Intune Management Extension Log Files: Complete Reference
Table of content
Introduction
When you manage Windows endpoints with Intune Management Extension, understanding its log files is critical. Whether you are troubleshooting app deployments, script execution or general health issues, IME log files contain the detailed traces you need. In this article we will cover:
-
How to find IME log files
-
The best methods to read them
-
Different access options
-
Maximum size/growth of IME log files
-
Detailed breakdown of each key log file:
-
AgentExecutor.log
-
AppActionProcessor.log
-
AppWorkload.log
-
ClientHealth.log
-
ClientCertCheck.log
-
DeviceHealthMonitoring.log
-
HealthScripts.log
-
IntuneManagementExtension.log
-
Sensor.log
-
Win32AppInventory.log
-
-
A conclusion to summarise and guide your next steps
Let’s dive in.
Finding Intune Management Extension logs
The primary folder where IME writes its logs is:
This folder contains all the major log files used by IME and should be your first stop when investigating issues.
Best Way to Read Intune Management Extension Logs
-
Use a specialized log viewer like CMTrace.exe (from SCCM toolkit) or Notepad++ with monospaced font and timestamp filters — this helps when dealing with large rolling logs.
-
Filter on timestamps to a specific deployment attempt. This means you record the time from the Intune portal when an action was triggered, then open the log and filter by that time.
-
Use search terms like Error, Failed, Download started, Install started, Exit code. These highlight key events quickly.
-
Monitor the rolling nature of logs – older entries may be archived or truncated depending on size and device policy.
-
Having remote access (e.g., via WinRM or PowerShell from Intune) helps when logs are on devices you cannot physically access.
Different ways to access IME Log files
-
Locally on device: navigate to the folder above via File Explorer or command line.
-
Via remote PowerShell / WinRM: e.g.,
-
Collect via Intune log collection: you can leverage Intune’s built-in log collection or device diagnostics package to pull this folder back to your server.
-
Use Enterprise Log Analytics / Azure Monitor: if you export IME logs to a central workspace, you can query across devices.
Maximum Size of IME Log files
There is no publicly documented hard size limit for each IME log file, but practical observations indicate:
-
Logs tend to roll over when they grow past a certain threshold (often ~100 MB) or when the service restarts.
-
The folder may accumulate numerous .log and .log.old or .log.1 files; watching total folder size is wise on low-disk devices.
-
On systems with low free space, IME may fail to write logs, causing incomplete diagnostics.
Recommendation: monitor the size of below path
folder and set alerts if it grows abnormally (e.g., >500 MB).C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
Intune Management Extension Log Files – Detailed List
1. AgentExecutor.log
When working with Microsoft Intune, one of the key components behind the scenes is AgentExecutor.exe. This executable resides in C:\Program Files (x86)\Microsoft Intune Management Extension.
Whenever you create Intune remediation tasks or target a PowerShell script to a device, AgentExecutor.exe is invoked to handle the execution. Its activities are carefully tracked in the AgentExecutor.log file, making it an essential resource for troubleshooting.
Intune remediation scripts are cached locally on the device in: C:\WINDOWS\IMECache\HealthScripts\
2. AppActionProcessor.log
Tracks high-level app install/uninstall actions processed by IME. This log shows when IME initiates an install/uninstall for a Win32 application, its status, and transitions.
Useful for seeing the workflow before the actual installer runs. This also checks the application Detection and App applicability check for all applications.
3. AppWorkload.log
Focuses on the “workload” phase for Win32 apps, content download, staging, execution and clean-up. If content fails to download or fails in staging, this log reveals it.
Look here for BITS/Delivery Optimization and download-related errors.
4. ClientHealth.log
Monitors the health of the IME agent itself. Contains entries about agent start-up, failures, service restarts, connectivity to Intune, mis-configuration, and certificate issues.
If IME never runs tasks, check this log first.
5. ClientCertCheck.log
Logs certificate validation and checking for the agent and MDM/IME components. Issues with enrollment, certificate renewal or connectivity may show up here.
If you suspect certificate or compliance problems, inspect this file. ClientCertCheck.exe is used to verify and validate the certificate.
6. DeviceHealthMonitoring.log
In Windows 10 and 11, telemetry automatically gathers and transmits system usage data to Microsoft. The DeviceHealthMonitoring.log file captures events tied to this process, leveraging the 1DS SDK which is Microsoft’s open-source logging library built for handling text-based events and securely sending them to public endpoints.
This log records telemetry and device-health monitoring information collected by the IME agent, including device resource status, service health, and periodic checks. Its primary purpose is proactive monitoring of system health, rather than serving as a direct diagnostic tool for application failures.
7. HealthScripts.log
The HealthScripts component of the Intune Management Extension (IME) is responsible for checking any assigned Intune detection and remediation scripts on a device and executing them according to their schedule. All activity is logged in the HealthScripts.log file, which records script execution details, output, errors, and exit codes.
This log provides visibility into the run history of health check and remediation scripts delivered via IME, making it the place to track their behavior and results. It also clearly separates script-based health logic from app installation logic, ensuring that monitoring and troubleshooting remain distinct.
8. IntuneManagementExtension.log
A “bootstrap” log that captures when the IME service installs, initial start, upgrade events, and version checks. Less about individual tasks and more about the IME lifecycle.
Check this when IME itself fails to run or install.
The IME Agent log captures all core activities of the Intune Management Extension, including agent check-ins, policy requests, package management, policy processing, and reporting.
This log serves as a comprehensive record of communication and task execution between the agent and Intune, making it the primary source for tracking how policies and packages are delivered and processed on a device.
9. Sensor.log
The Sensor.log file in the Intune Management Extension (IME) records information generated by the SensorFramework component. It captures a wide range of device event details, including boot performance, CPU summary events, driver inventory, app usage configuration, and other system usage data.
This data is provided through Microsoft.ConfigurationManagement.SensorFramework.dll, which surfaces insights about device activity and health. While the log can be opened and reviewed, it is generally not useful for troubleshooting app deployment or device check-in issues. Instead, it serves as a reference for system performance and usage events.
10. Win32AppInventory.log
Used when the device reports inventory of Win32 apps back to Intune. Tracks the scan of installed Win32 applications, versions, detection status, and reporting.
If your Win32 app shows incorrect detection state in Intune portal, this log helps trace the inventory dimension.
FAQs
Q1. What does DNS_PROBE_FINISHED_NXDOMAIN mean in Chrome?
A1. It means Chrome sent a DNS lookup for the website, the lookup completed, but returned “NXDOMAIN” (non-existent domain). Essentially, the browser couldn’t find the IP for the domain.
Q2. Is DNS_PROBE_FINISHED_NXDOMAIN a virus or malware?
A2. No — it’s not a virus. It’s a DNS resolution error. However, malware or malicious software can cause DNS issues by hijacking DNS settings or hosts file, so it’s worth checking if you’ve recently installed odd software.
Q3. Why does DNS_PROBE_FINISHED_NXDOMAIN happen only on one device?
A3. Because that device may have a local issue (DNS cache stale, misconfigured DNS server, hosts file entry, browser extension) while other devices on the network work fine.
Q4. How do I fix DNS_PROBE_FINISHED_NXDOMAIN on mobile?
A4. On Android or iOS you would restart the device, clear Wi-Fi settings or switch to a different DNS server, flush the DNS/app cache, disable VPNs/antivirus apps. But since this blog is Windows-specific, I recommend checking a mobile-focused guide or [How to Fix DNS_PROBE_FINISHED_NXDOMAIN on Windows – Tech EUC our general DNS guide].
Q5. How do I know if the problem is my PC, my router/ISP or my domain?
A5. Try these steps:
-
Use another device on same network. If it works, your PC is the problem.
-
Use your Windows PC on another network (e.g., mobile hotspot). If it works, your router/ISP was the problem.
-
If the issue is only one domain (others work fine), then likely the domain’s DNS/hosting is at fault.
