Detect anomalies in your Intune environment with Azure Cognitive Services – Part 3 Bluescreen of death detection

Welcome to the third part of my series in which I describe ways to get proactive notifications when something in your environment has a problem or error. So that the monitoring does not rely on static thresholds, I use Microsoft Cognitive Services to detect anomalies via machine learning. In this post we take a look at Endpoint Analytics Startup performance bluescreen detection: we want to be notified when an unusually high number of devices report a blue screen or a similar problem.

How we get the data

On the Startup performance > Restart frequency page we get all the information we need. I used the Graph X-Ray tool to find out which Graph endpoint provides this information. By the way, this tool is highly recommended; it makes finding the right Graph call very easy. So now let’s take a closer look at the call in Graph Explorer and adjust it.

This looks like exactly what we need. It gives us a history with the average number of blue screens of death per device as well as the percentage of restarts that were caused by a BSOD.

Now let’s see how we can build proactive anomaly detection using Azure Automation, Cognitive Services and PowerShell.

Deployment of Azure Cognitive Service anomaly detector

  • Click + Create
  • Select a Subscription and Resource group
  • Select a Region and enter the Name of the Anomaly Detector
  • Select the price tier (For testing Free F0 is sufficient)
  • Click Create

Get Teams WebHook URL

  • Create an MS Teams channel and add the webhook connector
  • Copy the WebHook URL

Create an App Registration

  • Search for Azure Active Directory
  • Select App registration
  • Select +New registration
  • Enter a Name and click Register
  • Click API permissions and +Add a permission
  • Select Microsoft Graph
  • Select Application permissions
  • Search for DeviceManagementManagedDevices.Read.All
  • Click Grant admin consent for *** and approve with Yes
  • Select Certificates & secrets and click +New client secret
  • Enter a Description and select an Expires time
  • Click Add
  • Copy and save the Value and the Secret ID

Create Automation Account

  • Search for Automation Accounts
  • Click + Create
  • Select a Subscription and a Resource group
  • Enter an account name and select a Region
  • Click Next
  • Click Next
  • Click Next -> Next -> Create

Create the Runbook

  • Open the Automation Account
  • Navigate to Variables and click + Add a variable
  • Add the Secret Value, TenantId, AnomalyKey, WebHookUri and the App ID as Variable
  • Select Runbooks
  • Click + Create a runbook
  • Enter a Name
  • Select PowerShell as Runbook type
  • Select 5.1 as Runtime version
  • Click Create
  • Insert the script from my GitHub repository
  • Edit the variable $anomalyEndpoint (enter the endpoint of your Cognitive Service here)

Hint: If you want to change the sensitivity of the anomaly detection you can adjust the following attributes in the request body:
– maxAnomalyRatio: The maximum number of anomalies to be detected, as a ratio of the total data points.
– sensitivity: Specify a lower value to ensure that fewer anomalies are accepted.

  • Save and test the script
  • Click Publish
  • Navigate to Schedules and click + Add a schedule
  • Click Link to schedule and add the created schedule
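To make the moving parts of the runbook concrete, here is an added example of the core logic (my own illustration, not the script from the GitHub repository). It assumes the Automation variable names shown, that $graphUri is replaced with the Restart frequency endpoint you found with Graph X-Ray, and that each history item exposes a timestamp and a per-device BSOD value (the property name blueScreenCount is assumed).

```powershell
# Added example: ask the Anomaly Detector whether the latest Endpoint Analytics BSOD data point
# is abnormal compared with its history, and post to Teams only on a spike.
# Assumptions: Automation variable names below; $graphUri and the 'blueScreenCount' property are placeholders.
$tenantId   = Get-AutomationVariable -Name 'TenantId'
$appId      = Get-AutomationVariable -Name 'AppId'
$secret     = Get-AutomationVariable -Name 'Secret'
$anomalyKey = Get-AutomationVariable -Name 'AnomalyKey'
$webHookUri = Get-AutomationVariable -Name 'WebHookUri'
$anomalyEndpoint = 'https://<your-resource>.cognitiveservices.azure.com'            # from the Cognitive Service overview blade
$graphUri        = 'https://graph.microsoft.com/beta/deviceManagement/<restart-frequency-endpoint-from-graph-x-ray>'  # placeholder

# 1. App-only token for Microsoft Graph (client credentials, DeviceManagementManagedDevices.Read.All)
$tokenBody = @{ client_id = $appId; client_secret = $secret; grant_type = 'client_credentials'; scope = 'https://graph.microsoft.com/.default' }
$token = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $tokenBody).access_token

# 2. Pull the restart-frequency history and shape it into the Anomaly Detector series format
$history = (Invoke-RestMethod -Uri $graphUri -Headers @{ Authorization = "Bearer $token" }).value
$series = @($history | Sort-Object timestamp | ForEach-Object {
    @{ timestamp = ([datetime]$_.timestamp).ToString('yyyy-MM-ddT00:00:00Z'); value = [double]$_.blueScreenCount }  # property name assumed
})
if ($series.Count -lt 12) { Write-Output "Only $($series.Count) data points; the Anomaly Detector needs at least 12."; return }

# 3. 'last/detect' judges only the newest point against the learned pattern of the whole series.
#    maxAnomalyRatio and sensitivity are the knobs mentioned in the hint above.
$detectBody = @{ series = $series; granularity = 'daily'; maxAnomalyRatio = 0.25; sensitivity = 95 } | ConvertTo-Json -Depth 5
$result = Invoke-RestMethod -Method Post -Uri "$anomalyEndpoint/anomalydetector/v1.0/timeseries/last/detect" `
    -Headers @{ 'Ocp-Apim-Subscription-Key' = $anomalyKey; 'Content-Type' = 'application/json' } -Body $detectBody

# 4. Alert only on a positive anomaly (BSOD rate above the expected band), not on an unusually quiet day
$latest = $series[-1]
$upper  = [math]::Round($result.expectedValue + $result.upperMargin, 2)
if ($result.isAnomaly -and $result.isPositiveAnomaly) {
    $message = @{ text = "Endpoint Analytics: BSOD value $($latest.value) on $($latest.timestamp) exceeds the expected range (up to $upper). Check for recent driver or update rollouts." } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $webHookUri -ContentType 'application/json' -Body $message
} else {
    Write-Output "No BSOD anomaly: latest value $($latest.value) is within the expected range (up to $upper)."
}
```

Because the API returns expectedValue and upperMargin alongside isAnomaly, the Teams message can state how far the value left the expected band, which makes the alert much easier to triage than a bare "anomaly detected".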

Conclusion

When Bluescreens of Death occur more frequently, it is important to be informed as early as possible, so that you can react immediately, identify the root cause (e.g. a driver update) and stop or fix it right away. I hope this post helps you build such a monitoring so that you are notified early and can react.

Stay healthy, Cheers
Jannik
