Windows 365: custom alerts
Introduction
This is an addition to the Windows 365 series on my blog focusing on alerting and custom alerts for Windows 365 in Intune.
The built-in Windows 365 alerts are found under Intune > Tenant administration > Alerts, although they may not cover every use case you need.
If you want to learn more about Windows 365: Windows 365 (oceanleaf.ch)
This is why I want to show you how you can build custom alerts & notifications with some automation.
In the following guide, I will show how to set up an alert that fires if someone modifies any Windows 365 provisioning policy, because such a change can have a significant impact on your Cloud PCs. You can apply this concept to other Windows 365 or Intune actions, as seen in this concept flow:
Prerequisites
- Azure Log Analytics Workspace
- Windows365AuditLogs from Intune diagnostics settings are forwarded to a Log Analytics Workspace (find some similar guides on my blog)
Setup
1. Create an alert rule in Azure
2. Choose your scope — your Log Analytics Workspace where the Windows 365 logs are forwarded to
3. Add a custom log search as signal
Windows365AuditLogs
| where OperationName contains "CloudPcProvisioningPolicy"
4. Configure the settings accordingly and check the estimated monthly costs (you can also change the aggregation granularity and frequency of evaluation)
5. Choose an existing action group or create a new one (I will show you how to create a new one)
6. Insert a notification recipient (Email/SMS/notification or Voice)
7. (Optional) add an action to take
8. Specify the alert rule details and create the alert rule
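The same alert rule expressed as infrastructure as code, so it can be reviewed and redeployed consistently. This Bicep template is an added example, not part of the original post; the resource names, severity, evaluation frequency and window size are assumptions, and only the query comes from step 3.

```bicep
// Added example, not from the original post; values marked "assumption" are illustrative.
param workspaceId string // resource ID of the workspace receiving Windows365AuditLogs (step 2)
param notifyEmail string // notification recipient (step 6)
param location string = resourceGroup().location // assumption: same region as the workspace

// Steps 5-6: new action group with one e-mail receiver
resource actionGroup 'Microsoft.Insights/actionGroups@2021-09-01' = {
  name: 'ag-w365-policy-change' // assumption
  location: 'Global'
  properties: {
    groupShortName: 'w365policy' // assumption, max 12 characters
    enabled: true
    emailReceivers: [
      {
        name: 'w365-admins' // assumption
        emailAddress: notifyEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Steps 1-4 and 8: log search alert rule using the query from step 3
resource alertRule 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'w365-provisioning-policy-changed' // assumption
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Windows 365 provisioning policy modified'
    severity: 2 // assumption
    enabled: true
    scopes: [ workspaceId ]
    evaluationFrequency: 'PT5M' // assumption; affects the monthly cost (step 4)
    windowSize: 'PT5M' // assumption
    criteria: {
      allOf: [
        {
          query: 'Windows365AuditLogs | where OperationName contains "CloudPcProvisioningPolicy"'
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0 // fire on any matching audit event
        }
      ]
    }
    actions: {
      actionGroups: [ actionGroup.id ]
    }
  }
}
```

Deploy it to a resource group with `az deployment group create`, passing `workspaceId` and `notifyEmail` as parameters.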
Demo
Any time an admin creates, deletes or changes a provisioning policy, an alert will be triggered, since a new audit event is returned by that query. The recipients in the alert group will, for example, receive an email:
Bonus tip: Windows 365 audit event types
Here is a list of all available Windows 365 audit event types so you can adjust the query for your own needs:
- CloudPcProvisioningPolicy
- CloudPcUserSetting
- CloudPcModel
- Health check
- CloudPcOnpremisesConnection