IntuneLogs.psm1
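<#
.SYNOPSIS
    Collects Intune / MDM diagnostic artifacts from the local device into one folder.

.DESCRIPTION
    Four collection phases, all writing under -Path:
      1. Run diagnostic commands (Defender, certutil, dsregcmd, netsh, powercfg, ...) and
         save each command's output to a text file in -Path.
      2. Copy known log files / folders (IME, EPM agent, CBS, Windows Update, ...), mirroring
         the source tree (minus the drive root) under -Path.
      3. Export a fixed set of Event Viewer channels to .evtx.
      4. Export a fixed set of HKLM registry keys with reg.exe.

    Phase 1 runs first on purpose: "mpcmdrun -GetFiles" and "netsh wlan show wlanreport"
    produce MpSupportFiles.cab and wlan-report-latest.html, which phase 2 then picks up.

.PARAMETER Path
    Output folder. Created if it does not exist. Defaults to C:/Temp/IntuneLogs.

.NOTES
    - Most of these sources (Defender support files, MDM diagnostics, several event
      channels) are presumably only readable from an elevated session - run as Administrator.
    - The resulting bundle is sensitive: it contains device identity (dsregcmd), certificate
      inventory, network/proxy configuration, Wi-Fi profile names, installed software and
      policy registry. NOTE(review): the default C:\Temp location inherits permissive ACLs
      from the drive root; consider a protected location or tightening the ACL before sharing.
    - Only Get-IntuneLogs is exported; the Copy-/Export-/Invoke- helpers below are module-private.
#>
function Get-IntuneLogs {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $false)]
        [string]$Path = "C:/Temp/IntuneLogs" # default output folder
    )

    if (-Not (Test-Path -Path $Path)) {
        Write-Host "De opgegeven directory bestaat niet. Maken van directory: $Path" -ForegroundColor Yellow
        New-Item -ItemType Directory -Force -Path $Path | Out-Null
    }
    # Native tools (msinfo32, powercfg, reg) receive $Path on their command line; give them an
    # absolute, backslash-normalised path so a relative or forward-slash value still works.
    $Path = (Resolve-Path -LiteralPath $Path).ProviderPath

    Invoke-IntuneDiagnosticCommand -Path $Path   # phase 1: generates files that phase 2 collects
    Copy-IntuneLogFile -Path $Path
    Export-IntuneEventLog -Path $Path
    Export-IntuneRegistryKey -Path $Path

    Write-Host "De logs zijn opgeslagen in: $Path" -ForegroundColor Green
}

# Runs each diagnostic executable with its argument list and stores stdout+stderr in $Path.
# Arguments are passed as an array through the call operator and never re-parsed from a string,
# so a $Path containing spaces or shell metacharacters cannot break or inject into the command
# (the previous Invoke-Expression approach also failed on "C:\Program Files\..." paths).
function Invoke-IntuneDiagnosticCommand {
    [CmdletBinding()]
    param ([Parameter(Mandatory = $true)][string]$Path)

    $system32 = Join-Path -Path $env:windir -ChildPath 'system32'
    $commands = @(
        @{ Exe = Join-Path $env:ProgramFiles 'windows defender\mpcmdrun.exe'; Arguments = @('-GetFiles');                                                               Out = 'mpcmdrun-getfiles.txt' }
        @{ Exe = Join-Path $system32 'certutil.exe';            Arguments = @('-store');                                                                                   Out = 'certutil-store.txt' }
        @{ Exe = Join-Path $system32 'certutil.exe';            Arguments = @('-store', '-user', 'my');                                                                    Out = 'certutil-store-user-my.txt' }
        @{ Exe = Join-Path $system32 'Dsregcmd.exe';            Arguments = @('/status');                                                                                  Out = 'dsregcmd-status.txt' }
        @{ Exe = Join-Path $system32 'ipconfig.exe';            Arguments = @('/all');                                                                                     Out = 'ipconfig-all.txt' }
        @{ Exe = Join-Path $system32 'mdmdiagnosticstool.exe';  Arguments = @();                                                                                           Out = 'mdmdiagnosticstool.txt' }
        @{ Exe = Join-Path $system32 'msinfo32.exe';            Arguments = @('/report', (Join-Path $Path 'msinfo32.log'));                                                Out = 'msinfo32.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('advfirewall', 'show', 'allprofiles');                                                       Out = 'netsh-advfirewall-allprofiles.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('advfirewall', 'show', 'global');                                                            Out = 'netsh-advfirewall-global.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('lan', 'show', 'profiles');                                                                  Out = 'netsh-lan-profiles.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('winhttp', 'show', 'proxy');                                                                 Out = 'netsh-winhttp-proxy.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('wlan', 'show', 'profiles');                                                                 Out = 'netsh-wlan-profiles.txt' }
        @{ Exe = Join-Path $system32 'netsh.exe';               Arguments = @('wlan', 'show', 'wlanreport');                                                               Out = 'netsh-wlan-wlanreport.txt' }
        @{ Exe = Join-Path $system32 'ping.exe';                Arguments = @('-n', '50', 'localhost');                                                                    Out = 'ping-localhost.txt' }
        @{ Exe = Join-Path $system32 'pnputil.exe';             Arguments = @('/enum-drivers');                                                                            Out = 'pnputil-enum-drivers.txt' }
        @{ Exe = Join-Path $system32 'powercfg.exe';            Arguments = @('/batteryreport', '/output', (Join-Path $Path 'battery-report.html'));                      Out = 'powercfg-batteryreport.txt' }
        @{ Exe = Join-Path $system32 'powercfg.exe';            Arguments = @('/energy', '/output', (Join-Path $Path 'energy-report.html'));                              Out = 'powercfg-energy.txt' }
    )

    $total = $commands.Count
    $index = 0
    foreach ($command in $commands) {
        $index++
        Write-Progress -Activity "Uitvoeren van aanvullende opdrachten" -Status "Bezig met opdracht $index van $total" -PercentComplete (($index / $total) * 100)

        # Optional agents (e.g. EPM) may be absent; skip with a warning instead of failing the run.
        if (-not (Test-Path -LiteralPath $command.Exe)) {
            Write-Warning "Executable not found, skipping: $($command.Exe)"
            continue
        }

        $arguments = @($command.Arguments)
        $outFile = Join-Path -Path $Path -ChildPath $command.Out
        try {
            & $command.Exe @arguments 2>&1 | Out-File -LiteralPath $outFile -Encoding utf8
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "$($command.Exe) $($arguments -join ' ') exited with code $LASTEXITCODE"
            }
        }
        catch {
            Write-Warning "Failed to run $($command.Exe): $($_.Exception.Message)"
        }
    }
    Write-Progress -Activity "Uitvoeren van aanvullende opdrachten" -Completed
}

# Copies every file matched by the patterns below into $Path, mirroring the source path minus
# its drive root so identically named files from different folders cannot overwrite each other.
function Copy-IntuneLogFile {
    [CmdletBinding()]
    param ([Parameter(Mandatory = $true)][string]$Path)

    # NOTE(review): the original list also referenced "$mdmDiagnosticsPath\battery-report.html",
    # "energy-report.html", "mdmlogs-*.cab" and "msinfo32.log", but $mdmDiagnosticsPath is not
    # defined anywhere in this module (the entries expanded to "\battery-report.html" etc.).
    # The battery/energy/msinfo32 reports are now written straight into $Path by
    # Invoke-IntuneDiagnosticCommand; where mdmdiagnosticstool.exe stores its mdmlogs-*.cab
    # should be confirmed and added here if that output is wanted.
    $logFiles = @(
        "$env:ProgramData\Microsoft\DiagnosticLogCSP\Collectors\*.etl",
        "$env:ProgramFiles\Microsoft EPM Agent\Logs\*.*",
        "$env:ProgramFiles\Microsoft Device Inventory Agent\Logs",
        "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\*.*",
        "$env:ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab",
        "$env:ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html",
        "$env:ProgramData\USOShared\logs\system\*.etl",
        "$env:ProgramData\Microsoft Update Health Tools\Logs\*.etl",
        "$env:TEMP\CloudDesktop*.log",
        "$env:windir\ccm\logs\*.log",
        "$env:windir\ccmsetup\logs\*.log",
        "$env:windir\logs\CBS\cbs.log",
        "$env:windir\logs\measuredboot\*.*",
        "$env:windir\logs\Panther\unattendgc\setupact.log",
        "$env:windir\logs\SoftwareDistribution\ReportingEvent\measuredboot\*.log",
        "$env:windir\Logs\SetupDiag\SetupDiagResults.xml",
        "$env:windir\logs\WindowsUpdate\*.etl",
        "$env:windir\SensorFramework*.etl",
        "$env:windir\system32\config\systemprofile\AppData\Local\mdm\*.log",
        "$env:windir\temp\$env:COMPUTERNAME*.log",
        "$env:windir\temp\officeclicktorun*.log",
        "$env:TEMP\winget\defaultstate*.log"
    )

    $total = $logFiles.Count
    $index = 0
    foreach ($pattern in $logFiles) {
        $index++
        Write-Progress -Activity "Verzamelen van logbestanden" -Status "Bezig met bestand $index van $total" -PercentComplete (($index / $total) * 100)

        # -File: a directory entry (e.g. the Device Inventory Agent Logs folder) should yield its
        # files, not a bare directory object that Copy-Item would copy as an empty folder.
        Get-ChildItem -Path $pattern -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Strip the file's own drive root rather than $env:SystemDrive's length, so a
            # %TEMP% on another drive still maps to a sensible relative path.
            $root = [System.IO.Path]::GetPathRoot($_.FullName)
            $destination = Join-Path -Path $Path -ChildPath $_.FullName.Substring($root.Length)
            $destinationDir = Split-Path -Path $destination -Parent
            if (-Not (Test-Path -LiteralPath $destinationDir)) {
                New-Item -ItemType Directory -Force -Path $destinationDir | Out-Null
            }
            Copy-Item -LiteralPath $_.FullName -Destination $destination -Force
        }
    }
    Write-Progress -Activity "Verzamelen van logbestanden" -Completed
}

# Exports a fixed set of Event Viewer channels to <channel>.evtx files in $Path.
function Export-IntuneEventLog {
    [CmdletBinding()]
    param ([Parameter(Mandatory = $true)][string]$Path)

    $eventLogs = @(
        "Application",
        "Microsoft-Windows-AppLocker/EXE and DLL",
        "Microsoft-Windows-AppLocker/MSI and Script",
        "Microsoft-Windows-AppLocker/Packaged app-Deployment",
        "Microsoft-Windows-AppLocker/Packaged app-Execution",
        "Microsoft-Windows-AppxPackaging/Operational",
        "Microsoft-Windows-Bitlocker/Bitlocker Management",
        "Microsoft-Windows-HelloForBusiness/Operational",
        "Microsoft-Windows-SENSE/Operational",
        "Microsoft-Windows-SenseIR/Operational",
        "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall",
        "Microsoft-Windows-WinRM/Operational",
        "Microsoft-Windows-WMI-Activity/Operational",
        "Microsoft-Windows-AppXDeployment/Operational",
        "Microsoft-Windows-AppXDeploymentServer/Operational",
        "Setup",
        "System"
    )

    $total = $eventLogs.Count
    $index = 0
    foreach ($channel in $eventLogs) {
        $index++
        Write-Progress -Activity "Verzamelen van Event Viewer logs" -Status "Bezig met log $index van $total" -PercentComplete (($index / $total) * 100)

        # Channel names contain '/' ("Microsoft-Windows-AppLocker/EXE and DLL"); used verbatim the
        # '/' became a path separator into a non-existent sub-folder and the export failed.
        $fileName = ($channel -replace '[\\/]', '_') + '.evtx'
        $logFile = Join-Path -Path $Path -ChildPath $fileName
        & wevtutil.exe epl $channel $logFile
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "wevtutil failed to export '$channel' (exit code $LASTEXITCODE)"
        }
    }
    Write-Progress -Activity "Verzamelen van Event Viewer logs" -Completed
}

# Exports a fixed set of HKLM keys with reg.exe into Registry_<key>.txt files in $Path.
function Export-IntuneRegistryKey {
    [CmdletBinding()]
    param ([Parameter(Mandatory = $true)][string]$Path)

    $registryKeys = @(
        "HKLM\SOFTWARE\Microsoft\CloudManagedUpdate",
        "HKLM\SOFTWARE\Microsoft\EPMAgent",
        "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceHealthMonitoring",
        "HKLM\SOFTWARE\Microsoft\IntuneManagementExtension",
        "HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot",
        "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection",
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI",
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings",
        "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        "HKLM\SOFTWARE\Microsoft\DeviceInventory",
        "HKLM\SOFTWARE\Policies",
        "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL",
        "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection",
        "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
        "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL",
        "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm",
        "HKLM\SYSTEM\Setup\SetupDiag\Results"
    )

    $total = $registryKeys.Count
    $index = 0
    foreach ($key in $registryKeys) {
        $index++
        Write-Progress -Activity "Verzamelen van register sleutels" -Status "Bezig met sleutel $index van $total" -PercentComplete (($index / $total) * 100)

        $outputFile = Join-Path -Path $Path -ChildPath "Registry_$($key -replace '\\', '_').txt"
        # reg.exe wants the native "HKLM\..." form. The PowerShell drive form "HKLM:\..." that
        # was previously produced by -replace is rejected with "Invalid key name".
        & reg.exe export $key $outputFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "reg export failed for '$key' (exit code $LASTEXITCODE)"
        }
    }
    Write-Progress -Activity "Verzamelen van register sleutels" -Completed
}

# Only the entry point is public; the helpers above stay module-private.
Export-ModuleMember -Function Get-IntuneLogs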