When we talk about best practices for monitoring, this will typically include (SLA) Service Level Availability. SLA is an important piece in your environment, as uptime and happy customers come with a high SLA. There are some cases where IT Teams do work on demand. On-demand work is outside of a standard change window, a scheduled change. Typically this is outside configuration management tools, responsible to update software (applications/packages), machines, drivers, compliance settings, and more. In the one-off, non-scheduled maintenance or recovery, try leveraging ‘SCOM Agent Maintenance’ PowerShell commands on SCOM agents.
SCOM Agent maintenance PowerShell commands
cd “C:\Program Files\Microsoft Monitoring Agent\Agent”
Import-module .\MaintenanceMode.dll
Start-SCOMAgentMaintenanceMode -Duration 10 -Reason PlannedOther
# Verify
# If messages show with current timestamp, Agent objects are in maintenance.
get-eventlog -LogName “Operations Manager” -newest 50 | ? { $_.Message -like “Suspending monitoring*” } | ft TimeGenerated,Message -autosize
TimeGenerated Message
————- ——-
6/25/2020 8:37:57 AM Suspending monitoring for instance “modeldev” with id:”{F9E45AA4-7DF7-C1F1-70C9-5D76C9F2725C}” …
6/25/2020 8:37:57 AM Suspending monitoring for instance “C:” with id:”{ED00048A-7DDC-D4BE-901D-D64DA281B7C6}” as the…
6/25/2020 8:37:57 AM Suspending monitoring for instance “central_log” with id:”{EA619D69-D1CC-3B19-D93C-2E3FCD1409AE…
PS C:\Program Files\Microsoft Monitoring Agent\Agent> get-eventlog -LogName “Operations Manager” -newest 25 | ? { $_.Message -like “Resuming monitoring*” } | ft TimeGenerated,Message -autosize
343998 Jun 25 08:50 Information HealthService 1073743040 Resuming monitoring for instance “modeldev” wit…
343997 Jun 25 08:50 Information HealthService 1073743040 Resuming monitoring for instance “C:” with id:”…
343996 Jun 25 08:50 Information HealthService 1073743040 Resuming monitoring for instance “central_log” …
343995 Jun 25 08:50 Information HealthService 1073743040 Resuming monitoring for instance “dnmll05s1.UNE…
Hmm, tried this on a few machines but the 2222 event never shows in the Operations Manager event log.
the reg key are there. i
Hello Kenneth,
I don’t recall 2222 Events using SCOM agent based maintenance mode.
One possibility for missing 222[23] events may be the result of AV/Malware PowerShell blocks.
Request the AV/Malware tool put in logging and re-test. This would validate blocking. Then verify with your Cyber team what exceptions are in place.
Learn reference link
Operations Manager event ID’s 1215, 1216 indicate object put in maintenance.
Operations Manager event ID’s 2222,2223 are for SCOM scripts being run.
2222 ReadMaintenanceModeRegEntry.ps1
2223 StartMaintenanceModeWA.ps1
What event ID’s do you see in the ‘Operations Manager’ event log when you run ‘Start-SCOMAgentMaintenanceMode?
Further PowerShell commands to check Operations Manager event log after Start-SCOMAgentMaintenanceMode command run (pending event log has not been cleared, or rolled over). Run the following PowerShell commands:
# This is event ID 1215
get-eventlog -LogName “Operations Manager” | WHERE { $_.Message -like “Suspending monitoring*” } | ft TimeGenerated,EventId,Message -autosize
# This is event ID 1216
get-eventlog -LogName “Operations Manager” | WHERE { $_.Message -like “Resuming monitoring*” } | ft TimeGenerated,EventId,Message -autosize
# Maintenance related events 2222,2223
get-eventlog -LogName “Operations Manager” | WHERE { ($_.EventID -eq “2222”) -OR ($_.EventID -eq “2223”) } | format-table TimeGenerated,EventId,Message -autosize
Reference links:
SCOM EventID reference
Cookdown lists the 2222 Event
Link
Note from above learn article
To confirm that maintenance mode request is successful, look in the Operations Manager system log for event ID 19999. In case event ID 19999 isn’t available, submit the maintenance mode request again.
Link