IIS addendum packs to tune IIS from 2012 forward.’IIS addendum packs’ to tune IIS from 2012 forward. The GitHub repository has two packs 2012/2016+ (version agnostic pack). This includes an IIS enabled group, Daily report and cleanup DataSource and WriteAction (tasks), as well as a regular expression to set up the IIS enabled group. The IIS enabled group is to enable IIS monitoring on servers IIS monitoring is needed.
Customize for environment
Update addendums to server naming conventions for enabled IIS monitoring. Read below to better understand addendum functionality.
First, the addendums include class/group, datasource and write action alert reports and automated alert closure workflows, as well as event count logic/reset monitorType.
Second, the group discovery, find/replace the pattern to various application/web server naming conventions where IIS monitoring IS wanted.
Third, the version agnostic has overrides to disable most perf and rule alerts. Can provide OFF packs to turn off performance counter collection rules, to keep both the OperationsManager, and OperationsManagerDW databases cleaner, thereby faster with less data.
IIS2012 overrides
Lastly, once addendum updated, save file, move to SCOM MS, and import.
Enjoy the ‘IIS addendum packs’ for how few alerts, perhaps life changing?! (sarcasm)
DC Security bundle pack is much like the various universe/multiverse sci fi storylines.
Proactive Security bundle to help with three (3) various DC authentication event sets encompassing Kerberos, NetLogon, and DCOM. These events were enabled as part of the server cumulative patches. The management packs run workflows on the servers, then combine into a daily alert report of the unique event description details.
Save the files from GitHub to your local SCOM MS and import.
Proactive Security bundle components
Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No
Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event ID’s 10036,7,8 in Security EventLog. Pull from DC and run SCOM alert report, as well as on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No
The ‘MECM/SCCM Addendum pack’ encompasses Endpoint Management which as of late, has taken on a number of names over the past few years.
The ‘MECM/SCCM Addendum pack’ started from administrators and field engineers’ inputs on actionable/manual intervention required alerts. While Endpoint Management has taken on a number of names over the past few years, monitoring the platform functionality has stayed pretty much the same. The underlying application infrastructure is based on registry key discovery of installed roles.
Add monitoring for MECM servers per health model through daily team report, alert cleanup, custom groups to address subscription objects, servers, custom disk and client cache cleanup workflows, and lastly service restart automation.
Quick overview
The classes and DataSource/WriteAction alert reports require updates to target server naming convention(s). The alert report is most effective this way, only giving the administrator/AppOwner alerts relevant to owned/supported servers. Why – make the changes most effective, i.e. alert when manual intervention required.
Workflows, classes, and MonitorType
Update Discovery to find/replace hashtags
Leveraging Kevin Holman’s MP fragment find/replace common variables notated by the ##variable##, we begin by updating the ##MECMServerNamingConvention## with a regular expression of the servers involved with Configuration Management.
Second, we update the disk specific alerts if drives fill, where different amounts of space is required to alert before application/server crashes, different than the OS Logical Disk full composite alerts for % and MB free alerts. These disk specific updates allowing administrator to get unique alerts for common disk full scenarios.
Third, update MECM Group discoveries for various regular expressions.
Lastly, review MECM Rules, Tasks, Monitor and Overrides for pack functionality.
After updating relevant pieces, save file, move to SCOM MS, and Import.
My customers have loved this, hopefully this experience is shared!
Trellix bought McAfee, and rebranded, but the service, application, registry keys, etc. have not yet changed. Many times, the pack fills in the gaps that the admin misses. Examples when Application services crash or become non-responsive, or just adding the capability to summarize issues seen in a daily alert report.
System Event ID 7031 is logged for each application/service when the process has issues?
Trellix agent services have a monitor alert when System Event Log, EventID 7031 events have the agent services in the event description.
Second, my own spin for Application monitoring starts with the mantra ‘smarter vs. harder. Besides dynamic discovery based on registry key, adding the Service MonitorType gives additional monitorign flexibility adding Samples and Intervals to decrease false positive alerts. Simply put – count logic – x failures in y time before alerting.
Service MonitorType adds Samples and Intervals to decrease false positive alerts.
Third, the pack adds Trellix Agent rules, monitors, on-demand report task, and recovery scripts build out the manual intervention required alert action mantra.
Trellix Agent rules, monitors, on-demand report task, and recovery scripts build out the manual intervention required alert action mantra.
The MCM addendum pack helps monitor MEM. See start menu folder structure for Endpoint Manager software.
Rebranding central – MEM, EM, MECM, SCCM, Configuration manager, depending on the synonym, we’re referring to the same product. Tune the most common critical alerts per the health model to warning.
Did you know – MCM discoveries are based on registry keys added with various role installs on windows servers. These registry keys are typically under this path: HKLM\SOFTWARE\Microsoft\SMS\Operations Management\Components
What capabilities does the ‘MCM addendum pack’ provide?
Quite simply, the pack provides warning severity overrides for common alerts, disable event collection rules.
9 overrides for monitors and rules included in addendum.
Includes warning severity changes for the following rules and monitors:
Leverage DHCP addendum to tune DHCP subnet monitoring.
Leverage the ‘DHCP Addendum pack’. Why? DHCP manages IP ranges, particularly customer facing issues like VPN connectivity, VDI/AVD/appliance devices, as well as client workstations/laptops/GFE’s. The DHCP management pack alerts when a subnet is nearing zero available IP’s before you have an outage. This article will help you understand how the addendum’s new capabilities tune DNS monitoring to best practice.
What capabilities does the ‘DHCP Addendum pack’ provide?
Two groups, one DHCP server group, and DHCP subscription group to configure notifications to SME for DHCP related classes
Overrides for common alerts, disable event collection rules
Utilize the DHCP Addendum
Download the DHCP Addendum on GitHub, to get alerts where manual intervention required.
Update XML
The pack greatly decreases alerts, and the XML authoring is an easy feat. After you import the pack, find/replace is required for two pieces.
Discovery group regular expressions (RegEx)
##DHCPServerRegEx##
Find ##DHCPServerRegEx## and replace with your DNS server expressions.
Example server names: 12dc01, 19dc01,19dc02,19dc03, etc.
RegEx = (?i)12dc0|19dc0
Using PowerShell on SCOM management server (MS) to determine group GUIDs for replace in Overrides/Discoveries.
Update group GUIDs, after installing this pack.
Find/replace the GUIDs, as they are unique to every SCOM management group, hard coding the group ID GUID is not possible. We will be running Get-SCOMClassInstance to determine the group GUID’s applicable in the management group.
From PowerShell, on your SCOM management server, run get-SCOMClassInstance commands for the two groups added.
get-scomclassinstance -DisplayName “Microsoft Windows DHCP 2016+ Servers” | ft Id
get-scomclassinstance -DisplayName “Microsoft Windows DHCP 2016+ subscription components” | ft Id
Example
Leveraging Notepad++ to find/replace the group GUID with SCOM environment specific GUIDs
Find/Replace the GUID in the pack with the ID from the output above.
OS Addendum packs for Windows Server from 2012 forward
Download the ‘OS Addendum packs’ for new capabilities contains Event count logic monitor type, Disk cleanup, Group Policy, self-healing/reset monitors, as well as ‘eventLog full’ logic and reports. Additional monitors reduce alert noise. Examples of common alert scenarios are: StorPort storage errors, Group Policy 1096 identification and rebuild. Disk Cleanup & EventLog service recovery, which includes Event Log file expansion and rollover.
Update logical disk paths and retentions. The default report contains quite a few common checks, including root folders broken out by path, highest to lowest GB’. The workflow is scalable to add additional application paths, as well as file retention timeframes. Workflow runs on a weekly basis to cleanup/archive log files, paths. See Disk cleanup logic blog for more details.
‘ OS Addendum packs’ contains Logical disk breakdown of root folders to list paths were files stored, highest to lowest
UpdateStorPortCountForRepeatedStorageErrors
StorPort storage errors typically cut lots of alerts with storage reads/writes. The ‘count’ monitors decrease the alerts, and the daily alert report consolidates the warning alerts (critical by default). If you’re seeing these alerts, the default should decrease overall alerts to near zero. Tune as needed for disk alerts, by updating MatchCount or TimerWait in Seconds (the x events in y time piece of the monitor logic)
Update StorPort Count for Repeated Storage read/write errors
Logical disk cleanup, most times is harder vs. smarter manual intervention required, why not smarter vs. harder?
‘Disk cleanup logic’ traditionally follows manual intervention. Why would you want harder and manual? This article will present options to clean up system and non-system disks, by leveraging largest root folder, API’s and more. This is one step in the OS Addendum pack that needs explanation and can be tailored to applications where admins have regular manual cleanup actions.
Breakdown of Disk cleanup
We want to check system disks and non-system disks for different scenarios. Figure out Disk free space, user profiles, largest folder on root of disk, IIS cleanup, and MECM/SCCM client cache clear API. Second, utilize different behaviors depending on PowerShell version, application log(s) cleanup, and expand drive alerts when NO space after cleanup action.
Check Software Distribution for ConfigMgr/SCCM/MECM client
Checking software distribution path was an item for discussion where the folder was larger than 3GB, stemming from customer and field engineers recommendations.
If ($DiskFreeSpace.FreeSpace -lt 15 )
{
# Audit Software Distribution
#==================================
If ( $SoftwareDistribution -lt “3000” )
{
Write-host “NO SME/SystemOwner/SysAdmin/Server Action required”
}
If ( $SoftwareDistribution -gt “3000” )
{
Write-host “SME/SystemOwner/SysAdmin/Server Action required, stopping Windows Update service, removing SoftwareDIstribution folder and restarting”
Get-Service -Name wuauserv | Stop-Service
Remove-Item -Path C:\Windows\SoftwareDistribution -Recurse
Get-Service -Name wuauserv | Start-Service
Write-host “Windows Update wuauserv service restarted after SoftwareDistribution directory removed”
}
Cleanup Application log folders
The nice part of this is you can reuse this by changing the path and deletion actions to tailor to customer environment. The script comes in handy for VEEAM, SQL, IIS instances and log directory on multiple drives.
The PKI addendum pack monitors PKI certificate hierarchy. Certificates can be a challenge, where we want to change focus to WHEN manual intervention is required.
The ‘PKI Addendum pack’ is a tricky pack, due to certificate hierarchy. The decisions included are part of the three pillars – health, Security, Compliance, as well as alerting WHEN manual intervention required.
The PKI pack provides discoveries of the server certificate stores to then analyze certificates for validity, chain, and expiration. The v1.4.3.0 release adds some task logic and script changes that helps discover more stores, trusted root, etc.
WHAT CAPABILITIES DOES THE ‘PKI ADDENDUM PACK’ PROVIDE?
Set timeframe for certificate per organizational standards.
Break out different expiration alerts based on internal/external certificate, or by AD Client Certificate enrollment templates (to build out the manual intervention required scenario when alerts are generated).
Create groups breaking out application self-signed, PKI certificates.
Separate RDP Auth, Domain Controller, Computer, and OCSP certificates.
If this sounds interesting, and you want to dabble in XML authoring…
Download the pack from GitHub to improve PKI monitoring on Windows Servers.
Additional screenshots of addendum components
Addendum pack creates multiple groups to break out various types of certificates that have different decisions/behaviors requiring unique timing
Groups
Addendum pack created groups to help admins get to the ‘manual intervention’ required alerting goal.
Discoveries
Leverage dynamic groups based on server name and EnhancedKeyUsageList (EKU) list
PKI dynamic group discoveries
Overrides
Change PKI pack default discoveries, lifetime threshold expirations and more
Override PKI pack defaults
DOCUMENTATION AND LINKS
Addendum requires the PKI Certificate MP release v1.4.3.0 download
Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built.
Shout out to Neal Smith, for his help simplifying the ‘SCOM agent application’ install per ConfigMgr/MECM best practice! Stop using the SCOM console to push agents. Move this to Endpoint Manager as application/package and task sequence to install and configure on every server built. Need a MECM package (Application) for the SCOM agent. Leverage a best practice, be more secure, include in task sequence, and automate manual install.
Easy button wrapper
Why? Helpdesk and server admin teams don’t have access to Tier0 devices. After no access, the Manual process (instruction steps get missed), then server is not monitored, becoming an outage resolution task/follow-up.
Use the below thread = ‘easy button’ to package SCOM agent when MECM administrator has availability to add SCOM agent to SCCM task sequence.
MECM/SCCM Application/package script :
Using Powershell.exe:
###############Startscript
“SCOM Super Installer”
start-transcript -path “c:\windows\ccm\logs\SCOMSUPERINSTALLER.log”
##ONLY THIS SECTION NEEDS TO BE EDITED, replace different domain FQDNS and the gateway/management server(s), management groups
# Leverage find/replace for the ##something## variables
# Provide SCOM Gateway or SCOM management server MS for $SCOMGATEWAYFQDN variable.
# Include SCOM Mgmt Group Name for ##SCOMMGMTGroupName##
Switch ($domain) {
“##DomainFQDN1##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
“##DomainFQDN2##” {$SCOMManagementGroup=”##SCOMMGMTGroupName##”;$SCOMGATEWAYFQDN=”##SCOMServerName##”}
}
########ONLY THIS SECTION NEEDS TO BE EDITED
Lastly, after SCOM agent added to Endpoint Manager, monitoring new servers should be a no-brainer. One less manual step having ‘SCOM agent application’ as part of the task sequence.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
