Autopilot diags 2

Author: frankroj

memdocs/intune/remote-actions/collect-diagnostics.md

@@ -31,9 +31,9 @@ ms.collection: M365-identity-device-management
 
 # Collect diagnostics from a Windows device
 
-The **Collect diagnostics** remote action lets you collect and download Windows device logs without interrupting the user. Only non-user locations and file types can be accessed, so no personal information is collected.
+The **Collect diagnostics** remote action lets you collect and download Windows device logs without interrupting the user. Only non-user locations and file types are accessed.
 
-Autopilot diagnostics can also be captured automatically when devices experience a failure during the Autopilot process. When logs are finished processing on a failed device, they will be automatically captured and uploaded to Intune. Autopilot diagnostics and logs may include user identifiable information such as user name or device name.
+The **Collect diagnostics** remote action can also be configured to automatically collect and upload Windows devices logs upon an Autopilot failure on a device. When an Autopilot failure occurs, logs will be processed on the failed device and then automatically captured and uploaded to Intune.
 
 The diagnostic collection is stored for 28 days and then deleted. Each device can have up to 10 collections stored at one time.
 
@@ -55,110 +55,122 @@ The *Collect diagnostics* remote action is supported for:
 
 To use the *Collect diagnostics* action:
 
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows** > select a supported device.
-2. On the device’s **Overview** page, select **…** >  **Collect diagnostics** > **Yes**. A pending notification appears on the device’s **Overview** page.
-3. To see the status of the action, select **Device diagnostics monitor**.
-4. After the  action completes, select **Download** in the row for the action > **Yes**.
-5. The data zip file is added to your download tray and you can save it to your computer.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+2. Navigate to **Devices** > **Windows** > select a supported device.
+3. On the device’s **Overview** page, select **…** >  **Collect diagnostics** > **Yes**. A pending notification appears on the device’s **Overview** page.
+4. To see the status of the action, select **Device diagnostics monitor**.
+5. After the  action completes, select **Download** in the row for the action > **Yes**.
+6. The data zip file is added to your download tray and you can save it to your computer.
+
+## Diagnostics collection on Autopilot failure
+
+ For Autopilot diagnostics collection, no additional action is required. Autopilot diagnostics will be automatically captured when devices experience a failure as long as the Autopilot automatic capture diagnostic feature is enabled.
 
-> [!NOTE]
-> For Autopilot diagnostics collection, no additional action is required. Autopilot diagnostics will be automatically captured when devices experience a failure as long as the Autopilot automatic capture diagnostic feature is enabled.
+To view the diagnostics collected after an Autopilot failure:
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+2. Navigate to **Devices** > **Monitor** > **Autopilot deployments (preview)**.
+3. In the middle pane, select a device.
+4. On the right hand **Properties** pane, under **Device Diagnostics**, select **Download**.
+5. The data zip file is added to your download tray and you can save it to your computer.
 
 ## Data collected
 
-No personal information is collected. If you've installed [KB5011543](https://support.microsoft.com/topic/march-22-2022-kb5011543-os-builds-19042-1620-19043-1620-and-19044-1620-preview-4fe2d1c0-720f-47fe-9523-75339bc107a1) on Windows 10 or [KB5011563](https://support.microsoft.com/topic/march-28-2022-kb5011563-os-build-22000-593-preview-40df54c9-b5a9-42e5-ae1c-9a33ff91ca91) on Windows 11, the format of the zip file will be simpler, including a flattened structure where the logs collected are named to match the data collected, and when multiple files are collected a folder is created.  
+While there is no intent to collect personal data, some identifiable information such as user names or device name might be collected when they are contained in collected logs or data from other locations.
+
+If you've installed [KB5011543](https://support.microsoft.com/topic/march-22-2022-kb5011543-os-builds-19042-1620-19043-1620-and-19044-1620-preview-4fe2d1c0-720f-47fe-9523-75339bc107a1) on Windows 10 or [KB5011563](https://support.microsoft.com/topic/march-28-2022-kb5011563-os-build-22000-593-preview-40df54c9-b5a9-42e5-ae1c-9a33ff91ca91) on Windows 11, the format of the zip file will be simpler, including a flattened structure where the logs collected are named to match the data collected, and when multiple files are collected a folder is created.  
 
 This list below is the same order as the diagnostic zip.  Each collection contains the following data:
 
 Registry Keys:
 
-1. HKLM\SOFTWARE\Microsoft\CloudManagedUpdate
-1. HKLM\SOFTWARE\Microsoft\IntuneManagementExtension
-1. HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
-1. HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
-1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
-1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
-1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
-1. HKLM\SOFTWARE\Policies
-1. HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
-1. HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
-1. HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
-1. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
-1. HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm
+- HKLM\SOFTWARE\Microsoft\CloudManagedUpdate
+- HKLM\SOFTWARE\Microsoft\IntuneManagementExtension
+- HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
+- HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection
+- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
+- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
+- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
+- HKLM\SOFTWARE\Policies
+- HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
+- HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+- HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
+- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
+- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm
 
 Commands:
 
-1. %programfiles%\windows defender\mpcmdrun.exe -GetFiles
-1. %windir%\system32\certutil.exe -store
-1. %windir%\system32\certutil.exe -store -user my
-1. %windir%\system32\Dsregcmd.exe /status
-1. %windir%\system32\ipconfig.exe /all
-1. %windir%\system32\mdmdiagnosticstool.exe 
-1. %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
-1. %windir%\system32\netsh.exe advfirewall show allprofiles
-1. %windir%\system32\netsh.exe advfirewall show global
-1. %windir%\system32\netsh.exe lan show profiles
-1. %windir%\system32\netsh.exe winhttp show proxy
-1. %windir%\system32\netsh.exe wlan show profiles
-1. %windir%\system32\netsh.exe wlan show wlanreport
-1. %windir%\system32\ping.exe -n 50 localhost
-1. %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
-1. %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html
+- %programfiles%\windows defender\mpcmdrun.exe -GetFiles
+- %windir%\system32\certutil.exe -store
+- %windir%\system32\certutil.exe -store -user my
+- %windir%\system32\Dsregcmd.exe /status
+- %windir%\system32\ipconfig.exe /all
+- %windir%\system32\mdmdiagnosticstool.exe 
+- %windir%\system32\msinfo32.exe /report %temp%\MDMDiagnostics\msinfo32.log
+- %windir%\system32\netsh.exe advfirewall show allprofiles
+- %windir%\system32\netsh.exe advfirewall show global
+- %windir%\system32\netsh.exe lan show profiles
+- %windir%\system32\netsh.exe winhttp show proxy
+- %windir%\system32\netsh.exe wlan show profiles
+- %windir%\system32\netsh.exe wlan show wlanreport
+- %windir%\system32\ping.exe -n 50 localhost
+- %windir%\system32\powercfg.exe /batteryreport /output %temp%\MDMDiagnostics\battery-report.html
+- %windir%\system32\powercfg.exe /energy /output %temp%\MDMDiagnostics\energy-report.html
 
 Event Viewers:
 
-1. Application
-1. Microsoft-Windows-AppLocker/EXE and DLL
-1. Microsoft-Windows-AppLocker/MSI and Script
-1. Microsoft-Windows-AppLocker/Packaged app-Deployment
-1. Microsoft-Windows-AppLocker/Packaged app-Execution
-1. Microsoft-Windows-AppxPackaging/Operational
-1. Microsoft-Windows-Bitlocker/Bitlocker Management
-1. Microsoft-Windows-HelloForBusiness/Operational
-1. Microsoft-Windows-SENSE/Operational
-1. Microsoft-Windows-SenseIR/Operational
-1. Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
-1. Microsoft-Windows-WinRM/Operational
-1. Microsoft-Windows-WMI-Activity/Operational
-1. Setup
-1. System
+- Application
+- Microsoft-Windows-AppLocker/EXE and DLL
+- Microsoft-Windows-AppLocker/MSI and Script
+- Microsoft-Windows-AppLocker/Packaged app-Deployment
+- Microsoft-Windows-AppLocker/Packaged app-Execution
+- Microsoft-Windows-AppxPackaging/Operational
+- Microsoft-Windows-Bitlocker/Bitlocker Management
+- Microsoft-Windows-HelloForBusiness/Operational
+- Microsoft-Windows-SENSE/Operational
+- Microsoft-Windows-SenseIR/Operational
+- Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
+- Microsoft-Windows-WinRM/Operational
+- Microsoft-Windows-WMI-Activity/Operational
+- Setup
+- System
 
 Files:
 
-1. %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
-1. %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
-1. %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
-1. %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
-1. %ProgramData Microsoft Update Health Tools\Logs\*.etl
-1. %temp%\MDMDiagnostics\battery-report.html
-1. %temp%\MDMDiagnostics\energy-report.html
-1. %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
-1. %temp%\MDMDiagnostics\msinfo32.log
-1. %windir%\ccm\logs\*.log
-1. %windir%\ccmsetup\logs\*.log
-1. %windir%\logs\CBS\cbs.log
-1. %windir%\logs\measuredboot\*.*
-1. %windir%\Logs\WindowsUpdate\*.etl
-1. %windir%\temp\%computername%*.log
-1. %windir%\temp\officeclicktorun*.log
+- %ProgramData%\Microsoft\DiagnosticLogCSP\Collectors\*.etl
+- %ProgramData%\Microsoft\IntuneManagementExtension\Logs\*.*
+- %ProgramData%\Microsoft\Windows Defender\Support\MpSupportFiles.cab
+- %ProgramData%\Microsoft\Windows\WlanReport\wlan-report-latest.html
+- %ProgramData Microsoft Update Health Tools\Logs\*.etl
+- %temp%\MDMDiagnostics\battery-report.html
+- %temp%\MDMDiagnostics\energy-report.html
+- %temp%\MDMDiagnostics\mdmlogs-<Date/Time>.cab
+- %temp%\MDMDiagnostics\msinfo32.log
+- %windir%\ccm\logs\*.log
+- %windir%\ccmsetup\logs\*.log
+- %windir%\logs\CBS\cbs.log
+- %windir%\logs\measuredboot\*.*
+- %windir%\Logs\WindowsUpdate\*.etl
+- %windir%\temp\%computername%*.log
+- %windir%\temp\officeclicktorun*.log
 
 ## Disable device diagnostics
 
-You can disable the **Collect diagnostics** remote action for all devices by following these steps:
+The the **Collect diagnostics** remote action is enabled by default. You can disable the **Collect diagnostics** remote action for all devices by following these steps:
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Tenant administration** > **Device diagnostics**.
 2. Change the control under **Device diagnostics are available for corporate-managed devices running Windows 10, version 1909 and later, or Windows 11.** to **Disabled**.
 
-     :::image type="content" source="./media/collect-diagnostics/disable-device-diagnostics.png" alt-text="Screenshot that shows the Device diagnostics pane with the highlighted control set to Disabled.":::
+     :::image type="content" source="./media/collect-diagnostics/disable-device-diagnostics.png" alt-text="Screenshot that shows the Device diagnostics pane with the highlighted control for device diagnostics set to Disabled.":::
 
-## Disable Autopilot diagnostics
+## Disable Autopilot automatic collection of diagnostics
 
-You can disable Autopilot automatic diagnostic capture by following these steps:
+Autopilot automatic diagnostic capture is enabled by default. You can disable Autopilot automatic diagnostic capture by following these steps:
 
 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Tenant administration** > **Device diagnostics**.
 2. Change the control under **Automatically capture diagnostics when devices experience a failure during the Autopilot process on Windows 10 version 1909 or later and Windows 11. Diagnostics may include user identifiable information such as user or device name (preview).** to **Disabled**.
 
-     :::image type="content" source="./media/collect-diagnostics/disable-autopilot-diagnostics.png" alt-text="Screenshot that shows the Device diagnostics pane with the highlighted control set to Disabled.":::
+     :::image type="content" source="./media/collect-diagnostics/disable-autopilot-diagnostics.png" alt-text="Screenshot that shows the Device diagnostics pane with the highlighted control for Autopilot automatic diagnostics collection set to Disabled.":::
 
 ## Known issues with device diagnostics