In this post I will show how to keep track of who modified Windows Update for Business (WUfB) Intune policies, using an email alert. This covers modifications to any Windows Update ring, quality update policy (used to expedite updates) and feature update policy. It is not limited to modifying a policy; creating update policies is covered as well.

At a more granular level, we could also define separate alerts for the different Windows Update for Business policy operations, such as creation, deletion and update. For now, I am going to cover any update/creation/deletion done to the WUfB policies.

Why we need to create the alert

Your environment could be quite complex, with many update ring policies and other settings created, and there might be multiple administrators managing these policies. Ideally nobody should change these settings without an approved change request. Hence, to make sure we know who is making changes and what is being applied, it is worth having this tracking in place.

Using Log Analytics to create the alert

The task can be achieved by setting up a Log Analytics workspace, enabling diagnostic settings for AuditLogs and creating the alert.

Create Log Analytics workspace

Log in to the Azure Portal, search for Log Analytics workspaces and click on Create.


Under the Create Log Analytics workspace blade, specify the subscription and Resource Group. I created a new resource group to separate it from other objects.

Specify Instance details such as:

Name: LogAnalyticsforAuditingLogs

Region: Australia Central


Click on Review + Create

This will go through validation. Once you see Validation passed, click on Create.


Allow some time for the workspace to be created; once the deployment is complete, click on Go to resource. You can also reach this workspace by navigating to Log Analytics workspaces and clicking on the workspace we just created.


We will come back to this workspace at a later stage to run the query. For the time being, let's focus on Diagnostic Settings.

Enable Diagnostic Setting for AuditLogs

In the Azure Portal, navigate to Azure Active Directory, scroll down and click on Monitoring > Diagnostic settings.

Click on Add diagnostic setting.


Provide the diagnostic setting name as AuditLogs.

Under Logs, there are multiple categories available, such as AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs and a few others.

We are interested in AuditLogs; it is also a good idea to select SignInLogs, which collects user sign-in information and gives more insight.

Let’s select:

  • AuditLogs
  • SignInLogs

Select Destination details as:

  • Send to Log Analytics workspace

Select the Log Analytics workspace we created previously and click on Save.

Run a KQL query to find who modified update policies

We are now sending the AuditLogs, which carry the information about any changes we make in Intune. This information is saved in the IntuneAuditLogs table.


Navigate to the Log Analytics workspace we created. I am using my old LA workspace here, as it may take some time for the new workspace to start populating data.

In the workspace, scroll down the left pane until you see Logs and click on it. In the right pane you will see the New Query 1 page, along with all the tables generated as part of AuditLogs and SignInLogs.

The table of interest here is IntuneAuditLogs.

Run the following Kusto query to get the details of any changes made through these operations:

  • Patch DeviceConfiguration
  • Create WindowsQualityUpdateProfile
  • Create WindowsFeatureUpdateProfile

These are the three operations we want to capture.

IntuneAuditLogs
// Keep only the three WUfB operations we want to track
| where OperationName in ("Patch DeviceConfiguration", "Create WindowsQualityUpdateProfile", "Create WindowsFeatureUpdateProfile")
// To narrow the result to a single operation, use instead, e.g.: | where OperationName == "Patch DeviceConfiguration"
// Pull the policy display name out of the Properties JSON
| parse Properties with * ',"TargetDisplayNames":["' Setting '"],' *
| where Setting != ""
| project TimeGenerated, Identity, OperationName, Setting
// order by defaults to descending, so the newest change is listed first
| order by TimeGenerated

When I run the query, I can see the results in the pane below. This is what we want to capture in the alert. We could come here at any time to run this query, but checking manually is not a good idea; it is better to have an alert generated.

Create an email alert under the Log Analytics workspace

In the Log Analytics workspace, scroll down and click on Monitoring > Alerts, then click on Create alert rule.


Under Create an alert rule, on the Condition blade, select Custom log search.


On the Log query page, specify the same query we used previously.


In the left pane, under Measurement, specify the Aggregation granularity. It is set to 5 minutes by default, which looks like a very aggressive setting; a couple of hours is probably fine for this calculation.

Under Alert logic, specify:

  • Operator: Greater than
  • Threshold value: 1
  • Frequency of evaluation: 5 minutes (default value) – the frequency of evaluation should always be less than the Aggregation granularity.
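To see what the query and the alert logic above actually do, here is an added Python example (not from the original post) that runs the same OperationName filter and TargetDisplayNames extraction over a few constructed IntuneAuditLogs rows, then applies the "Number of results Greater than 1" test over one aggregation window. The rows, identities and policy names are constructed for the example, and the function names are my own.

```python
import json
from datetime import datetime, timedelta, timezone

# The three OperationName values the post's KQL query filters on.
WUFB_OPERATIONS = {"Patch DeviceConfiguration", "Create WindowsQualityUpdateProfile",
                   "Create WindowsFeatureUpdateProfile"}

# Constructed sample rows with the IntuneAuditLogs columns the query uses
# (identities and policy names are made up for this example).
SAMPLE_ROWS = [
    {"TimeGenerated": "2023-05-01T09:02:00Z", "Identity": "admin1@contoso.example",
     "OperationName": "Patch DeviceConfiguration",
     "Properties": json.dumps({"TargetDisplayNames": ["Pilot Update Ring"]})},
    {"TimeGenerated": "2023-05-01T09:05:00Z", "Identity": "admin2@contoso.example",
     "OperationName": "Create WindowsQualityUpdateProfile",
     "Properties": json.dumps({"TargetDisplayNames": ["Expedite May quality update"]})},
    {"TimeGenerated": "2023-05-01T09:40:00Z", "Identity": "admin1@contoso.example",
     "OperationName": "Patch DeviceCompliancePolicy",  # not a WUfB operation: filtered out
     "Properties": json.dumps({"TargetDisplayNames": ["Baseline compliance"]})},
    {"TimeGenerated": "2023-05-01T11:00:00Z", "Identity": "admin3@contoso.example",
     "OperationName": "Create WindowsFeatureUpdateProfile",
     "Properties": json.dumps({"TargetDisplayNames": []})},  # no target: dropped like Setting == ""
]

def parse_time(value):
    """Turn a TimeGenerated string into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def wufb_changes(rows):
    """Equivalent of the post's query: keep WUfB operations, read TargetDisplayNames from
    the Properties JSON, drop rows without a target, project four columns (one per target)."""
    out = []
    for row in rows:
        if row["OperationName"] not in WUFB_OPERATIONS:
            continue
        for name in json.loads(row["Properties"]).get("TargetDisplayNames", []):
            if name:
                out.append({"TimeGenerated": row["TimeGenerated"], "Identity": row["Identity"],
                            "OperationName": row["OperationName"], "Setting": name})
    # Newest first, matching KQL's default descending `order by`
    return sorted(out, key=lambda r: parse_time(r["TimeGenerated"]), reverse=True)

def alert_fires(changes, window_end, granularity_minutes=120, threshold=1):
    """Emulate the rule's 'Number of results Greater than <threshold>' test over the
    aggregation window (window_end - granularity, window_end]."""
    end = parse_time(window_end)
    start = end - timedelta(minutes=granularity_minutes)
    hits = sum(1 for c in changes if start < parse_time(c["TimeGenerated"]) <= end)
    return hits > threshold
```

Note that with Operator Greater than and Threshold value 1, the rule fires only when at least two matching rows fall in the same aggregation window; a single policy change does not cross that threshold, so use a threshold of 0 if one change should already raise the alert.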

This page also shows the Estimated monthly cost. Click on Next: Actions.

Click on Create action group


Specify Instance details:

Action group Name: Track WUfB changes

Display Name: WUfBChanges

Click Next: Notifications.


Under Notifications, specify:

Notification type: Email/SMS message/Push/Voice

Name: TrackWUfB Changes

Specify the email address and click on OK.


Under Details, specify:

Severity: 2 – Warning

Alert rule name: Track WUfB settings


Click on Review + Create, and finally click on Create to create the alert.

Verify Alert through Email

Once any changes are made, the alert will be generated within 5 minutes, as per the settings we specified.


Finally, I can see the alert being generated, along with a link that takes you to Log Analytics and shows the results for the specific alert time window we set.
