
Pushing the MMA Agent with MEM in a smart way

The Microsoft Monitor Agent has had quite a long history with a lot of use cases. In the past it was used to send data to SCOM/OMS products, but nowadays this is often used to send data to Log Analytics/Sentinel.

The Issue

Different teams in your organization might have the need to connect the endpoints to different Log Analytics workspaces. Some might use OMS, some Sentinel and others Update Compliance. To support this, you need the ability to install/uninstall the MMA agent dynamically so that you can easily add/remove different workspaces. While also making sure that the MMA agent is installed when it’s not present yet and that it’s removed when you want to remove the last workspace.

The solution

In order to have this flexibility while installing the MMA agent from Microsoft Endpoint Manager, I have created a custom Win32 application with the PowerShell App Deployment Toolkit (PSADT) as a wrapper.

PSADT should be a tool in every endpoint manager's arsenal. It provides a lot of flexibility in terms of installation, logging and end-user interaction. While this script doesn't have a direct need for it, I tend to wrap all my installations with this toolkit.

The scripts

The complete scripts Deploy-Application.ps1 (which contains installation and removal) and the detection script can be found on GitHub. The rest of the blog post will focus on explaining the different steps in the script and how to configure it for MEM.

At lines 55 and 56 of the script, add the Workspace ID and Key of the workspace you want to add.

$WorkspaceId = "{ID}"
$WorkspaceKey = "{Key}"

Installation

The installation is straightforward. First we check through the registry whether the MMA agent has already been installed (this is done in the pre-installation phase):

$MMAAgentInstalled = $false
if(Test-Path "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup"){
    $MMAAgentInstalled = $true
}

During the installation phase, we use the 'MMAAgentInstalled' variable and add the workspace if the MMA agent is installed. If it isn't installed, we install the agent and pass the ID and key in the installation string. This makes sure that the workspace is added after installation.

if($MMAAgentInstalled){
	$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
	if($mma.GetCloudWorkspace($workspaceID)){
		Write-Log -Message "Workspace is already configured" -Source $deployAppScriptFriendlyName
	}
	else{
		Write-Log -Message "Adding workspace $WorkspaceId" -Source $deployAppScriptFriendlyName
		$mma.AddCloudWorkspace($workspaceId, $workspaceKey)
		$mma.ReloadConfiguration()
	}
}
else{
	$parameters = '/C:"setup.exe /Qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID=' + $WorkspaceId + ' OPINSIGHTS_WORKSPACE_KEY=' + $WorkspaceKey + ' AcceptEndUserLicenseAgreement=1"'
	Write-Log -Message "$parameters" -Source $deployAppScriptFriendlyName 
	Execute-Process -Path "$dirfiles\MMASetup-AMD64.exe" -Parameters $parameters
}

Uninstall

The uninstall has the same flow as the installation. Here we check if multiple workspaces are configured. If there are multiple, only our specific workspace is removed. If there is only one, the MMA agent is uninstalled.

# $mma and $multipleWorkspaces are set earlier in the uninstall phase of the full script;
# they are repeated here (assumed form) so the snippet is self-contained
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$multipleWorkspaces = (@($mma.GetCloudWorkspaces()).Count -gt 1)

if($multipleWorkspaces){
	$mma.RemoveCloudWorkspace($WorkspaceId)
	$mma.ReloadConfiguration()

	Write-Log -Message "Removed workspace $workspaceId" -Source $deployAppScriptFriendlyName
}
else{
	$appInstalled = Get-InstalledApplication -Name "Microsoft Monitoring Agent"
	$appInstalledCount = $(($appInstalled | Measure-Object).Count)
	Write-Log -Message "Detected $appInstalledCount instances of $appName" -Severity 1 -Source $deployAppScriptFriendlyName

	foreach ($appInstallation in $appInstalled) {
		# Strip the quotes and the 'MsiExec.exe /I' prefix in one chain; two separate
		# assignments would discard the first replacement
		$uninstallString = $appInstallation.UninstallString.Replace('"', "").Replace('MsiExec.exe /I', "")
		# -PassThru returns the process result so the exit code can be logged
		$execProcess = Execute-MSI -Action Uninstall -Path $uninstallString -PassThru
		Write-Log -Message "Exit Code: $($execProcess.ExitCode)" -Severity 1 -Source $deployAppScriptFriendlyName
	}
}
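The add/remove decision above is easier to test outside of PSADT first. The following is an added example, not part of the script from the post or of PSADT: it wraps the same AgentConfigManager.MgmtSvcCfg COM object in two functions, one that reports every configured workspace and one that makes the target workspace present or absent, refusing to remove the last workspace so the caller can fall back to uninstalling the agent. The function names are my own; the COM method names come from the documented MMA interface, and the mapping of ConnectionStatus 0 to "connected" is an assumption taken from that documentation.

```powershell
# Added example (not from the original script): helpers around the MMA COM object so the
# workspace logic can be exercised from an elevated PowerShell prompt before wrapping it.

function Get-MMAConfig {
    # Returns $null instead of throwing when the agent (and therefore the COM class) is absent.
    try { New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop }
    catch { $null }
}

function Get-MMAWorkspaceReport {
    # Lists every workspace the agent knows about with its connection state.
    $mma = Get-MMAConfig
    if (-not $mma) { return @() }
    foreach ($ws in $mma.GetCloudWorkspaces()) {
        [pscustomobject]@{
            WorkspaceId = $ws.workspaceId
            Connected   = ($ws.ConnectionStatus -eq 0)   # assumption: 0 = connected
            StatusText  = $ws.ConnectionStatusText
        }
    }
}

function Set-MMAWorkspacePresence {
    param(
        [Parameter(Mandatory)][string]$WorkspaceId,
        [string]$WorkspaceKey,                               # only needed for -Ensure Present
        [ValidateSet('Present', 'Absent')][string]$Ensure = 'Present'
    )
    $mma = Get-MMAConfig
    if (-not $mma) {
        throw "MMA agent is not installed; run the installer with the OPINSIGHTS_* properties instead."
    }

    $existing = @($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId })

    if ($Ensure -eq 'Present') {
        if ($existing.Count -gt 0) { return 'AlreadyPresent' }
        if (-not $WorkspaceKey) { throw "WorkspaceKey is required to add $WorkspaceId" }
        $mma.AddCloudWorkspace($WorkspaceId, $WorkspaceKey)
        $mma.ReloadConfiguration()
        return 'Added'
    }

    # -Ensure Absent
    if ($existing.Count -eq 0) { return 'AlreadyAbsent' }
    if (@($mma.GetCloudWorkspaces()).Count -le 1) {
        # Removing the last workspace leaves an agent that reports nowhere; let the caller
        # decide to uninstall (as the PSADT script does) instead of silently orphaning it.
        return 'LastWorkspace'
    }
    $mma.RemoveCloudWorkspace($WorkspaceId)
    $mma.ReloadConfiguration()
    return 'Removed'
}

# Usage (placeholder IDs, constructed for this example):
# Get-MMAWorkspaceReport | Format-Table
# Set-MMAWorkspacePresence -WorkspaceId '{ID}' -WorkspaceKey '{Key}' -Ensure Present
# Set-MMAWorkspacePresence -WorkspaceId '{ID}' -Ensure Absent
```

The return values are strings rather than booleans so that the calling script can log exactly which branch ran; a 'LastWorkspace' result is the signal to take the uninstall path from the post.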

Detection

Because of our specific use case, we cannot tell Intune to simply check whether the MMA agent is installed, because we might have multiple installers with different workspaces. Instead we need to check whether our specific workspace is added. This can be done through the following detection script:

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
if($mma.GetCloudWorkspace("YourWorkspaceIDHere")){
    Write-Host "Found Workspace"
}
else{
    Exit 1
}

Make sure to add your Workspace ID in the second line.
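As an added example (not the detection script from the post), here is the same check written to tolerate the agent being absent. Intune treats "exit code 0 plus something on stdout" as detected and anything else as not detected, so every failure path must exit non-zero; creating the COM object inside a try/catch keeps a missing agent from producing a noisy null-method error instead of a clean "not detected". The workspace ID is a placeholder you replace; GetCloudWorkspaces() and ConnectionStatusText come from the documented COM interface.

```powershell
# Added example: hardened Intune detection script for one specific workspace.
$WorkspaceId = "{YourWorkspaceIDHere}"   # placeholder, replace with your own ID

try {
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg' -ErrorAction Stop
}
catch {
    # COM class not registered: the MMA agent is not installed, so the workspace cannot be present.
    Exit 1
}

$ws = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }

if ($ws) {
    # Connection state is logged for troubleshooting only. Detection deliberately does not
    # require "connected": otherwise a network outage would make Intune reinstall the app in a loop.
    Write-Host "Found workspace $WorkspaceId ($($ws.ConnectionStatusText))"
    Exit 0
}
else {
    Exit 1
}
```

Because Intune only reads stdout and the exit code, keep the Write-Host line as the only output; any extra output on the not-detected path would be ignored, but any output on a path that exits 0 would be read as "installed".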

Intune configuration

If you want to use this solution in your own MEM environment, download the entire folder from GitHub (this contains my installation script and the PSADT source code). Wrap the entire folder with the Microsoft Win32 Content Prep Tool.

With your .intunewin file created, navigate to endpoint.microsoft.com > Apps > Create a new app and select 'Windows app (Win32)' as the app type.

Upload your .intunewin file and configure the 'App information' according to your needs.

The install and uninstall commands are as follows:
  • Install: Deploy-Application.exe
  • Uninstall: Deploy-Application.exe -DeploymentType Uninstall

For the detection, upload the script you created in the previous step.

Now save your app and assign it to a group of users or devices.

With this solution, you can easily create a separate application for each workspace that you want to configure. Just remember to update 'Deploy-Application.ps1' and the detection script with the correct IDs and keys.

Logging

The advantage of using PSADT for this is its built-in logging. PSADT logs to C:\Windows\Logs\Software, which you can use for easy troubleshooting of software installation and uninstallation.

Closing notes

Before signing off, a few closing notes:

  • This blog post focuses on MEM, but this script can be integrated with any remote management software, as it uses PowerShell in the background.
  • While the future of the MMA agent for Log Analytics is unclear with the announcement of the Azure Monitor Agent, it is currently the product to use if you want to send data to the cloud.
  • I hardcoded the Workspace ID and Key inside the script for security. If you want, you could instead configure the ID and Key as parameters inside PSADT and pass them in your install command in the MEM portal. The downside is that every MEM administrator will then be able to read them easily.
