What is Windows analytics?
Windows Analytics is a cloud-based suite of services that collects telemetry information from Windows devices about the operating system and applications being used, Telemetry being from the Ancient Greek Tele=Remote, Metron=Measure. Windows Analytics uses Microsoft Operations Management Suite (OMS) Log Analytics to make sense of all the telemetry data and give overviews of the environment.
There are currently 3 components to Windows Analytics
The Upgrade Readiness component of Windows Analytics offers a walk through which helps to plan and manage the Operating system upgrade process end to end using a visual workflow. Within the workflow we can see a detailed computer and application inventory, guidance on application and driver compatibility issues with suggested fixes and application usage information. Information can be seen regarding Web applications used, and Office Add ins, all of which are useful when planning an upgrade. Data can be exported to software deployment tools, including System Center Configuration Manager (SCCM), in fact Windows Analytics can be integrated with SCCM via a connector so that information is visible in the SCCM console and remediation tasks can be done from there.
Upgrade readiness main screen:
Upgrade Readiness Application drill down
This part allows you to view the patching status of devices in terms of their Windows update status and drill down further in to problem device issues. Update compliance also allows tracking of protection and threat status for Windows Defender Antivirus Enabled devices.
Finally, Device Health allows you to look at devices that are crashing and proactively fix based on being able to view via Device Reliability how many and how often devices have issues. This solution can also identify drivers that are causing device crashes, and what version drivers could be implemented to reduce number of crashes. App reliability and Login Health are also useful, being able to see which apps used and by how many devices, and which are crashing. With Login health we can better understand the login mechanisms used on devices and the reasons for success and failure.
In order to utilise these Windows Analytics solutions, we can configure clients via a combination of centrally managed settings and scripts to send the appropriate data to Microsoft; the company sending is therefore very much in control of what is sent, and in recent times Microsoft have been more open about what setting the various telemetry levels actually does. Essentially by following a few steps, you can get a pretty good health check on all your devices for very little cost.
How much will it cost?
If you have an OMS workspace, Upgrade readiness and Update compliance have no additional Windows licensing requirements. Device Health has some Windows licensing requirements described below:
Within Azure Log Analytics, Windows Analytics data is zero-rated by Microsoft meaning it is excluded from data limits and costs. If a customer is on an OMS Free tier – which has a cap on the amount of data collected per day – Windows Analytics data will not count towards this cap. Windows Analytics data can be collected from devices and still have the full cap available for collecting additional data from other sources. If a customer is on a paid OMS tier that charges per GB of data collected, they will not be charged for Windows Analytics data. Customers can collect Windows Analytics data from devices and not incur any costs. Different Azure Log Analytics plans have different data retention periods, and the Windows Analytics solutions inherit the workspace data retention policy.
Where is my data actually going?
So, if corporate data is being sent to Microsoft with Windows Analytics, how is this working and where is it being stored? I would want to know what is happening and where it is going!
The data flow sequence is as follows
- Diagnostic data is sent from devices to the Microsoft Diagnostic Data Management service, which is hosted in the US. (Clients can send information direct or via an OMS proxy if clients do not have a direct internet connection). Diagnostic data is encrypted.
- A company can choose the location of their OMS workspace e.g. U.K. based, and this will have a Commercial ID. The company then uses the Commercial ID, sending it to devices they want to monitor. This ID identifies which devices appear in which workspaces.
- Each day Microsoft produces a “snapshot” of IT-focused insights for each workspace in the Diagnostic Data Management service.
- These snapshots are copied to transient storage which is used only by Windows Analytics (also hosted in US data centres) where they are segregated by Commercial ID.
- The snapshots are then copied to the appropriate Azure Log Analytics workspace in the customers chosen location.
If the IT team are using upgrade readiness and updating fields such as target operating system and importance and readiness of Apps, this is stored in the Transient storage e.g. in the US.
In short, we can choose where our OMS workspace is, but the Data management service that the data is sent to is hosted in the US, as is the transient storage where data snapshots are held. These cannot be changed.
What am I actually sending to Microsoft?
In terms of the data about my machines I am sending, if I am running a certain version of Windows 10, and enable and set my telemetry level to Basic, Enhanced or Full, what am I actually sending? My Information Security team would be interested in this!
The following link from Microsoft allows you to drill down in to Telemetry Level and OS to find out what is being sent for each combination. https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization
How do I start using Windows Analytics?
You need an OMS workspace linked to your Azure subscription, to which Windows Analytics Solutions should be added and configured.
Windows clients need to have telemetry enabled at the appropriate level you wish to use – bear in mind to get useful data for most solutions Microsoft recommend at least Enhanced level. This can be set via Group policy, configuration manager, Intune.
There are pre-requisites for Windows clients for example older clients do not have the updates for telemetry collection so Windows 7 and 8 may need to be patched. There are also firewall and proxy pre-requisites that need to be considered such as whitelisting some of the Windows Analytics service URLs.
You then need to download and configure the Windows Analytics scripts. Firstly this should be done in pilot with the pilot version of the script manually on 10-15 pilot devices before moving on to a wider roll out with the deployment version. Microsoft recommend running the script every 30 days to perform a full scan, this can be set via SCCM or other deployment method. The script needs the commercial ID key, and the opt in options for the data that you wish to send. It can take 48h – 1 week for data from your environment to appear in the solutions in your workspace.
Further blogs to follow on the Windows Analytics scripts, and more detail on some of the individual solutions themselves.