Windows Analytics – Why wouldn’t you…

I just launched Windows Analytics in my org, so while it’s fresh, I thought I’d write a bit about what I did.

Windows Analytics is (in my opinion) a critical piece of any organisation’s Windows as a Service strategy and will complement how you maintain Windows 10 while validating the applications in your organisation.

Windows Analytics is a free solution from Microsoft (both the solution and the Azure Storage – Windows Analytics data is zero rated), so the only real cost is your time.

Windows Analytics has three components that make up the solution. Two are free to use, while the third (Device Health) requires some licensing to be in place.

For more detailed information, docs.microsoft.com has some excellent material, along with the Windows Analytics Blog.

Windows Analytics and Privacy

There are some important things to understand about the flow of data to Microsoft, and about what you can control and what you can’t. Some organisations require their data to be (or not be in some cases) in certain countries. More information on this is available here.

Doing the thing…

How do you sell Windows Analytics to your village elders? Well, that depends on how receptive your village elders are (I’m lucky, mine are super empowering).

Start by selling it to your InfoSec/cyber security team first. They’ll love Windows Analytics and will support you (plus, you might just earn some collateral with them, which could be useful a bit later).

Another group that should love Windows Analytics will be your application lifecycle team. The Windows 10 “Windows as a Service” six-month cadence can be a challenge for orgs of all sizes, but let’s face it, there is no going back to the old five years mainstream plus five years extended support model where organisations can sit on an operating system for a good 10 years.

Start a proof of concept in a self-contained lab environment. Most organisations have a development or testing environment, but (my opinion only) there’s no harm running your own off-network lab – well, that’s what I do.

From here, I’m assuming you have your Azure account (if you don’t, create your free account here).

Let’s kick this off.

Create your OMS Workspace (keep in mind that, at the time of writing, there are plans to move this to the Azure portal). Add the Upgrade Readiness solution.

Do the same for the Update Compliance and Device Health solutions (Device Health only if your org is licensed to use it).

Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. This should be generated for you automatically (see here for more information).

Proxy whitelisting / Firewall

This is where you use that collateral from your InfoSec team to get this done. Information on what to whitelist is here.

Some updates for your clients

If you’re awesome at patching, you can skip this part. If your patching “school report” states “Room for improvement”, then you’ll need to make sure certain updates are deployed to your clients. Information on these updates is here.

Group Policy / MDM

For many enterprises, allowing or changing the telemetry levels will be a challenge, but Microsoft has many different configurations depending on the comfort levels of your InfoSec people. Information on the GPO/MDM settings is here.

You will want to apply these settings in a controlled manner to the pilot devices first, before widespread deployment.

Pilot time

You now have the essentials in place, so it’s time to pilot. From here, you will need to download the Upgrade Readiness deployment script. There are two configurations of the script, Deployment and Pilot.

Both have a RunConfig.bat file which will need some customising. I only changed the log path and added my org’s Commercial ID, but there are a few other settings you may wish to configure.

Using the deployment method of your choosing (or manually), run the pilot version of the batch file.

It can take up to 48-72 hours for data to show in your OMS portal.

Deployment at scale!!

Once you are happy with your pilot, you can look at deployment at scale. Apply the Windows Analytics GPO/MDM to your production devices and, using the deployment tool of your choice (e.g. SCCM), deploy and run the “Deployment” version of RunConfig.bat. Small FYI – the Deployment version of RunConfig.bat can only be run with the System account.

Sit back, relax and see all that awesome telemetry data come in over the next two to three days.

A few other things…

Access control – Consider who will be accessing the OMS portal and what level of access they will have. Only a very small number of IT people will need admin access. My recommendation would be to give everyone except that small number of IT admins read-only access.

Connect to SCCM – Windows Analytics can integrate into SCCM – Do this!! More information here.

Troubleshooting

 

 
