
Change Tracking and Inventory

This chapter covers Change Tracking and Inventory, two core Azure automation features that monitor configuration changes and software inventory across your Azure and hybrid machines. For the AZ-104 exam, this topic falls under Domain 5 (Monitoring), Objective 5.1, and typically appears in 5–10% of exam questions. You must understand how to enable, configure, and query these features, as well as their dependencies on Log Analytics workspaces, automation accounts, and the Azure Monitor Agent or Log Analytics agent.

25 min read
Intermediate
Updated May 31, 2026

Change Tracking as a Security Camera System

Imagine a high-security warehouse with thousands of items on shelves. You install a network of security cameras that record every time a door opens, a box is moved, or a person enters an area. Each camera captures a snapshot of the shelf before and after any change. The footage is stored in a central server that timestamps every event and logs the details: who moved what, when, and from where to where. An inventory management system periodically scans the warehouse and compares the current state against the last known good state. If a box is missing or a new box appears, the system flags it. Now, if a thief steals a box, you can rewind the footage to see exactly when and how it happened. In Azure, Change Tracking works similarly: it installs an agent on VMs (like cameras) that snapshots the OS files, registry, software, and services at regular intervals. The Log Analytics workspace acts as the central server, storing all change events. When you query for changes, the system compares snapshots and shows you what changed, when, and what the old and new values were. Inventory is like the periodic scan—it collects metadata about installed software, services, and drivers, and stores it for compliance and troubleshooting.

How It Actually Works

What Are Change Tracking and Inventory?

Change Tracking and Inventory are features of Azure Automation that provide visibility into configuration changes and software inventory on Azure VMs, on-premises machines, and other cloud VMs (AWS, GCP) connected to Azure. Change Tracking monitors changes to:

Windows registry

Windows services

Linux daemons

Windows and Linux files

Windows and Linux software

Windows and Linux system services

Inventory collects and displays metadata about installed software, Windows services, Linux daemons, and Windows registry keys.

Why They Exist

In any production environment, configuration drift—unintended changes to system settings, installed software, or services—can lead to security vulnerabilities, compliance violations, or application failures. Change Tracking provides an audit trail of who changed what and when, enabling rapid root cause analysis. Inventory helps maintain an up-to-date catalog of software assets for licensing, compliance, and vulnerability management.

How It Works Internally

Change Tracking and Inventory rely on the Log Analytics agent (formerly Microsoft Monitoring Agent) or the Azure Monitor Agent (AMA). The agent is installed on each VM and communicates with a Log Analytics workspace over HTTPS (port 443). The workspace stores change events and inventory data. An Automation Account is required to manage the feature configuration and to run the tracking solution.

Data Collection Flow:

1. On each VM, the agent collects configuration snapshots at regular intervals (default: every 15 minutes for files and registry, every 30 minutes for services and software).
2. The agent compares the current snapshot with the previous snapshot stored locally.
3. If a change is detected, the agent sends the change event (old value, new value, timestamp, user/process that made the change) to the Log Analytics workspace.
4. The workspace indexes the data and makes it queryable via Log Analytics queries or the Azure portal.
5. Inventory data is collected less frequently (default: every 24 hours) and includes a full list of installed software, services, and daemons.
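The snapshot comparison in steps 1 to 3 can be modelled in a few lines. This is an added example, not the agent's own code: the in-memory `disk` dictionary, the host name `WEB01`, the SHA-256 hashing and the event field names are assumptions made for illustration, and the size limit is the 2 MB figure given on this page.

```python
import fnmatch
import hashlib
from datetime import datetime, timezone

MAX_TRACKED_BYTES = 2 * 1024 * 1024  # file size limit stated on this page


def is_tracked(path, patterns):
    """Case-insensitive wildcard match, as for Windows paths."""
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)


def take_snapshot(files, patterns):
    """Return {path: sha256 hex} for tracked files within the size limit.

    `files` maps path -> bytes and stands in for the local disk.
    """
    snapshot = {}
    for path, content in files.items():
        if is_tracked(path, patterns) and len(content) <= MAX_TRACKED_BYTES:
            snapshot[path] = hashlib.sha256(content).hexdigest()
    return snapshot


def diff_snapshots(previous, current, computer, when):
    """Build one change event per path whose hash differs between snapshots."""
    events = []
    for path in sorted(previous.keys() | current.keys()):
        old, new = previous.get(path), current.get(path)
        if old == new:
            continue
        category = "Added" if old is None else "Removed" if new is None else "Modified"
        events.append({
            "TimeGenerated": when.isoformat(),
            "Computer": computer,
            "ConfigChangeType": "Files",
            "ChangeCategory": category,
            "Path": path,
            "OldValue": old,   # hash in the previous snapshot (None if absent)
            "NewValue": new,   # hash in the current snapshot (None if absent)
        })
    return events


def demo():
    """Constructed data: two collection cycles on a hypothetical host WEB01."""
    patterns = [r"C:\ConfigFiles\*.config"]  # wildcard form used on this page
    disk = {
        r"C:\ConfigFiles\app.config": b"timeout=30",
        r"C:\ConfigFiles\db.config": b"server=db01",
        r"C:\Temp\notes.txt": b"outside the tracked path",
    }
    first = take_snapshot(disk, patterns)
    disk[r"C:\ConfigFiles\app.config"] = b"timeout=0"    # modified
    del disk[r"C:\ConfigFiles\db.config"]                # removed
    disk[r"C:\ConfigFiles\new.config"] = b"debug=true"   # added
    disk[r"C:\Temp\notes.txt"] = b"changed, untracked"   # ignored
    second = take_snapshot(disk, patterns)
    when = datetime(2026, 1, 1, 2, 15, tzinfo=timezone.utc)
    return diff_snapshots(first, second, "WEB01", when)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

In this model a file that is changed and then restored between two collection cycles produces no event, and a file over the size limit never enters the snapshot, so neither shows up in the change log.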

Agent Communication: New deployments use the Azure Monitor Agent (AMA); the legacy Log Analytics agent is still supported. The AMA uses data collection rules (DCRs) to define what to collect. For Change Tracking and Inventory, the Microsoft.EnterpriseManagement.Monitoring solution must be installed in the Log Analytics workspace.

Key Components, Values, Defaults, and Timers

- Log Analytics Workspace: Required. Stores all change and inventory data. Must be in the same region as the Automation Account for Change Tracking.
- Automation Account: Required. Hosts the Change Tracking and Inventory solution configuration. Linked to the Log Analytics workspace.
- Azure Monitor Agent (AMA) or Log Analytics Agent: Installed on each VM. AMA is recommended for new deployments.
- Data Collection Rules (DCRs): For AMA, you define which logs and performance counters to collect. For Change Tracking, you must add the appropriate DCRs.
- Default Collection Frequencies:
  - Files and Registry: every 15 minutes
  - Services and Software: every 30 minutes
  - Inventory: every 24 hours
- Retention: Change data is retained in the Log Analytics workspace according to the workspace’s retention policy (default 30 days for free tier, 31 days for paid tiers, configurable up to 730 days).
- File Tracking: You can specify file paths (including wildcards) to monitor. For Windows, you can also monitor registry keys.
- Inventory: Collects software from Windows (registry Uninstall key) and Linux (RPM/DPKG databases).

Configuration and Verification Commands

Enable Change Tracking and Inventory via Portal:

1. Navigate to Automation Account > Change Tracking and Inventory.
2. Select the Log Analytics workspace.
3. Choose VMs to enable (Azure VMs or non-Azure machines).
4. For Azure VMs, the agent can be automatically installed. For non-Azure, install manually.

Enable via PowerShell:

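```powershell
# Requires the Az.Automation, Az.OperationalInsights and Az.MonitoringSolutions modules.
$automationAccount = Get-AzAutomationAccount -ResourceGroupName 'RG' -Name 'AutoAcc'  # confirms the account exists
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'RG' -Name 'LAW'
# Add the ChangeTracking solution to the workspace.
$solution = New-AzMonitorLogAnalyticsSolution -Type 'ChangeTracking' -ResourceGroupName 'RG' -Location $workspace.Location -WorkspaceResourceId $workspace.ResourceId
```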

Query changes using Log Analytics:

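```kusto
// Software changes recorded in the last 24 hours.
ConfigurationChange
| where TimeGenerated > ago(24h)
| where ConfigChangeType == 'Software'
// Previous and Current hold the prior and current values for software records.
| project TimeGenerated, Computer, SoftwareName, Previous, Current
```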

Manual agent installation on Windows:

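```cmd
MMASetup-AMD64.exe /c /t:<ExtractPath>
<ExtractPath>\setup.exe /qn NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID="<WorkspaceID>" OPINSIGHTS_WORKSPACE_KEY="<PrimaryKey>" AcceptEndUserLicenseAgreement=1
```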

Interaction with Related Technologies

Azure Policy: Can enforce that VMs have Change Tracking enabled via built-in policies like "[Preview]: Configure Change Tracking for VMs".

Azure Monitor: Change data is stored in Log Analytics workspace and can be visualized in workbooks or used for alerts.

Azure Automation Update Management: Uses the same Log Analytics workspace and agent; Change Tracking can correlate changes with update failures.

Azure Security Center / Defender for Cloud: Uses inventory data for vulnerability assessment and threat detection.

Limitations and Considerations

Agent Dependency: Without the agent, no data is collected.

Scale: Large numbers of VMs generate significant data volume, which incurs costs. Use data collection rules to filter.

File Size Limit: The agent can track files up to 2 MB in size.

Registry Monitoring: Only supports registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion and a few other predefined paths. Custom paths must be added manually.

Linux File Monitoring: Requires the agent to have read permissions on the file path.

Data Latency: Changes may take up to 15 minutes to appear in the portal.

Troubleshooting

Agent not reporting: Check if the agent is running (services.msc > HealthService). Verify network connectivity to the workspace endpoint (e.g., <WorkspaceID>.oms.opinsights.azure.com).

No data in portal: Ensure the Change Tracking solution is added to the workspace. Check if the VM is enabled in the Automation Account.

Inventory missing software: Verify that the software is installed correctly and the agent can read the registry (Windows) or package database (Linux).

Walk-Through

1. Create a Log Analytics Workspace

The Log Analytics workspace is the central repository for all change and inventory data. When you create a workspace, specify a name, subscription, resource group, and region. The region must match the region of the Automation Account for Change Tracking. The workspace pricing tier (Pay-as-you-go, Per GB, etc.) determines data retention and cost. For Change Tracking, you need at least the free tier (500 MB/day) or a paid tier. After creation, note the Workspace ID and primary key, as they are required for agent configuration.

2. Create or Select an Automation Account

An Automation Account is required to manage Change Tracking and Inventory. If you don't have one, create it in the same region as the workspace. The Automation Account can be linked to only one Log Analytics workspace at a time for Change Tracking. When you enable Change Tracking for the first time, you must link the Automation Account to the workspace. This linkage is done automatically if you enable through the portal, but can be done manually via PowerShell. The Automation Account stores the solution configuration and runbooks that manage data collection.

3. Install the Azure Monitor Agent on VMs

For each VM you want to monitor, install the Azure Monitor Agent (AMA). For Azure VMs, this can be done automatically from the portal when enabling Change Tracking. For hybrid machines, use the installation script or manual steps. The agent communicates with the Log Analytics workspace over HTTPS. It collects configuration snapshots at regular intervals and compares them to detect changes. The agent must be running as a service (e.g., HealthService on Windows). If the agent is not installed or is disconnected, no data will be collected.

4. Enable Change Tracking and Inventory in the Automation Account

In the Azure portal, navigate to your Automation Account and select 'Change Tracking and Inventory' under Configuration Management. Click 'Enable'. You will be prompted to select a Log Analytics workspace. After linking, the solution is deployed to the workspace. This step installs the 'ChangeTracking' and 'InfrastructureInsights' solutions in the workspace. You can then select which VMs to enable. For each VM, the agent is installed (if not already) and the VM is added to the scope. The portal shows a list of VMs and their status (enabled, not enabled, not connected).

5. Configure What to Track

By default, Change Tracking monitors Windows services, Linux daemons, and software inventory. You can add custom file paths and registry keys. In the portal, under Change Tracking > Edit Settings, you can add file paths (e.g., C:\ConfigFiles\*.config). For registry, you can add keys like HKLM\Software\MyApp. These settings are stored in the Automation Account and pushed to the agents. The agent then includes these paths in its snapshot comparison. The default collection interval for files and registry is 15 minutes, but you can change it per path (minimum 5 minutes).

6. Query and Review Change Data

Once data is flowing, you can view changes in the portal under Change Tracking. The dashboard shows a summary of recent changes. For detailed queries, use Log Analytics. For example, to see all file changes: `ConfigurationChange | where ConfigChangeType == 'Files'`. You can also set up alerts based on change events, e.g., when a critical file is modified. The data can be exported to Excel or Power BI. Inventory data is available under the Inventory blade, showing installed software, services, and drivers.

What This Looks Like on the Job

Enterprise Scenario 1: Compliance Auditing for Financial Services

A financial services company must comply with PCI DSS, which requires tracking all changes to critical system files and registry keys on payment processing servers. They deploy Change Tracking on 200 Windows Server VMs. They configure file tracking for C:\Program Files\PaymentApp\*.config and registry tracking for HKLM\Software\PaymentApp. The Log Analytics workspace retains data for 1 year. The compliance team runs weekly queries to generate change reports. They also set up alerts for any changes to the payment application configuration files, triggering an incident response. The biggest challenge is data volume—each VM sends change events every 15 minutes, resulting in ~10 GB of data per month. They optimize by filtering out known-good changes (e.g., scheduled updates) using Log Analytics queries.

Enterprise Scenario 2: Software License Management in a Large Enterprise

A multinational corporation with 10,000 VMs uses Inventory to track software installations across Azure and on-premises. They need to ensure no unlicensed software is installed and to plan for license renewals. Inventory collects software names, versions, and publishers. The IT team runs monthly reports to identify unauthorized software (e.g., any instance of a non-approved media player). They also use Inventory to identify VMs with outdated software for patching. The scale requires careful cost management; they use data collection rules to exclude certain software categories (e.g., standard OS components) to reduce data ingestion. A common issue is that Inventory may miss software installed outside standard locations (e.g., portable apps), so they combine Inventory with Change Tracking for file-level monitoring.

Scenario 3: Security Incident Investigation

A security team suspects a breach after a critical service stopped running. They use Change Tracking to see if any services were modified. They query: `ConfigurationChange | where ConfigChangeType == 'WindowsServices' | where Computer == 'SQLServer01' | project TimeGenerated, ServiceName, OldState, NewState, InitiatingUser`. They find that the SQL Server service was stopped by an unknown user at 2:00 AM. They also check file changes and find that a DLL was replaced. This evidence helps them contain the incident and patch the vulnerability. Without Change Tracking, they would have had to manually inspect logs from multiple sources.
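Scenario 1's filtering of known-good changes and Scenario 3's review of service and file changes both come down to triaging change records. The sketch below is an added example, not code from this page: the records are constructed, `Item` is a simplified stand-in field, and the Sunday 01:00 to 03:00 UTC maintenance window and the host name `PAY01` are assumptions.

```python
import fnmatch
from datetime import datetime, time

# Assumptions made for this example (not stated on the page):
WINDOW_WEEKDAY = 6                                 # Sunday (Monday == 0)
WINDOW_START, WINDOW_END = time(1, 0), time(3, 0)  # UTC maintenance window
SUPPRESSIBLE_TYPES = {"Software", "WindowsServices"}
# Tracked path from Scenario 1; changes here are never suppressed.
WATCHED = [r"C:\Program Files\PaymentApp\*.config"]

# Constructed records; "Item" is a simplified stand-in for the changed object.
SAMPLE = [
    {"TimeGenerated": "2026-01-04T01:30:00+00:00", "Computer": "PAY01",
     "ConfigChangeType": "Software", "Item": "PaymentApp Runtime"},
    {"TimeGenerated": "2026-01-04T01:45:00+00:00", "Computer": "PAY01",
     "ConfigChangeType": "Files",
     "Item": r"C:\Program Files\PaymentApp\web.config"},
    {"TimeGenerated": "2026-01-07T02:00:00+00:00", "Computer": "SQLServer01",
     "ConfigChangeType": "WindowsServices", "Item": "MSSQLSERVER"},
    {"TimeGenerated": "2026-01-07T02:05:00+00:00", "Computer": "SQLServer01",
     "ConfigChangeType": "Files", "Item": r"C:\App\bin\helper.dll"},
]


def in_window(ts):
    """True when the timestamp falls inside the weekly maintenance window."""
    return (ts.weekday() == WINDOW_WEEKDAY
            and WINDOW_START <= ts.time() < WINDOW_END)


def is_watched(item):
    """Case-insensitive wildcard match against the watched paths."""
    return any(fnmatch.fnmatchcase(item.lower(), p.lower()) for p in WATCHED)


def classify(record):
    """Return 'alert', 'suppressed' or 'review' for one change record."""
    ts = datetime.fromisoformat(record["TimeGenerated"])
    # Watched files are checked first so the window can never hide them.
    if record["ConfigChangeType"] == "Files" and is_watched(record["Item"]):
        return "alert"
    if record["ConfigChangeType"] in SUPPRESSIBLE_TYPES and in_window(ts):
        return "suppressed"
    return "review"


def triage(records):
    """Group records by classification, oldest first within each group."""
    buckets = {"alert": [], "review": [], "suppressed": []}
    for record in sorted(records, key=lambda r: r["TimeGenerated"]):
        buckets[classify(record)].append(record)
    return buckets


if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(label, [(r["Computer"], r["Item"]) for r in items])
```

The order of the checks in `classify` matters: a suppression rule scoped only by time would also hide the configuration file change made during the window.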

How AZ-104 Actually Tests This

1. Exactly What AZ-104 Tests (Objective 5.1)

The exam expects you to know:

How to enable Change Tracking and Inventory via the portal and PowerShell.

The dependencies: Log Analytics workspace, Automation Account, agent.

Default collection frequencies: 15 min for files/registry, 30 min for services/software, 24 hours for inventory.

How to add custom file paths and registry keys.

How to query change data using Log Analytics (simple KQL like ConfigurationChange).

The difference between Change Tracking and Inventory.

How to configure for hybrid machines (non-Azure).

2. Common Wrong Answers and Why Candidates Choose Them

- Wrong: 'Change Tracking can be enabled without a Log Analytics workspace.' Reality: A workspace is mandatory; the feature stores data there.
- Wrong: 'Inventory collects data every 15 minutes.' Reality: Inventory runs every 24 hours; Change Tracking runs more frequently.
- Wrong: 'You use the Azure Diagnostics extension for Change Tracking.' Reality: The Log Analytics agent (or AMA) is required; Diagnostics extension collects performance counters, not configuration changes.
- Wrong: 'Change Tracking monitors network security group changes.' Reality: Change Tracking monitors OS-level changes (files, registry, services, software); network changes are tracked by Azure Network Watcher or Azure Policy.

3. Specific Numbers and Terms That Appear on the Exam

- Default file/registry tracking interval: 15 minutes.
- Default service/software tracking interval: 30 minutes.
- Default inventory interval: 24 hours.
- Agent: Azure Monitor Agent (AMA) or Log Analytics agent (MMA).
- Solution names: 'ChangeTracking' and 'InfrastructureInsights'.
- Required resource: Automation Account.
- KQL table: ConfigurationChange.

4. Edge Cases and Exceptions

- If a VM is moved to a different resource group, you must re-enable Change Tracking.
- For Linux, file tracking requires the agent to have read access; if not, changes are not detected.
- Registry tracking is limited to certain hives; custom hives must be added manually.
- Change Tracking does not track Azure Resource Manager resource changes (e.g., VM size changes); that's Azure Activity Log.

5. How to Eliminate Wrong Answers

- If a question asks about 'configuration changes on a VM', look for options that include Log Analytics workspace and Automation Account. Eliminate any that mention Storage Account or Event Hub as primary storage.
- If the question says 'real-time changes', remember that Change Tracking is not real-time (15 min delay). Eliminate 'immediate' or 'real-time' options.
- If the question involves 'software inventory', the answer should mention the Inventory feature, not Change Tracking.
- For hybrid machines, the correct answer includes installing the agent and connecting to the workspace.

Key Takeaways

Change Tracking monitors files, registry, services, and software on VMs; Inventory provides a full snapshot of installed software every 24 hours.

A Log Analytics workspace and an Automation Account are required for Change Tracking and Inventory.

Default collection intervals: 15 minutes for files/registry, 30 minutes for services/software, 24 hours for inventory.

The Azure Monitor Agent (AMA) or Log Analytics agent must be installed on each VM.

Use the `ConfigurationChange` table in Log Analytics to query change data.

Change Tracking does not track Azure resource changes; use Azure Activity Log for that.

For hybrid machines, install the agent manually and connect to the Log Analytics workspace.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Change Tracking

Monitors OS-level changes: files, registry, services, software.

Requires Log Analytics agent and Automation Account.

Data stored in Log Analytics workspace, queryable via KQL.

Default collection interval: 15-30 minutes.

Best for auditing configuration drift on VMs.

Azure Activity Log

Monitors Azure resource management changes: create, update, delete.

No agent required; enabled by default for all subscriptions.

Data stored in Activity Log, can be exported to Log Analytics.

Events appear within minutes of the operation.

Best for tracking who changed Azure resources and when.

Watch Out for These

Mistake

Change Tracking captures changes in real-time.

Correct

Change Tracking polls every 15 minutes for files/registry and 30 minutes for services/software. There is a delay of up to 15 minutes before changes appear in the portal.

Mistake

Inventory and Change Tracking are the same feature.

Correct

Inventory collects a full list of installed software and services every 24 hours. Change Tracking detects changes to those items and reports old and new values.

Mistake

You can enable Change Tracking without an Automation Account.

Correct

An Automation Account is mandatory. It stores the solution configuration and manages the data collection.

Mistake

Change Tracking can monitor changes to Azure resources like virtual networks.

Correct

Change Tracking only monitors OS-level configurations (files, registry, services, software). Azure resource changes are tracked via Azure Activity Log or Azure Policy.

Mistake

The Log Analytics agent is optional if you use the Azure Monitor Agent.

Correct

The Azure Monitor Agent is the replacement for the Log Analytics agent. One of the two is required; you cannot omit both.


Frequently Asked Questions

What is the difference between Change Tracking and Inventory in Azure Automation?

Change Tracking monitors and logs changes to configuration items like files, registry keys, services, and software on VMs. It records the old and new values, timestamps, and the user/process that made the change. Inventory, on the other hand, collects a full list of installed software, Windows services, and Linux daemons at regular intervals (default 24 hours). Inventory provides a point-in-time snapshot, while Change Tracking provides a historical log of changes. Both are part of the same solution and require the same dependencies.

How do I enable Change Tracking for an existing Azure VM?

In the Azure portal, navigate to your Automation Account and select 'Change Tracking and Inventory' under Configuration Management. Click 'Enable', select the Log Analytics workspace, and then choose the VM from the list. The agent will be automatically installed if not already present. Alternatively, you can enable from the VM's blade: go to the VM, select 'Change Tracking' under Operations, and follow the prompts. For PowerShell, use `New-AzMonitorLogAnalyticsSolution` to add the solution and then enable the VM.

Can Change Tracking monitor Linux VMs?

Yes. Change Tracking supports Linux VMs. It monitors Linux daemons, files, and software (via RPM/DPKG databases). The same Log Analytics agent (or AMA) must be installed. File tracking requires the agent to have read permissions on the monitored paths. The default collection intervals are the same as for Windows.

What are the costs associated with Change Tracking and Inventory?

The feature itself is free, but you pay for data ingestion into the Log Analytics workspace. The cost depends on the workspace pricing tier (Pay-as-you-go, Per GB, etc.) and the volume of change events. Each change event is a log entry. To reduce costs, you can limit the number of monitored paths, increase collection intervals, or use data collection rules to filter out certain events. There is also a free tier (500 MB/day) that may suffice for small environments.

How do I view change data for a specific VM?

In the Azure portal, go to the Automation Account > Change Tracking and Inventory. Select the 'Change Tracking' tab. You can filter by VM name, time range, and change type. For more detailed queries, use Log Analytics. For example: `ConfigurationChange | where Computer == 'MyVM' | project TimeGenerated, ConfigChangeType, ItemName, OldValue, NewValue`. This returns all changes for that VM.

What is the maximum number of VMs that Change Tracking can support?

There is no hard limit, but performance and cost are considerations. The Log Analytics workspace can handle millions of events per day. However, each VM generates change events at regular intervals. For large deployments (thousands of VMs), you should use data collection rules to filter out unnecessary changes and consider scaling the workspace tier. The Automation Account can manage up to 1000 VMs per account; beyond that, use multiple Automation Accounts.

Can I get alerts when a specific file changes?

Yes. You can create an alert rule in Azure Monitor that queries the `ConfigurationChange` table. For example, create a log alert that fires when `ConfigurationChange | where ItemName contains 'critical.config'` returns any results. The alert can trigger an action (email, webhook, runbook). Note that there is a delay of up to 15 minutes between the change and the alert.
