Intune Sync Engine Log Analysis

Hafiz Omar 0 Reputation points
2026-07-02T02:44:31.8633333+00:00

Hi team

I pushed a critical software deployment via Intune, but 10 devices are stuck in a pending state. I need to look past the high-level cloud dashboard. Where are the local MDM log files stored on a Windows 11 client machine, and what tool should I use to parse them to see if the sync engine is throwing errors ?

Windows for business | Windows 365 Enterprise
0 comments No comments

2 answers

Sort by: Most helpful
  1. Marcin Policht 94,615 Reputation points MVP Volunteer Moderator
    2026-07-02T03:25:58.8633333+00:00

    Refer to https://learn.microsoft.com/en-us/windows/client-management/mdm-collect-logs

    Download the MDM Diagnostic Information log from Windows devices

    On your managed device, go to Settings > Accounts > Access work or school.

    Select your work or school account, then select Info.

    Access work or school page in Settings.

    At the bottom of the Settings page, select Create report.

    Access work or school page and then Create report.

    A window opens that shows the path to the log files. Select Export.

    Access work or school log files.

    In File Explorer, navigate to C:\Users\Public\Documents\MDMDiagnostics to see the report.

    Use command to collect logs directly from Windows devices

    You can also collect the MDM Diagnostic Information logs using the following command:

    XML

    mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip "c:\users\public\documents\MDMDiagReport.zip"
    
    • In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.

    Understanding zip structure

    The zip file has logs according to the areas that were used in the command. This explanation is based on DeviceEnrollment, DeviceProvisioning, and Autopilot areas. It applies to the zip files collected via command line or Feedback Hub

    • DiagnosticLogCSP_Collector_Autopilot_*: Autopilot etls
    • DiagnosticLogCSP_Collector_DeviceProvisioning_*: Provisioning etls (Microsoft-Windows-Provisioning-Diagnostics-Provider)
    • MDMDiagHtmlReport.html: Summary snapshot of MDM configurations and policies. Includes, management url, MDM server device ID, certificates, policies.
    • MdmDiagLogMetadata.json: mdmdiagnosticstool metadata file that contains command-line arguments used to run the tool.
    • MDMDiagReport.xml: contains a more detailed view into the MDM configurations, such as enrollment variables, provisioning packages, multivariant conditions, and others. For more information about diagnosing provisioning packages, see Diagnose provisioning packages.
    • MdmDiagReport_RegistryDump.reg: contains dumps from common MDM registry locations
    • MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command
    • *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events.

    Collect logs directly from Windows devices

    MDM logs are captured in the Event Viewer in the following location:

    • Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider

    Here's a screenshot:

    mdm event viewer.

    In this location, the Admin channel logs events by default. However, if you need more details logs you can enable Debug logs by choosing Show Analytic and Debug logs option in View menu in Event Viewer.

    Collect admin logs

    1. Right-click the Admin node.
    2. Select Save all events as.
    3. Choose a location and enter a filename.
    4. Select Save.
    5. Choose Display information for these languages and then select English.
    6. Select Ok.

    For more detailed logging, you can enable Debug logs. Right-click on the Debug node and then select Enable Log.

    Collect debug logs

    1. Right-click on the Debug node.
    2. Select Save all events as.
    3. Choose a location and enter a filename.
    4. Select Save.
    5. Choose Display information for these languages and then select English.
    6. Select Ok.

    You can open the log files (.evtx files) in the Event Viewer on a Windows device.

    Collect logs remotely from Windows devices

    When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The DiagnosticLog CSP can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:

    • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
    • Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    Was this answer helpful?

    0 comments No comments

  2. Domic Vo 25,675 Reputation points Independent Advisor
    2026-07-02T03:24:09.29+00:00

    Hello,

    On a Windows 11 client enrolled in Intune, the local MDM activity is logged primarily in the Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. This is the authoritative source for MDM transactions, policy application, and sync errors. Each event is tagged with an Event ID that corresponds to the MDM stack, for example Event ID 201 for policy application and Event ID 404 for sync failures.

    In addition to the Event Viewer, Intune writes diagnostic traces to C:\Windows\System32\LogFiles\DeviceManagement. These log files are not human‑readable in raw form, so the recommended tool to parse and analyze them is MDMDiagnosticTool.exe, which is built into Windows. You can run it from an elevated command prompt with mdmdiagnostictool.exe -area DeviceEnrollment;DeviceProvisioning;DeviceManagement -cab c:\temp\MDMLogs.cab. This will generate a CAB file containing all relevant logs, including the sync engine traces, which you can then open with tools like CMTrace or expand manually to inspect XML and ETL files.

    For deployment troubleshooting, you should also check the Intune Management Extension logs located at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. The key files are IntuneManagementExtension.log and AgentExecutor.log. These logs record the status of Win32 app deployments, including pending, success, and failure states. Parsing them with CMTrace or any log viewer will show whether the client is stuck waiting for a dependency, failing to download content, or encountering a policy conflict.

    By combining the Event Viewer MDM logs with the Intune Management Extension logs, you can see both the high‑level sync status and the detailed app deployment execution. This will allow you to pinpoint whether the issue is a sync engine error, a content delivery problem, or a policy misconfiguration.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    Domic Vo

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.