Read IntuneManagementExtension logs using PowerShell

You have to read logs, but the Intune logs are hard to read on the user’s device without a tool like CMTrace (the formatting is not that nice without it). In this blog post, I will show you an easy way to read one or two specific logs, or all the logs at once, each in its own Out-GridView console for easy filtering when searching for keywords.

Challenges

The difficult part of PowerShell is always… Formatting text, getting the right things in the column you want, and so on… This was one of those things I thought was going to be easy, but it wasn’t 🙂 Some events span multiple lines, and that made things more complicated 🙁 I think this script would be easier to make if I just started using Regex, but it doesn’t look easy… But perhaps it isn’t. It sure is something that I want to learn, and it’s on my list of things to do 😉

Running the script

The script consists of two functions: the Get-IntuneLogContent function, which reads the log file, and the Show-IntuneManagementExtensionLog function, which lets you select the log file(s) you want using switches. Each switch points to the corresponding log file in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\, and the All switch shows them all. The switches are:

  • AgentExecutor
  • All
  • ClientHealth
  • IntuneManagementExtension
  • Sensor

In the example below, I ran the Show-IntuneManagementExtensionLog function with the IntuneManagementExtension and ClientHealth switches.

Show-IntuneManagementExtensionLog -AgentExecutor -IntuneManagementExtension

This will give you two Out-GridView consoles, one for each log.

You can use the Filter bar to search for specific things. In the example below, I searched for Adobe events that I had just deployed to this VM:

Note: You can run this as a user. No Administrative PowerShell session is needed. You may need to run “Set-ExecutionPolicy Bypass -Scope CurrentUser” however. Afterward, you can run the line below to make the Functions available in the PowerShell session.

. .\Show-IntuneManagementExtensionLog.ps1

The script

Below is the script containing the two functions. I stored it in my OneDrive account of my test user for easy access 🙂

#Function for reading the Intune Management Extension log
function Get-IntuneLogContent {
    param (
        [Parameter(Mandatory = $true)][string]$Filepath
    )
    
    if (-not (Test-Path -Path $Filepath -ErrorAction SilentlyContinue)) {
        Write-Warning ("Error accessing {0}, check permissions" -f $Filepath)
        return
    }

    #Start reading logfile
    $LogTotal = foreach ($line in Get-Content -Path $Filepath) {
        #Get Time-stamp
        try {
            $time = (Select-String 'time=(.*)' -InputObject $line).Matches.groups[0].value.split('"')[1]
        }
        catch {
            $time = 'n.a.'
        }

        #Get date
        try {
            $date = (Select-String 'date=(.*)' -InputObject $line).Matches.groups[0].value.split('"')[1]
        }
        catch {
            $date = 'n.a.'
        }
            
        #Set datetime to n.a. if not found
        if ($date -ne 'n.a.' -and $time -ne 'n.a.') {
            $datetime = "$($date) $($time)"
        }
        else {
            $datetime = 'n.a.' 
        }

        #Get the component value
        try {
            $component = (Select-String 'component=(.*)' -InputObject $line).matches.groups[0].value.split('"')[1]
        }
        catch {
            $component = 'n.a.'
        }

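        #Keep everything before the ']LOG]!><' terminator as the message text.
        #The -split operator treats the terminator as one token, whereas
        #.Split('!><') may split on each character and leave index 3 empty.
        #Continuation lines of a multi-line event have no terminator and are kept whole.
        $text = ($line -split '\]LOG\]!><')[0]

        #Strip the 7-character '<![LOG[' prefix from the line that opens an event
        if ($text.StartsWith('<![LOG[')) {
            $text = $text.Substring(7)
        }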

        [PSCustomObject]@{
            'Log Text'  = $text
            'Date/Time' = $datetime
            Component   = $component
        }
    } 

    #Return found items in a GridView
    $LogTotal | Out-GridView -Title $Filepath
}

#Function for selecting which log(s) to display
function Show-IntuneManagementExtensionLog {
    [CmdletBinding(DefaultParameterSetName = "Default")]
    param (      
        [parameter(ParameterSetName = "Individual")][switch]$AgentExecutor,
        [parameter(ParameterSetName = "All")][switch]$All,
        [parameter(ParameterSetName = "Individual")][switch]$ClientHealth,
        [parameter(ParameterSetName = "Individual")][switch]$IntuneManagementExtension,
        [parameter(ParameterSetName = "Individual")][switch]$Sensor
    )

    #Warn if no parameter is specified
    if (-not ($AgentExecutor.IsPresent -or $All.IsPresent -or $ClientHealth.IsPresent -or $IntuneManagementExtension.IsPresent -or $Sensor.IsPresent)) {
        Write-Warning ("No parameter specified, please use the AgentExecutor, All, ClientHealth, IntuneManagementExtension or Sensor parameter to display the log(s)...")
        return
    }

    #If all parameter is set, set all switches to True
    if ($all) {
        Write-Host ("Processing all logs...") -ForegroundColor Green
        $AgentExecutor = $true
        $ClientHealth = $true
        $IntuneManagementExtension = $true
        $Sensor = $true
    }

    #Invoke the Get-IntuneLogContent with the path of the log
    if ($AgentExecutor) {
        Write-Host ("Processing AgentExecutor log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log
    }

    if ($ClientHealth) {
        Write-Host ("Processing ClientHealth log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\ClientHealth.log
    }

    if ($IntuneManagementExtension) {
        Write-Host ("Processing IntuneManagementExtension log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
    }

    if ($Sensor) {
        Write-Host ("Processing Sensor log") -ForegroundColor Green
        Get-IntuneLogContent -FilePath C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\Sensor.log
    }
}
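
The multi-line events mentioned under Challenges can be kept together by matching whole entries with a regular expression instead of reading the file line by line. The following is an added example, not part of the author's script: the function name ConvertFrom-CMTraceText and the sample log text are made up for illustration, and the entry layout is assumed from what the script above parses (a message wrapped in <![LOG[ ... ]LOG]!> followed by time, date and component attributes).

```powershell
# Added example: regex-based parser for CMTrace-style entries, including
# entries whose message spans several lines. The function name is hypothetical.
function ConvertFrom-CMTraceText {
    param (
        [Parameter(Mandatory = $true)][string]$Text
    )

    # One entry looks like: <![LOG[ message ]LOG]!>< attributes >
    # (?s) lets '.' match newlines, so a multi-line message stays one entry;
    # the lazy quantifier stops at the first ]LOG]!> terminator.
    $entryPattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><(?<attr>[^>]*)>'
    # Attributes are name="value" pairs (time, date, component, ...)
    $attrPattern = '(?<name>\w+)="(?<value>[^"]*)"'

    foreach ($entry in [regex]::Matches($Text, $entryPattern)) {
        # Collect every attribute of this entry in a hashtable
        $attr = @{}
        foreach ($pair in [regex]::Matches($entry.Groups['attr'].Value, $attrPattern)) {
            $attr[$pair.Groups['name'].Value] = $pair.Groups['value'].Value
        }

        # Same column names as Get-IntuneLogContent, one object per event
        [PSCustomObject]@{
            'Log Text'  = $entry.Groups['msg'].Value.Trim()
            'Date/Time' = ('{0} {1}' -f $attr['date'], $attr['time']).Trim()
            Component   = $attr['component']
        }
    }
}

# Constructed sample input (not taken from a real device)
$sample = @'
<![LOG[Starting sample task]LOG]!><time="10:15:01.1234567" date="9-13-2022" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[Sample response body:
{
  "Status": "Constructed"
}]LOG]!><time="10:15:02.7654321" date="9-13-2022" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
'@

ConvertFrom-CMTraceText -Text $sample | Format-List

# For a real log, read the file as one string so multi-line entries stay intact:
# ConvertFrom-CMTraceText -Text (Get-Content -Path $Filepath -Raw) | Out-GridView
```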

Download the script(s) from GitHub here

6 thoughts on “Read IntuneManagementExtension logs using PowerShell”

  3. I am a little confused, when I run this, all it does is open up the script in notepad, does not show any logs. I am running this command:

    .\ReadIntuneLogs.ps1 Show-IntuneManagementExtensionLog -AgentExecutor -IntuneManagementExtension

    • Sorry! Didn’t see the comment, it was thrown in the Spam 🙁 You should first run the script in your session by . .\Show-IntuneManagementExtensionLog.ps1 and then you can use Show-IntuneManagementExtensionLog -AgentExecutor -IntuneManagementExtension for example
