SCOM – File Count Management Pack

December 21, 2017


I come at a lot of customers to implement or support SCOM. Sometimes the same questions or troubles come up.

One of that questions is: “Is it possible to monitor the count of files (with a specific extension) in a share?”

The answer to this question is yes and no. There is a possibility to count files on Windows Servers that have an agent installed using this management pack: but for shares located on non-Windows Servers, let’s say on a SAN for example I haven’t found a solution available.

Therefore I created my own management pack to monitor the file count, independent of the location of the file share (Windows Server or not).

In this post I describe how the management pack works. With the management pack you can count files with a specific extension (or no extension if everything should be counted) in a share (optionally also subfolders included).

There is also the ability to add a specific age zo the given scenario is possible: Count if there are more then 20 files in a share (subfolders included) that are older then 10 minutes.

First of all we need a seed discovery which is targeted to a registry key located on a SCOM agent monitored Windows Server.

The value in the registry is located under SOFTWARE\Filecount. The value is “CSV” and it should contain the path to a CSV file. The server will be discovered as a “File Count Watcher Node”

Next stop is the csv file itself, for every share to be monitored it should contain a line with a specific syntax shown in the screenshot below

Different parameters are added:

  • ID
    • Must be unique per share
  • Share
    • UNC path of the share
  • Extension
    • The extension of the files that needs to be counted, leave empty to count all files in the share
  • Count
    • How many files must be present for a critical state
  • Time
    • This is the time in minutes of the maximum file age of file count
  • Recurse
    • 0 = No need to count files in subfolders
    • 1 = Count also files in subfolders

When the info is filled in, SCOM will discover every line as a “File Count Share”. The properties are used to configure the monitoring.

A monitor is also defined based on the properties filled in the csv file, but it’s basically a powershell script with necessary parameters.

The core of the script is this command:

$count  = Get-ChildItem -Recurse $strShare\$strExtension | where{$_.LastWriteTime -le (Get-Date).AddMinutes($strAge)}|Measure-Object |%{$_.Count}

The file count is also gathered as a performance counter so it can be included in reporting or in a Squared Up dashboard for example.

The management pack is also configured to use a specific Run As account. This account needs rights on the shares: at least Read-only Share rights and Read-Only NTFS rights.

I’ve been able to help some customers already by using this management pack.

The first customer where I set this up is a big hospital in Belgium where they use this management pack to monitor shares which are used to store (and process) images and movies made during surgery.

The content should be processed from the network share and transferred somewhere else but sometimes the processing hangs and the share is getting full without anyone knowing. Since they have the management pack in place this hasn’t happened anymore.

If you have interest in the management pack, I’ve made it available via GitHub:

Best regards,






SCOM – Powershell Recovery Action – Stopped Windows Service

August 31, 2017


Today I was at a customer who had a really specific question regarding monitoring of Windows Services with Operations Manager (SCOM).

We had already set up some basic recovery actions which restart the service automatically after it was stopped.

For some other services the customer wanted to add extra functionality: The recovery action should retry starting the service a maximum of 3 times, if the service wasn’t started after 3 tries the customer wanted to receive an email telling them the recovery action failed. Out-of-the-box SCOM is unable to do stuff like that, therefore I used Powershell to accomplish this.

Sidenote: To be able to use Powershell as a recovery action you can use the free management pack provided by the community & SquaredUp, it can be downloaded from this website: This management pack adds Powershell everywhere it is missing in Operations Manager, this is one of the default management packs I always install at customers.


To be fully functional different components are needed:

  • A monitor that checks the status of the service
    • This monitor can be created from the Authoring pane of the SCOM console using the Windows Service template


  • A recovery action for the monitor created previously
    • The recovery action can be created from health explorer1
  • A rule that picks up the event created by the recovery action Powershell script
    • This is an Alert Generating Rule (NT Event Log), the configuration is linked to the type and location of the event logged during the script2
  • A subscription on the rule to send the email.

The powershell script:

# Fill in the service name here

$ServiceName = “LPD Service”

$ServiceStarted = $False

$i =0;

#Create Eventlog source, erroraction Ignore is neededbecause once the source is created an error is thrown because the source already exists

New-Eventlog -LogName Application -Source “Powershell – Restart Service” -ErrorAction Ignore


# In second or third run, wait a minute before trying
to start the service

if ($i -gt 0){Start-Sleep -s 60}

#Try to start the service

Start-Service $ServiceName

$Service Get-Service -Name $ServiceName

     if($Service.Status -eq “Running”)


    $ServiceStarted = $true



    if (($i -eq 3) -and ($ServiceStarted $false))


    $eventmessage = $Servicename failed to restart after $i attempts, exiting script”

    #Log error event in eventviewer

    Write-Eventlog -LogName Application -Source “Powershell – Restart Service” -EntryType Error -Eventid 101 -Message $eventmessage




Until ($ServiceStarted = $true)

 $eventmessage = $ServiceName restarted after $i attempt(s)”

Write-Eventlog -LogName Application -Source “Powershell – Restart Service” -EntryType Information -Eventid100 -Message $eventmessage

 If you have any difficulties doing this, don’t hesitate to drop a comment below.

If you find this post useful, please consider buying me a virtual beer with a bitcoin donation: 3QhpQ5z5hbPXXRS8x6R5RagWVrRQ5mDEZ1


Best regards,


Hardware Inventory after SCCM OSD Task Sequence

August 4, 2017


I like using a lot of custom collections based on data from Hardware Inventory: Operating System Version, Hardware Manufacturer, Hardware Model, etc.

However to make sure the properties are available the Hardware Inventory needs to run at least once, using this information you will be able to start the hardware inventory right after the OSD task sequence completes. We will be using the Task Sequence Variable SMSTSPostAction:

Somewhere in the task sequence add “Set Task Sequence Variable” step. Give it an appropriate name and fill in the information as seen in the screenshot below:

If you want to copy/paste, here’s the value: %windir%\System32\wbem\WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule “{00000000-0000-0000-0000-000000000001}” /NOINTERACTIVE

When the task sequence completes, this action will occur.

When processing was succesfull you should see something like this in the dataldr.log (on the Configuration Manager site server)

Also locally on the computer where the task sequence was run, information can be found in the smsts.log and in the Inventoryprovider.log. Both logs located under C:\windows\ccm\logs

Hope this helps!


Best regards,






August 15, 2016


Empowerment of users is always great, we all want to be able to do some required actions when we want to, instead of logging requests and waiting for the actions to occur.

The Microsoft EMS is a combined set of cloud services wrapped up in one license formule. More info can be found here : But today we focus on the olympic games in Rio 2016 self serivce group management and password reset.

First we need to enable the required features in Azure AD.


Now add the test user to the required Azure groups and open

Now this user can create new security or office 365 groups ( depending on the group membershp above )

Now what’s really great is that we can delegate the group membership ( adding or removing users to the group ) to the group owners. We could also do this using AD and supply a users and computers mmc internally or use FIM but this is straight out of the box.

Let’s see how it looks.


Now we can create a new group ( we’ll use an O365 group )


Now we have set up this group to require owner approval, so in this case we can decide who can be a member.

So if we log on with another user ( with an EMS license ) , look for the group we can request access !


Let’s join.


And the owner can approve / deny,


And the requested user can verify the status of his request using the same interface but my requests


That’s it , great functionality for delegating the creation and the ownership of security or office 365 groups. Power to the users !


Gino D.

Quick Tip ! Automate it !

April 28, 2016


I am a big fan of automation , you improve efficiency by generating a consistent result fast.

But it needs to be worth it, you need a certain quantity of requests before the investment pays off.

Luckily we have these kind of environments in our partner portfolio.

Here we use the service manager portal not for the end-users but we present the portal to the first line helpdesk so they don’t have to escalate certain tasks to second line. All requests are automated by orchestrator runbooks.


And we are on 4874 completed request.


Simple math : about 10 minutes if the action is performed manually , this makes 48740 minutes -> 812 hours -> 101 working days saved, this time can be spent on tasks that create a real added value for the partner.


Gino D

ZTIexecuterunbook MDT 2013 Update 1

November 20, 2015


Strange issue today , a fresh install of Orchestrator and sccm , both latest version installed. SCCM 2012 R2 SP1 CU1 and Orchestrator 2012 R2 UR7.

Combined this with the power of MDT 2013 update 1 in order to execute runbooks from a task sequence.

So far so good, I’ve had a similar setup for another customer so nothing could go wrong…

But when I run the task sequence for executing the runbook my task sequence fails and ztiexecuterunbook under MININT\SMSOSD\OSDLogs show:

Microsoft Deployment Toolkit version: 6.3.8298.1000 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

The task sequencer log is located at C:\Windows\CCM\Logs\SMSTSLog\SMSTS.LOG. For task sequence failures, please consult this log. ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Orchestrator server URL = http://SERVERNAME:81/Orchestrator2012/Orchestrator.svc/Jobs ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook name = New Runbook ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runnbook ID = 444a1fd8-3168-470c-9a8f-805523de27b3 ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Runbook parameter mode = MANUAL ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter IntExchange (17ebabac-3fa0-4585-b7e4-54fb0156d650) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrComputername (c684fd8f-e6e0-44b1-b8d0-6e91f879681f) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Added parameter StrClusterName (5e029040-b071-4499-a04e-ad593fe5f795) ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserDomain is now = *** ZTIExecuteRunbook 11/18/2015 3:58:54 PM 0 (0x0000)

Property UserID is now = *** ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

<Message containing password has been suppressed> ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

FAILURE ( 10802 ): Unable to find job. ZTIExecuteRunbook 11/18/2015 3:58:55 PM 0 (0x0000)

The runbook gets started on orchestrator but the task sequence fails !

So we started to do some tests and found that we could simulate the issue on another environment.

Problem turned out to be an error in the scripts of MDT2013update 1. We created 2 identical task sequences executing a simple runbook. One with MDT 2013 toolkit files and one with MDT2013 update 1 toolkit files.


MDT 2013 works fine :


Ztiexecuterunbook shows the wait for completion state.


Now for the MDT 2013 update 1 :


And ztiexecuterunbook shows:


Apparently something slipped through Quality Control 🙂


Gino D

Orchestrator Quick Tip ! Junction

August 26, 2015


When you have multiple actions that you want to run in a parallel way you can link them and use the junction in order to wait for all actions to be finished before continuing.

Here’s the Technet explanation :

Now consider the following example :

We use the logging IP in order to grab some information in service manager and save it in a custom field. This is accomplished by calling several sub runbooks.

It looks like this :


Now if we return no data from the junction then our get log data is not succesful as the logging ID is empty.


If you run the tester you recieve no error but the logging id is empty.



While the action clearly stated to use the logging_id from the start activity.


Now if we add the return activity from our previous branch we recieve exactly the same issue.


I had to add a link to our first subrunbook in order to be able to retrieve the Logging_id from our first start action. Then it works.


And set the returned data from the junction to this activity.


At last success.


Gino D