Recipe · Intune & Device Management
Bulk Trigger Intune Device Diagnostics Collection
Remotely collect diagnostic logs from all managed devices in Microsoft Intune using a single bulk action
Complexity
Intermediate
Impact
bulk-operation + device-management + troubleshooting + privileged-action
Context
Why This Matters
When troubleshooting fleet-wide issues (a failing configuration profile, a compliance regression after an OS update, or a suspected MDM agent problem), IT admins often need diagnostic logs from many devices at once. Intune exposes a per-device createDeviceLogCollectionRequest action that triggers the MDM agent to upload a log bundle to Intune, where it can be downloaded as a ZIP for analysis.
The Intune admin center only lets you trigger this action one device at a time, which is impractical for tenants with hundreds or thousands of devices. This recipe shows how to fan the action out across your entire managed device estate (or a filtered subset) using Microsoft Graph.
When to run this recipe
- A widespread issue is reported and you need diagnostic data from many devices for root-cause analysis
- You are preparing a Microsoft support case and need logs from a representative device sample
- You want to verify MDM agent health across the fleet after a major configuration change
- A compliance policy is failing unexpectedly on multiple devices
Expected Outcomes
After completing this recipe you will have:
- A log collection request queued against every targeted managed device in Intune
- A CSV/JSON record of which devices were successfully requested, skipped, or failed
- Diagnostic log ZIP bundles downloadable from the Intune admin center once devices check in (Windows / macOS / iOS / Android supported; coverage varies by platform)
- A repeatable script you can rerun against filtered device sets (by OS, compliance state, group membership, etc.)
Devices will upload logs on their next MDM check-in. For Windows, this typically happens within 8 hours; you can shorten this by also triggering a sync action.
Risks & Considerations
Operational risks
- Network load on endpoints: Each device uploads a multi-MB diagnostic bundle. Running this against thousands of devices simultaneously can produce a noticeable spike in outbound traffic from client networks.
- Platform coverage is uneven: createDeviceLogCollectionRequest is fully supported on Windows 10/11 co-managed and MDM-enrolled devices. macOS, iOS, and Android support is limited or requires the device to be corporate-owned / supervised. Unsupported devices will return errors; expect these and do not treat them as failures.
- Offline devices: The request queues until the device next checks in. Devices that never check in (retired, lost) will show a pending request indefinitely.
- Throttling: Microsoft Graph enforces per-tenant and per-app throttling. For large fleets, pace the requests (batches of 20 with a short delay) to avoid HTTP 429 responses.
Privacy and compliance
- Diagnostic logs may contain user names, device names, installed app inventory, and event log excerpts. Treat the downloaded bundles as confidential and store them according to your data retention policy.
- In jurisdictions with works councils or strict privacy controls (e.g. Germany, France), confirm that bulk log collection is permitted before running.
- Do not leave collected logs in admin mailboxes or shared drives indefinitely; purge after the investigation is complete.
What NOT to do
- Do not run this against your entire fleet as a routine health check; it is an on-demand troubleshooting tool.
- Do not skip the dry-run / targeting review step. A typo in a filter can target the wrong population.
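The dry-run targeting review, the batches-of-20 pacing with HTTP 429 handling, and the requested / skipped / failed record described above, sketched in Python as an added example (not the recipe's own script). The `send` callable is a hypothetical stand-in for the Graph call to createDeviceLogCollectionRequest, and treating HTTP 400 as "unsupported platform" is an assumption to adjust to what your tenant actually returns.

```python
import csv
import io
import time

BATCH_SIZE = 20               # batch size suggested on the page
UNSUPPORTED_STATUSES = {400}  # assumption: status seen for unsupported platforms

def send_with_backoff(send, device_id, max_retries, sleep):
    """Call send(); on HTTP 429 wait (Retry-After if given) and retry."""
    for attempt in range(max_retries + 1):
        status, retry_after = send(device_id)
        if status == 429 and attempt < max_retries:
            sleep(retry_after or 2 ** attempt)
            continue
        if 200 <= status < 300:
            return "requested", f"HTTP {status}"
        if status in UNSUPPORTED_STATUSES:
            return "skipped", f"HTTP {status} (unsupported, not a failure)"
        return "failed", f"HTTP {status}"

def run(devices, os_filter, send, dry_run=True, delay=2.0, max_retries=3,
        sleep=time.sleep):
    """Return one result row per device; nothing is sent when dry_run is True.

    send(device_id) -> (http_status, retry_after_seconds_or_None) is a
    hypothetical stand-in for the Graph createDeviceLogCollectionRequest call.
    """
    rows, targets = [], []
    for d in devices:
        if d["operatingSystem"].lower() == os_filter.lower():
            targets.append(d)
        else:
            rows.append({**d, "result": "skipped", "detail": "outside filter"})
    for start in range(0, len(targets), BATCH_SIZE):
        if start and not dry_run:
            sleep(delay)  # pace batches to stay under Graph throttling
        for d in targets[start:start + BATCH_SIZE]:
            if dry_run:
                result, detail = "would-request", "dry run"
            else:
                result, detail = send_with_backoff(send, d["id"], max_retries, sleep)
            rows.append({**d, "result": result, "detail": detail})
    return rows

def to_csv(rows):
    """Serialise the result rows as the CSV record of the run."""
    buf = io.StringIO()
    fields = ["id", "deviceName", "operatingSystem", "result", "detail"]
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Review the `would-request` rows from a dry run before calling `run(..., dry_run=False)` with a real sender.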
Required Permissions
| Permission | Why It's Needed |
|---|---|
| DeviceManagementManagedDevices.Read.All | Required to enumerate managed devices and read their metadata (OS, enrollment state) for targeting. |
| DeviceManagementManagedDevices.PrivilegedOperations.All | Required to invoke the createDeviceLogCollectionRequest action; this is a privileged device management operation. |
The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.