Windows 365: custom alerts

Niklas Tinner
3 min read · Nov 23, 2023

Introduction

This is an addition to the Windows 365 series on my blog focusing on alerting and custom alerts for Windows 365 in Intune.

Windows 365 built-in alerts are found in Intune > Tenant administration > Alerts, although these may not cover every use case you need:

Intune alerts

If you want to learn more about Windows 365: Windows 365 (oceanleaf.ch)

This is why I want to show you how you can build custom alerts & notifications with some automation.

In the following guide, I will show how to set up an alert that fires if someone modifies any Windows 365 provisioning policy, because such a change can have a significant impact on your Cloud PCs. You can apply this concept to other Windows 365 or Intune actions, as seen in this concept flow:

Concept flow

Prerequisites

  • Azure Log Analytics Workspace
  • Windows365AuditLogs from Intune diagnostics settings are forwarded to a Log Analytics Workspace (find some similar guides on my blog)
Forward Windows365AuditLogs to Azure Log Analytics workspace

Setup

  1. Create an Alert rule in Azure
Create alert rule

2. Choose your scope — your Log Analytics Workspace where the Windows 365 logs are forwarded to

Scope

3. Add a custom log search as signal

Windows365AuditLogs
| where OperationName contains "CloudPcProvisioningPolicy"

Custom log search

4. Configure the settings accordingly and check the estimated monthly costs (you can also change the aggregation granularity and frequency of evaluation)

Configuration

5. Choose an existing action group or create a new one (I will show you how to create a new one)

Action group
Create action group

6. Insert a notification recipient (Email/SMS/notification or Voice)

7. (Optional) add an action to take

Action

8. Specify the alert rule details and create the alert rule

Alert rule details
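
The same setup can be kept as code instead of portal clicks. The Bicep template below is an added example, not part of the original guide: it creates an action group with one email recipient and a log search alert rule on the query from step 3. All resource names, the parameter names, the severity and the 5-minute evaluation window are assumptions to adjust.

```bicep
// Added example: steps 1-8 of the portal walkthrough as a template.
// Names, severity and time windows are assumed values, not from the guide.
param workspaceId string      // resource ID of the Log Analytics workspace (step 2)
param recipientEmail string   // notification recipient (step 6)
param location string = resourceGroup().location

// Steps 5-6: action group with a single email receiver
resource actionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-w365-policy-change'
  location: 'Global'
  properties: {
    groupShortName: 'w365alert' // maximum 12 characters
    enabled: true
    emailReceivers: [
      {
        name: 'w365-admins'
        emailAddress: recipientEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Steps 1-4 and 8: log search alert that fires on any matching audit event
resource alertRule 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'w365-provisioning-policy-changed'
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Windows 365 provisioning policy changed'
    severity: 2
    enabled: true
    scopes: [ workspaceId ]
    evaluationFrequency: 'PT5M' // how often the query runs
    windowSize: 'PT5M'          // time range each run looks back over
    criteria: {
      allOf: [
        {
          query: 'Windows365AuditLogs | where OperationName contains "CloudPcProvisioningPolicy"'
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0 // one event is enough to alert
        }
      ]
    }
    actions: { actionGroups: [ actionGroup.id ] }
  }
}
```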

Demo

Any time an admin creates, deletes or changes a provisioning policy, an alert is triggered, because the query picks up the new audit event. The recipients in the action group will then, for example, receive an email:

Alert rule fired

Bonus tip: Windows 365 audit event types

Here is a list of all available Windows 365 audit event types so you can adjust the query for your own needs:

  • CloudPcProvisioningPolicy
  • CloudPcUserSetting
  • CloudPcModel
  • Health check
  • CloudPcOnpremisesConnection

Learn more about Intune monitoring
