shaunburton85
Dec 07, 2024 Copper Contributor
Find Out Who Sent The Remote Commands
My company has recently adopted Intune. I'm learning the process and becoming efficient with reimaging and enrolling PCs. I know it's possible to send remote commands such as wiping devices, reset...
kyazaferr
Dec 09, 2024 MCT
Log in to the Microsoft Endpoint Manager Admin Center:
- Access Audit Logs:
  - In the Admin Center, navigate to Tenant Administration > Audit Logs.
- Filter for Relevant Actions:
  - Use the search and filter options to look for specific activities, such as "Device action," "Reset PIN," or "Wipe device."
  - Apply filters such as:
    - Date and time range: Narrow down to the timeframe of the suspected command.
    - Activity type: For example, search for "Reset PIN" or "Device Wipe."
    - Initiator: Find the user account that initiated the action.
- Review the Logs:
  - Each entry will include details like:
    - Initiator: The name or account of the tech who sent the command.
    - Timestamp: When the action was taken.
    - Target: The device or user affected by the command.
    - Activity: The specific action (e.g., Reset PIN, Wipe device).
- Export Logs for Further Analysis (Optional):
  - You can export the logs to a CSV file for detailed review or sharing with others.
If You Don’t See the Relevant Details:
- Ensure that your account has sufficient permissions to access audit logs. The necessary roles include:
  - Global Admin
  - Intune Service Admin
  - Audit Reader
- Verify that auditing is enabled in your organization. By default, Intune auditing should be enabled, but it’s worth confirming in the Azure AD Audit Logs or Microsoft 365 Compliance Center.
Advanced Logging Options:
For deeper analysis or integration with other tools:
- Use the Microsoft Graph API to query Intune audit logs programmatically.
- Check the Microsoft 365 Compliance Center for broader audit logs, particularly if Intune actions are part of a larger investigation.
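The Graph API route mentioned in the reply above, as an added example that is not part of the original post: it pages through `deviceManagement/auditEvents` and reduces each matching event to initiator, timestamp, activity and target. Obtaining the bearer token is assumed to happen elsewhere, and the activity names and sample events are constructed, so check the keywords against the activity strings your tenant actually records.

```python
import json
import urllib.parse
import urllib.request

GRAPH_AUDIT_URL = "https://graph.microsoft.com/v1.0/deviceManagement/auditEvents"

def build_query(since_utc):
    """URL for audit events at or after since_utc (ISO 8601, e.g. 2024-12-01T00:00:00Z)."""
    flt = urllib.parse.quote(f"activityDateTime ge {since_utc}")
    return f"{GRAPH_AUDIT_URL}?$filter={flt}"

def fetch_events(url, token):
    """Follow @odata.nextLink paging and return every auditEvent as a dict."""
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events

def who_sent(events, keywords):
    """Return (time, initiator, activity, targets) for events matching any keyword."""
    wanted = [k.lower() for k in keywords]
    rows = []
    for ev in events:
        activity = ev.get("activityType") or ev.get("displayName") or ""
        if not any(k in activity.lower() for k in wanted):
            continue
        actor = ev.get("actor") or {}
        # Commands sent by an app or automation carry no UPN; fall back to the app name.
        initiator = actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"
        targets = [r.get("displayName") or r.get("resourceId") for r in ev.get("resources") or []]
        rows.append((ev.get("activityDateTime"), initiator, activity, targets))
    return sorted(rows, key=lambda r: r[0] or "")

# Constructed sample in the auditEvent shape; every name and value is made up.
SAMPLE = [
    {"activityDateTime": "2024-12-06T14:02:11Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "tech1@contoso.example"}, "resources": [{"displayName": "LAPTOP-01"}]},
    {"activityDateTime": "2024-12-06T15:00:00Z", "activityType": "Patch DeviceCompliancePolicy",
     "actor": {"userPrincipalName": "admin@contoso.example"}, "resources": []},
    {"activityDateTime": "2024-12-05T09:30:00Z", "activityType": "resetPasscode ManagedDevice",
     "actor": {"userPrincipalName": None, "applicationDisplayName": "Automation App"},
     "resources": [{"displayName": None, "resourceId": "constructed-id-0002"}]},
]
```

Against a live tenant, `who_sent(fetch_events(build_query("2024-12-01T00:00:00Z"), token), ["wipe"])` returns the same rows for real events. An "unknown" initiator means the event has neither a user nor an application name.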