Dive deeper into the IME log with a simple change of the log level

For troubleshooting purposes it is helpful to change the log level of the Intune Management Extension. Since this has to be done in an XML config file of the IME and this can affect the function of the IME when inserting a wrong value. I wrote a script which make the change of the log level easy.

How to change the log level

To change the log level of the Ime you have to open the config file. You can find it under the following path: C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe.config

In this you will find the system.diagnostics setting here there is the attribute switchValue with which you define the log level.

Get the different log level

To write the script I first have to find out what log levels actually exist. Since there is no documentation for this, let alone this is self-explanatory, I have to find a way to get to the values. Where better to find this information than directly in the code of the IME. The Ime is C# compiled code, so I started looking for a C# decompiler and found it with JustDecompile. I downloaded this and installed it on my system.

How does decompiling the IME work now? This is actually really simple. I navigated to the path of the IME (C:\Program Files (x86)\Microsoft Intune Management Extension) and can easily decompile it with a right click:

After that I searched for the function that writes the logs and found the different event types

The script

With this information I wrote a script which changes the log level in the XML and restarts the service. You can find the script in my Git hub repository.

<#
Version: 1.0
Author: Jannik Reinhard (jannikreinhard.com)
Script: Change-ImeLogLevel
Description:
Change the loglevel from the Intune management extension
Release notes:
Version 1.0: Init
#> 

$logLevelSelection = Read-Host "Enter the log level [Critical, Error, Warning, Information, Verbose]"
while("Critical", "Error", "Warning", "Information", "Verbose" -notcontains $logLevelSelection )
{
    $logLevelSelection = Read-Host "Enter the log level [Critical, Error, Warning, Information, Verbose]"
}

$imeConfFile = "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe.config"

$configFile = New-Object System.XML.XMLDocument
$configFile.Load($imeConfFile)

$logLevel = $configFile.configuration.'system.diagnostics'.sources.source
$logLevel.switchValue = "$logLevelSelection"
$configFile.Save($imeConfFile)

Restart-Service -DisplayName "Microsoft Intune Management Extension"

Write-Host "IME Log level changed to $logLevelSelection"

You only have to run the script, select the log level and that’s it

Conclusion

Sometimes it is really a big help to read more from a logfile to understand the IME better or simplify for troubleshooting purposes. I hope I could help you with my blog so you can read more from the IME log.

When you are done with troubleshooting or testing, always reset the IME to the information state and delete the log file as it may contain sensitive information.

Stay healthy, Cheers
Jannik

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s