
PowerShell Team: Inventory Your Server Environment and Detect Change at Scale


Formal Metadata

Title: PowerShell Team: Inventory Your Server Environment and Detect Change at Scale
Number of Parts: 60
License: CC Attribution - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Production Year: 2018

Transcript: English (auto-generated)
I'm going to go ahead and get started now that it's 4 PM. Thank you for coming today. My name is Jenny Hunter, and I'm a program manager on the Azure Automation team. Specifically, I own change tracking and inventory,
which I'm going to be focusing on today. So just to get a little bit of gauge of room before I start talking, how many people are already familiar with change tracking and inventory? If you could raise your hands. OK, so not very many, so this is a great opportunity for me to show you what it's all about. So you've probably seen this slide a whole bunch of times
before if you've been to any of the product team talks. Essentially, much like the talks you heard on Monday, this is all about our recent reorg into Azure. And now we have a seat at the Azure Compute table. This means that we get to leverage things that are specific to the cloud while also working on those scale scenarios for you.
So while we focus more in this configure area with configuration, update management, automation, and scripting, we have access to tools throughout the lifecycle and a stay at the table to integrate with those tools. So automation configuration.
This is kind of our all up platform. This includes process automation, which if you heard Eamon's talk earlier, we have authoring in PowerShell, PowerShell workflow, graphical, and then also a new introduction of Python 2. We also have update management, which if you're interested in learning more about,
we have a talk tomorrow morning at 9 by Zach Alexander. And then configuration management, which is the area that I'm going to be focusing on today. It's split into a few different parts, including our version of PowerShell Desired State Configuration, or our expansion on that that we're calling state configuration. And it's kind of that pull server
to store your DSC configurations on the cloud. But then also your configuration management through change tracking and inventory. And all of these capabilities are available both on Windows and Linux and in your Azure and non-Azure environments. And it's the same capabilities for both. So you're getting these reports and all of these tools
for consistent data and viewing across your environment. So configuration management specifically. Like I said, it's broken into two key components, which is the state configuration side, which is our expansion on PowerShell Desired State Configuration,
where we provide a pull server for you. And you can put your code in there. And if you saw Michael Green's talk earlier, he delved really deeply into that. But I'm going to be focusing on the change tracking inventory side. So what changes occurred across your system? What does your system look like?
So we're able to track across a few main types, including software, services, files, and registry for Windows, and software, daemons, and files for Linux. So specifically, what do you have and has it changed recently? So really focusing on identifying configuration drift
and assisting in root cause analysis of your environment. So did something go wrong? It was probably a change that occurred. So yes, again, spanning across both Windows and Linux, Azure and non-Azure. Some key scenarios include creating alerts based on changes that have occurred.
Did your IIS service or W3 service suddenly go down? That's an issue. And you want to get alerted on that. As well as identifying all the machines that report a specific configuration, such as all machines that have a specific outdated version of Chrome. And then we also have this native integration with Azure VMs.
So Azure VMs are, there's no additional cost to run change tracking inventory on them. And then in addition, you can actually access change tracking inventory from the VM resource menu. So if you go to your Azure VM, you'll notice an operation section, and you'll see change tracking and inventory as items underneath that.
So I did want to highlight a little more of why are we here at the PowerShell Summit. And that's because change tracking inventory are built off of PowerShell Desired State Configuration. For almost all of our main types, we use PowerShell DSC in order to get that reported configuration. We use something called get inventory,
which is an expanded resource kind of infrastructure that we have. And we use a reference configuration to kind of get that data in. So this API is public for Linux, and I believe it is coming out soon for PowerShell Desired State Configuration in general, and later on versions.
But we have this built in right now for change tracking inventory to kind of get the current state of your machine. And then we do work on our back end to compare that to previous snapshots we have, and to let you know if it's changed. So I'm gonna go ahead and go in and just kind of show you what's going on.
So here I am in change tracking. You can see, like I said, the main types. We have daemons, files, registry, software, and Windows services. I can easily scope down into a specific section of interest to me by just dragging across,
as well as I can limit to a specific type. For instance, if I just want to see what software has changed, I can go and drill down into the different types. I can also do some cool things with features that aren't out yet but are coming out very soon,
and I'll talk a little more about how to get access to them later. But for instance, if I want to view file content, I can configure my settings, and I'm sure you saw the lightning demo of this earlier on in the week, but you can actually go in and securely access your file content for specific files
that have occurred across your system. And this is done, like I said, securely, and I know this was touched on more earlier, but we actually store it in your own Azure storage account so Microsoft never has access to your data, and even if something were to occur, people couldn't hack into that data through us. So both private and secured.
And then we also have heard from you guys, we have different time windows for collection frequency of the different types, so we're actually bringing down Windows services from a roughly 30 minute collection frequency right now to a minimum of 10 seconds. So really getting that almost real-time collections frequency.
And so what that would look like on the settings side, is right now today you have access to Windows registry, Windows files, Linux files. You'd be able to go into file content, link up a storage account, and then you would see these write SAS URLs. So we never have access to the read SAS URL. And then the collection for Windows services,
we could just go ahead and drag that down to, for instance, 26 seconds here, or I could bring it down to 10 seconds. And then inventory is giving you that insight into what is the current state of your environment, or the last reported state.
So here I could see that I have 35 machines reporting. If I just wanna see my non-Azure machines, I could type in non-Azure and get that list fast. As well as, let's say, I just wanna see my Red Hat machines. I could search Red Hat and get the list of all my Red Hat machines and what version of Red Hat they're running.
I could also look for specific versions of things, like for instance, Java. Me being the skilled IT person I am, I know that Java 1.51 is outdated and potentially a security risk. So I could go in and see exactly which machines
have access to this Java. Let me, sometimes the internet connection at the conferences gets a little scary. So I could see that there are four machines reporting, and I could see exactly which servers have that outdated version of Java. And I could get more specifics by drilling into them. For instance, I could see that, oh this is interesting,
it's actually bouncing back and forth between the versions, and that's probably something I should look into. So this kinda gives you the insight, and this is all about, like I said earlier, detecting configuration change, or configuration drift, and knowing what do you have in your environment,
what state is it in, and has it changed recently. There's also one other thing I wanted to show you guys that I've worked on, I'll take questions at the end. There's one other thing that I've worked on specifically for the PowerShell Summit, which is we've heard a lot of people say,
you know this is great, but I don't wanna constantly be checking the dashboard, and I like to have a clear report that I can show my higher ups, and just get this good summary of the data. And so I actually developed a PowerShell script that I'm gonna show with you today. This is currently, I'll go to,
so this is currently on the PowerShell Gallery, so you have access to this if you wanna try it out. So basically it's a super simple script that takes in the basically resource group name, resource group subscription,
and then optionally your Azure Automation account name, and your credentials, email to and from, and essentially creates a pretty little email that tells you exactly what has changed in your environment. So here is the final report. You can see I just triggered this today at 3:49 p.m., so right before I came on.
I can see in the past week exactly how many changes occurred in my environment, the top computers with those changes, what type of software is added, for instance I see 17 updates were added, and three packages, as well as I saw that there's 22 automatic services
that stopped and eight manual services. In addition, if you go through you could see that I have these optional parameters here for automation account information, and what that does is in the email it provides you with a nice little link that given the automation account information
will take you directly to your dashboard in order to see those changes. And so the great thing about this is you can actually run it from a different automation account. For instance, I ran this from an automation account called Team Resources, and then I can actually get my report
for an automation account that's completely different, or you could set this up to trigger against multiple automation accounts. So you could send out different emails to different people for different automation accounts, and here I could see I have an automation account called Woodgrove Bank, and I could see the changes that were reported on. So I'm gonna go through this script pretty fast,
but essentially you've given your OMS workspace details, subscription, optionally your automation accounts, your email details. So the credential name in this case is actually your automation account credential, so if you are familiar with automation accounts
you can securely store credentials, connections, and things like this. So this is a credential that's stored in your automation account. But you can always, if you wanna run this on premise, there are little changes you can make, for instance, changing how you log in. So most of this script was me trying to figure out how to make it look good in HTML,
since let's face it, HTML's not always pleasant to work with. So essentially, get the details, get your operational insights, which is your log analytics workspace, and then here I have the exact queries
that you run in log analytics in order to get these details. So you can customize this script to be any queries you want. So you can make it super customized for your environment, or you can leave it generic. And this also uses a new module created by the log analytics team called log analytics query,
and if you go to the PowerShell Gallery page, because it's not currently available in the PowerShell Gallery, I have a link to how you can get it, and you can also just go to dev.loganalytics.io in order to find that gallery, and they are working on bringing it soon to the PowerShell Gallery. They're just making sure they wanna make it
securely signed and everything for you. And so this takes those results, parses them from JSON, turns them into their tables and rows, and then does all the necessary conversions in order to turn it into the proper HTML format,
and gets you that report that I showed you before. And so right now this is configured to do past week, but again, this is all customizable. In the script you'll see exactly where you set the week timeframe, and you can adjust that. So if you'd prefer daily emails, monthly emails,
you could change that to your need. So like I said, all in the PowerShell Gallery. Somehow five people have already downloaded it, so good for them. And you can run this in order to get that weekly frequency,
you can actually go into Azure Automation and attach a schedule to it. So it's super easy. If you've seen Eamon's talks or my talks in the past, you've probably seen this process before. But essentially you just go, you can create a new schedule.
So I can just choose a day in the future, say recur every week. Let's do every Tuesday. I can just change that to five p.m.
And then here you would just set the parameters that you're interested in. So workspace name, resource group, subscription, credential, email to, email from. You can also set the SMTP server. So the default is Outlook, but if you're using Gmail, Office 365,
you can adjust it accordingly. And so that gives you control over the frequency and through Azure Automation you could schedule it to recur without your intervention. So when the job runs, it's gonna give you basically just the, so this is the job that actually produced
that email I showed you. And you could see just the HTML that went into it. I could see exactly what link was generated for the portal as well as all the information that went into it. So kind of going back a little bit.
This kind of gives you that overall, you want to access your information and kind of know what's going on in your environment. And so how do you get back to change tracking inventory at a good frequency? And so it reports those same changes that occurred. So time to talk about kind of where we've come
and where we're going. So if you've been following change tracking, we have really good consistent frequency of releasing features. Last March we actually released that view you saw where you can click on a change and see what has occurred then we released registry and Linux file tracking
last April and inventory was actually introduced in public preview at Ignite this past year as well as the VM integration. So I can show that quickly.
So like I said, if you go to a VM, for instance, I have a Linux VM here, you can scroll down and there's this operations category where there's auto shutdown, backup, disaster recovery, update management and inventory and change tracking.
So I could click on this and it'll show me exactly what is available for that specific machine. So we have that integration exactly on the VM as well as you can bring in your Azure activity log so if something occurs on Azure, you can see how it correlates to the changes in your environment.
And then this past March, we actually GA'd change tracking inventory for both the Azure automation account and in your VM. So what's coming next? I highlighted on some of that today and you've seen it some throughout the different talks throughout the week but we have that faster Windows service collection. So bringing down that collection time to almost real time from 30 minutes
to about 10 seconds as well as viewing changes and file content. We're also working on integration with the Azure Security Center. So a few of you know probably that a lot of compliance regulations require that you have file integrity monitoring. And so now we have built in integration
with Azure Security Center so that we have a little, it says file integrity monitoring or it's going to, it's currently in private preview but I could show it fast.
So when you get to your Security Center overview, when the preview is released, you'll see this in the advanced cloud defense section,
the file integrity monitoring. So this offers the same capabilities that we have today through change tracking except if you're already paying for advanced Azure Security Center, you'll actually get file and registry completely for free or no additional cost for also your on premise nodes.
And you could see across your environment which workspaces are enabled and then for one that's enabled you could just click on it. And Azure Security Center actually offers a whole bunch of content and provides you with a list of files and registries
that you can track in order to be secure with certain compliance settings. And then finally a lot of our current customers are currently using change tracking and inventory in the OMS portal experience.
We will be deprecating that in the near future and focusing on our Azure experience. So you'll still be able to access all your log analytics data from there and still be able to query from there. We just won't be maintaining support for the dashboards. And again if you're interested in any of the private previews I've mentioned
or in general just joining the cohort and getting to test these features out earlier and before the rest of the world, you can email me at jenny.hunter at microsoft.com and I'll sign you up. So one of the biggest questions I get from you guys, so what is this gonna cost me?
So in general this is all up pricing for automation and configuration. Update management is free or not, is already included in your VM cost essentially with Azure for Azure and non-Azure nodes. Change tracking, inventory, DSC, that's the grouping for configuration management.
The price is included for Azure nodes and then it's $6 on premise after the first five nodes. And then process automation, so getting to run scripts in your environment is gonna be $0.002 per minute and you're included is 500 free minutes per month. And if you wanna get more details
kind of about this pricing model and how it affects your environment, you could go to ak.ms slash automation pricing. Okay, so I kinda wanted to spend a lot of time focusing on your questions and kinda see if there are specific things that you guys wanna see me demo or questions you have,
so I wanted to allocate that time. So thank you very much and I'll take questions now. Toys R Us app, it has an embedded Java
to run some of its functions. Trouble is, the embedded Java is now the vulnerable version. Java will show up when you do the command for checking if there's Java on your box.
Would we be having our inventory system say that we have bad Java or we have a bad Toys R Us app, a red flag on the Toys R Us app? So we don't monitor specific apps through this. So you wanna tag it, the changes to a specific item.
So we'll tell you which machine is affected. Well, Java actually be a service. Yeah, so we could show you the version of the software. You can also see, for instance, in update management, if you do have a Java that's out of compliance, this machine's best.
The information on the Toys R Us app, could that be added to an inventory query? Can you rephrase the question just a little bit? If we have the identifying information on the Toys R Us app, could we throw it
at Microsoft Azure and say we like to watch this? Yeah, so if you have the information about which machines are running, so just to make sure everybody can hear, he's asking if we have the identifying information of an app that's running and we wanna make sure that Java is always up to date or is compliant.
Do we have access to that information? Can we run a query for it? So if you, probably you could do a mix of, if you want to make sure it's always up to date, you could check to see if there's a non-compliance for that machines with update management's data. You could also check if you just wanna make sure that there's a specific version
that you don't wanna have on your environment. You can get the inventory data for the machines that you know are involved. The challenge for updating is Java won't show up in the programs and features because it's not a standalone version of Java that the company
that made the Toys R Us app, just they embedded the Java code in the product. Okay, so if there is exe for the Java, then you know where that exe is going to be. I can show you through the settings.
You can actually go to your settings here. And so we watch all Windows and Linux software, Windows services, and Linux daemons by default. So if it's running a service, we'll catch it by default. If you're looking for specific registries or files, you can specify here exactly which registries you want.
And same with files. So if you're looking to track a specific exe that isn't being found by the software portion, you can go to the folder that has the exe and put the file path here in order to track it. And then same on Linux. And we're working on this parity for Windows
and hopefully coming out in the near future. But Linux is actually more advanced on our side. We spend a lot of time focusing on the Linux development. And so you can actually do regex right now for Linux where you could do the wildcard support and recursion support. And then I have another question over here. I was just gonna ask if you can upload.
Like so if you have like a specific internal like CVE equivalent, can you tag that so that it'll pull that data up over time? So like let's say I discover that, you know, we have some sort of bug in the code. We're not really sure where we deployed it and we managed to catch everything. We can specify something in the portal here to like go recursively check,
which I think is what you were showing here. If it's not already tracking it, I can force it to track. Okay. Okay, so we actually focused a lot on the security
and privacy side when developing the Windows or the file content feature. So the question was whether, how we take into consideration with GDPR and all that. So we're not actively storing any of your personal information. So you generate the write SAS key,
so that gives us access to only write into the storage account that you provided. And so we'll write the file content into a blob in that storage account. And then when you go to access the file content, your browser and through the authentication of your login in Azure generates the read token.
So if someone doesn't have RBAC access to that storage account, that tech will fail and they won't be able to access the file content. Yeah, so if you're already paying the $6
for Azure Automation DSC, this is also included in that configuration management cost. So if you're already paying it, you basically get this for free. So you get both change tracking and inventory in addition to what you're already paying for with DSC.
Okay, so the question is to give a quick overview of how inventory and change tracking are communicating for on-premise nodes. And so we use something called the MMA or Microsoft Monitoring Agent. You might be familiar with SCOM uses this agent or other OMS services also use this agent.
And so through that, we push down MP to the system that has those different DSC resource blocks I was telling you about for the daemon, services and has that get inventory call. So if I go back to my slides.
So we push down the MP that has the code we need for that get inventory call, that extended resource infrastructure and the DSC reference configuration reports back to us through the OMS agent or the MMA.
Does that answer your question? Okay, great. Any other questions? Questions about in general, how do you, what kind of machines you're grabbing from our on-premises and how that happens? And secondly, what level of granularity do you have on changes?
Permission changes, for example, or just content? So let me go to, so when you ask about on-premise machines, are you asking about like what type of operating systems do we grab? No, how do you consume the data? I've got a private data center over here. Okay, so yeah, so we use the Microsoft Monitoring Agent
to actually gather that data. And so it does use an internet connection, but they have something called OMS Gateway, which allows you to proxy to servers that you don't or can't give internet access to. And as far as what kind of changes we pick up, so I could drill down into one of these changes.
And so we do a few different things. Our file tracking uses the MD5 hashing algorithm. So we're able to tell for content changes as well as we're tracking the file content. So I can click here and actually see what changed in this file. And both in-line if you prefer that way or side-by-side.
And then we also track ACL changes. And for most things like registry, we check even if it's just been touched. So even if no changes have occurred or it's more of an access control change, we do track that also. So the DSC resource backend gives us a lot of control
making sure that we're catching any change that can occur. For files, we're looking at not just the content, but date modified, date created. And like I said, we have the ACLs here. So we can check if there's any change to that. Are you using VSS to be able to give me
the delta between the two? Or how are you able to track the content changes? So for the content, so the question is how are we tracking the content changes? We check if there is a content change by comparing the hashing algorithms or the hashes that come out from the MD5.
And then once we determine that there is a change, then we upload the content. So how do you get the delta there before? So we have kind of like a pipeline on our backend that just does a quick comparison between the results of the MOFs that we've sent.
Does that, I'm not sure, I'm following you on VSS. So we only monitor the files that you've specified. Okay, and so then those files get uploaded
to my storage account and that's how you're able to do the comparison? For the file content, we first do the comparison on the machine for the hash and we only upload the file content if we've determined that there is already a change.
So you can specify exactly which files you wanna track and then we do a first comparison on the machine itself and then only once we verify that there has been a change in the content do we send up the file content to your storage. Put a copy of the file as soon as I say,
like, track this thing, like, that goes, like, you get the hash and because there was no file, now there is a file that goes. Yep, so as soon as you indicate that you want to track an item, that next iteration, so for instance, Windows files is about every 30 minutes and then on Linux, I believe it's every five to 10 minutes so that next check that we do on the machine
will gather the file content. So I would have to follow up a little bit, probably more with you offline on the exact specifics but I believe
we have an expiration on, so the question was how do I keep the data from just continuing to grow and how do we prune it to make sure that it doesn't go old while still maintaining that you can see a file change that occurred 30 days ago or however long your cycle is for maintaining data in log analytics
and so I don't have the exact specifics but especially because we're in private preview, we're taking a lot of feedback on how people want us to do this. Our current default, I believe, is about every 30 days we just expire.
Do you support wildcards in there? So yeah, I was mentioning this very briefly earlier but we're working on that support for Windows and hopefully that'll be coming out in the next several months. Our Linux file support does support wildcards and recursion, do you know over here?
Possible extension to schedule tasks sometime? So to schedule a task. No, to monitor scheduled tasks. Oh, to monitor scheduled tasks. What would that be stored as? I'm sorry? What would the scheduled task be? Are you looking at like cron jobs or?
I guess you can export to XML or something. Okay, so we don't currently have support for monitoring like XML or command line prompts but we do love feedback so you could either, if you have any additional feedback, feel free to stop by after the session
or to go to our feedback page which if you try us out, we have a little link at the top that says provide feedback and it goes directly to our UserVoice where you could create an item and get votes on it to try and get the services that you want. Okay, one last question.
Okay, so there's a way to do it through DSC
in order to check if a scheduled task has changed. Okay, great. So I'll take remaining questions after this but thank you everyone for joining us and thank you for attending and joining the partial site. Thank you.