David Overton's Blog and Discussion Site
This site is my way to share my views and general business and IT information with you about Microsoft, IT solutions for ISVs, technologists and businesses, large and small.  
Log files on each PC with Windows Intune

Intune Log FilesWindows Intune is a cloud based management service with alerts and information stored in the Microsoft cloud, however sometimes it is very useful to see what is going on, on the actual PC.  There are various log files that can be found on the client PC should you wish to explore.  These are found at %ProgramFiles%\microsoft\onlinemanagement\logs.

 

 

 

 

We can see several files in here, of which the following are particularly interesting if we want to go diving into the product:

  • Enrollment – This file details the process of a computer enroling with Windows Intune.  If the computer fails to appear in the Windows Intune list of computers, this is the log to watch. If enrollment to Windows Intune for the computer was successful we should see the following in the log file:

2011-10-05 09:00:46:615 12260 2d7c Enroll *********
2011-10-05 09:00:46:615 12260 2d7c Enroll **  END  **  Enroll: StartUpdateAgentService: Online Management Updates Service started, or already running
2011-10-05 09:00:46:615 12260 2d7c Enroll *************

  • HostProtection – This log provides details of any anti-malware activity on the computer.  For example, a malware entry will be logged as below:

2011-11-14    13:35:28:093    4076    2b78    EventConsumer::ReportMalwareStatusEvent() -
<sco:MalwareStatusEvent xmlns:sco="schemas.microsoft.com/management/services/hostprotection/2009/01" ActivityType="FullStatusResync">
<MalwareStatus>
<ID>7480</ID>
<Name>RemoteAccess:Win32/RealVNC</Name>
<URL>http://go.microsoft.com/fwlink/?linkid=37020&amp;name=RemoteAccess%3AWin32%2FRealVNC&amp;threatid=7480</URL>
<Severity>Moderate</Severity>
<Category>RemoteControlSoftware</Category>
<CurrentStatus>Quarantined</CurrentStatus>
<ExecutionStatus>NotBlocked</ExecutionStatus>
<LastEventTime>2011-10-22T13:16:50.303630900Z</LastEventTime>
<NumDetections>1</NumDetections>
</MalwareStatus>

  • PolicyAgent – In here, we can see what is happening with policies, so we might see lines like this:

2011-11-14    22:22:33:713    4708    3b30    Found 8 updated policies. Updating stored priorities.
2011-11-14    22:22:33:713    4708    3b30    Adding prioritization entry: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2 -> 0.

2011-11-14    22:22:33:740    4708    3b30    Processing Policy enactment.
2011-11-14    22:22:33:827    4708    3b30    Scoping policy to: SystemCenterOnline:2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C:2

2011-11-14    22:23:10:995    4708    3b30    No setting changes were detected from last enactment.
2011-11-14    22:23:10:995    4708    3b30    Not sending 'no change' report as it is not time yet.
2011-11-14    22:23:11:266    4708    3b30    Deleted Policy Platform reports for JobId: 88A32B3C-0934-4979-A4F8

  • RemoteAssistance – This log shows the start and stop of requests for remote assistance.
  • TaskExecution – This log shows task requests
  • Updates – This details information about updates evaluated and executed, for example:

    2011-11-14    22:22:32:588    8732    3298    Agent    *************
    2011-11-14    22:22:32:588    8732    3298    Agent    ** START **  Agent: Finding updates [CallerId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:588    8732    3298    Agent    *********
    2011-11-14    22:22:32:588    8732    3298    Agent      * Online = No; Ignore download priority = No
    2011-11-14    22:22:32:588    8732    3298    Agent      * Criteria = "categoryids contains '079245C3-8311-462a-B5C3-D1B28F515203'"
    2011-11-14    22:22:32:588    8732    3298    Agent      * ServiceID = Windows Intune
    2011-11-14    22:22:32:588    8732    3298    Agent      * Search Scope = {Machine}
    2011-11-14    22:22:32:753    8732    3298    Agent    Skipping search for Windows Updates due to category criteria
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {2F941A3D-666A-42F7-8FBD-2FFF0093723D}.4 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {7917987F-6437-4004-920F-51553913C646}.4 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {90997A53-BC2D-DC61-84ED-F35C3D7435E0}.1 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {1F7434B8-656E-C9DC-C769-4A3CBC1DD489}.1 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {49A0A378-D7CE-E838-93C2-BC5867138363}.3 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {2E38653A-DCD2-DD5A-A762-ADEEAFC7B50C}.2 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {E6A51D20-7021-B5C3-3D34-3ADAE2E61E18}.10 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Added update {6CF2F3FA-591F-D220-87FC-A2AC36530AC3}.5 to search result
    2011-11-14    22:22:32:754    8732    3298    Agent      * Found 8 updates and 3 categories in search; evaluated appl. rules of 20 out of 69 deployed entities
    2011-11-14    22:22:32:756    8732    3298    Agent    *********
    2011-11-14    22:22:32:756    8732    3298    Agent    **  END  **  Agent: Finding updates [CallerId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:756    8732    3298    Agent    *************
    2011-11-14    22:22:32:756    4708    1f48    COMAPI    >>--  RESUMED  -- COMAPI: Search [ClientId = Microsoft Online Management Policy Agent]
    2011-11-14    22:22:32:766    4708    1f48    COMAPI      - Updates found = 8

Feel free to explore the logs

 

David


Posted Tue, Nov 15 2011 8:25 AM by David Overton

Comments

Dan wrote re: Log files on each PC with Windows Intune
on Mon, Oct 31 2016 1:42 PM

"onlinemanagement" not a folder anywhere on the hard drive. Definitely not at that path.

David Overton wrote re: Log files on each PC with Windows Intune
on Sun, Feb 5 2017 6:23 AM

Dan, this was true in 2011.  Microsoft have moved the log files since then :-)

Add a Comment

(optional)  
(optional)
(required)  
Remember Me?

(c)David Overton 2006-17