SOLVED

Intune Device Wipe Logs

Copper Contributor

We recently had a couple of managed iOS devices get wiped by Intune. However I have learned that the Intune Audit Logs don't record wipes.

 

Is this something Intune is looking to introduce?

 

Seems like a pretty important thing to have an audit of.

 

Richard

9 Replies

@Richard1069 

Hello! You've posted your question in the Tech Community Discussion space, which is intended for discussion around the Tech Community website itself, not product questions. I'm moving your question to the Microsoft Intune space - please post Intune questions here in the future. 

Hi @Richard1069,

 

You should be able to see that in the Audit Logs. Navigate to Tenant Administration- Audit Logs - Filter by Device - Wipe ManagedDevice. Screenshot attached for more clarity.

 

Hope this helps!

Moe

@Moe_Kinani thanks for reply. However I have been to that location in audit logs and there's no log for a wipe. It's strange because I can filter to find a managed wipe as you suggest, but nothing shows up. 

Is it older than one year? I can see the wipe actions for the phones I’ve done 8 months ago.

Moe

@Moe_Kinani Hi Moe, thanks for that. The devices were wiped just a few days ago. Do you know if that particular log needs to be specified in Tenant Admin -> Diagnostic Settings?

It should be enabled by default for all customers, are you logging in with Global Admin?

https://docs.microsoft.com/en-us/mem/intune/fundamentals/monitor-audit-logs#audit-logs-for-intune-wo...

Moe
Thanks again. Yes I have global admin. Ok so it looks like if I do a manual wipe of a device, it records it in the audit logs. However, a wipe initiated by a Configuration Profile - eg. if a user has too many passcode attempts the device is wiped - this is not recorded in the logs.
best response confirmed by Richard1069 (Copper Contributor)
Solution

Hi @Richard1069 

 

This makes sense to me now. You don’t find devices information actions in audit logs, as it shows audit log actioned by admins.
You might be able to find those details if you send LOG > IntuneDevices: to Log Analytics and alert via email. This setting sits under Diagnostics Settings as you mentioned, check this url below-

https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor

 

Moe

 

Cheers Moe. I will have a look at that.
1 best response

Accepted Solutions
best response confirmed by Richard1069 (Copper Contributor)
Solution

Hi @Richard1069 

 

This makes sense to me now. You don’t find devices information actions in audit logs, as it shows audit log actioned by admins.
You might be able to find those details if you send LOG > IntuneDevices: to Log Analytics and alert via email. This setting sits under Diagnostics Settings as you mentioned, check this url below-

https://docs.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor

 

Moe

 

View solution in original post