shaunburton85
Copper Contributor
Dec 07, 2024

Find Out Who Sent The Remote Commands

My company has recently adopted InTune. I'm learning the process and becoming efficient with reimaging and enrolling PCs. I know it's possible to send remote commands such as wiping devices, resetting PIN codes for mobile devices, etc.

I would like to know how I can find out who sent the command. For example, if a command was sent to an iPhone to reset the PIN code, is there a log or somewhere I can check to see which tech sent that command?

Thank you,

Shaun Burton

  • kyazaferr
    Steel Contributor

    Log in to the Microsoft Endpoint Manager Admin Center:

    1. Access Audit Logs:
      • In the Admin Center, navigate to Tenant Administration > Audit Logs.
    2. Filter for Relevant Actions:
      • Use the search and filter options to look for specific activities, such as "Device action," "Reset PIN," or "Wipe device."
      • Apply filters such as:
        • Date and time range: Narrow down to the timeframe of the suspected command.
        • Activity type: For example, search for "Reset PIN" or "Device Wipe."
        • Initiator: Find the user account that initiated the action.
    3. Review the Logs:
      • Each entry will include details like:
        • Initiator: The name or account of the tech who sent the command.
        • Timestamp: When the action was taken.
        • Target: The device or user affected by the command.
        • Activity: The specific action (e.g., Reset PIN, Wipe device).
    4. Export Logs for Further Analysis (Optional):
      • You can export the logs to a CSV file for detailed review or sharing with others.

    If You Don’t See the Relevant Details:

    • Ensure that your account has sufficient permissions to access audit logs. The necessary roles include:
      • Global Admin
      • Intune Service Admin
      • Audit Reader
    • Verify that auditing is enabled in your organization. By default, Intune auditing should be enabled, but it’s worth confirming in the Azure AD Audit Logs or Microsoft 365 Compliance Center.

    Advanced Logging Options:

    For deeper analysis or integration with other tools:

    • Use the Microsoft Graph API to query Intune audit logs programmatically.
    • Check the Microsoft 365 Compliance Center for broader audit logs, particularly if Intune actions are part of a larger investigation.
  • Ankido
    Iron Contributor

    Hi,

    To find out who sent remote commands in Microsoft Intune, you can use the activity logs available in the admin interface. Here are the steps:

    1. Go to Activity Logs

    • Open the Microsoft Intune Admin Center
    • Navigate to Tenant administration > Audit logs.

    2. Filter the Logs

    • Use the filtering option to search for specific events, such as:
      • Category: "Device actions"
      • Activity: The specific action, e.g., "Reset passcode" or "Wipe device."
      • Target: The device or user affected by the action.
    • You can also specify a date range to narrow your search.

    3. Check Who Sent the Command

    • In the logs, you will find information about who initiated the action. This is displayed under the field Initiated by or similar.
    • It includes:
      • The username or email address of the administrator.
      • The time the command was sent.

    4. Alternative: Logs from the Device

    • If it concerns a specific device, you can:
      • Go to Devices > Select the device > Device actions.
      • Check the details of actions performed on that device.

    5. Export Logs (If Needed)

    • For more advanced analysis, export the logs and review them in Excel or a SIEM solution (Security Information and Event Management).

    6. If Logs Are Missing

    • Ensure that logging is enabled in your tenant. Go to Azure Active Directory > Audit logs for more extensive audit data.
    • If your organization uses Microsoft Defender for Endpoint, additional insights might be available there.

    By following these steps, you can identify which technician or administrator sent the remote command.
    I hope this will help you.
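Both replies above point to the programmatic route (the Microsoft Graph API, or exporting the audit log into a SIEM) as the way to go beyond clicking through the portal. The script below is an added example written for this thread; it is not code from either reply or from Microsoft. It reads Intune audit events from the real Graph v1.0 collection `/deviceManagement/auditEvents`, follows `@odata.nextLink` paging, and flattens each event into who / when / what / target, distinguishing a signed-in admin (`actor.userPrincipalName`) from an automation app (`actor.applicationDisplayName`). The property names (`actor`, `activityDateTime`, `activityResult`, `resources`, `correlationId`) are those of the Graph `auditEvent` resource; the `$filter` on `activityDateTime`, the `YOUR_TOKEN_HERE` placeholder and the permission needed to call the endpoint are assumptions to check against the Graph permissions reference. The sample page, device names, user principal names and activity strings are constructed for the demo, so the file runs offline without a tenant.

```python
"""Attribute Intune remote device actions to an actor via Microsoft Graph audit events.

Added example for the thread above, not Microsoft's or the repliers' code.
Assumes a bearer token with a DeviceManagement*.Read.All permission (placeholder below);
the sample page at the bottom is constructed so the script runs with no network access.
"""
import json
from datetime import datetime, timezone
from typing import Iterable, Optional
from urllib.parse import quote
from urllib.request import Request, urlopen

# Real Graph v1.0 collection of Intune audit events.
AUDIT_EVENTS_URL = "https://graph.microsoft.com/v1.0/deviceManagement/auditEvents"


def build_query(since: datetime) -> str:
    """Build the audit-event URL narrowed server-side to events at or after `since`.

    The activityDateTime filter is an assumption about supported OData filters; the
    action name itself is matched client-side in summarize(), so no exact
    activityType enum strings are assumed here.
    """
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{AUDIT_EVENTS_URL}?$filter={quote(f'activityDateTime ge {stamp}')}&$top=100"


def fetch_all(url: str, token: str) -> Iterable[dict]:
    """Yield every event, following @odata.nextLink until the last page (network call)."""
    while url:
        req = Request(url, headers={"Authorization": f"Bearer {token}"})
        with urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def describe_actor(actor: dict) -> str:
    """Name the initiator: an admin's UPN, or the app/service principal that ran it."""
    if actor.get("userPrincipalName"):
        return actor["userPrincipalName"]
    if actor.get("applicationDisplayName"):
        return f"app:{actor['applicationDisplayName']}"
    return f"unknown ({actor.get('type', 'n/a')})"


def summarize(events: Iterable[dict], action_keyword: Optional[str] = None) -> list:
    """Flatten audit events to who/when/what/target rows, oldest first.

    `action_keyword` (e.g. "passcode", "wipe") is matched case-insensitively against
    the event's display name so the caller need not know the exact activityType value.
    """
    rows = []
    for ev in events:
        activity = ev.get("displayName") or ev.get("activityType") or ""
        if action_keyword and action_keyword.lower() not in activity.lower():
            continue
        targets = [r.get("displayName") or r.get("resourceId", "?") for r in ev.get("resources", [])]
        rows.append({
            "when": ev.get("activityDateTime"),
            "who": describe_actor(ev.get("actor", {})),
            "source_ip": ev.get("actor", {}).get("ipAddress"),
            "what": activity,
            "result": ev.get("activityResult"),
            "target": ", ".join(targets),
            "correlationId": ev.get("correlationId"),  # handy when opening a support case
        })
    rows.sort(key=lambda r: r["when"] or "")
    return rows


# Constructed sample page shaped like a Graph response; every value here is made up.
SAMPLE_PAGE = {
    "value": [
        {
            "displayName": "resetPasscode ManagedDevice",
            "activityDateTime": "2024-12-06T14:02:11Z",
            "activityResult": "Success",
            "correlationId": "00000000-0000-0000-0000-000000000001",
            "actor": {"type": "itPro", "userPrincipalName": "tech.one@example.com",
                      "ipAddress": "203.0.113.10"},
            "resources": [{"displayName": "iPhone-Sales-07", "resourceId": "device-0001",
                           "type": "ManagedDevice"}],
        },
        {
            "displayName": "wipe ManagedDevice",
            "activityDateTime": "2024-12-06T15:30:00Z",
            "activityResult": "Success",
            "correlationId": "00000000-0000-0000-0000-000000000002",
            "actor": {"type": "application", "applicationDisplayName": "AutomationRunbook"},
            "resources": [{"displayName": "LAPTOP-0042", "resourceId": "device-0042",
                           "type": "ManagedDevice"}],
        },
        {
            "displayName": "Patch DeviceConfiguration",
            "activityDateTime": "2024-12-06T09:00:00Z",
            "activityResult": "Success",
            "correlationId": "00000000-0000-0000-0000-000000000003",
            "actor": {"type": "itPro", "userPrincipalName": "tech.two@example.com"},
            "resources": [{"displayName": "Wi-Fi profile", "resourceId": "cfg-0007",
                           "type": "DeviceConfiguration"}],
        },
    ]
}


if __name__ == "__main__":
    # Offline demo on the constructed page; swap in fetch_all(build_query(...), "YOUR_TOKEN_HERE")
    # to run against a tenant.
    for row in summarize(SAMPLE_PAGE["value"], action_keyword="passcode"):
        print(row)
```

Run as-is it answers the original question for the constructed data (the passcode reset on `iPhone-Sales-07` was sent by `tech.one@example.com`); the wipe row shows the other case worth knowing about, an action initiated by an application rather than a person, which the portal's "Initiated by" column also reports. Keeping `correlationId` and `ipAddress` in the flattened rows is what makes the export useful when it lands in a SIEM.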