Read-IMELog - A PowerShell script to read Intune Management Extension (IME) logs

Background

The Intune Management Extension is a Windows client component responsible for running Intune scripts and installing Win32 apps. It creates log files in the following folder:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs

IME log entries are in the CMTrace format used by System Center Configuration Manager, for example:

<![LOG[[Win32App] Checking ESP status and phase for sessionId: 0]LOG]!><time="23:05:44.2390147" date="4-16-2023" component="IntuneManagementExtension" context="" type="1" thread="65" file="">
<![LOG[[Proxy Poller] Processing session id 2 starts]LOG]!><time="23:05:47.8411669" date="4-16-2023" component="IntuneManagementExtension" context="" type="1" thread="25" file="">

The log entries are best viewed using the CMTrace tool, but this won’t be readily available for a company that doesn’t use System Center Configuration Manager. There is no official download for cloud-only businesses using Intune.

Read-IMELog is a PowerShell script that converts IME logs to PowerShell objects, allowing flexible filtering and sorting. It can also be used for Config Manager logs.
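
The entry layout shown above can be parsed with a single regular expression. The following is an added example, not the Read-IMELog script and not code from the original article; the function name ConvertFrom-CMTraceText, the severity labels and the third (multi-line, type 3) sample entry are assumptions made for illustration.

```powershell
# Added example. ConvertFrom-CMTraceText is a hypothetical name, not Read-IMELog.
function ConvertFrom-CMTraceText {
    param([Parameter(Mandatory)][string]$Text)

    # Message sits between <![LOG[ and ]LOG]!>; the attributes follow in fixed order.
    $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]+)" ' +
               'date="(?<Date>[^"]+)" component="(?<Component>[^"]*)" ' +
               'context="(?<Context>[^"]*)" type="(?<Type>\d)" ' +
               'thread="(?<Thread>\d+)" file="(?<File>[^"]*)">'
    # Singleline lets .*? cross line breaks, so a multi-line message stays one entry.
    $options  = [System.Text.RegularExpressions.RegexOptions]::Singleline
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }  # CMTrace type values
    $culture  = [System.Globalization.CultureInfo]::InvariantCulture
    $format   = 'M-d-yyyy H:mm:ss.FFFFFFF'

    foreach ($m in [regex]::Matches($Text, $pattern, $options)) {
        # Configuration Manager logs append a UTC bias such as +60 to the time; drop it.
        $clock = $m.Groups['Time'].Value -replace '[+-]\d+$', ''
        $when  = '{0} {1}' -f $m.Groups['Date'].Value, $clock
        $stamp = [datetime]::ParseExact($when, $format, $culture)

        [pscustomobject]@{
            DateTime  = $stamp
            Severity  = $severity[$m.Groups['Type'].Value]
            Component = $m.Groups['Component'].Value
            Thread    = [int]$m.Groups['Thread'].Value
            Message   = $m.Groups['Message'].Value
        }
    }
}

# The first two entries are from the article; the third is constructed for illustration.
$sample = @'
<![LOG[[Win32App] Checking ESP status and phase for sessionId: 0]LOG]!><time="23:05:44.2390147" date="4-16-2023" component="IntuneManagementExtension" context="" type="1" thread="65" file="">
<![LOG[[Proxy Poller] Processing session id 2 starts]LOG]!><time="23:05:47.8411669" date="4-16-2023" component="IntuneManagementExtension" context="" type="1" thread="25" file="">
<![LOG[[Win32App] Constructed sample: detection failed
second line of the same message]LOG]!><time="23:05:49.1000000" date="4-16-2023" component="IntuneManagementExtension" context="" type="3" thread="25" file="">
'@

# Show only error entries, with the multi-line message kept intact.
ConvertFrom-CMTraceText -Text $sample |
    Where-Object Severity -eq 'Error' |
    Select-Object DateTime, Thread, Message
```

To run it against a real log, pass the whole file as one string, for example with Get-Content -Raw.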

Example usage 1 - filter on message text

$IMELog = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
Read-IMELog -Path $IMELog | Where-Object { $_.Message -like "*ProcessDetection*" } | Select-Object -First 2

Example usage 2 - read all IME logs

$IMELogFolder = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
Get-ChildItem -Path $IMELogFolder | Read-IMELog | Out-GridView

Read-IMELog.ps1

See below for the PowerShell script:



This article was originally posted on Write-Verbose.com