- Article
- 11 minutes to read
This article provides instructions and guidance for using the client installer for Azure Monitor Agent. It also explains how to leverage Data Collection Rules on Windows client devices.
Using the new client installer described here, you can now collect telemetry data from your Windows client devices in addition to servers and virtual machines.Both the extension and this installer use Data Collection rules to configure the same underlying agent.
Comparison with virtual machine extension
Here is a comparison between client installer and VM extension for Azure Monitor agent:
| Functional component | For VMs/servers via extension | For clients via installer |
|---|---|---|
| Agent installation method | Via VM extension | Via client installer |
| Agent installed | Azure Monitor Agent | Same |
| Authentication | Using Managed Identity | Using AAD device token |
| Central configuration | Via Data collection rules | Same |
| Associating config rules to agents | DCRs associates directly to individual VM resources | DCRs associate to Monitored Object (MO), which maps to all devices within the AAD tenant |
| Data upload to Log Analytics | Via Log Analytics endpoints | Same |
| Feature support | All features documented here | Features dependent on AMA agent extension that don't require additional extensions. This includes support for Sentinel Windows Event filtering |
| Networking options | Proxy support, Private link support | Proxy support only |
Supported device types
| Device type | Supported? | Installation method | Additional information |
|---|---|---|---|
| Windows 10, 11 desktops, workstations | Yes | Client installer | Installs the agent using a Windows MSI installer |
| Windows 10, 11 laptops | Yes | Client installer | Installs the agent using a Windows MSI installer. The installs works on laptops but the agent is not optimized yet for battery, network consumption |
| Virtual machines, scale sets | No | Virtual machine extension | Installs the agent using Azure extension framework |
| On-premises servers | No | Virtual machine extension (with Azure Arc agent) | Installs the agent using Azure extension framework, provided for on-premises by installing Arc agent |
Prerequisites
- The machine must be running Windows client OS version 10 RS4 or higher.
- To download the installer, the machine should have C++ Redistributable version 2015) or higher
- The machine must be domain joined to an Azure AD tenant (AADj or Hybrid AADj machines), which enables the agent to fetch Azure AD device tokens used to authenticate and fetch data collection rules from Azure.
- You may need tenant admin permissions on the Azure AD tenant.
- The device must have access to the following HTTPS endpoints:
- global.handler.control.monitor.azure.com
<virtual-machine-region-name>.handler.control.monitor.azure.com (example: westus.handler.control.azure.com)<log-analytics-workspace-id>.ods.opinsights.azure.com (example: 12345a01-b1cd-1234-e1f2-1234567g8h99.ods.opinsights.azure.com)(If using private links on the agent, you must also add the data collection endpoints)
- A data collection rule you want to associate with the devices. If it doesn't exist already, create a data collection rule. Do not associate the rule to any resources yet.
Install the agent
Download the Windows MSI installer for the agent using this link. You can also download it from Monitor > Data Collection Rules > Create experience on Azure portal (shown below):
Open an elevated admin command prompt window and update path to the location where you downloaded the installer.
To install with default settings, run the following command:
msiexec /i AzureMonitorAgentClientSetup.msi /qnTo install with custom file paths or network proxy settings, use the command below with the values from the following table:
msiexec /i AzureMonitorAgentClientSetup.msi /qn DATASTOREDIR="C:\example\folder"Parameter Description INSTALLDIR Directory path where the agent binaries are installed DATASTOREDIR Directory path where the agent stores its operational logs and data PROXYUSE Must be set to "true" to use proxy PROXYADDRESS Set to Proxy Address. PROXYUSE must be set to "true" to be correctly applied PROXYUSEAUTH Set to "true" if proxy requires authentication PROXYUSERNAME Set to Proxy username. PROXYUSE and PROXYUSEAUTH must be set to "true" PROXYPASSWORD Set to Proxy password. PROXYUSE and PROXYUSEAUTH must be set to "true" Verify successful installation:
(Video) Azure Log Analytics Workspace I How to set up Microsoft Monitoring Agent on On-premises Server I OMS- Open Control Panel -> Programs and Features OR Settings -> Apps -> Apps & Features and ensure you see ‘Azure Monitor Agent’ listed
- Open Services and confirm ‘Azure Monitor Agent’ is listed and shows as Running.
Proceed to create the monitored object that you'll associate data collection rules to, for the agent to actually start operating.
Note
The agent installed with the client installer currently doesn't support updating configuration once it is installed. Uninstall and reinstall AMA to update its configuration.
Create and associate a 'Monitored Object'
You need to create a 'Monitored Object' (MO) that creates a representation for the Azure AD tenant within Azure Resource Manager (ARM). This ARM entity is what Data Collection Rules are then associated with.Currently this association is only limited to the Azure AD tenant scope, which means configuration applied to the tenant will be applied to all devices that are part of the tenant and running the agent.The image below demonstrates how this works:
Then, proceed with the instructions below to create and associate them to a Monitored Object, using REST APIs or PowerShell commands.
Permissions required
Since MO is a tenant level resource, the scope of the permission would be higher than a subscription scope. Therefore, an Azure tenant admin may be needed to perform this step. Follow these steps to elevate Azure AD Tenant Admin as Azure Tenant Admin. It will give the Azure AD admin 'owner' permissions at the root scope. This is needed for all methods described below in this section.
Using REST APIs
1. Assign ‘Monitored Object Contributor’ role to the operator
This step grants the ability to create and link a monitored object to a user.
Request URI
PUT https://management.azure.com/providers/microsoft.insights/providers/microsoft.authorization/roleassignments/{roleAssignmentGUID}?api-version=2021-04-01-previewURI Parameters
| Name | In | Type | Description |
|---|---|---|---|
roleAssignmentGUID | path | string | Provide any valid guid (you can generate one using https://guidgenerator.com/) |
Headers
- Authorization: ARM Bearer Token (using ‘Get-AzAccessToken’ or other method)
- Content-Type: Application/json
Request Body
{"properties":{"roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b","principalId":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}}Body parameters
| Name | Description |
|---|---|
| roleDefinitionId | Fixed value: Role definition ID of the 'Monitored Objects Contributor' role: /providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b |
| principalId | Provide the Object Id of the identity of the user to which the role needs to be assigned. It may be the user who elevated at the beginning of step 1, or another user who will perform later steps. |
After this step is complete, reauthenticate your session and reacquire your ARM bearer token.
2. Create Monitored Object
This step creates the Monitored Object for the Azure AD Tenant scope. It will be used to represent client devices that are signed with that Azure AD Tenant identity.
Permissions required: Anyone who has 'Monitored Object Contributor' at an appropriate scope can perform this operation, as assigned in step 1.
Request URI
PUT https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{AADTenantId}?api-version=2021-09-01-previewURI Parameters
| Name | In | Type | Description |
|---|---|---|---|
AADTenantId | path | string | ID of the Azure AD tenant that the device(s) belong to. The MO will be created with the same ID |
Headers
- Authorization: ARM Bearer Token
- Content-Type: Application/json
Request Body
{ "properties":{ "location":"eastus" }}Body parameters
| Name | Description |
|---|---|
location | The Azure region where the MO object would be stored. It should be the same region where you created the Data Collection Rule. This is the location of the region from where agent communications would happen. |
3. Associate DCR to Monitored Object
Now we associate the Data Collection Rules (DCR) to the Monitored Object by creating Data Collection Rule Associations.
Permissions required: Anyone who has ‘Monitored Object Contributor’ at an appropriate scope can perform this operation, as assigned in step 1.
Request URI
PUT https://management.azure.com/{MOResourceId}/providers/microsoft.insights/datacollectionruleassociations/{associationName}?api-version=2021-09-01-previewSample Request URI
PUT https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/{AADTenantId}/providers/microsoft.insights/datacollectionruleassociations/{associationName}?api-version=2021-09-01-previewURI Parameters
| Name | In | Type | Description |
|---|---|---|---|
| ``MOResourceId` | path | string | Full resource ID of the MO created in step 2. Example: 'providers/Microsoft.Insights/monitoredObjects/{AADTenantId}' |
Headers
- Authorization: ARM Bearer Token
- Content-Type: Application/json
Request Body
{"properties":{"dataCollectionRuleId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/dataCollectionRules/{DCRName}"}}Body parameters
| Name | Description |
|---|---|
dataCollectionRuleID | The resource ID of an existing Data Collection Rule that you created in the same region as the Monitored Object. |
Using PowerShell for onboarding
$TenantID = "xxxxxxxxx-xxxx-xxx" #Your Tenant ID$SubscriptionID = "xxxxxx-xxxx-xxxxx" #Your Subscription ID$ResourceGroup = "rg-yourResourseGroup" #Your resroucegroupConnect-AzAccount -Tenant $TenantID#Select the subscriptionSelect-AzSubscription -SubscriptionId $SubscriptionID#Grant Access to User at root scope "/"$user = Get-AzADUser -UserPrincipalName (Get-AzContext).AccountNew-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id#Create Auth Token$auth = Get-AzAccessToken$AuthenticationHeader = @{ "Content-Type" = "application/json" "Authorization" = "Bearer " + $auth.Token }#1. Assign ‘Monitored Object Contributor’ Role to the operator$newguid = (New-Guid).Guid$UserObjectID = $user.Id$body = @"{ "properties": { "roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/56be40e24db14ccf93c37e44c597135b", "principalId": `"$UserObjectID`" }}"@$requestURL = "https://management.azure.com/providers/microsoft.insights/providers/microsoft.authorization/roleassignments/$newguid`?api-version=2021-04-01-preview"Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body###########################2. Create Monitored Object# "location" property value under the "body" section should be the Azure region where the MO object would be stored. It should be the "same region" where you created the Data Collection Rule. This is the location of the region from where agent communications would happen.$Location = "eastus" #Use your own loacation$requestURL = "https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/$TenantID`?api-version=2021-09-01-preview"$body = @"{ "properties":{ "location":`"$Location`" }}"@$Respond = Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body -Verbose$RespondID = $Respond.id###########################3. Associate DCR to Monitored Object#See reference documentation https://learn.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations/create?tabs=HTTP$associationName = "assoc01" #You can define your custom associationname, must change the association name to a unique name, if you want to associate multiple DCR to monitored object$DCRName = "dcr-WindowsClientOS" #Your Data collection rule name$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations/$associationName`?api-version=2021-09-01-preview"$body = @" { "properties": { "dataCollectionRuleId": "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$DCRName" } }"@Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body#(Optional example). Associate another DCR to Monitored Object#See reference documentation https://learn.microsoft.com/en-us/rest/api/monitor/data-collection-rule-associations/create?tabs=HTTP$associationName = "assoc02" #You must change the association name to a unique name, if you want to associate multiple DCR to monitored object$DCRName = "dcr-PAW-WindowsClientOS" #Your Data collection rule name$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations/$associationName`?api-version=2021-09-01-preview"$body = @" { "properties": { "dataCollectionRuleId": "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Insights/dataCollectionRules/$DCRName" } }"@Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method PUT -Body $body#4. (Optional) Get all the associatation.$requestURL = "https://management.azure.com$RespondId/providers/microsoft.insights/datacollectionruleassociations?api-version=2021-09-01-preview"(Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method get).valueUsing PowerShell for offboarding
#This will remove the monitor object$TenantID = "xxxxxxxxx-xxxx-xxx" #Your Tenant ID$SubscriptionID = "xxxxxx-xxxx-xxxxx" #Your Subscription ID$ResourceGroup = "rg-yourResourseGroup" #Your resroucegroupConnect-AzAccount -Tenant $TenantID#Select the subscriptionSelect-AzSubscription -SubscriptionId $SubscriptionID#Delete monitored object$requestURL = "https://management.azure.com/providers/Microsoft.Insights/monitoredObjects/$TenantID`?api-version=2021-09-01-preview"#Invoke-RestMethod -Uri $requestURL -Headers $AuthenticationHeader -Method DeleteVerify successful setup
Check the ‘Heartbeat’ table (and other tables you configured in the rules) in the Log Analytics workspace that you specified as a destination in the data collection rule(s).The SourceComputerId, Computer, ComputerIP columns should all reflect the client device information respectively, and the Category column should say 'Azure Monitor Agent'. See example below:
Manage the agent
Check the agent version
You can use any of the following options to check the installed version of the agent:
- Open Control Panel > Programs and Features > Azure Monitor Agent and see the 'Version' listed
- Open Settings > Apps > Apps and Features > Azure Monitor Agent and see the 'Version' listed
Uninstall the agent
You can use any of the following options to check the installed version of the agent:
- Open Control Panel > Programs and Features > Azure Monitor Agent and click 'Uninstall'
- Open Settings > Apps > Apps and Features > Azure Monitor Agent and click 'Uninstall'
If you face issues during 'Uninstall', refer to troubleshooting guidance below
Update the agent
In order to update the version, install the new version you wish to update to.
Troubleshoot
View agent diagnostic logs
- Rerun the installation with logging turned on and specify the log file name:
Msiexec /I AzureMonitorAgentClientSetup.msi /L*V <log file name> - Runtime logs are collected automatically either at the default location
C:\Resources\Azure Monitor Agent\or at the file path mentioned during installation.- If you can't locate the path, the exact location can be found on the registry as
AMADataRootDirPathonHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMonitorAgent.
- If you can't locate the path, the exact location can be found on the registry as
- The 'ServiceLogs' folder contains log from AMA Windows Service, which launches and manages AMA processes
- 'AzureMonitorAgent.MonitoringDataStore' contains data/logs from AMA processes.
Common installation issues
Missing DLL
- Error message: "There's a problem with this Windows Installer package. A DLL required for this installer to complete could not be run. …"
- Ensure you have installed C++ Redistributable (>2015) before installing AMA:
Not AAD joined
Error message: "Tenant and device ids retrieval failed"
- Run the command
dsregcmd /status. This should produce the output asAzureAdJoined : YESin the 'Device State' section. If not, join the device with an AAD tenant and try installation again.
Silent install from command prompt fails
Make sure to start the installer on administrator command prompt. Silent install can only be initiated from the administrator command prompt.
Uninstallation fails due to the uninstaller being unable to stop the service
- If There's an option to try again, do try it again
- If retry from uninstaller doesn't work, cancel the uninstall and stop Azure Monitor Agent service from Services (Desktop Application)
- Retry uninstall
Force uninstall manually when uninstaller doesn't work
- Stop Azure Monitor Agent service. Then try uninstalling again. If it fails, then proceed with the following steps
- Delete AMA service with "sc delete AzureMonitorAgent" from admin cmd
- Download this tool and uninstall AMA
- Delete AMA binaries. They're stored in
Program Files\Azure Monitor Agentby default - Delete AMA data/logs. They're stored in
C:\Resources\Azure Monitor Agentby default - Open Registry. Check
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure Monitor Agent. If it exists, delete the key.
Post installation/Operational issues
Once the agent is installed successfully (i.e. you see the agent service running but don't see data as expected), you can follow standard troubleshooting steps listed here for Windows VM and Windows Arc-enabled server respectively.
Questions and feedback
Take this quick survey or share your feedback/questions regarding the client installer.
FAQs
How do I install Azure Monitor Agent on Windows? ›
You can install Azure Monitor Agent on Azure virtual machines and on Azure Arc-enabled servers by using New-AzConnectedMachineExtension , the PowerShell cmdlet for adding a virtual machine extension.
How do I Monitor Windows services with Azure Monitor? ›- Step 1: Enable VM Inventory and Change Tracking. This feature monitors the Virtual Machine for changes in software, files, windows registry and windows services. ...
- Step 2: Configure Alert. ...
- Step 3: Testing the Alert.
- In the Azure portal, click All services. In the list of resources, type Monitor. As you begin typing, the list filters based on your input. Select Monitor.
- On the Monitor navigation menu, select Log Analytics and then select a workspace.
- Run Setup to install the agent.
- On the Welcome page, click Next.
- On the License Terms page, read the license and then click I Agree.
- On the begin Upgrade page, click Upgrade.
- On the Completion page, click Finish.
- Log on to the machine using the account for which you've prepared permissions as explained above.
- In your web browser, sign in to Azure DevOps Server 2019, and navigate to the Agent pools tab: ...
- Click Download agent.
- On the Get agent dialog box, click Windows.
Select it, and on the Azure Log Analytics tab, the agent should display a message stating The Microsoft Monitoring Agent has successfully connected to the Microsoft Operations Management Suite service. You can also perform a log query in the Azure portal: In the Azure portal, search for and select Monitor.
What are the three main functions of Azure Monitor? ›Microsoft combined three unique services—Azure Monitor, Log Analytics, and Application Insights—under the umbrella of Azure Monitor to provide powerful end-to-end monitoring of your applications and the components they rely on. Log Analytics and Application Insights are now features of Azure Monitor.
How do I Monitor my VM Monitor Azure Monitor? ›- Monitor virtual machines with Azure Monitor: Collect data - Azure Monitor.
- Enable set of recommended metric alert rules for an Azure virtual machine.
- View app dependencies with VM insights - Azure Monitor. ...
- Create availability alert rule for Azure virtual machine (preview) - Azure Monitor.
Go to Server > Server Monitor > Servers > click on the desired monitor. Go to Services and Processes tab. Click on Discover Services and Processes . This will discover the processes & services running in your Windows server.
How does Azure Monitor work? ›Azure Monitor collects and aggregates the data from every layer and component of your system into a common data platform. It correlates data across multiple Azure subscriptions and tenants, in addition to hosting data for other services.
How do I grant access to Azure Monitor? ›
- Open a resource that contains the monitoring data you want to retrieve. ...
- Select Access Control (IAM).
- Under Grant access to this resource, select Add role assignment. ...
- The portal lists various roles you can give to your Managed Grafana resource. ...
- Click Next.
Azure administrators implement, manage, and monitor an organization's Microsoft Azure environment, including virtual networks, storage, compute, identity, security, and governance.
What is Azure Microsoft monitoring agent? ›Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.
What is Windows Agent setup? ›The Windows agent monitors local services and reports any issues. The agent is also used with Patch Manager to communicate with the Windows Update server to request a lists of available updates for the device. When installing on a Hyper-V server, its is a good idea to install an agent on every virtual machine.
How does a monitoring agent work? ›The Monitoring agent is a collectd-based daemon that gathers system and application metrics from virtual machine instances and sends them to Monitoring. By default, the Monitoring agent collects disk, CPU, network, and process metrics.
How do I manually install Azure agent? ›Manual installation
To manually install the Windows VM Agent, download the VM Agent installer and select the latest release. You can also search a specific version in the GitHub Windows IaaS VM Agent releases. The VM Agent is supported on Windows Server 2008 (64 bit) and later.
- Click Settings > All Settings.
- Under Node & Group Management, click Manage Agents > Add Agent.
- Click Connect to a previously installed agent > click Next.
- Enter the name, IP address, and port number for the agent and click Server-initiated communication.
...
Navigate to the capabilities tab:
- From the Agent pools tab, select the desired agent pool.
- Select Agents and choose the desired agent.
- Choose the Capabilities tab. Note. Microsoft-hosted agents don't display system capabilities.
Checking agent status and version
Go to the VM properties page in Azure portal, and check the Agent status. If the Azure VM Agent is working correctly, the status shows Ready. If VM Agent is in Not Ready status, the extensions and Run command on the Azure portal won't work.
The 32-bit and 64-bit versions of the Microsoft Monitoring Agent can be downloaded from the Microsoft Download Center or it can be deployed through the Administration pane of the SCOM console.
How do I install Azure VM monitoring agent? ›
You can use Resource Manager templates to install Azure Monitor Agent on Azure virtual machines and on Azure Arc-enabled servers and to create an association with data collection rules. You must create any data collection rule prior to creating the association.
How do I install cloud monitoring agent? ›- Open a terminal connection to your VM instance using SSH or a similar tool and ensure you have sudo access.
- Change to a directory you have write access to, for example your home directory.
- Add the agent's package repository and install the agent: ...
- Start the agent service.
- Sign into the Azure portal.
- Select Browse on the left side of the portal, and then go to Log Analytics (OMS) and select it.
- In your list of Log Analytics workspaces, select the one that you want to use with the Azure VM.
Azure Monitor Agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor for use by features, insights, and other services, such as Microsoft Sentinel and Microsoft Defender for Cloud.
How does the monitoring agent monitor the cloud usage? ›By default, the Monitoring agent collects disk, CPU, network, and process metrics. You can configure the Monitoring agent to monitor third-party applications to get the full list of agent metrics.
How does Microsoft monitoring agent work? ›Windows agent
On a monitored Windows computer, the Operations Manager agent is listed as the Microsoft Monitoring Agent (MMA) service. The Microsoft Monitoring Agent service collects event and performance data, executes tasks, and other workflows defined in a management pack.
- Download the Automate Schedule Agent for Windows file from our website.
- Double-click the Automate_Schedule_Agent_for_Windows. ...
- Double-click the setupAutomateScheduleAgent.exe file.
- Follow the onscreen instructions to start the installation.
- Find OMS Solutions.
- Setup OMS instance in Azure Portal.
- OMS Dashboard in Azure Portal.
- Configure Data Sources.
- Configure Data Sources.
- OMS Portal.
To begin, open your Cloud Control and go to "Setup -> Extensibility -> Self Update". Open the "Agent Software" folder and check if the Agent Software of Windows x64 is with status "Applied", as in the image below: If the agent is not applied, you need to download it, deploy and then activate it.
How do I install Azure connected machine agent? ›- Prerequisites. ...
- Generate an installation script. ...
- Install the agent by using the script. ...
- Verify the connection with Azure Arc. ...
- Connect hybrid machines to Azure by using PowerShell. ...
- Connect hybrid machines to Azure from Windows Admin Center. ...
- Next steps.
How do I manually install Azure VM agent? ›
Manual installation
To manually install the Windows VM Agent, download the VM Agent installer and select the latest release. You can also search a specific version in the GitHub Windows IaaS VM Agent releases. The VM Agent is supported on Windows Server 2008 (64 bit) and later.
...
Follow these steps:
- Select. Start. , ...
- Double-click. Administrative Tools. ...
- Double-click. Services. ...
- Right-click the agent service, and select. Properties. ...
- Select. Automatic. ...
- Select. OK.
The Windows agent monitors local services and reports any issues. The agent is also used with Patch Manager to communicate with the Windows Update server to request a lists of available updates for the device. When installing on a Hyper-V server, its is a good idea to install an agent on every virtual machine.