You are invited to October HERO Sessions !!! Mark your calendar


 To know more scroll down. 

  Join our latest HERO sessions!  
  IT Heroes, our aim is to keep you updated on anything and everything IT-related in the region, from the latest news on Microsoft products and services, to new innovations and tools. Now you can get all this and more through:  
Monthly HERO events and sessions.
Monthly technical newsletter with latest technology updates.
Subscribe Here
HERO Portal. Get in Touch.
  Make sure to clear your schedule so you can catch up on what IT Pros and Developers like yourself have been buzzing about and waiting for.

kindly note that the 2 sessions are at the same time so please Register for the sessions that interest you.

First Session:
Visual Studio 2013 – Reality Behind Codestan
Second Session:
Developing Windows Azure and Web Services Jump Start
Date: Saturday 25th of October
Time: 10:30AM – 3:00PM
Presenter: Ahmed Ramy & Amr Yousef
Venue: The Greek Campus , 28 Falaki Street, bab el luk, downtown.

Register Now
Date: Saturday 25th of October
Time: 10:30AM – 3:00PM
Presenter: Ahmed Sengab
Venue: The Greek Campus , 28 Falaki Street, bab el luk, downtown.

Register Now
  First Session:  
  Visual Studio 2013 – Reality Behind Codestan  
  So how is it going in your office? Do you feel it is chaotic, unplanned and ad-hoc!. Is that the case especially for software department/unit? We call that codestan, a land for coders and techies where it is exactly as your environment. If you are a codestan-er then seize the opportunity to attend this HERO session and get to know more about Visual Studio 2013, productivity features and more….

Before coming to the session boost your Technical Skills, Earn Points and get Free Microsoft certificates for each course that you complete with Microsoft Virtual Academy

Related courses:
C# Fundamentals for Absolute Beginners
Programming in C# Jump Start

  Second Session:  
  Developing Windows Azure and Web Services Jump Start  
  Web developers!!! Are you looking for ways to increase your reach and reduce your work? Do you want find out how to build Web API or WCF services that can access data and are hosted on Windows Azure? If your answer is YES, so seize the opportunity to attend this HERO Session. Get to know more about how to build services that can be accessed by apps across multiple devices and get the end-to-end scenario for building the entire application.

Before coming to the session boost your Technical Skills, Earn Points and get Free Microsoft certificates for each course that you complete with Microsoft Virtual Academy

Related courses:
Windows Azure Web Sites – Deep Dive Jump Start
Developing Windows Azure and Web Services Jump Start
Windows Azure SQL Database
Windows Azure Pack: Infrastructure as a Service Jump Start

  See you there!

Microsoft Egypt


Microsoft respects your privacy. Please read our online Privacy Statement.

If you would prefer not to receive future promotional emails from Microsoft Corporation please click here. These settings will not affect any newsletters you’ve requested or any mandatory service communications that are considered part of certain Microsoft services.

To set your contact preferences for Microsoft Communications, click here.

%%Member_City%%, %%Member_State%% %%Member_PostalCode%% %%Member_Country%%


Microsoft Azure Infrastructure as a Service – Part 1

Microsoft Azure is offering among its different services, the Virtual Machine which is considered the infrastructure as a Service, the layer where you can create, deploy, migrate and manage Virtual Machine with different kind of operating systems provided by Microsoft or by third certified parties. It can run Microsoft Technology like the Windows server 2008 or Server 2012 or non-Microsoft technology like Linux, SUSE and so on. The Azure Virtual machine also provide you with different solution that…(read more)

Booting Windows 8.1 Update natively from a .VHDX image

This is very useful when you need to boot Windows natively, but you need to have different environments, like working with BETAS/CTPs, etc., like it is my case. ;)

In many cases HyperV might not suitable for you, for instance, if I want to deploy mobile apps from Visual Studio (Windows Phone apps or Xamarin apps to Android devices), I’d need to connect the mobile devices to USB ports. But, HyperV VMs don’t support USB connections to devices, etc…

In the past, I used to follow more complex steps in order to create a Windows 8 or Windows 7 .VHD master image, then booting natively my machine by configuring the boot options with bcdedit. Here’s my old post:

I found a newer and shorter way to do it, therefore, a better way. I’m also using now .VHDX rather than .VHD, since I’ll be using Windows 8.1 or further.

Here are the steps. Pretty simple, actually! :)

1. You need to have any Windows .ISO image, like a “Windows 8.1 Enterprise with Update (x64) – DVD (English)” from MSDN subscription, or any other version.

2. Download Convert-WindowsImage.ps1 from Microsoft TechNet Gallery ( ) and copy it to a temporary directory.

3. Start the PowerShell console in administrator mode

4. Before executing the PowerShell script, you’ll need to allow scripts executions in the policies of your machine or user. If you want to allow that at a local machine scope, run the following command in the PowerShell console:

Set-ExecutionPolicy Unrestricted -Scope LocalMachine

For more info about those policies, read the following:

5. Run the script you downloaded as:

.Convert-WindowsImage.ps1 –ShowUI

6. In the window, choose the required Windows ISO file

7. Choose the SKU (Like Enterprise or Professional)

8. Choose the VHD/VHDX Format (I go for VHDX since I don’t require legacy compatibility and the new VHDX format is more reliable)

9. Select Type. For production systems, I recommend “Fixed”, but for development and testing with betas, since I need many incremental versions, I use “Dynamic” so when the .VHDX is not being used, it will have a much smaller size, just the MB being used.

10. For the size, I go for the maximum allowed by the tool, which is 100GB. But, after installing Windows and if the .VHDX is not being used, it will take just around 8GB or less. But you know, it will grow, eventually.. ;)


12. Hit and burn the VHDX! :)


In the PowerShell console, you’ll see something like the following:


Since my .VHDX is Dynamic and it is still not mounted, its size was just something less than 8GB! :)


MOUNT the .VHDX as a drive in your machine

Right-click the VHDX and mount it. In my case I got the M: as my mounted drive.

STEPS to BOOT natively from the VHDX

The following steps are needed to make your computer boot from the VHDX file:
1.Open an administrative command prompt via WIN+X Command Prompt (Admin)
2.Type bcdboot M:Windows in order to create the boot files in your .VHDX drive.

3. Now, you don’t need to have the drive mounted, so, un-mount it by right clicking the drive (M: in my case) and select on “Eject” 

4. Type bcdedit /v to see the result in the Windows Boot Loader section. You’ll see something like the following.

Search for the path to your .VHDX file:


5. Taking the GUID identifier you can change the description in your bootlist by typing:

bcdedit /set {52770d04-0937-11e4-a590-c8d719662ef2} description “Windows 8.1 Enterprise .VHDX”

(Of course, you should have and use a different GUID..)


Check it out by typing bcdedit /v again and searching for the path to your .VHDX and the new description:


You can also check it out in the Computer properties –> Advanced System Settings –> Advaced –>Startup and Recvovery –>Settings button:


If you had configured Hyper-V on your Windows 8.1 computer, don’t forget to enable the hypervisor launchtype:

bcdedit /set hypervisorlaunchtype auto

When messing with the startup, it rebuilds your boot configuration data store. But it doesn’t know if Hyper-V needs to have some specific settings enabled in the boot configuration data store in order to start the hypervisor. In any case, this is not related and you just need to do it if you also have HyperV installed.

Aditionally, bcdedit has many useful options, like copying an entry for pointing to another .VHDX that you just copied in your hard drive, etc. Just type bcdedit /? to check it out or see other options that I explain at the end of my old post:

If you reboot your machine, you’ll be able to select the new NATIVE WINDOWS BOOT but from a .VHDX! :)


Have fun! :)

Advisor Search How To: Part II – More on Filtering, using Boolean Operators, the Time Dimension, Numbers and Ranges

This is the second installment of a Series (I don’t know yet how many posts they will be in the end) that walks thru the concepts of System Center Advisor Search Syntax – while the full documentation and syntax reference is here, these posts are meant to guide your first steps with practical examples. I’ll start very simple, and build upon each example, so you can get an understanding of practical use cases for how to use the syntax to extract the insights you need from the data.

In my first post I introduced filtering, querying by keyword or by a field’s exact value match, and some Boolean operators. If you have not read that yet, please do, then come back to this one.

In this second post we’ll build upon those concepts, and try some slightly more elaborate filters.

So we left the other post with a query like

EventLog=Application OR EventLog=System

Since we haven’t specified additional filters, this query will return the entries for both event logs for ALL Computers that have sent such data

EventLog=Application OR EventLog=System

Clicking on one of the fields/filters will narrow down the query to a specific computer, excluding all other ones; the query would become something like

EventLog=Application OR EventLog=System

which, as you’ll remember, given the implicit AND, is the same as

EventLog=Application OR EventLog=System AND

and gets evaluated in this explicit order – look at the parenthesis

(EventLog=Application OR EventLog=System) AND

Now, just like for the event log field, you can bring back data only for a SET of specific machines, by OR’ing them

(EventLog=Application OR EventLog=System) AND ( OR OR

Similarly, this other query will bring back % CPU Time only for the selected two machines

CounterName=”% Processor Time”  AND InstanceName=”_Total” AND ( OR

and so forth.


Now, it should be enough with Boolean operators.

Let’s look at something else: with datetime and numeric fields, you can also search for values GREATER THAN, LESSER THAN OR EQUAL, etc – we use the simple operators  >, < , >=, <= , != for this.

For example I can query a specific event log for just a specific period of time, i.e. the last 24 hours can be expressed with the mnemonic expression below

EventLog=System TimeGenerated>NOW-24HOURS

Sure, you can also control the time interval graphically, and most times you might want to do that,

Time Controls and Selectors in System Center Advisor Search

but there are advantages about including a time filter right into the query:

  1. it works great with dashboards where you can override the time for each tile this way, regardless of the ‘global’ time selector on the dashboard page (Stas already described why this is useful)
  2. it will be great once we have scheduling of queries to use in a monitoring fashion to periodically ‘keep an eye’ on certain things or KPI’s

When filtering by time, keep in mind that you get results for the INTERSECTION of the two time windows: the one specified in the UI (S1) and the one specified in the query (S2).


This means, if the time windows don’t intersect (i.e. UX is asking for ‘this week’ and the query is asking for ‘last week’) then there is no intersection and you get no results.


Those comparison operators we used for the TimeGenerated field are also useful in other situations, for example with numeric fields.

For example, given that Advisor Legacy Configuration Assessment’s Alerts have the following Severities: 0 = Information , 1 = Warning , 2 = Critical. You can query for both ‘warning’ and ‘critical’ alerts and exclude informational ones with this query

Type=Alert  Severity>=1


Last but not least, we support range queries. This means you can provide the beginning and the end of a range of values in a sequence. Example: Show me the Events from the Operations Manager event log where the EventID is greater or equal to 2100 but no greater than 2199 (these would be Health Service Modules errors mostly around connectivity issues with Advisor, BTW)

Type=Event EventLog=”Operations Manager” EventID:[2100..2199]

Type=Event EventLog="Operations Manager" EventID:[2100..2199]

[Note that for the range syntax you MUST use the ‘:’ colon field:value separator and NOT the ‘equal’ sign, enclose the lower and upper end of the range in square brackets and separate them with two dots ‘..’]

And that’s all for this time around! Hoping you are learning something useful and applicable to your needs with this tutorial, and onto the next post in the series, where I will start looking at the “|” pipeline and begin exploring search commands!

Till then, happy searching!

Advisor Search How To: Part I – How to filter big data

With this blog post I am starting a series where I walk thru some concepts of the System Center Advisor Search Syntax – the full documentation and syntax reference is here, but these posts are meant to guide your first steps with practical examples. I’ll start very simple, and build upon each example, so you can get an understanding of practical use cases for how to use the syntax to extract the insights you need from the data.

The first thing to know that the first part of a search query (before any “|” vertical pipe character – of which we’ll talk in a future blog post) is always a FILTER – think of it as a WHERE clause in TSQL: it determines WHAT subset of data to pull out of the system, from the Big Data store. After all, Searching a Big Data store is largely about specifying the characteristics of the data we want to extract, so it is natural that a query would start with the WHERE clause.

The most basic filters you can use are KEYWORDs – such as ‘error’ or ‘timeout’, or a computer name – this type of simple queries will generally return diverse shapes of data within the same result set. This is because we have different Types of data in the system – my ‘query for ‘error’ in the screenshot below returned 100K ‘Event’ records (collected by the Log Management feature), 18 ‘Alerts’ (generated by Advisor Configuration Assessment) and 12 ‘ ConfigurationChange’ (captured by the Change Tracking Intelligence Pack):

Types of System Center Advisor Search Results

These are NOT really object types/classes: if you are familiar with OpsMgr, please try to FORGET all you know about Classes and Objects in SCOM! It’s much easier here: Type is just a tag, or a property, a string/name/category, that is attached to a piece of data.

Some documents in the system are tagged as Type:Alert and some are tagged as Type:PerfHourly, or Type:Event… you get the idea.

Each search ‘result’ (or document, or record, or entry) shows all the raw properties and their values for each of those pieces of data, and you can use those field names to specify in the filter that you want to retrieve only the records where the field has that given value.

‘Type’ is really just a field that all records have, but it is for any practical use not different from any other field.

Anyhow, by convention, we established that based on the value of the ‘Type’ field, that record will have a different ‘shape’ or form (different fields). Incidentally, Type=PerfHourly, or Type=Event is also the syntax that you need to learn to query for hourly performance data aggregates or events.

[Note that you can use either a colon or a equal sign after the field name and before the value: Type:Event and Type=Event are absolutely identical in meaning, you can chose the style you prefer.]

So, if the Type=PerfHourly records have a field called ‘CounterName’, you can write a query like Type=PerfHourly CounterName=”% Processor Time”  

this will give you only the performance data where the performance counter name is “% Processor Time”.

You can also be more specific and throw a InstanceName=”_Total” in there (if you know Windows Performance Counters, you know what I am talking about).

Also you can click on a facet and another field:value filter will be automatically added to your filter in the query bar – i.e. screenshot below shows you where to click to add InstanceName:’_Total’ to the query without typing

Interacting with Fields / Filters / Facets in System Center Advisor Search

Your query now becomes

Type=PerfHourly CounterName=”% Processor Time” InstanceName=”_Total”

Note that you DO NOT HAVE to specify Type=PerfHourly at all to get to this result. Since the fields ‘CounterName’ and ‘InstanceName’ (at the time of this writing) only exist on records of Type=PerfHourly, even just the query below is specific enough to bring back the exact same results as the longer, previous one

CounterName=”% Processor Time” InstanceName=”_Total”

This is because all the filters in the query are evaluated as being in AND with each other: effectively, the more fields you add to the criteria, the less and more specific/refined results you get.

For example this query 
Type=Event EventLog=”Windows PowerShell”
is identical to this query

Type=Event AND EventLog=”Windows PowerShell”

and it will return all events that were logged in (and collected from) the ‘Windows Powershell’ eventlog in windows. If you add a filter multiple times (i.e. clicking repeatedly on the same facet), the issue is purely cosmetic: it might clutter the search bar but still returns the same identical results since the implicit AND operator is always there.

You can easily reverse the implicit AND operator by using a NOT operator explicitly, i.e.:

Type:Event NOT(EventLog:”Windows PowerShell”)

or (equivalent)

Type=Event EventLog!=”Windows PowerShell”
this will return all events from ALL OTHER logs, that are NOT the ‘Windows Powershell’ log.

Or you can use other Boolean operator, such as ‘OR’: the query below returns back records for which the EventLog is either Application OR System

EventLog=Application OR EventLog=System

With the above query you’ll get entries for BOTH logs in the same result set.

While removing the OR (hence leaving the implicit AND in place) such as the following query

EventLog=Application EventLog=System

Will produce NO results – because there isn’t a event log entry that belongs to BOTH logs – each event log entry was written in just to one of the two logs.


Till the next installment. I’ll try to keep a frequent pace.

Useful Advisor Search Query Collection

This is a living document that will be periodically updated to collect useful, well-known, or sample queries to use in the Search experience in System Center Advisor Preview.

I dump new useful searches here as I come up with or stumble into them. Will keep this post periodically updated, so check it from time to time or subscribe to it.

These are some of the queries I use in my own Advisor account’s dashboard

My Dashboard in System Center Advisor

I hope this will provide useful examples to learn from… but reminder the full query language reference is published here: when you don’t understand why a given search magically works (or doesn’t) in your environment Smile

They are grouped by broad categories that generally map to the Intelligence Pack that produces a specific ‘Type’ of data.


General Exploration Queries

Which Management Group is generating the most data points?
* | Measure count() by ManagementGroupName

Distribution of data Types
* | Measure count() by Type

List all Computers
ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace | measure max(SourceSystem) by Computer | Sort Computer

List all Computers with their most recent data’s timestamp
ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace | measure max(TimeGenerated) by Computer | Sort Computer

List all Computers whose last reported data is older than 4 hours
ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace | Measure Max(TimeGenerated) as LastData by Computer | Where LastData<NOW-4HOURS | Sort Computer

Note – the ObjectName!= filters in the three queries above is just a workaround to filter out some performance data whose target object in SCOM is NOT a ‘Computer’, hence will have a improper value in that field.

Note#2 – if you see ‘duplicate’ computer names (the NETBIOS name and the FQDN for the same machine listed as distinct computer), this might be due to IIS Logs – see post here where I describe the issue with the ‘Computer’ field . If you know you have *other* data for that computer for sure – not just IIS logs – you can then easily filter those out (another workaround) and the last query above now becomes

Type!=W3CIISLog ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace ObjectName!=”Advisor Metrics” ObjectName!=ManagedSpace | Measure Max(TimeGenerated) as LastData by Computer | Where LastData<NOW-4HOURS | Sort Computer



Capacity (Aggregated Performance Data)

All performance data

Average CPU utilization by Top 5 machines
* Type=PerfHourly CounterName=”% Processor Time” InstanceName=”_Total” | Measure avg(SampleValue) as AVGCPU by Computer | Sort AVGCPU desc | Top 5

Max CPU time used by HyperV by machine
Type=PerfHourly CounterName=”% Total Run Time” InstanceName=”_Total”  ObjectName=”Hyper-V Hypervisor Logical Processor” | Measure max(Max) as MAXCPU by Computer | Where MAXCPU>0

CPU Utilization by VM/Virtual Core
Type=PerfHourly ObjectName=”Hyper-V Hypervisor Virtual Processor” CounterName=”% Guest Run Time” NOT(InstanceName=”_Total”) | Measure Avg(SampleValue) by InstanceName

Memory Utilization by VM/Virtual Core
Type=PerfHourly ObjectName=”Hyper-V Dynamic Memory VM” CounterName=”Average Pressure” | Measure Avg(SampleValue) by InstanceName

Top Hosts with Highest Core Utilization
CounterName=”% Core Utilization” Type=PerfHourly | Measure Avg(SampleValue) by Computer 

Top Hosts with Highest Memory Utilization
CounterName=”% Memory Utilization” Type=PerfHourly | Measure Avg(SampleValue) by Computer 

Top Hosts with Inefficient VMs
CounterName=”NumberVMOverUtilized” or CounterName=”NumberVMIdle” or CounterName=”NumberVMPoweredOff” Type=PerfHourly | Measure Avg(SampleValue) by Computer 

Top Hosts by Utilization (mathematical average of CPU and Memory usage counters)
CounterName=”% Core Utilization” or CounterName=”% Memory Utilization” Type=PerfHourly | Measure Avg(SampleValue) as CombinedCPUMemAvg by Computer 


Log Management (Windows Events)

All Events

Count of Events containing the word “started” grouped by EventID
Type=Event “started” | Measure count() by EventID

Count of Events grouped by Event Log
Type=Event | Measure count() by EventLog

Count of Events grouped by Event Source
Type=Event | Measure count() by Source

Count of Events grouped by Event ID
Type=Event | Measure count() by EventID

All Events with level “Warning”
Type=Event EventLevelName=warning

Count of Events with level “Warning” grouped by Event ID
Type=Event EventLevelName=warning | Measure count() by EventID

How many connections to Operations Manager’s SDK service by day
Type=Event EventID=26328 EventLog=”Operations Manager” | Measure count() interval 1DAY

Events in the Operations Manager Event Log whose Event ID is in the range between 2000 and 3000
Type=Event EventLog=”Operations Manager” EventID:[2000..3000]

Operations Manager Event Log’s Health Service Modules events around connectivity with Advisor
Type=Event EventLog=”Operations Manager” EventID:[2100..2199]

When did my servers initiate restart?
shutdown Type=Event EventLog=System Source=User32  EventID=1074 | Select TimeGenerated,Computer 

Windows Firewall Policy settings have changed
Type=Event  EventLog=”Microsoft-Windows-Windows Firewall With Advanced Security/Firewall”  EventID=2008  

On which machines and how many times have Windows Firewall Policy settings changed
Type=Event  EventLog=”Microsoft-Windows-Windows Firewall With Advanced Security/Firewall”  EventID=2008  | measure count() by Computer 


Log Management (IIS Logs)

All IIS Log Entries

Count of IIS Log Entries by HTTP Request Method
Type=W3CIISLog | Measure count() by csMethod

Count of IIS Log Entries by Client IP Address
Type=W3CIISLog | Measure count() by cIP

IIS Log Entries for a specific client IP Address (replace with your own)
Type=W3CIISLog  cIP=”″ | Select csUriStem,scBytes,csBytes,TimeTaken,scStatus

Count of IIS Log Entries by URL requested by client (without query strings)
Type=W3CIISLog | Measure count() by csUriStem

Count of IIS Log Entries by Host requested by client
Type=W3CIISLog | Measure count() by csHost

Count of IIS Log Entries by URL for the host “” (replace with your own)
Type=W3CIISLog csHost=”” | Measure count() by csUriStem

Count of IIS Log Entries by HTTP User Agent
Type=W3CIISLog | Measure count() by csUserAgent

Total Bytes sent by Client IP Address
Type=W3CIISLog | Measure Sum(csBytes) by cIP

Total Bytes received by each Azure Role Instance [not enabled yet; see tracking item]
Type=W3CIISLog | Measure Sum(csBytes) by RoleInstance

Total Bytes received by each IIS Computer
Type=W3CIISLog | Measure Sum(csBytes) by Computer

Total Bytes responded back to clients by each IIS Server IP Address
Type=W3CIISLog | Measure Sum(scBytes) by sIP

Total Bytes responded back to clients by Client IP Address
Type=W3CIISLog | Measure Sum(scBytes) by cIP

Average HTTP Request time by Client IP Address
Type=W3CIISLog | Measure Avg(TimeTaken) by cIP

Average HTTP Request time by HTTP Method
Type=W3CIISLog | Measure Avg(TimeTaken) by csMethod

[For more W3CIISLog search examples, also read the blog post I published earlier.]


Change Tracking

All Configuration Changes

All Software Changes
Type=ConfigurationChange ConfigChangeType=Software

All Windows Services Changes
Type=ConfigurationChange ConfigChangeType=WindowsServices

Change Type<Software> per Computer
Type=ConfigurationChange ConfigChangeType=Software | Measure count() by Computer

List when Windows Services have been stopped
Type=ConfigurationChange ConfigChangeType=WindowsServices SvcState=Stopped

List of all Windows Services that have been stopped, by frequency
Type=ConfigurationChange ConfigChangeType=WindowsServices SvcState=Stopped | measure count() by SvcDisplayName

Count of different Software change types
Type=ConfigurationChange ConfigChangeType=Software | measure count() by ChangeCategory


Configuration Assessment (Legacy Advisor Scenario)
NOTE: For the legacy Advisor Configuration Assessment scenario, in addition to the old Silverlight screens, some data is also indexed in the new Search feature for exploration purposes. Records of Type=ConfigurationObject are indexed and updated every time an object is discovered (or re-discovered) by Advisor Configuration Assessment. There are also records of Type=ConfigurationObjectProperties that represent the properties of those objects. These are only inserted in the index when their VALUE has CHANGED since the previous known value Advisor had discovered till the previous discovery. This is somewhat similar to ‘Change Tracking’ Intelligence Pack, but less sophisticated. Also records of Type=Alert are indexed once Alerts are fired (each time, even if it is a ‘repeat’ i.e. because the HealthService has restarted) on Advisor agents by Advisor Configuration Assessment Alert Rules you are not ignoring.

All ‘Advisor Managed’ Computers that have reported Configuration Assessment data
Type=ConfigurationObject ObjectType=”Microsoft.Windows.Computer” | Measure count() by Computer

All ‘Advisor Managed’ Computers that have reported Configuration Assessment data (alternate version)
Type=ConfigurationObject ObjectType=”Microsoft.Windows.Computer”  | Measure Max(TimeGenerated) by Computer

Count of machines by Operating System
Type=ConfigurationObject  ObjectType=”Microsoft.Windows.OperatingSystem” | Measure count() by ObjectDisplayName

All Property changes tracked by Advisor Configuration Assessment for Computer “” (replace with your own computer name)
Type=”ConfigurationObjectProperty” RootObjectName=””

IP Address changes tracked by Advisor Configuration Assessment for Computer “” (replace with your own computer name)
Type=”ConfigurationObjectProperty” Name=”Microsoft.Windows.Computer.IPAddress” RootObjectName=””

Check SQL Collation settings for each database called “tempdb” on each SQL instance on each SQL server
Type=”ConfigurationObjectProperty” Name=”Microsoft.SQLServer.Database.Collation” ObjectDisplayName=”tempdb” | Select ObjectDisplayName, ParentObjectName, RootObjectName, Value

Machines grouped by Organizational Unit
Type=”ConfigurationObjectProperty” Name=”Microsoft.Windows.Computer.OrganizationalUnit” | Measure count() by Value | Where AggregatedValue>0

All Alerts generated by Advisor
Type=Alert SourceSystem=Advisor

Worst Severity of Alerts by Computer
Type=Alert | measure Max(Severity) by Computer 

Alerts grouped by Rule/Monitor that generated them
Type=Alert | measure count() by WorkflowName 

Alerts for ‘SQL Server’ workload
Type=Alert SourceSystem=Advisor Workload=“SQL Server”

Active Machine-Generated Recommendations for ‘Windows’ (or ‘SQL Server’) Workloads
Type=Recommendation RecommendationStatus=Active AdvisorWorkload=Windows
Type=Recommendation RecommendationStatus=Active AdvisorWorkload=”SQL Server” 

Active Machine-Generated Recommendations grouped by Computer
Type=Recommendation RecommendationStatus=Active | Measure count() by RootObjectName

List Active Directory Sites (based on computers that had that changed)
Type=ConfigurationObjectProperty Name=”Microsoft.Windows.Computer.ActiveDirectorySite” | Measure count() by Value

Which machines have the most memory assigned (and that has changed – probably you will only have data for VMs with dynamic memory most of the times with this query)
Type=ConfigurationObjectProperty Name=”Microsoft.Windows.OperatingSystem.PhysicalMemory” | Measure Max(Value) by RootObjectName

System Update Assessment

Missing Required Updates
Type=RequiredUpdate | Select UpdateTitle,KBID,UpdateClassification,UpdateSeverity,PublishDate,Computer

Missing Required Updates for server “”
Type=RequiredUpdate (UpdateSeverity=Critical and UpdateClassification=”Security Updates” and Server=””) | Select Computer,UpdateTitle,KBID,Product,UpdateSeverity,PublishDate

Missing Critical Security Updates
Type=RequiredUpdate (UpdateSeverity=Critical and UpdateClassification=”Security Updates”) | Select Computer,UpdateTitle,KBID,Product,UpdateSeverity,PublishDate

Missing Security Updates
Type=RequiredUpdate UpdateClassification=”Security Updates” | Select Computer,UpdateTitle,KBID,Product,UpdateSeverity,PublishDate

Missing Update Rollups
Type=RequiredUpdate UpdateClassification=”Update Rollups” | Select UpdateTitle,KBID,UpdateClassification,UpdateSeverity,PublishDate,Computer

Missing Updates by Product
Type=RequiredUpdate | Measure count() by Product

Missing Updates for a specific product (“Windows Server 2012″ in the example)
Type=RequiredUpdate Product=”Windows Server 2012″


Malware Assessment

Devices with Signatures out of date
Type=ProtectionStatus | measure max(ProtectionStatusRank) as Rank by DeviceName | where Rank:250

Protection Status updates per day
Type=ProtectionStatus | Measure count(ScanDate) interval 1DAY | Sort TimeGenerated desc

Malware detected grouped by ‘threat’
Type=ProtectionStatus NOT (ThreatStatus=”No threats detected”) | Measure count() by Threat



Other searches on blogs

Stas has some useful ones mainly around System Update and Malware Assessments

For more W3CIISLog search examples, I also posted another blog post.

Microsoft Azure Active Directory – Part 2 (MFA)

Previously blogged about Microsoft Azure Active Directory Premium , one of the Enterprise Mobility Suite services on Microsoft Azure , and how can we use it and create users and assign them to the AD Premium. In this blog post, I will show you how to do the Multi factor authentication (MFA) configuration for the assigned users.
Let’s first understand what is the Multi-factor authentication or the MFA. The MFA is a way to authenticate the user trying to sign in to an application whether it…(read more)

Trace Parser: NULL::inner–explained

If you have analyzed AX traces in the Trace Parser, you most likely came across something like this during your efforts:


First time I saw it, I was puzzled – an object named “NULL” with a method named “inner”, I’ve never heard of that before – what is it? I started asking around, no one seemed to know. Bing didn’t help me either. I did a search in our source files, it gave me more hits than I wanted to explorer. About to give up, it struck me, that the name is not too bad for a method that doesn’t exists on an object and is inside the caller.

So the answer is simple and straight forward. “NULL::inner” is used for all embedded methods in X++ when shown in the trace parser. Navigating to the caller in the Trace Parser also clearly shows that an embedded method exists (with the name “doEscape()”).


As a side note, I can mention that the Call Stack window in the X++ Debugger doesn’t include embedded methods.