SCOM – HTML Report: Certificate Expiration

November 7, 2018

Hi,

Today I want to give an answer to the question I often get at customers: “We want an overview of all certificates in our environment (on Windows Servers) that are expiring within X amount of days”.

This approach is based on this management pack: http://www.systemcentercentral.com/pack-catalog/pki-certificate-verification-mp/

The management pack discovers certificates on all servers (in specific stores if you will) and adds monitors to detect expiration, validity, etc. It also adds some views in the Monitoring pane of the SCOM console.

I wanted to provide a (daily) report to the customer showing the list of certificates expiring within X amount of days. Therefore I created a custom group in SCOM containing all “critical” certificates, for example all certificates issued by a specific CA. Afterwards I created a Powershell script which uses the members of the group to create a report and mail it to the different stakeholders.

The report looks like this:

 

As you can see, the report shows at a glance when certificates will expire and on which server they are located. As this is fully custom, all layout, colours etc. can be set at will.

Mostly I choose to use red, orange and yellow to highlight the urgency in which the certificates need to be replaced.

Also keep in mind that after replacing the certificates in e.g. IIS, the old ones need to be deleted from the server(s) as well, because they will keep being discovered by SCOM as long as they stay on the server(s).

If you are interested in the script, please drop a comment below and I’ll be happy to assist.
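Since the report script itself is not posted, here is an added example of my own (not Bert's script) that produces the same kind of HTML overview for one server: it lists the certificates in a store that expire within the threshold, colours the rows red/orange/yellow by urgency, and writes the HTML to a file. The threshold, store path, output path, colour bands and SMTP placeholders are assumptions; the SCOM group lookup is replaced by a plain listing of the local certificate store.

```powershell
# Added example, not the author's script: builds the expiry overview for the
# certificates in one store on the local server. Threshold, store path, output
# path and colour bands are assumptions; the SCOM group lookup is replaced by a
# plain listing of the certificate store.
param(
    [int]$DaysAhead = 60,
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$OutFile = "$env:TEMP\CertExpiry.html"
)

$now = Get-Date

# Colour bands: already expired or under a week is red, under a month orange, the rest yellow.
function Get-UrgencyColour([int]$DaysLeft) {
    if ($DaysLeft -le 7)  { return 'red' }
    if ($DaysLeft -le 30) { return 'orange' }
    return 'yellow'
}

# Escape values before placing them in HTML; subjects and issuers may contain < or &.
function ConvertTo-HtmlText([string]$Text) { [System.Net.WebUtility]::HtmlEncode($Text) }

function Get-ExpiringCertificates {
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $now.AddDays($DaysAhead) } |
        ForEach-Object {
            $daysLeft = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Server     = $env:COMPUTERNAME
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                Expires    = $_.NotAfter.ToString('yyyy-MM-dd')
                DaysLeft   = $daysLeft
                Colour     = Get-UrgencyColour $daysLeft
            }
        } | Sort-Object DaysLeft
}

$rows = @(Get-ExpiringCertificates)

$html = @"
<html><body>
<h2>Certificates expiring within $DaysAhead days ($($rows.Count) found)</h2>
<table border="1" cellpadding="4">
<tr><th>Server</th><th>Subject</th><th>Issuer</th><th>Thumbprint</th><th>Expires</th><th>Days left</th></tr>
"@
foreach ($r in $rows) {
    $html += "<tr style=`"background-color:$($r.Colour)`">" +
             "<td>$(ConvertTo-HtmlText $r.Server)</td><td>$(ConvertTo-HtmlText $r.Subject)</td>" +
             "<td>$(ConvertTo-HtmlText $r.Issuer)</td><td>$($r.Thumbprint)</td>" +
             "<td>$($r.Expires)</td><td>$($r.DaysLeft)</td></tr>`n"
}
$html += '</table></body></html>'

Set-Content -Path $OutFile -Value $html -Encoding UTF8

# Mail the same HTML to the stakeholders; SMTP host and addresses are placeholders.
# Send-MailMessage -SmtpServer 'smtp.example.local' -From 'scom@example.local' `
#     -To 'pki-team@example.local' -Subject "Certificate expiry report" -BodyAsHtml -Body $html
```

Run it on each server (or against the servers in the SCOM group) and concatenate the rows to get the multi-server table shown in the post.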

 

Hope this helps!

 

Best regards,

Bert

 


SCOM – Quick Tip: Exchange Queue Length Monitor

July 11, 2018

Hi,

I’m currently busy at several customers setting up SCOM infrastructures. At one of those customers there were complaints by users that email messages were queued. When looking at the queues on the Exchange servers, they were actually HUGE.

Because Exchange was already monitored in SCOM, I thought we would have seen this, but that was not the case. In the Exchange management pack there is NO monitor to check the actual queue length, although there are rules which collect the queue lengths. I think this is not OK, as it is really important to be notified when messages get queued in Exchange.

Therefore I created a custom Powershell monitor to check this. I created the monitor using the SquaredUp Powershell management pack; this management pack adds Powershell support everywhere throughout SCOM (where you would expect it by default :)). The management pack can be downloaded here: https://squaredup.com/content/management-packs/free-powershell-management-pack/

This is the powershell script itself:

# Any arguments specified will be sent to the script as a single string.
# If you need to send multiple values, delimit them with a space, semicolon or other separator and then use split.
param([string]$Arguments)

$ScomAPI = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

# The SquaredUp template compares the health state as a string, so the script returns a "State" value
# (one unique value per health state) next to the measured "Length"; the monitor's expression is based on State.

# Load the Exchange cmdlets (Get-Queue) into this session
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

# Sum the message count over all queues on this server
$queue = ((Get-Queue | Select-Object @{ n = "MessageCount"; e = { [int]($_.MessageCount) } }).MessageCount | Measure-Object -Sum).Sum

$PropertyBag.AddValue("Length", $queue)

if ($queue -gt 500) {
    $PropertyBag.AddValue("State", "OverThreshold")
}
else {
    $PropertyBag.AddValue("State", "UnderThreshold")
}

# Send output to SCOM
$PropertyBag

The monitor will become critical when the message count exceeds 500 messages; this can be increased or decreased if needed by changing “$queue -gt 500” accordingly.

 

This monitor has helped my customer to prevent this issue from happening again.

Hope this helps!

 

Best regards,

Bert

 


Visualize Windows Update info (from SCCM) in Squared Up

July 6, 2018

Hi,

Today I want to show you guys a nice example of how we can use custom scripts to visualise data coming from SCCM in Squared Up dashboards on top of a SCOM platform, and so provide a strong integration between SCCM, SCOM & Squared Up.

Squared Up is my favorite tool to create dashboards, check it out here: https://demo.squaredup.com 

I’m currently in the process of setting up a brand new SCOM 1801 environment at a customer, together with an SCCM CB environment at the same customer, with the focus on servers and server patching. The customer also wanted an easy way to check the following parameters:

  • How many updates are pending on each server?
  • Is there a pending reboot due to the installation of Windows Updates?
  • When was the server last updated? And what Windows Updates have been applied then?
  • Are there any maintenance windows applied to a server?

Lots of questions to be answered! All this information can be found somewhere hidden in the SCCM reporting or we could create some custom reports containing that info. However, due to the fact I’m not a SQL reporting guru I wanted to see if we could show all this information in an easy way using Squared Up. As all the servers also have a SCOM agent installed we could get our information directly from there. And I have to say, it was really fun and easy to do!

I’ve used some custom powershell scripts which I added as SCOM tasks, these tasks are then added to a “Windows Updates” perspective I created for each Windows Computer object and this is the result:

All the components you see in the above perspective are based on powershell scripts put in SCOM tasks.

The “Pending Updates” counter is a custom performance counter reading information from WMI, this is the script:

 

# Any arguments specified will be sent to the script as a single string.
# If you need to send multiple values, delimit them with a space, semicolon or other separator and then use split.
param([string]$Arguments)

$ScomAPI = New-Object -ComObject "MOM.ScriptAPI"

# Collect your performance counter here. Note that in order to support the DW this script MUST only return a single
# object/counter and those must be static values. You can return multiple instances just fine though.

$Instances = @("Total")
# Count the updates the SCCM client reports as required but not yet installed (ComplianceState 0)
$Metric = @(Get-WmiObject -Class CCM_SoftwareUpdate -Filter ComplianceState=0 -Namespace root\CCM\ClientSDK).Count

Foreach ($Instance in $Instances)
{
    $PropertyBag = $ScomAPI.CreatePropertyBag()
    $PropertyBag.AddValue("Metric", $Metric)
    $PropertyBag.AddValue("Total", $Instance)

    # Send output to SCOM
    $PropertyBag
}

On top of the perspective I’ve also added a button to install all pending updates directly from the dashboard, without having to log on to the server and start the installation from Software Center. When clicking the button, Software Center kicks off the installation within minutes.

 

There is also an additional dashboard where they can review the servers with the most updates pending (top 20) per domain.

 

To finish things off I added some of the above information to the “Windows Server” perspective as well. In this way the customer can immediately see additional info (highlighted in red in the below screenshot):

  • How many pending updates?
  • When was the server last rebooted?
  • Is there a pending reboot due to Windows Updates?
  • If the server is a VM, what is the Hyper-V host the VM is running on?
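Only the “Pending Updates” counter script is shown in the post. As an added example (my own code, not the author's task scripts), here is one SCOM task body that collects the other values from the lists above from the SCCM client SDK on the local server: pending updates with their names, pending reboot, last reboot, last installed update and the maintenance windows applied to the client. The property bag keys are my own choice; the class and method names are those of the ConfigMgr client WMI SDK.

```powershell
# Added example, not the author's script: a SCOM task body that reads the
# remaining "Windows Updates" perspective values from the SCCM client SDK on
# the local server. Property bag keys are my own choice; class, method and
# property names are those of the ConfigMgr client WMI SDK.
$ScomAPI = New-Object -ComObject 'MOM.ScriptAPI'
$PropertyBag = $ScomAPI.CreatePropertyBag()
$ns = 'root\CCM\ClientSDK'

# 1. Pending updates: ComplianceState 0 = required but not yet installed.
$pending = @(Get-CimInstance -Namespace $ns -ClassName CCM_SoftwareUpdate -Filter 'ComplianceState=0')
$PropertyBag.AddValue('PendingUpdates', $pending.Count)
$PropertyBag.AddValue('PendingUpdateNames', (@($pending | ForEach-Object { $_.Name }) -join '; '))

# 2. Pending reboot as the SCCM client evaluates it (Windows Update, CBS and pending file renames).
$reboot = Invoke-CimMethod -Namespace $ns -ClassName CCM_ClientUtilities -MethodName DetermineIfRebootPending
$PropertyBag.AddValue('RebootPending', [bool]$reboot.RebootPending)
$PropertyBag.AddValue('HardRebootPending', [bool]$reboot.IsHardRebootPending)

# 3. Last reboot of the server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$PropertyBag.AddValue('LastReboot', $os.LastBootUpTime.ToString('yyyy-MM-dd HH:mm'))

# 4. Last update installed, from the hotfix inventory (entries without a date are skipped).
$lastHotfix = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastHotfix) {
    $PropertyBag.AddValue('LastUpdateInstalled', $lastHotfix.InstalledOn.ToString('yyyy-MM-dd'))
    $PropertyBag.AddValue('LastUpdateKB', $lastHotfix.HotFixID)
}

# 5. Maintenance windows applied to this client. Type 1 = all deployments,
#    Type 4 = software updates only; other window types (programs, task sequences) are ignored.
$windows = @(Get-CimInstance -Namespace $ns -ClassName CCM_ServiceWindow | Where-Object { $_.Type -in 1, 4 })
$PropertyBag.AddValue('MaintenanceWindowCount', $windows.Count)
$next = $windows | Where-Object { $_.StartTime -gt (Get-Date) } | Sort-Object StartTime | Select-Object -First 1
$nextText = if ($next) { $next.StartTime.ToString('yyyy-MM-dd HH:mm') } else { 'none scheduled' }
$PropertyBag.AddValue('NextMaintenanceWindow', $nextText)

# Send output to SCOM
$PropertyBag
```

Each value lands in its own property bag key, so a Squared Up perspective can show them as separate tiles or as one task-output table.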

 

Now they are using Squared Up as the go-to tool for reviewing the health of the environment and for following up on patching!

If you would like to accomplish the same or have any questions, please feel free to drop a comment below and I’ll be happy to share my scripts.

 

Hope this helps!

Best regards,

Bert


O365 PowerBI

April 17, 2018

Hello,

Today I would like to demonstrate a real life example on how to use Microsoft Power BI.

Setting the scene:

We are currently deploying the Windows 10 platform in a large environment. We have already performed a swap of approx. 6000 devices and are now starting the refresh on existing devices that are capable of running Windows 10.

In order to do so we rely on our network of Champions. These are skilled, ICT-minded colleagues who each have a group of end users under their “care”. They can assist their group of users and have specific tools and communication channels available with the ICT service.

Now the customer has approximately 350 different locations in Belgium and we have created a “self-service” system where the end user drives the upgrade by contacting his favorite Champion. He/she can start the refresh operation after performing some manual and some semi-automated actions, and after a few hours the laptop is completely up and running with Microsoft’s latest operating system.

However, there are approx. 12k devices that will need to be upgraded, so this will be an ongoing operation for quite some time. So we needed a way to visualise and to stimulate progress. In comes Power BI!

In short, Power BI is the Business Intelligence part of Office 365, allowing you to create valuable insight from data. We are not going to discuss the details; we are just going to perform a quick overview and show the result.

Additional info and a step-by-step guide can be found here:

https://docs.microsoft.com/en-us/power-bi/guided-learning/

Step 1: get the data

Easy, we export the data from an SCCM query to Excel. We get raw data like PC name, AD site and client OS name.


We already modify the data by creating a pivot table that shows totals per location, OS version and devices.


Now we can import this file in our Power BI environment.


Step 2: manipulate the data

Well, our SCCM report has the following parameters: PC name, operating system version and AD site name. The AD site name has a syntax that contains postal code, city and address information.

Because we want to visualise per province we needed to do the following:

=> Split the column with the AD site information based on “,”


=> Create an additional column that displays province information based on the postal code. Use a formula.


Then combine the information for maximum accuracy on geo location. Also rename to English.


Good! Now we want to display something that shows the number of devices with Windows 10 versus the total number of devices. We use a new measure.


Tip! Rename your headers so you know which data you are using.

Now we define the location field and select the visualisation.


Stunning! We quickly get an interactive overview of how the rollout is progressing.


And we can even create a location-based visualisation.


The sky is the limit … Enjoy.

Gino D


Quick Tip! Monitor Orchestrator

January 16, 2018

Hello,

Happy new year and best wishes to all for 2018! Unfortunately today, on “verloren maandag” (lost Monday), real life kicks in.

So I wanted to share how to monitor running runbooks on Orchestrator using SCOM. We are not going to use the web interface, as it could be that this specific component is down while the runbook server is still fully operational.

So instead we will be using a SQL query to check if all runbooks not containing “component” in their path are effectively running.

The script consists of the following parts. Parts 2 and 3 reuse the recursive CTE from part 1, so only the final SELECT changes.

Part 1: retrieve all the folder IDs where Component is not present in the path name

with RunbookPath as
(
    select 'Policies\' + cast(name as varchar(max)) as [path], uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    where b.ParentID = '00000000-0000-0000-0000-000000000000' and disabled = 0 and deleted = 0
    union all
    select cast(c.[path] + '\' + cast(b.name as varchar(max)) as varchar(max)), b.uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    inner join RunbookPath c on b.ParentID = c.UniqueID
    where b.Disabled = 0 and b.Deleted = 0
)
select [Path], uniqueid from RunbookPath where [path] not like '%component%'

  • This will return all the uniqueIDs of the folders that do not have Component in their path

Part 2: get all the policy names where the parent ID equals one of the uniqueIDs from the previous result

with RunbookPath as
(
    select 'Policies\' + cast(name as varchar(max)) as [path], uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    where b.ParentID = '00000000-0000-0000-0000-000000000000' and disabled = 0 and deleted = 0
    union all
    select cast(c.[path] + '\' + cast(b.name as varchar(max)) as varchar(max)), b.uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    inner join RunbookPath c on b.ParentID = c.UniqueID
    where b.Disabled = 0 and b.Deleted = 0
)
select name, [path]
from [ISD_HOB_Orchestrator].[dbo].[POLICIES] pol
join ( select [Path], uniqueid from RunbookPath where [path] not like '%component%' ) as pat
    on pol.ParentID = pat.UniqueID

  • This will return all the runbook names that are not in a path that has Component in it

Part 3: limit this result to the runbooks that do not have a running instance

with RunbookPath as
(
    select 'Policies\' + cast(name as varchar(max)) as [path], uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    where b.ParentID = '00000000-0000-0000-0000-000000000000' and disabled = 0 and deleted = 0
    union all
    select cast(c.[path] + '\' + cast(b.name as varchar(max)) as varchar(max)), b.uniqueid
    from ISD_HOB_Orchestrator.dbo.folders b
    inner join RunbookPath c on b.ParentID = c.UniqueID
    where b.Disabled = 0 and b.Deleted = 0
)
select name, [path]
from [ISD_HOB_Orchestrator].[dbo].[POLICIES] pol
join ( select [Path], uniqueid from RunbookPath where [path] not like '%component%' ) as pat
    on pol.ParentID = pat.UniqueID
where not exists (
    select * from ISD_HOB_Orchestrator.dbo.POLICYINSTANCES ins
    where pol.uniqueID = ins.policyID and ins.TimeEnded is null
)
order by name

  • This will return all the runbook names that do not have Component in their path and do not have any running instances; every row returned is a runbook that should be running but is not

Enjoy

Gino D


SCOM – File Count Management Pack

December 21, 2017

Hi,

I visit a lot of customers to implement or support SCOM. Sometimes the same questions or troubles come up.

One of those questions is: “Is it possible to monitor the count of files (with a specific extension) in a share?”

The answer to this question is yes and no. It is possible to count files on Windows Servers that have an agent installed using this management pack: http://www.systemcentercentral.com/pack-catalog/file-system-management-pack-2/ but for shares located on non-Windows Servers, let’s say on a SAN for example, I haven’t found a solution available.

Therefore I created my own management pack to monitor the file count, independent of the location of the file share (Windows Server or not).

In this post I describe how the management pack works. With the management pack you can count files with a specific extension (or without an extension filter if everything should be counted) in a share (optionally including subfolders).

There is also the ability to add a specific age, so the following scenario is possible: alert if there are more than 20 files in a share (subfolders included) that are older than 10 minutes.

First of all we need a seed discovery which is targeted to a registry key located on a SCOM agent monitored Windows Server.

The value in the registry is located under SOFTWARE\Filecount. The value is “CSV” and it should contain the path to a CSV file. The server will be discovered as a “File Count Watcher Node”

Next stop is the CSV file itself. For every share to be monitored it should contain a line with the specific syntax shown in the screenshot below.

Different parameters are added:

  • ID
    • Must be unique per share
  • Share
    • UNC path of the share
  • Extension
    • The extension of the files that needs to be counted, leave empty to count all files in the share
  • Count
    • How many files must be present for a critical state
  • Time
    • The maximum file age in minutes; only files older than this are counted
  • Recurse
    • 0 = No need to count files in subfolders
    • 1 = Count also files in subfolders

When the info is filled in, SCOM will discover every line as a “File Count Share”. The properties are used to configure the monitoring.

A monitor is also defined based on the properties filled in the csv file, but it’s basically a powershell script with necessary parameters.

The core of the script is this command:

# Count the files in the share (recursing into subfolders) whose last write time is before now + $strAge.
# With -le against (Get-Date).AddMinutes($strAge), $strAge must be negative at this point (e.g. -10) to get "older than 10 minutes"; a positive value would match every file.
$count = Get-ChildItem -Recurse "$strShare\$strExtension" | Where-Object { $_.LastWriteTime -le (Get-Date).AddMinutes($strAge) } | Measure-Object | ForEach-Object { $_.Count }

The file count is also gathered as a performance counter so it can be included in reporting or in a Squared Up dashboard for example.

The management pack is also configured to use a specific Run As account. This account needs rights on the shares: at least Read-only Share rights and Read-Only NTFS rights.
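The post shows only the core command. As an added example (my own code, not the management pack's monitor script), here is a complete monitor script body that takes the CSV parameters listed above, applies the extension, age and recurse settings, distinguishes an unreachable share or missing Run As rights from a genuine count of zero, and returns a property bag with the count and a state. The parameter names follow the core command ($strShare, $strExtension, $strAge); treating $strAge as a positive number of minutes and negating it inside the script is an assumption.

```powershell
# Added example, not the management pack's own monitor script: evaluates one
# "File Count Share" with the CSV parameters and returns a property bag with
# the file count and a state. $strAge is taken as positive minutes here and
# negated, which is an assumption about how the MP passes the Time column.
param(
    [Parameter(Mandatory)][string]$strShare,   # UNC path of the share
    [string]$strExtension = '',                # e.g. 'jpg'; empty counts every file
    [Parameter(Mandatory)][int]$intCount,      # critical when more than this many files match
    [int]$strAge = 0,                          # only files older than this many minutes are counted
    [int]$Recurse = 0                          # 1 = include subfolders
)

function Get-FileCountState {
    param([string]$Share, [string]$Extension, [int]$Count, [int]$AgeMinutes, [int]$Recurse)

    $filter = if ($Extension) { "*." + $Extension.TrimStart('.') } else { '*' }
    $cutoff = (Get-Date).AddMinutes(-1 * $AgeMinutes)   # "older than N minutes" = last write before this moment

    $gciArgs = @{ Path = $Share; Filter = $filter; File = $true; ErrorAction = 'Stop' }
    if ($Recurse -eq 1) { $gciArgs['Recurse'] = $true }

    try {
        $files = @(Get-ChildItem @gciArgs | Where-Object { $_.LastWriteTime -le $cutoff })
    }
    catch {
        # An unreachable share or missing Run As rights must not look like "0 files": report it as its own state.
        return [pscustomobject]@{ FileCount = -1; State = 'Error'; Message = $_.Exception.Message }
    }

    $state = if ($files.Count -gt $Count) { 'OverThreshold' } else { 'UnderThreshold' }
    [pscustomobject]@{ FileCount = $files.Count; State = $state; Message = '' }
}

$result = Get-FileCountState -Share $strShare -Extension $strExtension -Count $intCount -AgeMinutes $strAge -Recurse $Recurse

$ScomAPI = New-Object -ComObject 'MOM.ScriptAPI'
$PropertyBag = $ScomAPI.CreatePropertyBag()
$PropertyBag.AddValue('FileCount', $result.FileCount)   # also usable as the performance counter value
$PropertyBag.AddValue('State', $result.State)           # the monitor's health expression compares this string
$PropertyBag.AddValue('Message', $result.Message)

# Send output to SCOM
$PropertyBag
```

Mapping State to health then takes three values: UnderThreshold healthy, OverThreshold critical, and Error as a warning so a broken share or revoked Run As permission is visible instead of silently reporting zero files.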

I’ve been able to help some customers already by using this management pack.

The first customer where I set this up is a big hospital in Belgium where they use this management pack to monitor shares which are used to store (and process) images and movies made during surgery.

The content should be processed from the network share and transferred somewhere else but sometimes the processing hangs and the share is getting full without anyone knowing. Since they have the management pack in place this hasn’t happened anymore.

If you have interest in the management pack, I’ve made it available via GitHub: https://github.com/bpinoy/ManagementPacks/tree/master/File%20Count%20MP

Best regards,

Bert



SCOM – Powershell Recovery Action – Stopped Windows Service

August 31, 2017

Hi,

Today I was at a customer who had a really specific question regarding monitoring of Windows Services with Operations Manager (SCOM).

We had already set up some basic recovery actions which restart the service automatically after it was stopped.

For some other services the customer wanted to add extra functionality: The recovery action should retry starting the service a maximum of 3 times, if the service wasn’t started after 3 tries the customer wanted to receive an email telling them the recovery action failed. Out-of-the-box SCOM is unable to do stuff like that, therefore I used Powershell to accomplish this.

Sidenote: To be able to use Powershell as a recovery action you can use the free management pack provided by the community & SquaredUp, it can be downloaded from this website: https://squaredup.com/free-powershell-management-pack/. This management pack adds Powershell everywhere it is missing in Operations Manager, this is one of the default management packs I always install at customers.

 

To make this fully functional, several components are needed:

  • A monitor that checks the status of the service
    • This monitor can be created from the Authoring pane of the SCOM console using the Windows Service template
  • A recovery action for the monitor created previously
    • The recovery action can be created from Health Explorer
  • A rule that picks up the event created by the recovery action Powershell script
    • This is an Alert Generating Rule (NT Event Log); the configuration is linked to the type and location of the event logged during the script (the error event with ID 101 and source “Powershell – Restart Service” in the Application log)
  • A subscription on the rule to send the email.

The powershell script:

# Fill in the service name here
$ServiceName = "LPD Service"

$ServiceStarted = $false
$i = 0

# Create the event log source; -ErrorAction Ignore is needed because once the source exists an error is thrown on every following run
New-EventLog -LogName Application -Source "Powershell – Restart Service" -ErrorAction Ignore

Do {
    # On the second and third run, wait a minute before trying to start the service again
    if ($i -gt 0) { Start-Sleep -Seconds 60 }

    # Try to start the service and read back its status
    Start-Service $ServiceName
    $Service = Get-Service -Name $ServiceName

    if ($Service.Status -eq "Running") {
        $ServiceStarted = $true
    }

    $i++

    if (($i -eq 3) -and ($ServiceStarted -eq $false)) {
        $eventmessage = "$ServiceName failed to restart after $i attempts, exiting script"

        # Log an error event in the event log; the alert generating rule picks up this event ID
        Write-EventLog -LogName Application -Source "Powershell – Restart Service" -EntryType Error -EventId 101 -Message $eventmessage
        exit
    }
}
Until ($ServiceStarted -eq $true)

$eventmessage = "$ServiceName restarted after $i attempt(s)"
Write-EventLog -LogName Application -Source "Powershell – Restart Service" -EntryType Information -EventId 100 -Message $eventmessage

 If you have any difficulties doing this, don’t hesitate to drop a comment below.

If you find this post useful, please consider buying me a virtual beer with a bitcoin donation: 3QhpQ5z5hbPXXRS8x6R5RagWVrRQ5mDEZ1

 

Best regards,

Bert