Read IntuneManagementExtension logs using PowerShell

Reading logs is always something you just have to do, but the Intune logs are not easy to read without tools like CMTrace on the user’s device. (The formatting is not that nice without it) In this blog post, I will show you an easy way to read one or two specific logs, or all the logs at once, and each in its own Out-Gridview console for easy filtering when searching for keywords.


The difficult part of PowerShell is always… Formatting text, getting the right things in the column you want, and so on… This was one of those things I thought was going to be easy, but it wasn’t 🙂 Some events span multiple lines and that made thinks more complicated 🙁 I think this script would be easier to make if I just started using Regex, but it looks difficult… But perhaps it isn’t, it sure is something that I want to learn and it’s on my list of things to do 😉

Running the script

The script consists of two Functions, the Get-IntuneLogContent function for reading the log file and the Show-IntuneManagementExtensionLog function which allows you to select the log file(s) you want using switches. The switches are: (They all point to the corresponding logfile in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\, the All switch shows them all)

  • AgentExecutor
  • All
  • ClientHealth
  • IntuneManagementExtension
  • Sensor

In the example below, I ran the Show-IntuneManagementExtensionLog function with the IntuneManagementExtension and ClientHealth switches.

Show-IntuneManagementExtensionLog -AgentExecutor -IntuneManagementExtension

This will give you two Out-GridView consoles:


You can use the Filter bar to search for specific things, in the example below I searched for Adobe events that I just deployed to this VM:

Note: You can run this as a user, no Administrative PowerShell session is needed. Perhaps you do need to run “Set-ExecutionPolicy Bypass -Scope CurrentUser” however. Afterward, you can run the line below to make the Functions available in the PowerShell session.

. .\Show-IntuneManagementExtensionLog.ps1

The script

Below is the script containing the two functions, I stored it in my OneDrive account of my test user for easy access 🙂

#Function for reading the Intune Management Extension log
function Get-IntuneLogContent {
    param (
        [Parameter(Mandatory = $true)][string]$Filepath
    if (-not (Test-Path -Path $Filepath -ErrorAction SilentlyContinue)) {
        Write-Warning ("Error accessing {0}, check permissions" -f $false)

    #Start reading logfile
    $LogTotal = foreach ($line in Get-Content -Path $Filepath) {
        #Get Time-stamp
        try {
            $time = (Select-String 'time=(.*)' -InputObject $line).Matches.groups[0].value.split('"')[1]
        catch {
            $time = 'n.a.'

        #Get date
        try {
            $date = (Select-String 'date=(.*)' -InputObject $line).Matches.groups[0].value.split('"')[1]
        catch {
            $date = 'n.a.'
        #Set datetime to n.a. if not found
        if ($date -ne 'n.a.' -and $time -ne 'n.a.') {
            $datetime = "$($date) $($time)"
        else {
            $datetime = 'n.a.' 

        #Get the component value
        try {
            $component = (Select-String 'component=(.*)' -InputObject $line).matches.groups[0].value.split('"')[1]
        catch {
            $component = 'n.a'

        #If line is part of a muli-line, display it or else split it to message text
        If ($line.StartsWith('<![LOG') -ne $true -or ($line.Split('!><')[3]).length -eq 0 ) {
            $text = $line
        else {
            $text = $line.Split('!><')[3]

            'Log Text'  = $text
            'Date/Time' = $datetime
            Component   = $component

    #Return found items in a GridView
    $LogTotal | Out-GridView -Title $Filepath
function Show-IntuneManagementExtensionLog {
    [CmdletBinding(DefaultParameterSetName = "Default")]
    param (      
        [parameter(ParameterSetName = "Indiviudal")][switch]$AgentExecutor,
        [parameter(ParameterSetName = "All")][switch]$All,
        [parameter(ParameterSetName = "Indiviudal")][switch]$ClientHealth,
        [parameter(ParameterSetName = "Indiviudal")][switch]$IntuneManagementExtension,
        [parameter(ParameterSetName = "Indiviudal")][switch]$Sensor

    #Warn if not parameter specified
    if (-not ($AgentExecutor.IsPresent -or $All.IsPresent -or $ClientHealth.IsPresent -or $IntuneManagementExtension.IsPresent -or $Sensor.IsPresent)) {
        Write-Warning ("No parameter specified, please use the AgentExecutor, All, ClientHealth, IntuneManagementExtension or Sensor parameter to display the log(s)...")

    #If all parameter is set, set all switches to True
    if ($all) {
        Write-Host ("Processing all logs...") -ForegroundColor Green
        $AgentExecutor = $true
        $ClientHealth = $true
        $IntuneManagementExtension = $true
        $Sensor = $true

    #Invoke the Get-IntuneLogContent with the path of the log
    if ($AgentExecutor) {
        Write-Host ("Processing AgentExecutor log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log

    if ($ClientHealth) {
        Write-Host ("Processing ClientHealth log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ClientHealth.log

    if ($IntuneManagementExtension) {
        Write-Host ("Processing IntuneManagementExtension log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

    if ($Sensor) {
        Write-Host ("Processing Sensor log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\Sensor.log

Download the script(s) from GitHub here

4 thoughts on “Read IntuneManagementExtension logs using PowerShell

  1. Pingback: Blog post – Use PowerShell for reading Intune Management Extension logs – 247 TECH

  2. Pingback: Endpoint Manager Newsletter – 16th September 2022 – Andrew Taylor

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.