Integrate Windows Analytics with SCCM

Windows Analytics is a set of solutions for Azure Log Analytics (formerly known as Operations Management Suite or OMS) that provide you with extensive data about the state of devices in your deployment. There are currently three solutions, which you can use singly or in any combination: Device Health, Update Compliance and Upgrade Readiness.

Integrating these solutions with SCCM is a quick and easy way to populate Azure Log Analytics with data from your Windows devices. Upgrade Readiness data is then synced down to SCCM for easy creation of collections of machines in various states of upgrade readiness.

(The OMS portal has been deprecated; you should start using the Azure portal instead as soon as possible.)

  1. Log in to portal.azure.com, select + Create a resource and search for Update Compliance.

  2. On the Update Compliance solution, click Create.

  3. On the Create a new Solution blade click OMS Workspace and select the option to Create New Workspace. When creating the OMS Workspace and a Resource Group, use a naming convention which will later make it easy to identify the purpose of each. (In this case we are creating a workspace and resource group for Windows Analytics.) Select a Location and a Pricing tier. Click OK.

 

  4. Repeat steps 1 through 3 to create resources for both Device Health and Upgrade Readiness. For these solutions, however, select the OMS workspace which you created during the Update Compliance solution creation above.

 

  5. In the Azure portal select All services, and search for Log Analytics. (Tip: You can select the star to add it to your favorites for easy access in the future.) Click Log Analytics to open the blade, then select the workspace which you created for Windows Analytics. Record the Subscription ID, Workspace Name and Workspace ID. You will need these later, so I recommend saving them in Notepad. Label these as “Workspace Subscription ID”, “Workspace Name” and “Workspace ID”. You will be recording several more items throughout this guide; use proper labeling to avoid confusion in later steps.
  6. In the Log Analytics blade click the workspace which you created for Windows Analytics and select Solutions. You will see the CompatibilityAssessment (Upgrade Readiness), DeviceHealthProd (Device Health), and WaaSUpdateInsights (Update Compliance) solutions that have been created.

 

  7. In the Windows Analytics workspace select the Solutions node, then select CompatibilityAssessment. From the CompatibilityAssessment solution pane select Update Readiness Settings. Record the Commercial Id Key as “Update Readiness Settings Commercial Id Key”, disable Demo mode and select a Target to be evaluated. Click Save.

 

  8. In the Azure portal search for App registrations. Go to App registrations and click New application registration. In the create application dialog enter a Name that will be associated with the OMS Connector which we will add to SCCM in later steps, leave the default Application type of Web app / API and enter a Sign-on URL (the sign-on URL is never used, so it doesn’t have to be a valid URL), then click Create. (Tip: If the Create button is greyed out, click in the Name text box.)

 

 

  9. In the App Registrations blade select the web app you created for the OMS Connector. Record the Application ID, Object ID and Display Name of the web app as “OMS Application ID”, “OMS Object ID” and “OMS Display Name”. Click Settings.

 

  10. In the web app settings for the OMS Connector app select Keys. Enter a description for the key, select 2 years as the expiration duration, then click Save. Once saved, the key value is displayed. Record the key value as “Windows Analytics Secret Key”. DO NOT LEAVE THIS PAGE WITHOUT SAVING THE SECRET KEY.


  11. In the Log Analytics blade click the workspace you created for Windows Analytics. Select Access control (IAM), then click Add role assignment. From the Role drop-down select Contributor. Under Assign access to, leave the default value of Azure AD user, group or service principal. In the Select box enter the display name of the web app created for the OMS Connector, select the display name and click Save. (Tip: Another option is to set the access controls on the resource group rather than the workspace so that all resources in the group inherit the permissions.)

  12. Repeat steps 8 through 11, creating a second web app that will be used for the Upgrade Readiness connector in SCCM. Be sure to set the access controls for the Upgrade Readiness web app on the Windows Analytics workspace.

  13. In the Log Analytics blade of the Azure Portal click the workspace which you created for Windows Analytics and select Advanced Settings. Select Connected Sources, and then select Windows Servers. Record the Workspace ID and Primary Key. Before leaving the Advanced Settings page download the Log Analytics Windows Agent. Copy the Log Analytics Windows agent to your SCCM primary site server.

 

  14. On the SCCM site server create the following registry subkey and DWORD values to enable the Log Analytics Windows Agent and the Log Analytics service to communicate using TLS 1.2. (Note: you must restart the system for the settings to take effect.)
  • HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    • Enabled [Value = 1]
    • DisabledByDefault [Value = 0]
  15. On the SCCM site server configure .NET Framework 4.6 or later to support secure cryptography by creating the following registry DWORD values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    • SchUseStrongCrypto [value = 1]
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
    • SchUseStrongCrypto [value = 1]
  16. On the SCCM site server launch setup of the Log Analytics Windows Agent. During the installation select the option to Connect the agent to Azure Log Analytics (OMS), then enter the Workspace ID and Primary Key recorded from your Windows Analytics workspace and select the appropriate Azure Cloud. Click Next and complete the Microsoft Monitoring Agent Setup wizard.

 

  17. In the SCCM console select the Administration node > Overview > Cloud Services and right-click on Azure Services. Select Configure Azure Services.

  18. In the Azure Services Wizard on the App Services pane enter a Name for your OMS Connector service and select OMS Connector. Click Next.

  19. In the Azure Services Wizard on the App pane select the appropriate Azure environment, either public or government. Click Import, enter the required info and click Verify. Click OK.

  20. On the App pane of the Azure Services Wizard click Next.
  21. On the Collection pane of the Azure Services Wizard the Azure subscriptions, Azure resource group and Windows Analytics workspace should auto populate. Select a Collection of devices to report to Log Analytics. You may want to select All Systems or you might want a small subset of devices. I prefer All Systems so that I can later use the data to generate collections. Click Next. (Tip: If the Azure resource group and Windows Analytics workspace do not auto populate, the issue is likely incorrectly configured access controls or an incorrectly configured Log Analytics Windows Agent. Review the steps above to ensure those have been configured properly. Unfortunately, if you must run the Azure Services Wizard a second time because the Azure resource group and Windows Analytics workspace did not auto populate, you may receive a message stating that the web app has already been imported when you attempt to import it. I found two ways to correct this issue: you can go back and create a new web app in Azure or you can delete the imported web app directly from the SCCM database which is VERY ).
  22. Click Next to complete the Azure Services Wizard then click Close.
  23. Repeat steps 17 through 22 for the Upgrade Readiness connector, making sure to use the information from the Upgrade Readiness web app.
  24. In the SCCM console select the Administration node > Overview > Client Settings, then edit an existing client agent setting or create a new one as follows:
    1. Select Windows Analytics.
    2. Set Manage Windows telemetry data with Configuration Manager to “Yes”.
    3. Enter the Commercial ID key recorded in Step 7.
    4. Set a value for Windows 10 telemetry. I recommend Full.
    5. Configure a value appropriate for your environment for telemetry for Windows 8.1 and earlier.
    6. Configure a value appropriate for your environment for Enable Windows 8.1 and earlier Internet Explorer data collection.

Once complete, deploy the client agent settings to a collection containing the computers from which you need Analytics data.

  25. It may take 72 hours or more before data becomes available in the Azure Portal. Once it’s available you will see information for Update Compliance, Upgrade Readiness and Device Health. I’ve pinned these to my Dashboard for easier viewing. For more details drill in to each solution.

 

  26. Once the data is visible in Azure you should be able to view and utilize Upgrade Readiness data to create collections.

  27. If you are able to view the data in Azure but not in SCCM, go to the SCCM console, select the Administration node > Overview > Azure Services, right-click the Upgrade Readiness service and select Sync with Upgrade Readiness. Synchronization only happens automatically once every 24 hours.
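
The registry changes from the TLS 1.2 and .NET Framework strong-cryptography steps above can be applied and verified in one pass from an elevated PowerShell session on the site server. This is an added example, not part of the original guide: the function name `Set-RequiredDword` is hypothetical, and the SCHANNEL key is assumed to live under the standard `HKLM\SYSTEM\CurrentControlSet` location.

```powershell
#Requires -RunAsAdministrator
# Added example: sets the DWORD values listed in the guide and reports what changed.
# Registry paths and values come from the guide; the function name is hypothetical.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$dotnet64 = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

$required = @(
    @{ Path = $schannel; Name = 'Enabled';            Value = 1 }
    @{ Path = $schannel; Name = 'DisabledByDefault';  Value = 0 }
    @{ Path = $dotnet64; Name = 'SchUseStrongCrypto'; Value = 1 }
    @{ Path = $dotnet32; Name = 'SchUseStrongCrypto'; Value = 1 }
)

function Set-RequiredDword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )

    # $null here means the key or the value does not exist yet.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $changed = $false

    if ($current -ne $Value -and $PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        # Create the key only when it is missing, so existing values under it are left alone.
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        $changed = $true
    }

    [pscustomobject]@{ Key = $Path; Name = $Name; Before = $current; Required = $Value; Changed = $changed }
}

$results = foreach ($entry in $required) { Set-RequiredDword @entry }
$results | Format-List

# The guide notes that a restart is needed before the settings take effect.
if ($results.Changed -contains $true) {
    Write-Warning 'Registry values were changed. Restart the site server for them to take effect.'
}
```

Setting `$WhatIfPreference = $true` before running previews the changes without writing to the registry; a second run after the restart should report `Changed : False` for every entry.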