2011-11-14    22:22:32:588    8732    3298    Agent      * Search Scope = {Machine}
    2011-11-14    22:22:32:753    8732    3298    Agent    Skipping search for Windows Updates due to category criteria
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {2F941A3D-666A-42F7-8FBD-2FFF0093723D}.4 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {7917987F-6437-4004-920F-51553913C646}.4 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {90997A53-BC2D-DC61-84ED-F35C3D7435E0}.1 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {1F7434B8-656E-C9DC-C769-4A3CBC1DD489}.1 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {49A0A378-D7CE-E838-93C2-BC5867138363}.3 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C}.2 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {E6A51D20-7021-B5C3-3D34-3ADAE2E61E18}.10 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {6CF2F3FA-591F-D220-87FC-A2AC36530AC3}.5 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Found 8 updates and 3 categories in search; evaluated appl. rules of 20 out of 69 deployed entities
    2011-11-14    22:22:32:756    8732    3298    Agent    *********
    2011-11-14    22:22:32:756    8732    3298    Agent    **  END  **  Agent: Finding updates [CallerId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:756    8732    3298    Agent    *************
    2011-11-14    22:22:32:756    4708    1f48    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:766    4708    1f48    COMAPI      - Updates found = 8
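
As an added example (not from the original post or from Microsoft), the Python sketch below pulls the MalwareStatus records out of a HostProtection log in the format shown above and lists those whose CurrentStatus is not Quarantined. The sample log is constructed, the function names are hypothetical, and the status value ConstructedOtherStatus is a placeholder, not a real product value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first record copies fields from the excerpt above; the rest is made up.
SAMPLE_LOG = """\
2011-11-14\t13:35:28:093\t4076\t2b78\tEventConsumer::ReportMalwareStatusEvent() -
<sco:MalwareStatusEvent xmlns:sco="schemas.microsoft.com/management/services/hostprotection/2009/01" ActivityType="FullStatusResync">
<MalwareStatus>
<ID>7480</ID>
<Name>RemoteAccess:Win32/RealVNC</Name>
<Severity>Moderate</Severity>
<CurrentStatus>Quarantined</CurrentStatus>
</MalwareStatus>
<MalwareStatus>
<ID>0</ID>
<Name>Constructed:Example/Sample</Name>
<CurrentStatus>ConstructedOtherStatus</CurrentStatus>
</MalwareStatus>
</sco:MalwareStatusEvent>
2011-11-14\t13:40:00:000\t4076\t2b78\tEventConsumer::ReportMalwareStatusEvent() -
<MalwareStatus>
<ID>1</ID>
"""

# Header layout seen in the excerpts: date, time, PID, thread id (hex), message.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2})[ \t]+(\d{2}:\d{2}:\d{2}:\d{3})[ \t]+"
                    r"(\d+)[ \t]+([0-9a-fA-F]+)[ \t]+(.*)$", re.M)
BLOCK = re.compile(r"<MalwareStatus>.*?</MalwareStatus>", re.S)

def malware_records(log_text):
    """Return one dict per complete <MalwareStatus> block, tagged with its log time."""
    headers = list(HEADER.finditer(log_text))
    ends = [h.start() for h in headers[1:]] + [len(log_text)]
    records = []
    for h, end in zip(headers, ends):
        if "ReportMalwareStatusEvent" not in h.group(5):
            continue
        # Parse each block on its own: the event wrapper may be cut off, and a
        # bare fragment cannot carry a DOCTYPE, so no entities get expanded.
        for m in BLOCK.finditer(log_text, h.end(), end):
            try:
                node = ET.fromstring(m.group(0))
            except ET.ParseError:
                continue  # malformed record: skip it rather than abort the scan
            records.append({"Logged": f"{h.group(1)} {h.group(2)}",
                            **{c.tag: (c.text or "").strip() for c in node}})
    return records

def not_quarantined(records):
    """Records whose CurrentStatus is anything other than Quarantined."""
    return [r for r in records if r.get("CurrentStatus") != "Quarantined"]
```

The last event in the sample is cut off before its closing tag, as the excerpt above is, and is skipped because only complete MalwareStatus blocks are parsed.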

Feel free to explore the logs.

David


Posted Tue, Nov 15 2011 8:25 AM by David Overton


(c)David Overton 2006-13