Microsoft Intune Compliance & Device Logs

m365-azure, System Configuration, Cloud Admin Portal, SIEM / Log Aggregator

Location

Microsoft Intune Admin Center > Devices > Monitor (or Microsoft Graph API /deviceManagement)

Description

Intune device management logs capturing device compliance state, configuration profile deployment results, app installation status, device enrollment events, remote action execution (wipe, lock, retire), and discovered application inventory.

Forensic Value

Intune logs reveal the security posture of endpoints at the time of a breach. A non-compliant device status points to missing patches, disabled encryption, or outdated antivirus that may have enabled the compromise. Device enrollment events from unexpected locations or accounts suggest attacker device registration. Remote wipe and lock action logs document the containment actions taken during incident response. Application inventory identifies which apps were installed on compromised devices without requiring direct endpoint access.
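As an added example (not part of this catalogue entry or of Microsoft's tooling), the following script triages a managedDevice listing of the kind returned by Graph GET /deviceManagement/managedDevices, flagging non-compliant or unencrypted devices and any device enrolled inside a hypothetical incident window; the sample records and the window are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the "value" array Graph returns from
# GET /deviceManagement/managedDevices (field names follow the managedDevice
# resource; device names, users and timestamps are made up for this example).
SAMPLE_JSON = json.dumps({"value": [
    {"deviceName": "LAPTOP-01", "userPrincipalName": "alice@contoso.example",
     "complianceState": "compliant", "isEncrypted": True,
     "enrolledDateTime": "2024-01-10T09:00:00Z", "lastSyncDateTime": "2024-03-15T08:00:00Z"},
    {"deviceName": "LAPTOP-02", "userPrincipalName": "bob@contoso.example",
     "complianceState": "noncompliant", "isEncrypted": False,
     "enrolledDateTime": "2023-11-02T14:20:00Z", "lastSyncDateTime": "2024-03-14T17:45:00Z"},
    {"deviceName": "DESKTOP-NEW", "userPrincipalName": "bob@contoso.example",
     "complianceState": "compliant", "isEncrypted": True,
     "enrolledDateTime": "2024-03-14T22:30:00Z", "lastSyncDateTime": "2024-03-15T01:00:00Z"},
]})

# Hypothetical incident window used to spot enrollments that coincide with the breach.
INCIDENT_START = datetime(2024, 3, 14, 18, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2024, 3, 15, 6, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph emits UTC timestamps with a trailing 'Z'; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_devices(graph_json, window_start, window_end):
    """Return {deviceName: [reasons]} for devices that merit a closer look."""
    findings = {}
    for dev in json.loads(graph_json)["value"]:
        reasons = []
        state = dev.get("complianceState", "unknown")
        if state != "compliant":                      # missing patches, AV, etc.
            reasons.append(f"complianceState={state}")
        if dev.get("isEncrypted") is False:           # disk encryption off
            reasons.append("isEncrypted=false")
        enrolled = parse_graph_time(dev["enrolledDateTime"])
        if window_start <= enrolled <= window_end:    # possible attacker-registered device
            reasons.append(f"enrolled during incident window by {dev.get('userPrincipalName')}")
        if reasons:
            findings[dev["deviceName"]] = reasons
    return findings


def run_sample():
    """Run the triage over the constructed sample with the hypothetical window."""
    return triage_devices(SAMPLE_JSON, INCIDENT_START, INCIDENT_END)
```

On a live tenant the same function can be fed the JSON body of the Graph call instead of SAMPLE_JSON.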

Tools Required

Microsoft Intune Admin Center, Microsoft Graph API, PowerShell (Microsoft.Graph.Intune), SIEM (Sentinel)