Prereqswinsrvassessment
This document explains the steps required to configure the Windows Server (Server, Security, Hyper-V, Failover Cluster and IIS)
Assessment that is included with your Azure Log Analytics Workspace and entitled Microsoft On-Demand Assessment.
Configuration and setup tasks must be completed before the assessment setup tasks in this document are executed. For all
pre-work, follow the Getting Started with On-Demand Assessments guidance in the Services Hub Resource Center.
Table of Contents
System Requirements and Configuration at a Glance
Supported Versions
PowerShell Remoting
Appendix
This document was last updated on September 8, 2021. To ensure you have the latest version of this document, check here:
https://go.microsoft.com/fwlink/?linkid=865884
System Requirements and Configuration at a Glance
Depending on the scenario you want to use, review the following details to ensure that you meet the necessary
requirements.
Supported Versions
• This service is available for servers running on Windows Server 2012 or later.
Unsupported Versions
• IIS Server running with Shared Configuration
(http://www.iis.net/learn/web-hosting/configuring-servers-in-the-windows-web-platform/shared-configuration_211).
• IIS Server running in a workgroup (not domain joined). This scenario can be handled by running the collection
process directly on each target server separately.
PowerShell Remoting
To complete the assessment with accurate results, you will need to configure all in-scope target machines for
PowerShell remoting.
• The Windows Update Agent must be running on all in-scope servers for the security update scan.
Additional requirements for Windows Server 2008-2012 R2 (or later if defaults modified) Target Machines:
The following three items must be configured on target servers to support data collection: PowerShell Remoting,
WinRM service and Listener, and Inbound Allow Firewall Rules.
Note 1: PowerShell version 2 or greater is required on target machines and is installed by default starting with
Windows Server 2008 R2. For Windows Server 2008 SP2, PowerShell version 2 is not installed by default. It is available for
download here: https://aka.ms/wmf3download
Note 2: Windows Server 2012 R2 and Windows Server 2016 have WinRM and PowerShell remoting enabled by default.
The configuration steps detailed below only need to be implemented if the default configuration of the target
servers has been altered.
Note 3: Windows Server 2008 through Windows Server 2012 have WinRM disabled by default. The configuration steps
detailed below must be completed to support PowerShell remoting.
• Execute the Enable-PSRemoting PowerShell cmdlet on each target machine within the scope of the
assessment. This one command configures PS remoting, the WinRM service and listener, and enables the required
inbound firewall rules. A detailed description of everything Enable-PSRemoting does is documented here.
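The following script is an added example, not part of the Microsoft document, that checks the remoting prerequisites above from the data collection machine: it confirms the WinRM listener answers, that a real remote session works, and reports the PowerShell version, the WinRM service, the Windows Update Agent service (wuauserv) and the enabled inbound WinRM firewall rules on each target. The server names are constructed, the function name is hypothetical, and it assumes Windows PowerShell 5.1 run by an account that is an administrator on the targets.

```powershell
# Constructed sample names; replace with the in-scope servers of your assessment
$Servers = 'Server01', 'Server02', 'Server03'

function Test-AssessmentRemoting {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($Computer in $ComputerName) {
        $Result = [ordered]@{
            Computer          = $Computer
            WinRMReachable    = $false
            PSRemotingWorks   = $false
            PSVersion         = $null
            WinRMService      = $null
            WUAgentService    = $null   # Windows Update Agent must be running for the update scan
            WinRMFirewallRule = $null   # count of enabled inbound rules in the WinRM rule group
            Error             = $null
        }
        try {
            # Test-WSMan only needs the listener to answer; it proves WinRM and the firewall path
            $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop
            $Result.WinRMReachable = $true

            # A real remote session proves PS remoting end to end and lets us inspect the target
            $Remote = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    PSVersion    = $PSVersionTable.PSVersion.ToString()
                    WinRM        = (Get-Service WinRM).Status.ToString()
                    WUAgent      = (Get-Service wuauserv).Status.ToString()
                    FirewallRule = if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
                        @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
                            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count
                    } else { 'n/a (pre-2012 host; check with netsh advfirewall)' }
                }
            }
            $Result.PSRemotingWorks   = $true
            $Result.PSVersion         = $Remote.PSVersion
            $Result.WinRMService      = $Remote.WinRM
            $Result.WUAgentService    = $Remote.WUAgent
            $Result.WinRMFirewallRule = $Remote.FirewallRule
        } catch {
            # Record why this target failed instead of aborting the whole run
            $Result.Error = $_.Exception.Message
        }
        [pscustomobject]$Result
    }
}

Test-AssessmentRemoting -ComputerName $Servers | Format-Table -AutoSize
```

Any row with PSRemotingWorks set to False, a stopped WinRM service, or zero enabled firewall rules is a target where Enable-PSRemoting (or the GPO below) still needs to be applied.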
OR
Two steps are involved in configuring a group policy to enable both the WinRM listener and the required inbound allow firewall
rules:
A) Identify the IP address of the source computer from which data collection will occur.
B) Create a new GPO linked to the in-scope servers' organizational unit(s), and define an inbound rule for the tools
machine.
A) Log into the chosen data collection machine and identify its current IP address using ipconfig.exe from the command prompt.
C:\>ipconfig
Windows IP Configuration
Make a note of the IPv4 address of your machine. The final step in the configuration will use this address to ensure that only the data
collection machine can communicate with the Windows Update Agent on the target servers.
1. Create a new GPO. Make sure the GPO applies to the servers' organizational unit(s). Give the new group policy a name based on
your group policy naming convention, or something that identifies its purpose, similar to "Windows Server Assessment".
On the data collection machine, change the following setting in the group policy editor (gpedit.msc) from "not
configured" to "enabled":
Computer Configuration->Administrative Templates->System-> User Profiles
'Do not forcefully unload the user registry at user logoff'
After you have finished the installation of the Microsoft Management Agent/OMS Gateway, and configured Security
Updates Prerequisites on the Data Collection machine and target machines, continue with the next section to set up the
assessment.
To test whether the tool will be able to collect event log data from a Windows Server 2008/Windows Server 2008 R2 or later target, try
connecting to that server using eventvwr.msc. If you are able to connect, collecting event log data is possible. If the remote
connection is unsuccessful, you may need to configure the Windows built-in firewall to allow Remote Event Log Management.
Before you can create firewall rules remotely on the server, remote firewall management must have been enabled on all
Windows Server 2008/Windows Server 2008 R2 or later servers that have the Advanced Firewall enabled. To allow Remote
Event Log Management, create a new GPO:
Configure a GPO
1. Create a new GPO and link it to the corresponding OU for your servers.
Within the GPO open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\ Windows Firewall with Advanced Security, right-click Inbound Rules and then click New Rule.
2. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined. In the rule list, click
Remote Event Log Management, and then click Next.
3. On the Predefined Rules page, select the Remote Event Log Management (RPC) rule check box, and click Next. Note:
the other two Remote Event Log Management rules are not required for the assessment, but might be needed for
Remote Event Log Management in general.
4. On the Action page, select Allow the connection and then click Finish.
NOTE: Allow for this GPO to replicate and apply to all servers that are being assessed before starting data collection.
You can also import a list of servers from a text file using the following approach:
PS C:\WINDOWS\system32> $Servers = Get-Content "C:\Docs\ServerList.txt"
PS C:\WINDOWS\system32> Add-WindowsServerAssessmentTask -ServerName $Servers -WorkingDirectory "C:\OMS\WinSrv"
where the text file contains a list of multiple servers that are semicolon separated, for example:
"Server01;Server02;Server03".
command where <YourServerNames> is the semicolon separated FQDN or NetBIOS name of one or more of the
servers in the environment and <DirectoryPath> is the path to an existing directory used to store the files created
4. Provide the required user account credentials. These credentials are used to run the Windows Server Assessment.
NOTE: This domain account must have all the following rights:
5. The script will continue with the necessary configuration. It will create a scheduled task that will trigger the data
collection.
6. Data collection is triggered by the scheduled task named "WindowsServerAssessment" within an hour of
running the previous script, and then every 7 days. The task can be modified to run on a different date/time or
even forced to run immediately.
7. During collection and analysis, data is temporarily stored under the WorkingDirectory folder that was configured
during setup, using the following structure:
9. After a few hours, your assessment results will be available on your log analytics dashboard. Click the Windows
Server Assessment tile to review:
10. You will then be presented with findings grouped by the focus area.
The Windows Server Assessment in the Log Analytics workspace uses multiple data collection methods to collect information
from your environment. This section describes the methods used to collect that data. No Microsoft Visual
Basic (VB) scripts are used to collect data.
1. Registry Collectors
2. Xperf
3. EventLogCollector
4. Windows PowerShell
5. FileDataCollector
6. WMI
7. Nltest
8. LDAP Collectors
9. Custom C# Code
10. Validation
1. Registry Collectors
Registry keys and values are read from the data collection machine and all servers. They include items such as:
• Service information from HKLM\SYSTEM\CurrentControlSet\Services
• Operating System information from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
2. Xperf
Xperf is a tool that is part of the Windows Performance Toolkit that can create boot time statistics. Xperf is used to evaluate the boot
time and to identify the top 10 processes that use the most disk and/or CPU.
3. EventLogCollector
Collects event logs from target machines. We mostly collect the last 7 days of different event logs.
4. Windows PowerShell
Collects various information, such as:
• BCD store boot configuration Data
• Defragmentation rate
5. FileDataCollector
Enumerates files and their properties in a folder on a remote machine.
9. Custom C# Code
Collects information not captured using other collectors. The primary example here is the collection of effective user rights
on the Windows servers.
10. Validation
Collects information not captured using other collectors. The primary example here is the collection of effective user rights
on Servers.
Check the computer's registry FQDN name and WMI against every target machine:
Get-WmiObject Win32_ComputerSystem -ComputerName localhost | Format-List Name,Domain
Expected Result:
Name : <ComputerName>
Domain : dns.name
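As an added example that is not part of the Microsoft document, the function below runs the WMI query shown above against every target, compares the result with the FQDN recorded in the target's registry (the Hostname and Domain values under Tcpip\Parameters, read over PS remoting), and also performs the remote event log test described in the earlier section by reading one System event, which uses the same RPC path as eventvwr.msc. The server names are constructed, the function name is hypothetical, and it assumes Windows PowerShell 5.1 run by an account that is an administrator on the targets.

```powershell
# Constructed sample names; replace with the in-scope servers of your assessment
$Servers = 'Server01', 'Server02', 'Server03'

function Test-AssessmentTargetName {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($Computer in $ComputerName) {
        $Row = [ordered]@{
            Computer       = $Computer
            WmiName        = $null
            WmiDomain      = $null
            RegistryFqdn   = $null
            NamesMatch     = $false
            EventLogAccess = $false
            Error          = $null
        }
        try {
            # Same query the document shows, run against the remote target over DCOM
            $Cs = Get-WmiObject Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop
            $Row.WmiName   = $Cs.Name
            $Row.WmiDomain = $Cs.Domain

            # The registry keeps the host name and DNS domain under Tcpip\Parameters;
            # read it through PS remoting, which the earlier section already requires
            $Reg = Invoke-Command -ComputerName $Computer -ErrorAction Stop -ScriptBlock {
                Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' |
                    Select-Object Hostname, Domain
            }
            # A workgroup machine has an empty Domain value; TrimEnd keeps the bare host name
            $Row.RegistryFqdn = ('{0}.{1}' -f $Reg.Hostname, $Reg.Domain).TrimEnd('.')
            $WmiFqdn          = ('{0}.{1}' -f $Cs.Name, $Cs.Domain).TrimEnd('.')
            $Row.NamesMatch   = $Row.RegistryFqdn -ieq $WmiFqdn

            # Reading one System event remotely exercises the Remote Event Log Management (RPC)
            # rule, so a failure here points at that firewall rule or the GPO not yet applied
            $null = Get-WinEvent -ComputerName $Computer -LogName System -MaxEvents 1 -ErrorAction Stop
            $Row.EventLogAccess = $true
        } catch {
            # Record why this target failed instead of aborting the whole run
            $Row.Error = $_.Exception.Message
        }
        [pscustomobject]$Row
    }
}

Test-AssessmentTargetName -ComputerName $Servers | Format-Table -AutoSize
```

A row with NamesMatch set to False indicates a target whose WMI and registry names disagree and should be fixed before collection; a workgroup member will show its WMI domain as WORKGROUP and an empty registry domain, which the unsupported versions section above already excludes for IIS.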