How to Control Diagnostic Log Collection on Windows Devices Using Microsoft Intune

Configure Intune policies to manage diagnostic log collection and telemetry data on Windows devices through Settings Catalog policies and admin-initiated collection controls.

April 8, 2026 18 min
hard · intune · 8 steps · 18 min

Why Control Diagnostic Log Collection in Microsoft Intune?

Managing diagnostic log collection on Windows devices through Microsoft Intune is crucial for maintaining security, compliance, and operational efficiency in enterprise environments. As organizations increasingly rely on cloud-based device management, controlling what diagnostic data is collected and transmitted becomes a critical aspect of data governance and privacy protection.

Microsoft Intune's diagnostic collection feature allows administrators to gather comprehensive device logs remotely, including event logs, registry data, policy information, and custom application logs. However, without proper controls, this capability can lead to excessive data collection, privacy concerns, and potential compliance violations. The ability to configure telemetry levels and limit diagnostic data collection helps organizations balance operational needs with data protection requirements.

What Diagnostic Data Does Intune Collect by Default?

By default, Intune's diagnostic collection gathers extensive system information including Windows event logs, MDM policy configurations, registry entries related to device management, and any custom logs placed in the designated collection directory. The process uses the DiagnosticLog Configuration Service Provider (CSP) and the built-in MdmDiagnosticsTool.exe to create comprehensive diagnostic packages.

The collection process is triggered through Graph API calls and delivered via Windows Notification Service (WNS) push notifications, ensuring that administrators can gather logs from devices regardless of their current network location. Understanding how to control this process through Settings Catalog policies and custom configurations allows IT teams to implement precise data collection strategies that align with their organization's security and compliance requirements.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Verify Prerequisites

Start by signing into the Microsoft Intune admin center to verify your environment is ready for diagnostic log management.

Open your browser and navigate to https://endpoint.microsoft.com. Sign in with an administrator account that has the Policy and Profile Manager or Intune Service Administrator role.

Once logged in, verify your devices are properly enrolled by navigating to Devices > All devices > Windows devices. You should see your managed Windows devices listed with their enrollment status showing as "MDM" or "Co-managed".

Pro tip: Check that the Intune Management Extension is installed on your devices by looking for the "Microsoft Intune Management Extension" service in Services.msc on the target devices.

Verify WNS connectivity by checking that devices can reach *.wns.windows.com and *.notify.windows.com. This is crucial for push-triggered diagnostic collection.

Verification: Select a test device and click Sync. The device should show "Sync initiated" and complete within 2-3 minutes, confirming proper communication with Intune services.

02

Create a Settings Catalog Policy to Control Telemetry Collection

Configure a Settings Catalog policy to limit diagnostic data collection at the device level. This controls what telemetry Windows sends to Microsoft and affects the scope of diagnostic logs.

In the Intune admin center, navigate to Devices > Manage devices > Configuration > Create > New policy.

Select the following options:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog

Click Create and name your policy "Diagnostic Data Control Policy" with a description like "Limits diagnostic data collection and telemetry on managed Windows devices".

Click Add settings and search for "telemetry". Add these key settings:

Administrative Templates > Windows Components > Data Collection and Preview Builds:
- Allow Telemetry: Set to "1 - Basic" or "0 - Security [Enterprise only]"
- Disable diagnostic data capture: Enabled
- Configure collection of browsing data for Microsoft 365 Analytics: Disabled

For additional control, search for "diagnostic" and add:

Administrative Templates > Windows Components > Data Collection and Preview Builds:
- Allow device name to be sent in Windows diagnostic data: Disabled
- Limit Enhanced diagnostic data to the minimum required by Windows Analytics: Enabled

Warning: Setting AllowTelemetry to "0 - Security" is only available on Windows Enterprise and Education editions. Standard Windows will default to Basic level.

Verification: After creating the policy, check the Settings tab shows all configured options with their intended values.

03

Configure Device Assignment and Deployment Settings

Assign your diagnostic control policy to the appropriate device groups and configure deployment settings for optimal rollout.

In your Settings Catalog policy, click on the Assignments tab. Choose your assignment strategy:

  • Include groups: Select Azure AD groups containing your target Windows devices
  • Exclude groups: Add any test or pilot groups that need different settings

For a phased rollout, create multiple policies with different telemetry levels:

Pilot Group: AllowTelemetry = "2 - Enhanced"
Production Group: AllowTelemetry = "1 - Basic"
High Security Group: AllowTelemetry = "0 - Security"

Click Next and review your settings. Under Applicability Rules, you can add conditions like:

  • Operating system edition (Enterprise, Professional)
  • Device ownership (Corporate, Personal)

Click Create, then monitor the deployment status in Devices > Monitor > Configuration > Assignment status.

Pro tip: Use a test group first with enhanced telemetry to verify the policy applies correctly before restricting data collection on production devices.

Verification: Check the assignment status shows "Success" for your target devices. On a test device, run gpresult /r in Command Prompt to verify the policy is applied.
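
A device-side check of the telemetry level, as an added example that is not part of the original guide. gpresult reports Group Policy results, so this reads the policy key the guide names in Step 6 and applies the edition rule from the Step 2 warning; the function names and the match on EditionID are assumptions.

```powershell
# Added example (not from the original guide): confirm on the device which
# telemetry level policy delivered and which level the edition will honour.
$LevelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

function Resolve-EffectiveTelemetry {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$Configured,
        [Parameter(Mandatory)][string]$EditionId
    )
    # Assumption: EditionID values starting with Enterprise or Education are the
    # editions that honour "0 - Security"; every other edition falls back to Basic.
    if ($Configured -eq 0 -and $EditionId -notmatch '^(Enterprise|Education)') { return 1 }
    return $Configured
}

function Test-TelemetryPolicy {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 3)][int]$ExpectedLevel,
        # Policy key listed in Step 6 of this guide
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
        [string]$EditionId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    )
    $result = [ordered]@{
        Edition = $EditionId; Expected = $LevelNames[$ExpectedLevel]
        Configured = $null; Effective = $null; Compliant = $false; Reason = ''
    }
    $value = (Get-ItemProperty -Path $PolicyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $value) {
        $result.Reason = 'AllowTelemetry is not set under the policy key; the policy has not applied.'
        return [pscustomobject]$result
    }
    $configured = [int]$value
    if (-not $LevelNames.ContainsKey($configured)) {
        $result.Reason = "Unexpected AllowTelemetry value $configured."
        return [pscustomobject]$result
    }
    $effective = Resolve-EffectiveTelemetry -Configured $configured -EditionId $EditionId
    $result.Configured = $LevelNames[$configured]
    $result.Effective  = $LevelNames[$effective]
    if ($configured -ne $ExpectedLevel) {
        $result.Reason = 'Configured level differs from the level assigned to this group.'
    } elseif ($effective -ne $configured) {
        # The edge case from the Step 2 warning: Security requested, Basic sent
        $result.Reason = "Edition $EditionId does not honour Security; the device sends Basic."
    } else {
        $result.Compliant = $true
    }
    [pscustomobject]$result
}

# Example: a Production Group device is expected to report Basic (1)
Test-TelemetryPolicy -ExpectedLevel 1
```

Run it in an elevated PowerShell session on a test device from each group, passing the level that group's policy assigns.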

04

Set Up Custom Log Collection Paths

Configure custom application logs to be included in Intune's diagnostic collection by placing them in the correct directory structure.

On your managed Windows devices, create the custom log directory if it doesn't exist. Run PowerShell as Administrator and execute:

New-Item -Path "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" -ItemType Directory -Force
Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"

Place your custom application logs in this directory. The logs must meet these requirements:

  • Files must have .log extension
  • No subfolders allowed - flat directory structure only
  • Maximum file size should be under 100MB per log

Example of copying application logs to the collection path:

# Copy application logs to Intune collection directory
Copy-Item "C:\MyApp\Logs\application.log" -Destination "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\MyApp-application.log"
Copy-Item "C:\Program Files\CustomApp\debug.log" -Destination "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\CustomApp-debug.log"

You can automate this process with a PowerShell script deployed via Intune:

# Script to copy custom logs for Intune collection
$LogPath = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"
$SourceLogs = @(
    "C:\MyApp\Logs\*.log",
    "C:\AnotherApp\Logs\*.log"
)

foreach ($Source in $SourceLogs) {
    Get-ChildItem $Source -ErrorAction SilentlyContinue | ForEach-Object {
        # Prefix with the application folder (the parent of "Logs"), e.g. MyApp-application.log,
        # so files with the same name from different applications do not overwrite each other
        $DestName = "$($_.Directory.Parent.Name)-$($_.Name)"
        Copy-Item $_.FullName -Destination "$LogPath\$DestName" -Force
    }
}

Warning: Custom logs in subfolders will NOT be collected. Ensure all .log files are directly in the Logs directory, not in subdirectories.

Verification: List the contents of the collection directory to confirm your custom logs are present: Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs" -Name
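
Everything in this directory is uploaded with the diagnostic package, so it helps to redact credentials while staging a log. The following added example (not part of the original guide) does that and enforces the requirements listed above; the function names and the redaction patterns are assumptions to adapt to your applications' log formats.

```powershell
# Added example (not from the original guide): stage an application log for
# Intune collection with secrets redacted and the Step 4 requirements enforced.
function Protect-LogLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    # Constructed patterns; extend them for the formats your applications write.
    $Line -replace '(?i)(Bearer\s+)[A-Za-z0-9\-._~+/]+=*', '${1}[REDACTED]' `
          -replace '(?i)\b(password|pwd|secret|api[_-]?key|token)(\s*[=:]\s*)\S+', '${1}${2}[REDACTED]'
}

function Publish-LogForCollection {
    param(
        [Parameter(Mandatory)][string]$SourceFile,
        [Parameter(Mandatory)][string]$AppName,
        [string]$CollectionDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs',
        [long]$MaxBytes = 100MB,   # per-file size limit from this guide
        [int]$TailLines = 10000    # lines kept from an oversized file
    )
    $item = Get-Item -LiteralPath $SourceFile -ErrorAction Stop
    New-Item -Path $CollectionDir -ItemType Directory -Force | Out-Null

    # Flat directory, .log extension only: build the name from sanitized parts
    # so an app or file name cannot introduce a subfolder or another extension.
    $safe = { param($s) $s -replace '[^A-Za-z0-9_-]', '_' }
    $dest = Join-Path $CollectionDir ('{0}-{1}.log' -f (& $safe $AppName), (& $safe $item.BaseName))

    # Oversized source: keep only the most recent lines
    $lines = if ($item.Length -gt $MaxBytes) {
        Get-Content -LiteralPath $item.FullName -Tail $TailLines
    } else {
        Get-Content -LiteralPath $item.FullName
    }
    if (-not $lines) { $lines = @('') }   # an empty source still yields a file

    Protect-LogLine -Line $lines | Set-Content -LiteralPath $dest -Encoding UTF8
    Get-Item -LiteralPath $dest
}

# Constructed sample lines (not from a real application) to try the redaction
$sample = @(
    '2026-04-08 10:00:01 INFO  login user=alice password=Example123',
    '2026-04-08 10:00:02 DEBUG Authorization: Bearer abc.def.ghi',
    '2026-04-08 10:00:03 INFO  sync complete'
)
Protect-LogLine -Line $sample

# Staging a real file (path and app name are placeholders):
# Publish-LogForCollection -SourceFile 'C:\MyApp\Logs\application.log' -AppName 'MyApp'
```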

05

Initiate Diagnostic Log Collection via Intune Admin Center

Trigger the diagnostic log collection process for specific devices through the Intune admin center interface.

In the Intune admin center, navigate to Devices > All devices > Windows devices. Select the device you want to collect diagnostics from by clicking on its name.

In the device overview page, locate and click the Collect diagnostics button in the top toolbar. This will trigger the collection process.

The system will display a confirmation dialog. Click Yes to proceed. You'll see a notification that diagnostic collection has been initiated.

Behind the scenes, Intune performs these actions:

1. POST request to: https://graph.microsoft.com/beta/deviceManagement/managedDevices/{deviceId}/createDeviceLogCollectionRequest
2. WNS push notification sent to device
3. Device queues 5-minute delayed task
4. MdmDiagnosticsTool.exe executes with generated input.xml
5. Logs collected and zipped to C:\Windows\SystemTemp\mdmdiagnostics.zip
6. ZIP uploaded to Azure Blob Storage via SAS URL

Monitor the collection progress by navigating to Devices > Monitor > Device diagnostics. The status will show:

  • Pending: Collection request queued
  • In progress: Device is gathering logs
  • Completed: Logs ready for download
  • Failed: Collection encountered an error

Pro tip: The collection process includes a 5-minute delay by design. Don't expect immediate results - allow 5-20 minutes for completion depending on device performance and log volume.

Verification: Check the Device diagnostics page shows your request with a timestamp and "In progress" or "Completed" status.

06

Download and Analyze Collected Diagnostic Logs

Retrieve and examine the diagnostic logs once collection is complete to verify the process worked correctly and review the collected data.

In the Intune admin center, go to Devices > Monitor > Device diagnostics. Locate your completed diagnostic collection request.

Click the Download link next to the completed request. This will download a ZIP file named mdmdiagnostics.zip containing all collected logs.

Extract the ZIP file to examine its contents. The diagnostic package typically includes:

mdmdiagnostics.zip contents:
├── EventLogs/
│   ├── Application.evtx
│   ├── System.evtx
│   └── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider-Admin.evtx
├── Registry/
│   ├── MDM_Registry.txt
│   └── Enrollment_Registry.txt
├── Policies/
│   ├── MDMPolicies.xml
│   └── CSPPolicies.xml
├── CustomLogs/
│   ├── MyApp-application.log
│   └── CustomApp-debug.log
└── DiagnosticInfo.txt

Use PowerShell to programmatically analyze the logs:

# Extract and analyze diagnostic logs
Expand-Archive -Path "mdmdiagnostics.zip" -DestinationPath "C:\DiagnosticAnalysis"

# Check for custom logs
Get-ChildItem "C:\DiagnosticAnalysis" -Recurse -Filter "*.log" | Select-Object Name, Length, LastWriteTime

# Analyze policy application
$PolicyXML = [xml](Get-Content "C:\DiagnosticAnalysis\Policies\MDMPolicies.xml")
$PolicyXML.MDMPolicies.Policy | Where-Object {$_.Name -like "*Telemetry*"} | Select-Object Name, Value

Verify your telemetry control policies are working by checking the registry entries in the diagnostic package:

Look for these registry keys in MDM_Registry.txt:
HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection

Warning: Diagnostic logs may contain sensitive information including registry data, event logs, and custom application logs. Handle and store these files securely according to your organization's data protection policies.

Verification: Confirm the ZIP file contains your custom logs from the IntuneManagementExtension\Logs directory and that telemetry policy settings appear in the registry exports.

07

Configure Automated Log Collection Policies

Set up automated diagnostic collection policies using PowerShell scripts and Intune Win32 apps for regular log gathering without manual intervention.

Create a PowerShell script that automates the log collection process. Save this as AutoDiagnosticCollection.ps1:

# Automated Diagnostic Log Collection Script
param(
    [string]$LogRetentionDays = "30",
    [string]$CollectionSchedule = "Weekly"
)

# Set up logging
$LogFile = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AutoCollection.log"
Start-Transcript -Path $LogFile -Append

# Function to copy application logs
function Copy-ApplicationLogs {
    $SourcePaths = @(
        "C:\Program Files\MyApp\Logs\*.log",
        "C:\Windows\Logs\CBS\*.log",
        "C:\ProgramData\MyCompany\*.log"
    )
    
    $DestPath = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"
    
    foreach ($Source in $SourcePaths) {
        if (Test-Path (Split-Path $Source)) {
            Get-ChildItem $Source -ErrorAction SilentlyContinue | ForEach-Object {
                $NewName = "Auto-$($_.BaseName)-$(Get-Date -Format 'yyyyMMdd')$($_.Extension)"
                Copy-Item $_.FullName -Destination "$DestPath\$NewName" -Force
                Write-Output "Copied: $($_.Name) to $NewName"
            }
        }
    }
}

# Clean old logs
Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\Auto-*.log" | 
    Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-[int]$LogRetentionDays)} | 
    Remove-Item -Force

# Copy current logs
Copy-ApplicationLogs

# Create collection trigger file
$TriggerFile = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\CollectionTrigger.log"
"Automated collection triggered at $(Get-Date)" | Out-File $TriggerFile -Force

Stop-Transcript

Package this script as an Intune Win32 app. Create the detection script DetectAutoCollection.ps1:

# Detection script for auto collection
$TriggerFile = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\CollectionTrigger.log"
if (Test-Path $TriggerFile) {
    $LastRun = (Get-Item $TriggerFile).LastWriteTime
    if ($LastRun -gt (Get-Date).AddDays(-7)) {
        Write-Output "Auto collection is current"
        exit 0
    }
}
exit 1

Deploy the Win32 app with these settings:

  • Install command: powershell.exe -ExecutionPolicy Bypass -File AutoDiagnosticCollection.ps1
  • Detection method: Use the detection script
  • Assignment: Required for device groups
  • Restart behavior: No restart required

Pro tip: Use Intune's built-in scheduling by setting the Win32 app to reinstall periodically, or combine with a scheduled task for more precise timing control.

Verification: Check the Win32 app deployment status in Apps > Monitor > App install status and verify the trigger file is created on target devices.

08

Monitor and Troubleshoot Diagnostic Collection Issues

Implement monitoring and troubleshooting procedures to ensure diagnostic log collection works reliably across your managed devices.

Set up monitoring by creating a PowerShell script to check collection status across multiple devices. Save as MonitorDiagnosticCollection.ps1:

# Monitor diagnostic collection across devices
# Placeholders: supply the secret from a protected store at run time instead of saving it in this file
$TenantId = "your-tenant-id"
$ClientId = "your-app-id"
$ClientSecret = "your-client-secret"

# Get access token (OAuth 2.0 client credentials flow)
$TokenBody = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $ClientId
    client_secret = $ClientSecret
}

$TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Method POST -Body $TokenBody
$Headers = @{Authorization = "Bearer $($TokenResponse.access_token)"}

# Get diagnostic collection requests
$DiagnosticRequests = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceLogCollectionRequests" -Headers $Headers

# Analyze results
$DiagnosticRequests.value | ForEach-Object {
    Write-Output "Device: $($_.deviceName)"
    Write-Output "Status: $($_.status)"
    Write-Output "Requested: $($_.requestedDateTime)"
    Write-Output "Size: $($_.sizeInKB) KB"
    Write-Output "---"
}

Common troubleshooting scenarios and solutions:

Warning: If WNS is blocked by firewall, diagnostic collection will fail. Ensure these URLs are accessible: *.wns.windows.com, *.notify.windows.com, and *.push.apple.com for iOS devices.

Issue 1: Collection stuck in "Pending" status

# Force device sync to trigger collection
# Run on affected device or via Intune remote PowerShell
Get-ScheduledTask -TaskName "PushLaunch" | Start-ScheduledTask
Start-Process "C:\Windows\System32\deviceenroller.exe" -ArgumentList "/c /AutoEnrollMDM"

# Check WNS connectivity
Test-NetConnection -ComputerName "client.wns.windows.com" -Port 443

Issue 2: Custom logs not included

# Verify custom log placement
$LogPath = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs"
Get-ChildItem $LogPath -Filter "*.log" | Select-Object Name, Length, LastWriteTime

# Check for subdirectories (not supported)
Get-ChildItem $LogPath -Directory | ForEach-Object {
    Write-Warning "Subdirectory found: $($_.Name) - Custom logs in subdirectories are not collected"
}

Issue 3: Large log files causing timeouts

# Check log file sizes and truncate if needed
Get-ChildItem "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\*.log" |
    Where-Object {$_.Length -gt 50MB} |
    ForEach-Object {
        Write-Warning "Large log file: $($_.Name) - $([math]::Round($_.Length/1MB,2)) MB"
        # Keep the last 10,000 lines in a copy that still ends in .log, because only
        # .log files are collected; the oversized original stays until it is moved or removed
        $Content = Get-Content $_.FullName -Tail 10000
        $Content | Out-File (Join-Path $_.DirectoryName "$($_.BaseName)-truncated.log") -Encoding UTF8
    }

Verification: Run the monitoring script weekly and check that diagnostic collections complete within 20 minutes. Failed collections should be investigated using the troubleshooting steps above.
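
To act on the monitoring output rather than read all of it, the following added example (not part of the original guide) keeps only the requests that need attention and maps each to the matching issue above. The function name is an assumption; the field names are the ones the monitoring script reads, and the sample data is constructed.

```powershell
# Added example (not from the original guide): reduce the monitoring output to
# the requests that need action and point each at the matching issue above.
function Get-CollectionFinding {
    param(
        [Parameter(Mandatory)][object[]]$Requests,
        [datetime]$NowUtc = (Get-Date).ToUniversalTime(),
        [int]$MaxMinutes = 20   # upper end of the 5-20 minute window in this guide
    )
    foreach ($r in $Requests) {
        # Depending on the PowerShell version the timestamp arrives as text or [datetime]
        $requested = if ($r.requestedDateTime -is [datetime]) {
            $r.requestedDateTime.ToUniversalTime()
        } else {
            [datetimeoffset]::Parse([string]$r.requestedDateTime,
                [cultureinfo]::InvariantCulture).UtcDateTime
        }
        $age = [int]($NowUtc - $requested).TotalMinutes
        $overdue = $age -gt $MaxMinutes

        # switch -Regex matches case-insensitively
        $finding = switch -Regex ([string]$r.status) {
            '^failed$'       { 'Collection failed: work through the issues above'; break }
            '^pending$'      { if ($overdue) { 'Push not acted on: check WNS reachability (Issue 1)' }; break }
            '^in ?progress$' { if ($overdue) { 'Gathering too long: check log sizes (Issue 3)' }; break }
            '^completed$'    { break }
            default          { "Unrecognised status '$($r.status)'" }
        }
        if ($finding) {
            [pscustomobject]@{
                Device = $r.deviceName; Status = $r.status
                AgeMinutes = $age; Finding = $finding
            }
        }
    }
}

# Constructed sample in the shape the monitoring script above reads
$sample = @(
    [pscustomobject]@{ deviceName = 'PC-001'; status = 'completed'; requestedDateTime = '2026-04-08T09:00:00Z' }
    [pscustomobject]@{ deviceName = 'PC-002'; status = 'pending';   requestedDateTime = '2026-04-08T09:10:00Z' }
    [pscustomobject]@{ deviceName = 'PC-003'; status = 'failed';    requestedDateTime = '2026-04-08T09:50:00Z' }
    [pscustomobject]@{ deviceName = 'PC-004'; status = 'pending';   requestedDateTime = '2026-04-08T09:55:00Z' }
)
$now = ([datetime]'2026-04-08T10:00:00Z').ToUniversalTime()
Get-CollectionFinding -Requests $sample -NowUtc $now | Format-Table -AutoSize

# With live data: Get-CollectionFinding -Requests $DiagnosticRequests.value
```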

Frequently Asked Questions

How long does Microsoft Intune diagnostic log collection take to complete?

Intune diagnostic log collection typically takes 5-20 minutes to complete. The process includes a built-in 5-minute delay after the WNS push notification is received, followed by the actual log gathering and upload process. Larger log volumes or slower devices may extend this timeframe. You can monitor progress in the Device diagnostics section of the Intune admin center.

Can I include custom application logs in Intune diagnostic collection?

Yes, you can include custom application logs by placing them in the C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ directory. The logs must have a .log extension and be placed directly in this folder (no subfolders). Files in subdirectories will not be collected. The logs are automatically included when you trigger diagnostic collection through the Intune admin center.

What happens if Windows Notification Service (WNS) is blocked during diagnostic collection?

If WNS is blocked by firewall or network restrictions, diagnostic collection will fail to initiate properly. The collection request will remain in 'Pending' status indefinitely. To resolve this, ensure your network allows access to *.wns.windows.com and *.notify.windows.com on port 443. You can force a manual sync from the Intune admin center as a workaround, but WNS connectivity is essential for reliable push-triggered collections.

How do I limit telemetry data collection on Windows devices through Intune policies?

Use Intune Settings Catalog policies to control telemetry collection. Navigate to Devices > Configuration > Create > Settings catalog, then add the 'Allow Telemetry' setting under Administrative Templates > Windows Components > Data Collection. Set it to '0 - Security' (Enterprise only), '1 - Basic', or '2 - Enhanced' based on your requirements. You can also enable 'Disable diagnostic data capture' to block additional diagnostic data collection beyond the specified telemetry level.

What should I do if diagnostic log collection fails or times out in Intune?

First, verify the device is online and can communicate with Intune services. Check WNS connectivity by testing access to *.wns.windows.com. Force a device sync from the Intune admin center and wait 5-10 minutes. If custom logs are missing, verify they're placed correctly in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ with .log extensions and no subfolders. Large log files (>100MB) may cause timeouts - consider truncating or compressing them before collection.
