Reduce license costs with Application Inventory and Usage Report in Log Analytics

Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints.

You can protect access and data on organization-owned and users' personal devices. Intune also has compliance and reporting features that support the Zero Trust security model.

Intune simplifies app management with a built-in app experience, including app deployment, updates, and removal. You can connect to and distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app protection policies, and manage access to apps and their data. For more information, go to Manage apps using Microsoft Intune.

Intune provides several reports, e.g. on app distribution and install status, and also a Discovered Apps report covering all managed devices.


For most customers these reports provide enough information, but from an application inventory perspective some information is missing, e.g. application usage (software metering) or the hosts and client devices on which an application was started. From a business perspective this information is necessary for license management, as it allows licenses to be reduced when an application is not used in the company.

Therefore most customers use a third-party solution to obtain application usage information, which increases license spend. Alternatively, this information can be provided in Log Analytics based on the event IDs generated by AppLocker, and shown and exported via Kusto Query Language (KQL).

AppLocker can enforce its policy in an audit-only mode, in which all application start activity is recorded in the event log. These events can be collected for further analysis.

Table of contents

In this post I will cover the following steps:

  1. Environment Setup
  2. Create AppLocker Policy
  3. Create Configuration Profile in Intune
  4. Collect Event Log data with LogAnalytics Agent
  5. Use KQL for data query


1 - Environment Setup

The following prerequisites must be met for agent-based data collection. Customers using Microsoft Defender for Cloud may already use these services, which are also needed for the data analysis.

1.) For data collection a Log Analytics workspace is necessary.

2.) Enable Intune diagnostics data forwarding to Log Analytics.


3.) Deploy the Microsoft Monitoring Agent (MMA) or the Azure Monitor Agent (AMA) to the client devices. Both approaches are valid!


2 - Create AppLocker Policy

AppLocker enforces rules by grouping them per file type. AppLocker includes five rule collections:

  • Executable files: .exe and .com
  • Windows Installer files: .msi, .mst, and .msp
  • Scripts: .ps1, .bat, .cmd, .vbs, and .js
  • DLLs: .dll and .ocx
  • Packaged apps and packaged app installers: .appx

In this blog post we will only focus on .EXE files!

To create the policy, log on to a PC using an account with local administrative privileges. Next, open the Local Group Policy Editor by entering gpedit.msc at the Windows Run prompt. Once the Local Group Policy Editor opens, navigate through the console tree to Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker.


If you expand the AppLocker container, shown in the figure above, the console reveals four sub-containers, each of which is related to a specific type of rule.

In this step I recommend selecting the option to create the default rules.


The default rules ensure that Windows is able to run. In the case of executable rules, for example, the default rules allow any executable file located in the Windows folder or the Program Files folder to run. Additionally, the default rules allow members of the BUILTIN\Administrators group to run all files.


In the next step the enforcement level of these rule collections must be configured.


  • The enforcement setting of a rule collection can be set to Enforce rules or Audit only. With Enforce rules, the rules of the collection are enforced and all events are audited. With Audit only, the rules are only evaluated, but all events generated by that evaluation are written to the AppLocker log.

For this example choose Audit only and click Apply.


Finally, right-click AppLocker and export the generated rule set.

This generates an XML policy file containing one RuleCollection element per rule type.


3 - Create Configuration Profile in Intune

In Microsoft Intune we need to create a configuration profile and push the created AppLocker configuration to all relevant Windows devices.

Go to Devices => Configuration profiles => Create profile, choose Windows 10 and later as the platform, Profile type = Templates, and then choose Custom.


Give the profile a name and move on to Configuration settings.

Use the following settings:

  • Name: EXE Rule Collection
  • Description: Executable Rules
  • OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/apprulset0001/EXE/Policy
  • Data Type: String
  • Value: the whole XML element <RuleCollection Type="Exe" EnforcementMode="AuditOnly"> ... </RuleCollection> from your exported AppLocker policy
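Copying the right element out of the export by hand is error-prone, so here is an added Python example (not the post's own code) that pulls the EXE RuleCollection out of an exported AppLocker policy, prints it ready for the Value field, and checks that it is in AuditOnly mode and still carries the default Allow rules. The embedded SAMPLE_POLICY is constructed to mirror the three default EXE rules; its rule GUIDs are placeholders, not the identifiers Windows generates. The same export can also be produced with the PowerShell cmdlet Get-AppLockerPolicy -Local -Xml instead of the GUI.

```python
"""Pull the EXE rule collection out of an exported AppLocker policy.

Added example, not the post's own code. SAMPLE_POLICY is a constructed
policy that mirrors the three default EXE rules; the rule GUIDs are
placeholders, not the identifiers Windows generates on export.
"""
import xml.etree.ElementTree as ET

SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="00000000-0000-4000-8000-000000000001" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-4000-8000-000000000002" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-4000-8000-000000000003" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
"""


def extract_rule_collection(policy_xml, rule_type: str = "Exe") -> str:
    """Serialise the <RuleCollection Type=...> element on its own.

    The Intune custom OMA-URI setting for AppLocker takes exactly this element
    as its string value, not the surrounding <AppLockerPolicy> document.
    """
    root = ET.fromstring(policy_xml)
    for collection in root.findall("RuleCollection"):
        if collection.get("Type") == rule_type:
            collection.tail = None  # drop the export's trailing whitespace
            return ET.tostring(collection, encoding="unicode")
    raise ValueError(f"policy has no RuleCollection of type {rule_type!r}")


def enforcement_mode(rule_collection_xml: str) -> str:
    """EnforcementMode attribute of the collection: AuditOnly, Enabled or NotConfigured."""
    return ET.fromstring(rule_collection_xml).get("EnforcementMode", "NotConfigured")


def allowed_paths(rule_collection_xml: str) -> list:
    """Path patterns covered by the collection's Allow rules.

    Seeing %PROGRAMFILES%, %WINDIR% and '*' (administrators) here confirms the
    default rules made it into the export before the profile is assigned.
    """
    collection = ET.fromstring(rule_collection_xml)
    return [
        condition.get("Path", "")
        for rule in collection.findall("FilePathRule")
        if rule.get("Action") == "Allow"
        for condition in rule.findall("Conditions/FilePathCondition")
    ]


if __name__ == "__main__":
    import sys
    from pathlib import Path

    # Pass the exported .xml as the first argument; bytes let ET honour the file's own encoding.
    xml_text = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_POLICY
    exe_rules = extract_rule_collection(xml_text, "Exe")
    print("EnforcementMode:", enforcement_mode(exe_rules))
    print("Allow rule paths:", allowed_paths(exe_rules))
    print(exe_rules)  # paste this into the OMA-URI 'Value' field
```

Run it as `python extract_exe_rules.py exported-policy.xml`; without an argument it works on the constructed sample. The mode check matters because an export made before switching the collection to Audit only would ship EnforcementMode="Enabled" and start blocking executables on every assigned device.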



Finally, assign this configuration profile to a group of Windows devices.

After this step and a successful assignment, you can double-check in the Event Viewer that events are being written under Applications and Services Logs => Microsoft => Windows => AppLocker => EXE and DLL.


4 - Collect Event Log data with LogAnalytics Agent

All event information for EXE and DLL is stored on each device and must be forwarded to the centrally defined Log Analytics workspace. For this step the monitoring agent (MMA or AMA) must be configured via Log Analytics.

Log in to https://portal.azure.com and open the Log Analytics workspaces service. Within your workspace choose "Legacy agents management" from the left-hand menu, add a Windows event log and enter "Microsoft-Windows-AppLocker/EXE and DLL".


After applying, the relevant events will be forwarded to the Log Analytics workspace.

See also: Collect Windows event log data sources with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Learn


5 - Use KQL for data query

After some time the data is available in Log Analytics and can be queried in the "Logs" section. This opens a query editor that shows the results below the query and also lets you export the data.


Here are some examples, which of course can be adjusted to your needs.

Event

This query returns ALL event log information available in Log Analytics.

Event
| where EventLog == "Microsoft-Windows-AppLocker/EXE and DLL" 

This query returns ALL event log information related to your AppLocker policy in Log Analytics.

Event
| where EventLog == "Microsoft-Windows-AppLocker/EXE and DLL" and EventID == 8002
// Exclude the built-in service identities by prefix. A substring test such as
// UserName !contains "NT" is case-insensitive and would also drop every user in a
// domain whose name contains "nt" (for example CONTOSO).
| where UserName !startswith "NT AUTHORITY" and UserName !startswith "NT SERVICE"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.UserData.RuleAndFileData
| extend parent_name = tostring(EventDetail.FilePath)
| project TimeGenerated, Computer, UserName, parent_name

This query returns the timestamp, computer name, user name and started application, which is extracted from the XML in EventData. The event ID is filtered to 8002 and the NT AUTHORITY system accounts are excluded via UserName.

Event
| where EventLog == "Microsoft-Windows-AppLocker/EXE and DLL" and EventID == 8002
| where UserName !startswith "NT AUTHORITY" and UserName !startswith "NT SERVICE"
| extend EvData = parse_xml(EventData)
| extend EventDetail = EvData.DataItem.UserData.RuleAndFileData
// Keep only the last path segment (the file name); anchoring at the end of the
// string is robust even when a folder name, e.g. a user profile, contains a dot.
| extend parent_name = extract(@"([^\\]+)$", 1, tostring(EventDetail.FilePath))
| summarize Count = count() by parent_name
| sort by Count desc

This query is based on the previous one but summarizes the started applications, which gives more information for software metering. Additionally, the regular expression extracts the file name only.
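To show what the third and fourth queries do with the event rows, here is an added Python example (not the post's code) that applies the same steps offline: filter the AppLocker log and event ID, drop the Windows service identities, parse the RuleAndFileData XML, take the file name, and count starts per executable. SAMPLE_EVENTS is a constructed set of rows shaped like the Log Analytics Event table (TimeGenerated, Computer, UserName, EventID, EventLog, EventData); the users, hosts, SIDs and paths are invented. It also handles two points the KQL on the page has to get right: in audit-only mode AppLocker writes 8002 for a file the rules allow and 8003 for a file that would have been blocked under enforcement, so with only the default rules an application started from a user profile appears as 8003 and is missed by an 8002-only filter (the example accepts both IDs by default), and a "first segment containing a dot" regex picks the wrong segment when a folder such as a user profile contains a dot.

```python
"""Parse AppLocker 'EXE and DLL' audit events the way the post's KQL queries do.

Added example, not code from the post. SAMPLE_EVENTS are constructed rows that
mimic the Log Analytics Event table; users, hosts, SIDs and paths are invented.
"""
import re
import xml.etree.ElementTree as ET
from collections import Counter

APPLOCKER_LOG = "Microsoft-Windows-AppLocker/EXE and DLL"


def _event_data(file_path: str, fqbn: str, target_user: str) -> str:
    """EventData as Log Analytics stores it: DataItem/UserData/RuleAndFileData (constructed)."""
    return (
        '<DataItem type="System.XmlData"><UserData>'
        '<RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">'
        f"<PolicyName>EXE</PolicyName><TargetUser>{target_user}</TargetUser>"
        f"<FilePath>{file_path}</FilePath><Fqbn>{fqbn}</Fqbn>"
        "</RuleAndFileData></UserData></DataItem>"
    )


def _row(time, computer, user, event_id, path, fqbn, sid):
    return {"TimeGenerated": time, "Computer": computer, "UserName": user, "EventID": event_id,
            "EventLog": APPLOCKER_LOG, "EventData": _event_data(path, fqbn, sid)}


SAMPLE_EVENTS = [
    _row("2024-01-15T08:02:11Z", "PC01", "CONTOSO\\jdoe", 8002,
         r"%PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE", "O=EXAMPLE\\WINWORD.EXE\\16.0.0.0", "S-1-5-21-1-2-3-1001"),
    _row("2024-01-15T08:02:12Z", "PC01", "NT AUTHORITY\\SYSTEM", 8002,
         r"%SYSTEM32%\SVCHOST.EXE", "O=EXAMPLE\\SVCHOST.EXE\\10.0.0.0", "S-1-5-18"),
    _row("2024-01-15T09:15:40Z", "PC01", "CONTOSO\\jdoe", 8002,
         r"%PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\WINWORD.EXE", "O=EXAMPLE\\WINWORD.EXE\\16.0.0.0", "S-1-5-21-1-2-3-1001"),
    # 8003: allowed in audit mode, but outside the default rules (user profile), so it would be blocked under enforcement.
    _row("2024-01-15T10:01:05Z", "PC03", "CONTOSO\\a.nguyen", 8003,
         r"%OSDRIVE%\USERS\A.NGUYEN\APPDATA\LOCAL\PROGRAMS\CODE\CODE.EXE", "O=EXAMPLE\\CODE.EXE\\1.85.0.0", "S-1-5-21-1-2-3-1042"),
    _row("2024-01-15T11:30:00Z", "PC02", "CONTOSO\\jdoe", 8002,
         r"%PROGRAMFILES%\MICROSOFT OFFICE\ROOT\OFFICE16\EXCEL.EXE", "O=EXAMPLE\\EXCEL.EXE\\16.0.0.0", "S-1-5-21-1-2-3-1001"),
]


def is_system_account(user_name: str) -> bool:
    """Built-in Windows service identities. A substring test on "NT" would also
    drop every user in a domain whose name contains "nt", such as CONTOSO."""
    upper = user_name.upper()
    return upper.startswith("NT AUTHORITY\\") or upper.startswith("NT SERVICE\\")


def parse_rule_and_file_data(event_data_xml: str) -> dict:
    """Equivalent of parse_xml(EventData).DataItem.UserData.RuleAndFileData; namespace-agnostic."""
    node = ET.fromstring(event_data_xml).find(".//{*}RuleAndFileData")
    if node is None:
        raise ValueError("no RuleAndFileData element in EventData")
    return {"file_path": node.findtext("{*}FilePath", default=""),
            "fqbn": node.findtext("{*}Fqbn", default=""),
            "target_user": node.findtext("{*}TargetUser", default="")}


def file_name_first_dotted_segment(path: str) -> str:
    """Regex ([^\\\\]*\\.\\w+): the FIRST path segment containing a dot, which is
    wrong when a folder name such as a user profile contains one."""
    match = re.search(r"([^\\]*\.\w+)", path)
    return match.group(1) if match else ""


def file_name(path: str) -> str:
    """Last path segment, i.e. the executable name, whatever the folders contain."""
    return path.rsplit("\\", 1)[-1]


def application_starts(events, event_ids=(8002, 8003)) -> list:
    """Mirror of the post's third query: one row per application start by a real user."""
    rows = []
    for ev in events:
        if ev["EventLog"] != APPLOCKER_LOG or ev["EventID"] not in event_ids:
            continue
        if is_system_account(ev["UserName"]):
            continue
        detail = parse_rule_and_file_data(ev["EventData"])
        rows.append({"TimeGenerated": ev["TimeGenerated"], "Computer": ev["Computer"],
                     "UserName": ev["UserName"], "EventID": ev["EventID"],
                     "parent_name": file_name(detail["file_path"])})
    return rows


def summarize_by_application(events, event_ids=(8002, 8003)) -> list:
    """Mirror of the post's fourth query: (file name, start count), highest count first."""
    counts = Counter(row["parent_name"] for row in application_starts(events, event_ids))
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for row in application_starts(SAMPLE_EVENTS):
        print(row)
    print(summarize_by_application(SAMPLE_EVENTS))
```

On the constructed rows the summary is WINWORD.EXE 2, CODE.EXE 1, EXCEL.EXE 1; restricting event_ids to (8002,) loses CODE.EXE entirely, which is the metering gap an 8002-only query leaves for software installed per user. If you want the 8003 rows in Log Analytics too, change the KQL filter to `EventID in (8002, 8003)` and keep EventID in the project list so the two cases stay distinguishable.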

For more information on the AppLocker event IDs please see: Using Event Viewer with AppLocker (Windows) | Microsoft Learn
