Intune Collect Diagnostics: How It Works & The Missing WNS Push Notification Issue

Jan 28, 2025

Have you ever wondered how Intune’s Collect Diagnostics feature gathers logs from managed devices? In this deep dive, we break down the entire process, from Graph API requests to CSP execution, and uncover why the expected WNS push notification wasn’t being sent, forcing us to trigger a sync manually.

Introduction: Intune Collect Diagnostics

One of the most useful troubleshooting features when managing devices through Microsoft Intune is the ability to collect diagnostics logs from a device remotely (of course, the AutopilotDiagnostics Tool is also pretty great). This allows IT administrators to gather detailed diagnostic data, including event logs, policy status, registry values, and connectivity information, to investigate issues without bothering the end user or requiring physical access to the device.

Intune’s “Collect Diagnostics” feature initiates this process, triggering a device check-in and collecting the diagnostics. In an ideal scenario, this should happen almost immediately (well, after 5 minutes) after pressing the “Collect Diagnostics” button, thanks to Windows Notification Services (WNS) sending a push notification to the device.

However, we recently observed that the WNS push notification wasn’t being sent at all, forcing us to manually initiate a sync in Intune. But before diving into this issue, let’s first break down how the remote diagnostics process should work from start to finish.

So prepare yourself for another Deep Dive!

How Intune Collect Diagnostics Works (Step-by-Step Flow)

1. Admin Initiates Remote Log Collection in Intune

The admin selects a managed device in Intune and clicks “Collect Diagnostics.” This action triggers a Graph API request to start the log collection process.

2. Graph API Sends a Device Log Collection Request

When the “Collect Diagnostics” button is pressed, a POST request is sent to:
https://graph.microsoft.com/beta/deviceManagement/managedDevices/{deviceId}/createDeviceLogCollectionRequest

Broadly speaking, this Graph CreateDeviceLogCollectionRequest command instructs the device to gather diagnostics and upload them to a specified Azure Blob Storage URL. Let’s find out how that works.

3. WNS Push Notification Should Be Sent to the Device

Intune attempts to trigger an immediate device sync via Windows Notification Services (WNS). The expected push notification looks like this:

PUSHROUTERSUBMITORIGIN_EE_MDMDIAGNOSTICS

If successful, the device should create a new scheduled task to check in with Intune to retrieve the command. If the device is offline, it should sync as soon as it reconnects.

4. Device Creates a 5-Minute Queued Task for Sync

If the push notification is received, Windows creates a scheduled task with a 5-minute delay before executing deviceenroller.exe, which makes the device check in to the service. This 5-minute queued task is visible in Event Viewer under: PushLaunch: Queued schedule created for queued alerts


This mechanism is likely in place to prevent duplicate check-ins (with MMP-C also asking the device to check in). If you want to know more about this queued schedule, please read this blog:

5. Device Syncs & Retrieves CSP Command (If Push Works)

If the WNS push notification is successfully received, the device processes the sync request with a 5-minute delay. After 5 minutes, the OMA-DM Client kicks off and retrieves the ArchiveDefinition DiagnosticLog CSP command:
./Vendor/MSFT/DiagnosticLog/DiagnosticArchive/ArchiveDefinition

This DiagnosticLog CSP command tells the device to start collecting diagnostic logs.

6. DiagnosticLog CSP Executes the Request

From there on, the OMA-DM Client starts asking the diagnosticlogscsp.dll to process the request.

The diagnosticlogscsp.dll processes the request by calling the DLL function:
CArchiveDefinitionNode::Execute

This Execute function will start doing some funny things.

  • Create a working directory for temporary storage: the mdmdiagnostics folder is created in C:\Windows\SystemTemp.
  • Generate an `input.xml` file in that same directory that defines what logs to collect.
  • This input.xml is, in fact, the content that we also received with the CSP.
  • From then on, it will execute `MdmDiagnosticsTool.exe` to collect the actual logs.

7. `MdmDiagnosticsTool.exe` Runs and Collects Logs

The tool is executed with parameters like:
C:\Windows\System32\MdmDiagnosticsTool.exe -xml C:\Windows\SystemTemp\input.xml -zip C:\Windows\SystemTemp\mdmdiagnostics -server <GUID>

As we have seen earlier, the `input.xml` file dictates exactly what diagnostics data is collected, including:

– Registry keys (e.g., Intune Policies, device management settings).
– Event logs (e.g., device check-in history, Autopilot events, security logs).
– Intune and Windows update logs.
– Network connectivity logs.
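
To see what a given request will actually collect, the directives in input.xml can be listed by type. The PowerShell below is an added example, not code from the original post; it assumes the Collection schema from Microsoft's DiagnosticLog CSP documentation, the sample XML is constructed, and the function name Get-ArchiveDefinitionSummary is hypothetical.

```powershell
# Constructed sample, shaped like the Collection XML the DiagnosticLog CSP accepts.
$sampleXml = @'
<Collection>
  <ID>00000000-0000-0000-0000-000000000000</ID>
  <SasUrl><![CDATA[https://example.blob.core.windows.net/container/upload.zip?sv=2020-01-01&sig=CONSTRUCTED]]></SasUrl>
  <RegistryKey>HKLM\SOFTWARE\Microsoft\IntuneManagementExtension</RegistryKey>
  <RegistryKey>HKLM\SOFTWARE\Microsoft\PolicyManager</RegistryKey>
  <Events>Application</Events>
  <Events>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Events>
  <FoldersFiles>%ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*</FoldersFiles>
  <Command>%windir%\system32\ipconfig.exe /all</Command>
  <Command>%windir%\system32\dsregcmd.exe /status</Command>
  <OutputFileFormat>Flattened</OutputFileFormat>
</Collection>
'@

function Get-ArchiveDefinitionSummary {
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never fetch external DTDs or entities
    $doc.LoadXml($Xml)
    $root = $doc.DocumentElement
    if ($root.Name -ne 'Collection') { throw "Unexpected root element '$($root.Name)'" }

    foreach ($node in $root.ChildNodes) {
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        $value = $node.InnerText.Trim()
        if ($node.Name -eq 'SasUrl') {
            # The SAS query string is a bearer credential: keep host and path only.
            $uri   = [uri]$value
            $value = '{0}://{1}{2}?<redacted>' -f $uri.Scheme, $uri.Host, $uri.AbsolutePath
        }
        [pscustomobject]@{ Directive = $node.Name; Value = $value }
    }
}

$summary = Get-ArchiveDefinitionSummary -Xml $sampleXml
# How many directives of each kind the request contains.
$summary | Group-Object Directive | Select-Object Name, Count | Format-Table -AutoSize
# Command directives run on the device, so list them explicitly.
$summary | Where-Object Directive -eq 'Command' | Format-Table -AutoSize
```

To run it against a real request, pass the contents of the input.xml described above with `Get-Content -Raw` from an elevated session.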

We can spot this behavior when looking closer at the ArchiveDefinitionNode::Execute (diagnosticlogcsp.dll).

With the mdmdiagnosticstool knowing what to do, it starts collecting the diagnostic data. The diagnostic log collection itself is handled by the createmdmenterprisediagnosticsreport function in MDMdiagnostics.dll.

Besides collecting the regular logs, the Diagnostic Report function will also kick off the CreateLogCabOnArea function.

This function will contact the windows.management.service.dll (Autopilot) by performing an API call and asking for the Autopilot logs.

When performing the API call, it will retrieve the datasourceinfo.json file.

This JSON file holds the Autopilot Event logs/files and registry keys it needs to gather.

8. Logs Are Compressed & Uploaded to Intune

Once all the diagnostic data is collected, the logs are zipped into a single `.zip` file:
C:\Windows\SystemTemp\mdmdiagnostics.zip
The device uploads the ZIP file to the Azure Blob Storage URL provided in the CSP request.

9. Admin Downloads the Logs from Intune

Once uploaded, the log file becomes available for download in the Intune Admin Center. The admin can analyze the logs to troubleshoot enrollment, policy, and connectivity issues.

Process Flow Summary

| Step | Action |
|---|---|
| 1 | Admin clicks “Collect Diagnostics” in Intune |
| 2 | Intune sends a Graph API request (createDeviceLogCollectionRequest) |
| 3 | Intune triggers a WNS push notification (PUSHROUTERSUBMITORIGIN_EE_MDMDIAGNOSTICS) |
| 3.5 | Device creates a 5-minute queued task (PushLaunch) instead of checking in immediately |
| 4 | After the delay, the device syncs and receives the CSP command (DiagnosticLog/DiagnosticArchive) |
| 5 | diagnosticlogscsp.dll processes the request and creates input.xml |
| 6 | MdmDiagnosticsTool.exe is launched, reading instructions from input.xml |
| 7 | Logs are collected from registry, ETW, Autopilot, and Intune components |
| 8 | Logs are compressed into mdmdiagnostics.zip |
| 9 | ZIP file is uploaded to Intune’s Azure Blob Storage using SAS URL |
| 10 | Admin downloads the logs from the Intune portal for analysis |

The Issue: WNS Push Notification Was Not Sent at All

While investigating this process and writing this blog, we noticed that when we initiated “Collect Diagnostics,” the expected WNS push notification wasn’t being sent at all. As a result:

🔹 The device never received the command to check in automatically (or we needed to wait until the 8-hour sync schedule task kicked in).
🔹 Logs weren’t being collected until we manually triggered a sync.
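
One way to confirm on the device whether the push arrived is to look for the PushLaunch entry in the minutes after the button was clicked. This PowerShell is an added example, not code from the original post; it assumes the message is logged in the MDM admin channel named below (the post quotes the message text but not the channel), and the function and parameter names are hypothetical.

```powershell
function Test-QueuedPushSchedule {
    param(
        # When "Collect Diagnostics" was clicked in Intune.
        [Parameter(Mandatory)][datetime]$RequestedAt,
        # How long after the click to look for the PushLaunch entry.
        [int]$WindowMinutes = 15,
        # Assumption: the channel that carries the PushLaunch message.
        [string]$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin',
        # Message text quoted in the post.
        [string]$MessageText = 'PushLaunch: Queued schedule created'
    )

    $filter = @{
        LogName   = $LogName
        StartTime = $RequestedAt
        EndTime   = $RequestedAt.AddMinutes($WindowMinutes)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$MessageText*" } |
        Sort-Object TimeCreated |
        Select-Object -First 1

    if ($hit) {
        [pscustomobject]@{
            PushReceived   = $true
            QueuedAt       = $hit.TimeCreated
            ExpectedSyncAt = $hit.TimeCreated.AddMinutes(5)   # the 5-minute queued task
            Verdict        = 'Push arrived; check-in is queued with the 5-minute delay.'
        }
    } else {
        [pscustomobject]@{
            PushReceived   = $false
            QueuedAt       = $null
            ExpectedSyncAt = $null
            Verdict        = 'No queued schedule logged; trigger Sync in Intune or wait for the scheduled check-in.'
        }
    }
}

# Constructed example: the button was clicked about 10 minutes ago.
Test-QueuedPushSchedule -RequestedAt (Get-Date).AddMinutes(-10)
```

Run it from an elevated session on the managed device, since the channel may not be readable by standard users.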

Workaround: Manually Syncing the Device

Since the WNS push notification wasn’t triggering a check-in, we had to manually force the device to sync by:
1. Going to Intune Admin Center.
2. Selecting the affected device.
3. Clicking “Sync” to manually trigger a check-in.


After doing this, the device successfully pulled the CSP command and collected and uploaded the logs as expected. Within 10 minutes, the diagnostic logs were available for us to download.

Final Thoughts & Key Takeaways

✅ Intune Remote Diagnostics is designed to work via Graph API, CSP, and WNS.
✅ Windows always schedules a 5-minute delay before executing sync requests.
✅ If WNS works, the device syncs after the delay, and logs are collected.
✅ If WNS fails, the device never syncs, requiring a manual check-in.
✅ Manually clicking “Sync” in Intune forces the device to process the log collection command.

If you want to learn more about troubleshooting your Autopilot enrollment with these diagnostic tools, please subscribe to this webinar! We will go even beyond this deep dive above!

Troubleshooting Autopilot Enrollment with MDM Diagnostics Logs Webinar – Patch My PC