Azure Arc Isn't for workstations and the 'Legacy Agent' is going Away...

David Broggy 5,716 MVP

I have clients that must collect security event logs from some of their windows 10/11 workstations.

Currently we use the 'Legacy Window Agent' to collect these logs, but this is going away.

What options are there for collecting Windows event logs to Sentinel once this legacy agent is gone?

I believe Azure Arc/AMA only supports Windows Server versions and Linux?

Thank you.

Maxim Sergeev 6,571 Reputation points Microsoft Employee

2022-08-05T04:44:43.467+00:00

Hi there,

Microsoft announced and has developed an agent for Windows clients without Arc dependency. It uses Managed Identity.
Try it from here https://video2.skills-academy.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client
David Broggy 5,716 Reputation points MVP

2022-08-05T21:04:05.837+00:00

thanks but still pretty confusing.
the on-prem non-server windows workstations would use the AMA agent - I get that.
The link to the agent is terribly placed - you need a 'secret link' or you need to start the Data Collection rule wizard to find it.
When you run the installer it's not clear what to enter to associate the agent with your tenant/resource group.
David Broggy 5,716 Reputation points MVP

2022-08-06T03:27:18.66+00:00

And I see the pc must be domain joined to Azure AD.
I have a lot of cases where that won't happen, so I guess there will be no support for those devices outside of setting up WEC?
This adds a lot of complexity vs the old way.

azure-monitor-agent-windows-client
Maxim Sergeev 6,571 Reputation points Microsoft Employee

2022-08-06T04:03:56.767+00:00

Yes, old way is less secure because it uses id+key authorization.
AMA uses managed identities which is much more secure. On the other hand, it requires to be joined to AAD to make a transparent transition of data through data collection rules.

Your answer