Enable Change Tracking and Inventory using Azure Monitoring Agent

Applies to: ✔️ Windows VMs ✔️ Linux VMs ✔️ Windows Registry ✔️ Windows Files ✔️ Linux Files ✔️ Windows Software ✔️ File Content Changes

This article describes how you can enable Change Tracking and Inventory for single and multiple Azure Virtual Machines (VMs) from the Azure portal.

Prerequisites

• An Azure subscription. If you don't have one yet, you can activate your MSDN subscriber benefits or sign up for a free account.
• A virtual machine configured in the specified region.

Enable Change Tracking and Inventory

Enable change tracking and inventory for single VM from Azure portal

This section provides detailed procedure on how you can enable change tracking on a single Azure VM and Arc-enabled VM.

Single Azure VM -portal

1. Sign in to Azure portal and navigate to Virtual machines.

   

2. Select the virtual machine for which you want to enable Change Tracking.

3. In the search, enter Change tracking to view the change tracking and inventory page.

   

4. In the Stay up-to-date with all changes layout, select Enable using AMA agent (Recommended) option and Enable.

   It will initiate the deployment and the notification appears on the top right corner of the screen.

   

Note

• When you enable Change Tracking in the Azure portal using the Azure Monitoring Agent, the process automatically creates a Data Collection Rule (DCR). This rule will appear in the resource group with a name in the format ct-dcr-aaaaaaaaa. After the rule is created, add the required resources.
• It usually takes up to two to three minutes to successfully onboard and enable the virtual machine(s). After you enable a virtual machine for change tracking, you can make changes to the files, registries, or software for the specific VM.

Single Azure Arc VM - portal

1. Sign in to Azure portal. Search for and select Machines-Azure Arc.

   

2. Select the Azure-Arc machine for which you want to enable Change Tracking.

3. Under Operations, select Change tracking to view the change tracking and inventory page.

4. In the Stay up-to-date with all changes layout, select Enable using AMA agent (Recommended) option and Enable.

   

   It will initiate the deployment and the notification appears on the top right corner of the screen.

Enable change tracking and inventory for multiple VMs using Azure portal and Azure CLI

This section provides detailed procedure on how you can enable change tracking and inventory on multiple Azure VMs and Azure Arc-enabled VMs.

Multiple Azure VMs - portal

1. Sign in to Azure portal and navigate to Virtual machines.

   

2. Select the virtual machines to which you intend to enable change tracking and select Services > Change Tracking.

   

   Note

   You can select up to 250 virtual machines at a time to enable this feature.

3. In Enable Change Tracking page, select the banner at the top of the page, Click here to try new change tracking and inventory with Azure Monitoring Agent (AMA) experience.

   

4. In Enable Change Tracking page, you can view the list of machines that are enabled, ready to be enabled and the ones that you can't enable. You can use the filters to select the Subscription, Location, and Resource groups. You can select a maximum of three resource groups.

   

5. Select Enable to initiate the deployment.

6. A notification appears on the top right corner of the screen indicating the status of deployment.

Arc-enabled VMs - portal/CLI

To enable the Change Tracking and Inventory on Arc-enabled servers, ensure that the custom Change Tracking Data collection rule is associated to the Arc-enabled VMs.

Follow these steps to associate the data collection rule to the Arc-enabled VMs:

1. Create Change Tracking Data collection rule.

2. Sign in to Azure portal and go to Monitor and under Settings, select Data Collection Rules.

   

3. Select the data collection rule that you have created in Step 1 from the listing page.

4. In the data collection rule page, under Configurations, select Resources and then select Add.

   

5. In the Select a scope, from Resource types, select Machines-Azure Arc that is connected to the subscription and then select Apply to associate the ctdcr created in Step 1 to the Arc-enabled machine and it will also install the Azure Monitoring Agent extension.

   

6. Install the Change Tracking extension as per the OS type for the Arc-enabled VM.

   Linux

   az connectedmachine extension create  --name ChangeTracking-Linux  --publisher Microsoft.Azure.ChangeTrackingAndInventory --type-handler-version 2.20  --type ChangeTracking-Linux  --machine-name XYZ --resource-group XYZ-RG  --location X --enable-auto-upgrade
   

   Windows

   az connectedmachine extension create  --name ChangeTracking-Windows  --publisher Microsoft.Azure.ChangeTrackingAndInventory --type-handler-version 2.20  --type ChangeTracking-Windows  --machine-name XYZ --resource-group XYZ-RG  --location X --enable-auto-upgrade
   

Enable Change Tracking at scale using policy

This section provides detailed procedure on how you can enable change tracking and inventory at scale using policy.

Prerequisite

• You must create the Data collection rule.

Enable Change tracking

Using the Deploy if not exist (DINE) policy, you can enable Change tracking with Azure Monitoring Agent at scale and in the most efficient manner.

1. In Azure portal, select Policy.

2. In the Policy page, under Authoring, select Definitions

3. In Policy | Definitions page, under the Definition Type category, select Initiative and in Category, select Change Tracking and Inventory. You'll see a list of three policies:

   Arc-enabled virtual machines

   • Select Enable Change Tracking and Inventory for Arc-enabled virtual machines.

     

   Virtual machines Scale Sets

   • Select Enable Change Tracking and inventory for Virtual Machine Scale Sets.

     

   Virtual machines

   • Select Enable Change Tracking and inventory for virtual machines.

     

4. Select Enable Change Tracking and Inventory for virtual machines to enable the change tracking on Azure virtual machines. This initiative consists of three policies:

   • Assign Built in User-Assigned Managed identity to Virtual machines

   • Configure ChangeTracking Extension for Windows virtual machines

   • Configure ChangeTracking Extension for Linux virtual machines

     

5. Select Assign to assign the policy to a resource group. For example, Assign Built in User-Assigned Managed identity to virtual machines.

   Note

   The Resource group contains virtual machines and when you assign the policy, it will enable change tracking at scale to a resource group. The virtual machines that are on-boarded to the same resource group will automatically have the change tracking feature enabled.

6. In the Enable Change Tracking and Inventory for virtual machines page, enter the following options:

   1. In Basics, you can define the scope. Select the three dots to configure a scope. In the Scope page, provide the Subscription and Resource group.
   2. In Parameters, select the option in the Bring your own user assigned managed identity.
   3. Provide the Data Collection Rule Resource id. Learn more on how to obtain the Data Collection Rule Resource ID after you create the Data collection rule.
   4. Select Review + create.

Create data collection rule

1. Download CtDcrCreation.json file on your machine.

2. Go to Azure portal and in the search, enter Deploy a custom template.

3. In the Custom deployment page > select a template, select Build your own template in the editor.

4. In the Edit template, select Load file to upload the CtDcrCreation.json file.

5. Select Save.

6. In the Custom deployment > Basics tab, provide Subscription and Resource group where you want to deploy the Data Collection Rule. The Data Collection Rule Name is optional. The resource group must be same as the resource group associated with the Log Analytic workspace ID chosen here.

   

   Note

   • Ensure that the name of your Data Collection Rule is unique in that resource group, else the deployment will overwrite the existing Data Collection Rule.
   • The Log Analytics Workspace Resource Id specifies the Azure resource ID of the Log Analytics workspace used to store change tracking data. Ensure that location of workspace is from the Change tracking supported regions

7. Select Review+create > Create to initiate the deployment of CtDcrCreation.

8. After the deployment is complete, select CtDcr-Deployment to see the DCR Name. Use the Resource ID of the newly created Data Collection Rule for Change tracking and inventory deployment through policy.

   

Note

After creating the Data Collection Rule (DCR) using the Azure Monitoring Agent's change tracking schema, ensure that you don't add any Data Sources to this rule. This can cause Change Tracking and Inventory to fail. You must only add new Resources in this section.

Next steps

• For details of working with the feature, see Manage Change Tracking.
• To troubleshoot general problems with the feature, see Troubleshoot Change Tracking and Inventory issues.