Windows Intune is a cloud-based management service, with alerts and information stored in the Microsoft cloud. However, it is sometimes very useful to see what is happening on the actual PC. There are various log files on the client PC should you wish to explore; they are found at %ProgramFiles%\microsoft\onlinemanagement\logs.
We can see several files in here, of which the following are particularly interesting if we want to go diving into the product:
- Enrollment – This file details the process of a computer enrolling with Windows Intune. If the computer fails to appear in the Windows Intune list of computers, this is the log to watch. If enrollment to Windows Intune for the computer was successful, we should see the following in the log file:
2011-10-05 09:00:46:615 12260 2d7c Enroll *********
2011-10-05 09:00:46:615 12260 2d7c Enroll ** END ** Enroll: StartUpdateAgentService: Online Management Updates Service started, or already running
2011-10-05 09:00:46:615 12260 2d7c Enroll *************
- HostProtection – This log provides details of any anti-malware activity on the computer. For example, a malware entry will be logged as below:
2011-11-14 13:35:28:093 4076 2b78 EventConsumer::ReportMalwareStatusEvent() -
<sco:MalwareStatusEvent xmlns:sco="schemas.microsoft.com/management/services/hostprotection/2009/01" ActivityType="FullStatusResync">
<MalwareStatus>
<ID>7480</ID>
<Name>RemoteAccess:Win32/RealVNC</Name>
<URL>http://go.microsoft.com/fwlink/?linkid=37020&name=RemoteAccess%3AWin32%2FRealVNC&threatid=7480</URL>
<Severity>Moderate</Severity>
<Category>RemoteControlSoftware</Category>
<CurrentStatus>Quarantined</CurrentStatus>
<ExecutionStatus>NotBlocked</ExecutionStatus>
<LastEventTime>2011-10-22T13:16:50.303630900Z</LastEventTime>
<NumDetections>1</NumDetections>
</MalwareStatus>
- PolicyAgent – In here, we can see what is happening with policies, so we might see lines like this:
2011-11-14 22:22:33:713 4708 3b30 Found 8 updated policies. Updating stored priorities.
2011-11-14 22:22:33:713 4708 3b30 Adding prioritization entry: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2 -> 0.
2011-11-14 22:22:33:740 4708 3b30 Processing Policy enactment.
2011-11-14 22:22:33:827 4708 3b30 Scoping policy to: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2
2011-11-14 22:23:10:995 4708 3b30 No setting changes were detected from last enactment.
2011-11-14 22:23:10:995 4708 3b30 Not sending 'no change' report as it is not time yet.
2011-11-14 22:23:11:266 4708 3b30 Deleted Policy Platform reports for JobId: 88A32B3C-0934-4979-A4F8
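To pull the detections out of the HostProtection log for triage, the sketch below parses each MalwareStatus block and ties it to the log line that reported it. It is an added example, not part of the original post or of Intune itself; the sample is the excerpt above exactly as shown (bare `&` in the URL, outer element not closed), and reading the two columns after the timestamp as process id and hex thread id is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the HostProtection excerpt from the post, as it appears there
# (unescaped '&' in the URL, outer sco:MalwareStatusEvent element not closed).
SAMPLE_LOG = """\
2011-11-14 13:35:28:093 4076 2b78 EventConsumer::ReportMalwareStatusEvent() -
<sco:MalwareStatusEvent xmlns:sco="schemas.microsoft.com/management/services/hostprotection/2009/01" ActivityType="FullStatusResync">
<MalwareStatus>
<ID>7480</ID>
<Name>RemoteAccess:Win32/RealVNC</Name>
<URL>http://go.microsoft.com/fwlink/?linkid=37020&name=RemoteAccess%3AWin32%2FRealVNC&threatid=7480</URL>
<Severity>Moderate</Severity>
<Category>RemoteControlSoftware</Category>
<CurrentStatus>Quarantined</CurrentStatus>
<ExecutionStatus>NotBlocked</ExecutionStatus>
<LastEventTime>2011-10-22T13:16:50.303630900Z</LastEventTime>
<NumDetections>1</NumDetections>
</MalwareStatus>
"""

# Header layout assumed: timestamp (':' before the milliseconds), PID, hex thread id, message.
HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}:\d{3}) (\d+) ([0-9a-f]+) (.*)$", re.M)
STATUS = re.compile(r"<MalwareStatus>.*?</MalwareStatus>", re.S)
BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)")

def parse_malware_status(log_text):
    """Return one dict per <MalwareStatus> block, tagged with the log line that reported it."""
    headers = [(m.start(), m) for m in HEADER.finditer(log_text)]
    results = []
    for block in STATUS.finditer(log_text):
        # Escape bare '&' so the fragment is well-formed, then parse the block on its own;
        # this avoids depending on the (possibly truncated) outer element.
        elem = ET.fromstring(BARE_AMP.sub("&amp;", block.group(0)))
        entry = {child.tag: (child.text or "").strip() for child in elem}
        # Attach the most recent header line that precedes this block.
        prior = [m for pos, m in headers if pos < block.start()]
        if prior:
            ts, pid, tid, _msg = prior[-1].groups()
            entry["LoggedAt"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S:%f")
            entry["PID"], entry["TID"] = int(pid), tid
        results.append(entry)
    return results

if __name__ == "__main__":
    for e in parse_malware_status(SAMPLE_LOG):
        print(e["LoggedAt"], e["Name"], e["Severity"], e["CurrentStatus"], e["NumDetections"])
```

Parsing each block separately rather than the whole event keeps the script working on excerpts and on logs cut off mid-write.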
Feel free to explore the logs.
David
Posted Tue, Nov 15 2011 8:25 AM by David Overton