
Deployment of complete environment for ClientInspector (v2), which is a cool showcase to demo Log ingestion API & Azure DCR to store data in Azure LogAnalytics

The purpose of this repository is to provide everything needed to deploy a complete environment for ClientInspector (Github)

The deployment includes the following steps:

  1. create Azure Resource Group for Azure LogAnalytics Workspace
  2. create Azure LogAnalytics Workspace
  3. create Azure App registration used for upload of data by ClientInspector
  4. create Azure service principal on Azure App
  5. create needed secret on Azure app
  6. create the Azure Resource Group for Azure Data Collection Endpoint (DCE) in same region as Azure LogAnalytics Workspace
  7. create the Azure Resource Group for Azure Data Collection Rules (DCR) in same region as Azure LogAnalytics Workspace
  8. create Azure Data Collection Endpoint (DCE) in same region as Azure LogAnalytics Workspace
  9. delegate permissions for Azure App on LogAnalytics workspace - see section Security for more info
  10. delegate permissions for Azure App on Azure Resource Group for Azure Data Collection Rules (DCR)
  11. delegate permissions for Azure App on Azure Resource Group for Azure Data Collection Endpoints (DCE)
  12. deployment of Azure Workbooks
  13. deployment of Azure Dashboards

If you want to deploy a demo environment, you can click here

You can see details on how to configure the deployment here

Video 7m 25s - Deployment via ClientInspector DeploymentKit

Workbooks & Dashboards, part of deployment

Click here to see the included workbooks

Click here to see the included dashboards


Click here to see the security configured as part of deployment with 1 Azure app

Click here to see the security separated with 2 Azure apps

Introduction to ClientInspector


Are you in control? Or are some of your core infrastructure processes, like patching, antivirus and BitLocker enablement, drifting? Or would you like to do advanced inventory, where you can look up your warranty state against Lenovo or Dell warranty? Then keep reading.

Check out ClientInspector, which can help you get great insight into your complete client environment.

ClientInspector is free to the community - built to be a cool showcase of how you can bring back data from your clients using Azure Log Ingestion Pipeline, Azure Data Collection Rules, Azure LogAnalytics; view them with Azure Monitor & Azure Dashboards - and get "drift-alerts" using Microsoft Sentinel.

Video 3m 01s - Dashboards

How to deploy a ClientInspectorV2 demo environment

Video 7m 25s - Deployment of demo environment via ClientInspector DeploymentKit

If you want to deploy a demo environment, please download and modify the file Deployment-DemoEnvironment.ps1 (right-click and choose 'save link as'). Just fill out Azure SubscriptionId and Azure TenantId - and you will get a complete environment with this configuration.

You can control the demo number using $UseRandomNumber = $true/$false. If you choose $true, the number is randomized, so it is easy to re-run multiple times.

| Parameter | Configuration |
|---|---|
| AzureAppName | Demo1 - Automation - Log-Ingestion |
| AzAppSecretName | Secret used for Log-Ingestion |
| LogAnalyticsResourceGroup | rg-logworkspaces-demo1 |
| LoganalyticsWorkspaceName | log-platform-management-client-demo1-p |
| LoganalyticsLocation | westeurope |
| AzDceName | dce-log-platform-management-client-demo1-p |
| AzDceResourceGroup | rg-dce-log-platform-management-client-demo1-p |
| AzDcrResourceGroup | rg-dcr-log-platform-management-client-demo1-p |
| AzDcrPrefix | clt |
| TemplateCategory | Demo IT Operation Security Templates |
| WorkbookDashboardResourceGroup | rg-dashboards-workbooks-demo1 |

How to deploy your production setup

  1. Download Deployment.ps1 (right-click and choose 'save link as')
  2. Open the file Deployment.ps1 in your favorite editor
  3. Change the variables to your needs
# Variables

# Azure App
$AzureAppName                    = "<put in name for your Azure App used for log ingestion>" # sample - "xxxx - Automation - Log-Ingestion"
$AzAppSecretName                 = "Secret used for Log-Ingestion"  # sample showed - use any text to show purpose of secret on Azure app

# Azure Active Directory (AAD)
$TenantId                        = "<put in your Azure AD TenantId>"

# Azure LogAnalytics
$LogAnalyticsSubscription        = "<put in the SubId of where to place environment>"
$LogAnalyticsResourceGroup       = "<put in RG name for LogAnalytics workspace>" # sample: "rg-logworkspaces-p"
$LoganalyticsWorkspaceName       = "<put in name of LogAnalytics workspace>" # sample: "log-platform-management-client-p"
$LoganalyticsLocation            = "<put in desired region>" # sample: westeurope

# Azure Data Collection Endpoint
$AzDceName                       = "<put in naming convention for Azure DCE>" # sample: "dce-" + $LoganalyticsWorkspaceName
$AzDceResourceGroup              = "<put in RG name for Azure DCE>" # sample: "rg-dce-" + $LoganalyticsWorkspaceName

# Azure Data Collection Rules
$AzDcrResourceGroup              = "<put in RG name for Azure DCRs>" # sample: "rg-dcr-" + $LoganalyticsWorkspaceName
$AzDcrPrefixClient               = "<put in prefix for easier sorting/searching of DCRs>" # sample: "clt" (short for client)

# Azure Workbooks & Dashboards
$TemplateCategory                = "<put in name for Azure Workbook Templates name>" # sample: "CompanyX IT Operation Security Templates"
$WorkbookDashboardResourceGroup  = "<put in RG name where workbooks/dashboards will be deployed>" # sample: "rg-dashboards-workbooks"
  4. Verify that you have the required PowerShell modules installed. If not, you can install them with these commands.

| Module | Install cmdlet |
|---|---|
| Az | Install-Module Az -Scope CurrentUser |
| Microsoft.Graph | Install-Module Microsoft.Graph -Scope CurrentUser |
| Az.Portal | Install-Module Az.Portal -Scope CurrentUser |

  5. Start the deployment. You will be required to log in to Azure and Microsoft Graph with an account with Contributor permissions on the Azure subscription

  6. When the deployment is completed, copy the variables shown on the screen and paste them into your favorite editor

    NOTE: The value of $LogAnalyticsWorkspaceResourceId is printed split across lines and must be joined into a single line.

$LogAnalyticsWorkspaceResourceId            = 

must be changed to a one-liner

$LogAnalyticsWorkspaceResourceId            = "/subscriptions/fce4f282-fcc6-43fb-94d8-bfxxxxxxxxx/resourceGroups/rg-logworkspaces-client/providers/Microsoft.OperationalInsights/workspaces/log-platform-management-client-p" 
  7. Insert the lines in the ClientInspector.ps1 file in this section

<# ----- onboarding lines ----- BEGIN #>

<#  ----- onboading lines -----  END  #>



<# ----- onboarding lines ----- BEGIN #>

    $TenantId                                   = "xxxxxx" 
    $LogIngestAppId                             = "xxxxxx" 
    $LogIngestAppSecret                         = "xxxxx" 

    $DceName                                    = "dce-log-platform-management-client-eu01-p" 
    $LogAnalyticsWorkspaceResourceId            = "/subscriptions/6ab28656-d943-439a-9079-4fd3ac3062a1/resourceGroups/rg-logworkspaces-p/providers/Microsoft.OperationalInsights/workspaces/log-platform-management-client-eu01-p" 

    $AzDcrPrefix                                = "clt" 
    $AzDcrSetLogIngestApiAppPermissionsDcrLevel = $false
    $AzDcrLogIngestServicePrincipalObjectId     = "xxxx" 
    $AzLogDcrTableCreateFromReferenceMachine    = @()
    $AzLogDcrTableCreateFromAnyMachine          = $true

<#  ----- onboading lines -----  END  #>

  8. You are now done with the initial setup of the infrastructure for ClientInspector.

Potential deployment issues (Azure AD replication latency)

Due to latency in Azure tenant replication, the steps with delegation sometimes do not complete on the initial run. To mitigate this, the script will pause for 1 min - hopefully Azure AD will replicate by that time.

If it still does not work, wait 10-15 min and re-run the script, if needed; it will fix anything that is missing. NOTE: Before doing that, grab the secret from the screen, as it will not be shown afterwards.

LogIngestion Azure App Name:
CompanyName - Automation - Log-Ingestion

LogIngestion Azure App Id:
LogIngestion Azure App Secret:

LogIngestion Azure Service Principal Object Id for app:

Azure LogAnalytics Workspace Resource Id:

Azure Data Collection Endpoint Name:

Azure Data Collection Endpoint Log Ingestion Uri:


Please insert these lines in ClientInspector:

$TenantId                                   = "f0fa27a0-8e7c-4f63-9a77-ec94786b7c9e" 
$LogIngestAppId                             = "8837b5cf-9b6e-46b9-8c53-3d66137c13d9" 
$LogIngestAppSecret                         = "<<<removed>>>" 

$DceName                                    = "dce-log-platform-management-client-p" 
$LogAnalyticsWorkspaceResourceId            = 

$AzDcrPrefix                                = "clt" 
$AzDcrSetLogIngestApiAppPermissionsDcrLevel = $false
$AzDcrLogIngestServicePrincipalObjectId     = "5a1cba73-26f3-4267-9078-259ee35e0bc4" 
$AzLogDcrTableCreateFromReferenceMachine    = @()
$AzDcrDceTableCreateFromAnyMachine          = $true

Azure Workbooks, part of deployment

| Workbook Name | Purpose |
|---|---|
| ANTIVIRUS SECURITY CENTER - CLIENTS - V2 | Antivirus Security Center from Windows - default antivirus, state, configuration |
| APPLICATIONS - CLIENTS - V2 | Installed applications, both using WMI and registry |
| BITLOCKER - CLIENTS - V2 | Bitlocker & TPM configuration |
| DEFENDER AV - CLIENTS - V2 | Microsoft Defender Antivirus settings including ASR, exclusions, realtime protection, etc |
| GROUP POLICY REFRESH - CLIENTS - V2 | Group Policy - last refresh |
| INVENTORY - CLIENTS - V2 | Computer information - bios, processor, hardware info, Windows OS info, OS information, last restart, vpn |
| INVENTORY COLLECTION ISSUES - CLIENTS - V2 | Collection issues related to WMI |
| LAPS - CLIENTS - V2 | LAPS - version |
| LOCAL ADMINS - CLIENTS - V2 | Local administrators group membership |
| NETWORK INFORMATION - CLIENTS - V2 | Network adapters, IP configuration |
| UNEXPECTED SHUTDOWNS - CLIENTS - V2 | Events from eventlog looking for specific events including logon events, blue screens, etc. |
| WINDOWS FIREWALL - CLIENTS - V2 | Windows firewall - settings for all 3 modes |
| WINDOWS UPDATE - CLIENTS - V2 | Windows Update - last result (when), windows update source information (where), pending updates, last installations (what) |

Azure Dashboards, part of deployment

Dashboards Name Purpose


Code signing

Both the ClientInspector.ps1-file and the AzLogDcrIngestPS module (AzLogDcrIngest.psm1) are signed with my code signing certificate (2LINKIT - my company). This way you can run it, if you require scripts to be signed. Of course you can also choose to sign it with your own internal code signing certificate.


Please download the public key certificate and put it into your 'trusted publisher' container to trust the publisher (2LINKIT - my company). You can deploy this using Intune or Group Policy.
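
A check worth running before adding the publisher to 'trusted publisher', shown as an added example (not part of ClientInspector or its DeploymentKit): confirm that both files carry a valid Authenticode signature from the expected certificate, and only then import the public certificate. The thumbprint value and the certificate file name `publisher.cer` are placeholders, and `Test-PublisherSignature` is a hypothetical helper name.

```powershell
# Added example. Placeholders: $ExpectedThumbprint and .\publisher.cer.
# Obtain the real thumbprint from the publisher over a channel you trust.
$ExpectedThumbprint = '<expected-thumbprint-placeholder>'
$CertFile           = '.\publisher.cer'
$SignedFiles        = '.\ClientInspector.ps1', '.\AzLogDcrIngest.psm1'

function Test-PublisherSignature {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    foreach ($file in $Path) {
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $file
            Status      = $sig.Status     # 'Valid' only if the file hash and cert chain check out
            Signer      = if ($signer) { $signer.Subject } else { $null }
            Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
            # Without a timestamp the signature stops validating when the cert expires
            Timestamped = [bool]$sig.TimeStamperCertificate
            Trusted     = ($sig.Status -eq 'Valid') -and [bool]$signer -and
                          ($signer.Thumbprint -eq $ExpectedThumbprint)
        }
    }
}

$results = Test-PublisherSignature -Path $SignedFiles -ExpectedThumbprint $ExpectedThumbprint
$results | Format-Table File, Status, Thumbprint, Timestamped, Trusted -AutoSize

# The downloaded certificate must be the same one that signed the files.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            (Resolve-Path $CertFile).Path)

if (($results.Trusted -notcontains $false) -and ($cert.Thumbprint -eq $ExpectedThumbprint)) {
    # Requires an elevated session; Intune or Group Policy can do the same at scale.
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher
} else {
    Write-Warning 'Signature or certificate mismatch - publisher certificate NOT imported.'
}
```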


Intune deployment doesn't require trusted publisher to be in place

By default Intune will do a BYPASS when running remediation scripts.

Azure RBAC

For simplicity, the deployment will configure the created Azure app with RBAC permissions to both do log ingestion and table/DCR management.

| Target | Delegation To | Azure RBAC Permission | Comment |
|---|---|---|---|
| Azure Resource Group for Azure Data Collection Rules | Azure app used for log ingestion | Monitoring Publisher Metrics | used to send in data |
| Azure Resource Group for Azure Data Endpoint | Azure app used for log ingestion | Reader | needed to retrieve information about DCE - used as part of uploading data |
| Azure Resource Group for Azure Data Collection Rules | Azure app used for log ingestion | Contributor | needed to send in data |
| Azure Resource Group for Azure Data Collection Endpoint | Azure app used for log ingestion | Contributor | needed to create/update DCEs (if needed after deployment) |
| Azure LogAnalytics Workspace | Azure app used for log ingestion | Contributor | needed to create/update Azure LogAnalytics custom log tables |

If you want to separate the permissions for log ingestion from those for create/update table/DCR management, you can do this by creating a separate Azure app used for table/DCR management (e.g. xxxx - Automation - Log Ingest Management). Click here to see the security separated with 2 Azure apps

Azure RBAC Security adjustment, separation of permissions between log ingestion and table/DCR management

If you want to separate the log ingestion process from the table management process, you can do this by having one more Azure app, which is used for table/DCR/schema management.

You need to adjust permissions according to these settings:

| Target | Delegation To | Azure RBAC Permission | Comment |
|---|---|---|---|
| Azure Resource Group for Azure Data Collection Rules | Azure app used for log ingestion | Monitoring Publisher Metrics | used to send in data |
| Azure Resource Group for Azure Data Endpoint | Azure app used for log ingestion | Reader | needed to retrieve information about DCE - used as part of uploading data. When you run this script with the default config, it will configure the log ingestion account with Contributor permissions. This configuration must be adjusted, so the log ingestion app will only need Reader permissions. |
| Azure Resource Group for Azure Data Collection Rules | Azure app used for table/DCR management | Contributor | needed to send in data |
| Azure Resource Group for Azure Data Collection Endpoint | Azure app used for table/DCR management | Contributor | needed to create/update DCEs and also needed to create/update a DCR with references to a DCE |
| Azure LogAnalytics Workspace | Azure app used for table/DCR management | Contributor | needed to create/update Azure LogAnalytics custom log tables |
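
One way to confirm the adjustment took effect, as an added example that is not part of the DeploymentKit: compare the role assignments of the log ingestion app against what the two-app table allows and list everything in excess. `Find-ExcessIngestRole` is a hypothetical helper; the resource group names are the demo values from this page, and the subscription id and sample assignments are constructed.

```powershell
# Added example. Flags role assignments of the log ingestion app that exceed the two-app model.
function Find-ExcessIngestRole {
    param(
        [Parameter(Mandatory)][object[]]$Assignment,   # objects with Scope + RoleDefinitionName
        [Parameter(Mandatory)][hashtable]$AllowedRoleByResourceGroup
    )
    foreach ($a in $Assignment) {
        # Resource group the assignment applies to; $null for subscription or higher scopes
        $rg      = if ($a.Scope -match '/resourceGroups/([^/]+)') { $Matches[1] } else { $null }
        $allowed = if ($rg) { $AllowedRoleByResourceGroup[$rg] } else { $null }
        if ($a.RoleDefinitionName -ne $allowed) {
            [pscustomobject]@{
                Scope   = $a.Scope
                Found   = $a.RoleDefinitionName
                Allowed = if ($allowed) { $allowed } else { '(none)' }
            }
        }
    }
}

# 'Monitoring Metrics Publisher' is the Azure built-in role name
# (the table above lists it as "Monitoring Publisher Metrics").
$allowed = @{
    'rg-dcr-log-platform-management-client-demo1-p' = 'Monitoring Metrics Publisher'
    'rg-dce-log-platform-management-client-demo1-p' = 'Reader'
}

# Constructed sample: assignments a default single-app deployment leaves on the ingestion app.
$sub   = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription id
$dcrRg = "$sub/resourceGroups/rg-dcr-log-platform-management-client-demo1-p"
$dceRg = "$sub/resourceGroups/rg-dce-log-platform-management-client-demo1-p"
$law   = "$sub/resourceGroups/rg-logworkspaces-demo1/providers/Microsoft.OperationalInsights" +
         '/workspaces/log-platform-management-client-demo1-p'
$sample = @(
    [pscustomobject]@{ Scope = $dcrRg; RoleDefinitionName = 'Monitoring Metrics Publisher' }
    [pscustomobject]@{ Scope = $dcrRg; RoleDefinitionName = 'Contributor' }
    [pscustomobject]@{ Scope = $dceRg; RoleDefinitionName = 'Reader' }
    [pscustomobject]@{ Scope = $dceRg; RoleDefinitionName = 'Contributor' }
    [pscustomobject]@{ Scope = $law;   RoleDefinitionName = 'Contributor' }
)

Find-ExcessIngestRole -Assignment $sample -AllowedRoleByResourceGroup $allowed |
    Format-Table -AutoSize -Wrap

# Live input instead of the sample (requires Az.Resources and Connect-AzAccount):
# $live = Get-AzRoleAssignment -ObjectId $AzDcrLogIngestServicePrincipalObjectId
# Find-ExcessIngestRole -Assignment $live -AllowedRoleByResourceGroup $allowed
```

Assignments inherited from subscription scope are reported as well, since they carry no resource group and so match no allowed entry.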