To collect data, such as Windows events, from a non-domain-joined (workgroup) Windows 10 computer and send it to an Azure Log Analytics workspace, you must install an agent on the computer. The Azure Monitor Agent (AMA) is the current and recommended agent for this purpose. The agent is installed on the client machine and configured with the specific Log Analytics Workspace ID and Primary Key. This configuration allows the agent to securely send collected data from the local machine to the designated workspace in Azure for analysis and querying.

A. Join Azure AD.

Joining Azure AD is for identity and device management. While it can simplify agent deployment via Intune, it is not a direct requirement for sending logs to Log Analytics.

B. Configure Windows Defender Firewall.

While the agent requires outbound internet access (typically TCP 443), which the firewall must allow, the primary action is installing the agent itself, not just configuring the firewall.

C. Create an event subscription.

Event subscriptions are part of the Windows Event Forwarding (WEF) feature, used to forward events between Windows computers, not to send them directly to Azure Log Analytics.

1. Microsoft Learn

Azure Monitor documentation. "Install Azure Monitor Agent on Windows client devices." This document explicitly outlines the procedure for installing the agent on Windows client machines

including those on-premises or not joined to Azure. It states

"This article describes how to install the Azure Monitor Agent on Windows client devices... You can also use this process to install the agent on on-premises servers."

2. Microsoft Learn

Azure Monitor documentation. "Azure Monitor Agent overview." This overview describes the agent's function: "The Azure Monitor agent (AMA) collects monitoring data from the guest operating system of Azure and hybrid virtual machines and delivers it to Azure Monitor." A workgroup computer is considered a hybrid machine in this context.

3. Microsoft Learn

Azure Monitor documentation. "Connect Windows computers to Azure Monitor." This guide details connecting computers outside of Azure

stating

"For computers outside of Azure (that is

on-premises) ... you can install the Log Analytics agent for Windows manually and configure it to report to a specific Log Analytics workspace." Note: While this page mentions the older Log Analytics agent

the principle and requirement for an agent remain the same

with the Azure Monitor Agent being the successor. The core task is installing an agent.