January addendum updates

Fast and Furious (sarcasm and humor)
Fast and Furious (sarcasm and humor)

January addendum updates for multiple management packs

First, the biggest change item for large enterprise environments included a change in syntax for get-SCOMAlert
Example
get-scomalert -ResolutionState (0..254) -Name “##stringhere##*”
get-scomalert -ResolutionState 255 -Name “##stringhere##*”
Second, another change with the repo’s was a ‘whitespace audit’ encoded characters, or ‘data concealment’.  See AT&T link CyberSecurity Link
Third, after whitespace we focused on script/workflow efficiencies seen in large enterprise environments.  While Efforts began in December, the workflow efficiencies sprint resulted in two sets of improvements.
Fast and Efficient
Fast and Efficient
1) Added ‘Reset Monitors Script base code’ $Age variable
What does this mean?
Simply put $Age allows admins to define monitor age before resetting.
The default is 1 (day), but can be specified in the script to tailor to requirements.
Example
$Age = [DateTime](Get-Date).AddDays(-1)
2) Beyond incorporating $Age into the reset monitor logic, the packs utilize logic for a much faster runtime (~90%+).
What does this mean?
Updated logic quickly gathers unhealthy monitor objects, by leveraging ‘Get-SCOMManagementPack‘ and then ‘Get-SCOMClass‘, before passing to ‘Get-SCOMClassInstance‘.
Example PowerShell
## Grab the MP, get the Monitors and Rules from the MP, then grab all alerts found inside the Monitors/Rules
$SCOMCoreMP = Get-SCOMManagementPack -DisplayName “Microsoft Windows Server DNS Monitoring”
# Get classes – Examples –
$Monitoring = $SCOMCoreMP
# DNS pack naming
$DNSClasses = @(Get-SCOMClass -ManagementPack $Monitoring; )
$DNSClass = $DNSClasses | sort -property Name -uniq

Repo’s updated in January

January addendum updates include:
ADCS, ADDS, DNS, DFS/File Services, IIS, SCCM pack for MECM/MEM/MCM monitoring, Operating Systems, Proactive NOSC Daily Tasks, and Tangible ProV application monitoring.

Links below to GitHub repositories (repo’s)

Tangible ProV application monitoring

Tangible ProV application monitoring - (touch)
Tangible ProV application monitoring – (touch)

 

Use the Tangible SCOM management pack to monitor logins and ProV application registration issues.  First, the management pack configures Seed class discovery.  Second, the pack includes rules/monitors for Tangible ProV software.  Third, rules and monitors for 2802 ‘Could not validate product key’ and 4402 ‘Could not validate the contents of user logon request context: AS-REQ contains an invalid or unknown username type’ events.  Fourth, the service monitor, which uses Kevin Holman’s fragment library for service recovery scripts/rules.  Fifth, scheduled and on-demand daily reports for audit and record keeping purposes.  Lastly, alert cleanup logic, to reduce admin burden and overhead.

 

Reference the Tangible vendor’s website – Tangible ProV application website

 

NOTE: This may not apply for everyone, as the ProV application ‘Auto-provisions Active Directory user accounts for visitors or new employees whenever they want to work from one of your PCs.’

 

The Daily report piece of the pack makes things easier answering ‘what happened in the last 24-72 hours’ question.  Gathers open/closed insights and organizes alerts.

Screenshot of the daily report

Zero Alert example of daily report
Zero Alert example of daily report

Report example of insights (in text)

Open ProV alerts = 13Since last report run:#———————–Total ProV alerts = 23Auto-closed monitors = 22Auto-closed rules = 0Total automation closures:#—————————Auto-closed monitors = 262Auto-closed rules = 0# Unhealthy Tangible ProV service alert details#==============================================NetbiosComputerName TimeRaised           RepeatCount Name                     ——————- ———-           ———– —-                     DC01        8/11/2023 5:18:14 AM           0     Tangible ProV ProVService…

 

All in all, the daily report utilizes get and set-SCOMAlert to accomodate large enterprise environments.

$OpenAlerts = get-scomalert -ResolutionState (0..254) -Name “Tangible ProV ProVService Service*”

$OpenAlerts = $OpenAlerts | ? { $_.TimeRaised -ge $Time }
# $OpenAlerts.count

# Closed alerts
$ClosedAlerts = get-scomalert -ResolutionState 255 -Name “Tangible ProV ProVService Service*” | ? { $_.TimeRaised -ge $Time }
# $ClosedAlerts.count

 

 

Tangible ProV application monitoring details and download

GitHub https://github.com/theKevinJustin/TangibleProV

Download here

 

Configure SCOM agent from PowerShell

Configure SCOM agent from PowerShell
Configure SCOM agent from PowerShell

 

Ever have a need to configure a SCOM agent outside the SCOM Console GUI using SCOM.Management pack?   Tyson’s ‘SCOM Helper PowerShell module’ on monitoringguys.com may assist if you can update PowerShell and SnapIn’s.  If Tyson’s solution may not be an applicable solution in a locked down environment, the blog is a PowerShell script to manage agent configuration.

 

A shout out to Aris for his watchful eye testing and playing with this!

 

Configure SCOM agent from PowerShell

GitHub Download  https://github.com/theKevinJustin/SCOMAgentInstallApplication/

First, let’s begin the conversation.  Leverage the PowerShell script to configure SCOM/MOM agent per domain(s).  Whether DMZ forest(s), or multiple forests with SCOM gateways, the script will enable configuration management.  Alternatively, add script as a compliance check to the Configuration Management tool, or as a post install step to configure SCOM Agent (MomAgent.MSI) via application or package.  Third, utilize the PowerShell script where agent upgrade is a pre-req to resolve ‘a really old SCOM agent version’.   Lastly, the script also tests network connectivity, and verifies if configuration is requested/loaded.

 

It all starts with this object from the command:

$SCOMAgent = New-Object -ComObject AgentConfigManager.MgmtSvcCfg

 

Use the PowerShell script to:

Clean up extraneous management groups

Determine domain

Check network connectivity via test-netconnection

Reset healthservice to expedite agent configuration

 

 

Background

Because Kevin Holman blogged this almost 10 years ago in VB, and I’m pretty rusty in VB these days.  Check out Kevin’s blog titled ‘Using the agent scripting objects on a SCOM 2012 agent‘.

 

Documentation

Download https://github.com/theKevinJustin/SCOMAgentInstallApplication/

Kevin Holman’s blog for VB commands

Using the agent scripting objects on a SCOM 2012 agent

The agent configuration objects in MSDN http://msdn.microsoft.com/en-us/library/hh328967.aspx

 

Install SCOM agent MSI via command line

MECM application for SCOM agent MSI
MECM application for SCOM agent MSI
Shout out to AT and Aris for his help with this!

 

Install SCOM agent MSI via command line and roll into a ‘SCOM agent’ MECM application package.

Why an application/package?  Many times, servers are built, and the IT Enterprise doesn’t find out device is NOT monitored until it’s involved in an outage.  Proceed to add to your Configuration management tool will provide a consistent configuration to avoid the ‘NOT monitored’ configuration.

 

While there are a few options to build out a MCM/MEM/MECM/SCCM application/package to install the SCOM agent on managed windows machines.  In August, I posted Neal’s updates to install/configure the SCOM agent.  Neal’s scenario works great for a new environment, and it’s simple PowerShell.  Also, if Neal’s scenario with PowerShell is NOT your preference, try the batch file below.  Another key point, the script has logic for multiple forests and SCOM gateways (to connect said forests).  Basically test the command line script, then roll into a MCM/MEM/MECM/SCCM application/package.  Have the SCOM agent added to task sequence which consequently includes the SCOM agent in the default build.

 

 

Install SCOM agent command line script

First – NOTE each line has no hidden line feed/carriage returns

Second – go through the variables before testing

Variables to review/replace:

##SCOMManagementGroup##      # SCOM Management group, seen in SCOM console on top left corner

SCOMManagementServer##     # SCOM management Server in primary domain
##SCOMManagementServerGW##     # SCOM first gateway
##SCOMManagementServerGW2##     # Second gateway
##Domain## as forest FQDN
##Domain2## as forest FQDN

Determine domain –

‘systeminfo | findstr /i /c:”domain” | findstr /i /c:”##Domain##”

Example Lab output

C:\> systeminfo | findstr /i /c:”domain” | findstr /i /c:”testlab”
Domain:      testlab.net

 

Third – Find/Replace ##hashtagged## variables and test away!

@echo off

cls

REM This script command line is for NEW installs of the agent (nothing prior)
REM Replace ##SCOMManagementGroup## SCOM Management group, seen in SCOM console on top left corner

ECHO Installing SCOM 2019 Windows Agent…

echo Determining domain….

REM Determine if machine is in DMZ….

systeminfo | findstr /i /c:”domain” | findstr /i /c:”DMZ” && (

echo Machine found to be in DMZ…installing for that enclave and management server: ##Domain2##”

echo.

%WinDir%\System32\msiexec.exe /i %~DP0MOMAgent.msi /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=##SCOMManagementGroup## MANAGEMENT_SERVER_DNS=##SCOMManagementServerGW## SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 NOAPM=1 AcceptEndUserLicenseAgreement=1

echo.

GOTO Logging)

REM Determine if machine is on domain….

systeminfo | findstr /i /c:”domain” | findstr /i /c:”##Domain##” && (

echo Machine found to be in ##Domain##…installing for that enclave and management server: ##Domain##

echo.

%WinDir%\System32\msiexec.exe /i %~DP0MOMAgent.msi /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=##SCOMManagementGroup##  MANAGEMENT_SERVER_DNS=##SCOMManagementServer## SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 NOAPM=1 AcceptEndUserLicenseAgreement=1

echo.

GOTO Logging)

REM Neither DMZ or domain joined found above…look for alternate domain(s)

REM These all share this same management server: FOREST2.FQDN and Gateway server

%WinDir%\System32\msiexec.exe /i %~DP0MOMAgent.msi /qn USE_SETTINGS_FROM_AD=0 USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=##SCOMManagementGroup## MANAGEMENT_SERVER_DNS=##SCOMManagementServerGW2## SECURE_PORT=5723 ACTIONS_USE_COMPUTER_ACCOUNT=1 NOAPM=1 AcceptEndUserLicenseAgreement=1

:Logging

ECHO Installing SCOM 2019 Windows Agent Completed…>> C:\Windows\Logs\SCOM2019Agent.log

time /t >> C:\Windows\Logs\SCOM2019Agent.log

date /t >> C:\Windows\Logs\SCOM2019Agent.log

 

Lastly enjoy!   In summary, I hope the ‘Install SCOM agent MSI via  command line’ script helps get the agent deployed faster, and more consistent!

Improving SCOM Monitor reset logic

Faster - Improving SCOM Monitor reset logic
Faster – Improving SCOM Monitor reset logic

 

My thanks to Aris Somatis for his deep dive reviewing the packs with me, particularly new use cases.  The PowerShell below builds on Scott Murr’s initial TechNet published logic from years back.  Consequently, the reset logic provides a ‘manual intervention required’ alerting/monitoring system.

 

 

Improving SCOM monitor reset logic

Calling the reset method has been a game changer for my customers – including operators, system and application owners!

Background

Scott’s reset logic, from SCOM2012, helped administrators reset unhealthy monitors where alerts may have been closed.  Because Scott leveraged the ResetMonitoringState method, the community gained a way to keep true health.  Additionally, many administrators and engineers built custom management packs to provide solutions.  Second, the addendum packs blog brought in more options – best practices, lessons from the field (and customers), and health model accurate alerting for what was really broken in the environment.  Third,    addressing ‘gaps’ or ‘blind spots’ from product teams.   As a result of NEW monitoring, the packs may include: rules/monitors, datasource/writeAction (DS/WA) workflows, recovery tasks and automation, count logic monitors, overrides, discoveries, and groups.    Thirdly, to take monitoring to the next level.  To top that off, with very little/NO cost compared to competitors!

PowerShell code

Aris’s Age use case takes this even further.  Using monitor age allows further analysis to dial down ‘monitor reset’ to object is X days old.  Comparatively, the 24-72 hour setup default is used in the addendums, so Age provides a second option.  Third option can rely on SCOM’s built-in cleanup, but that’s typically 14-30 days.   Overall, flexibility is a good thing.

 

# Specify age variable for your environment

$Age = [DateTime](Get-Date).AddDays(-7)

 

PowerShell code snippet

First, the reset logic can pivot on the age requirement.  Then, adjust the Age variable per requirements.  Third, figure out which method applies to gather a unique list of classes, whether by partial string(s), or by management pack name(s).

 

Set age variable (how long ‘OLD’ monitors might be stale and need reset)

# Example sets $Age variable to 7 days ago (-7)

$Age = [DateTime](Get-Date).AddDays(-7)

 

 

Unpack two different ways to gather classes for monitors to reset

# When common string name exists in all classes

Example DFS/FileServices packs all have one of the three strings:

# DFS pack naming

$DFSClasses = @(Get-SCOMClass -Name “*FileServices*”; Get-SCOMClass -Name “*FileServer*”; Get-SCOMClass -Name “*DFS*” )

$DFSClass = $DFSClasses | sort -property Name -uniq

# Debug

$DFSClass.Count

 

# Get AD classes – Microsoft.Windows.Server.AD.2016.Discovery, Microsoft.Windows.Server.AD.Library

$ADLibrary = Get-SCOMManagementPack -name “Microsoft.Windows.Server.AD.Class.Library”

#get-scomclass -ManagementPack $ADLibrary

$ADMonitoring = Get-SCOMManagementPack -name “Microsoft.Windows.Server.AD.2016.Monitoring”

#get-scomclass -ManagementPack $ADMonitoring | fl DisplayName,Name,ID

$ADDiscovery = Get-SCOMManagementPack -name Microsoft.Windows.Server.AD.2016.Discovery

#get-scomclass -ManagementPack $ADDiscovery | fl DisplayName,Name,ID

# ADDS pack naming

$ADDSClasses = @(Get-SCOMClass -ManagementPack $ADLibrary; Get-SCOMClass -ManagementPack $ADDiscovery; )

# NOTE Excluded AD Monitoring pack as NO classes existed

$ADDSClass = $ADDSClasses | sort -property Name -uniq

 

# Debug count of unique classes

$ADDSClass.Count

 

 

Reset monitor PowerShell screenshot

Download from GitHub https://github.com/theKevinJustin/SCOMMonitorReset

SCOM Reset PowerShell
SCOM Reset PowerShell

 

Example PowerShell on HealthService resets

NOTE debug logic enabled

0
Found 0 unhealthy monitors for class Microsoft.SystemCenter.HealthServicesGroup
1
Found 1 unhealthy monitors for class Microsoft.SystemCenter.HealthServiceWatcher

Resetting Health State on ' + Microsoft.SystemCenter.HealthServiceWatcher:Microsoft.SystemCenter.AgentWatchersGroup;5e0
4f804-8b71-6eb6-0101-dcbb58022498 + '

Guid
----
0218d239-3d37-f9b1-75d2-6d52c2c7c0c1


Documentation/Sources

Building on Scott’s idea – (retired links)
Original post https://sc.scomurr.com/scom-2012-monitor-reset-cleaning-up-the-environment/
TechNet gallery download https://gallery.technet.microsoft.com/SCOM-2012-Batch-reset-63a17534
Alternate link https://gallery.technet.microsoft.com/scriptcenter/Auto-reset-script-for-d8b775ca

Delete PKI certificates

Don't you wish this were the certificates we worked with!
Don’t you wish this were the certificates we worked with!

 

Man, I wish I had a few of these certificates in my PKI infrastructure (portfolio)!  Ever need to identify an expired certificate, and or delete the certificate?  Depending on UAC, AppLocker, and other settings, the delete portion may require server logon.

 

 

Identify an expired certificate

Few ways to identify an expired certificate on servers.

Via RDP session to server

RDP to server, open MMC > Add Plug In > Certificates > for Computer

RDP to server, MMC, Certificates Plug In, Computer, expand certificate store to find expired certificate.
RDP to server, MMC, Certificates Plug In, Computer, expand certificate store to find expired certificate.

 

Via PowerShell

GCI Cert:\LocalMachine\*

The certificate store file path will vary the above command.

NOTE the SuperUser blog post will help decipher the folder name

 

Via ‘smart’ PowerShell across multiple machines

Courtesy of Vance Cozier!

“server1”,”server2″| % {invoke-command $_ -scriptblock {$env:ComputerName; GCI Cert:\LocalMachine\* }}

 

Via Monitoring for expired certificates

Using SCOM Certificate Monitoring or PKI monitoring management packs

Identify Expired certificates

Console navigation steps:

From SCOM console > Monitoring Tab

Expand PKI folder > Expand Certificates and CRLs folder

Click on ‘Certificates – Expired’ state view

SCOM Expired PKI certificates state view.
SCOM Expired PKI certificates state view.

 

Did you know

Run PowerShell commands from Holman’s SCOM Management pack (blog)- github download

Run PowerShell from Monitoring tool

From SCOM console > Monitoring Tab > SCOM Management folder > SCOM Agents

Highlight agent(s)

From Tasks Pane > click on ‘Execute any PowerShell’ task

SCOM Management pack, SCOM Agents, highlight agent(s), click on Task Pane > Execute any PowerShell task.
SCOM Management pack, SCOM Agents, highlight agent(s), click on Task Pane > Execute any PowerShell task.

On the pop-up window, click Override

Adjust timeout to 70 (seconds)

Override command line

Run the following commands (various Certificate store examples provided for removing expired certificates)

Personal Certificates folder

Get-ChildItem Cert:\LocalMachine\My | ? { (( $_.Subject -like “*GlobalSign*” ) -OR ( $_.Issuer -like “*GlobalSign*” )) -and $_.NotAfter -lt (get-date) } | fl Subject,Issuer

Trusted Root folder

Get-ChildItem Cert:\LocalMachine\Root | ? { ( $_.Subject -like “*GlobalSign*” ) -OR ( $_.Issuer -like “*GlobalSign*” ) } | fl  Subject,Issuer

Third Party Root

Get-ChildItem Cert:\LocalMachine\AuthRoot | ? { (( $_.Subject -like “*GlobalSign*” ) -OR ( $_.Issuer -like “*GlobalSign*” )) -and $_.NotAfter -lt (get-date) } | fl Subject,Issuer

Run PowerShell task.
Run PowerShell task.

Click OK button to close Overrides window

Click OK to run task

View task output

PS C:\Users\admin> Get-ChildItem Cert:\LocalMachine\Root | ? { ( $_.Subject -like “*GlobalSign*” ) -OR ( $_.Issuer

like “*GlobalSign*” ) } | fl Subject,Issuer

 

Subject : CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

Issuer  : CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

Subject : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA – R2

Issuer  : CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA – R2

 

 

Once task completes, go back to the Certificates state view > highlight the certificate > Click the Rediscover Certificates task

SCOM PKI Certificate state view
SCOM PKI Certificate state view

 

 

 

Delete PKI certificates

After identifying correct certificate and folder in question that requires deletion:

    1. Verify backup of certificate
    2. Test delete via PowerShell window from SCOM

Get-ChildItem Cert:\LocalMachine\AuthRoot | ? { ( $_.Subject -like “*GlobalSign*” ) -OR ( $_.Isser -like “*GlobalSign*” ) } | Remove-Item -DeleteKey

  1. Verify Task output shows certificate deleted
  2. Refresh MMC GUI > Certificates plug in, and folder to verify certificate deleted
  3. Go back to SCOM Console Monitoring Tab
  4. Expand PKI folder
  5. Expand Certificates and CRLs folder
  6. Click on Certificates – Expired state view
  7. In Tasks pane on right, click on Rediscover certificates task, Click OK to run
  8. Open Health Explorer and reset monitor to clear alert

Alternatively, leverage PowerShell reset logic on SCOM MS, use blog

 

 

Documentation

SCOM Certificate monitoring TechCommunity blog https://techcommunity.microsoft.com/t5/system-center-blog/scom-management-pack-for-certificate-monitoring/ba-p/3619299

Download SCOM Certificate monitoring pack https://www.microsoft.com/en-us/download/details.aspx?id=104858

Long-standing PKI certificate pack and blog https://blog.topqore.com/new-version-pki-certificates-monitoring-pack-for-scom/

Identify certificate stores to windows folders https://superuser.com/questions/217719/what-are-the-windows-system-certificate-stores

STIG finding V-69223 https://www.stigviewer.com/stig/zos_tss/2016-06-30/finding/V-69223

File Services Addendum

File Services is all about sharing.
File Services is all about sharing.

‘File Services Addendum’, named Microsoft Windows Server FileServices 2016 Addendum, adds replication health/backlog script, seed and group classes, replication/service monitors, recovery tasks, and overrides to tune monitored environment.

 

Quick Download HTTPS://GITHUB.COM/THEKEVINJUSTIN/FILESERVICESADDENDUM

 

Overview of File Services monitoring

Addendum assumes the file services version agnostic version 10. pack is installed.

Looking at XML file in Notepad++, the pack references are what packs the workflows refer to (other management packs).  Kevin Holman taught building backwards compatibility with MP authoring.  Backwards compatibility allows SCOM2012+ import without errors.  To take this one step further, the v10.0.0.0 file services packs referenced represent the version agnostic packs.

NOTE: File Services Addendum references may need updates if the whole file services management packs are NOT installed.

References screenshot

File Services Addendum references may need updates if the whole file services management packs are NOT installed.

 

Addendum logic

Capabilities

Daily report and close automation, on-demand tasks for reports

DFS backlog script errors

SmSvc, DFSN, DFSR service recovery and rule alerts (from Holman fragments library)

DFS replication backlog watcher, script, alerts

 

Notepad++ screenshot

Addendum rules, tasks, monitors, recoveries.

 

Next, we look at the group/class discoveries

Update the Class/Group discoveries for DFS servers or script install paths for replication script.
Update the Class/Group discoveries for DFS servers or script install paths for replication script.

Update Class/Group discoveries for DFS servers or script install paths for replication script.

Find and replace FilePath and ##DFSServerNamingConvention## variable.

Save file and Import

 

 

Documentation

Kevin Holman MP authoring with fragments https://kevinholman.com/2019/01/17/mp-authoring-with-fragments-introducing-combo-fragments/

Kevin Holman MP fragment library https://github.com/thekevinholman/FragmentLibrary

Addendum GitHub Repository HTTPS://GITHUB.COM/THEKEVINJUSTIN/FILESERVICESADDENDUM

IIS addendum packs

IIS addendum packs to tune IIS from 2012 forward.

IIS addendum packs to tune IIS from 2012 forward.’IIS addendum packs’ to tune IIS from 2012 forward.  The GitHub repository has two packs 2012/2016+ (version agnostic pack).  This includes an IIS enabled group, Daily report and cleanup DataSource and WriteAction (tasks), as well as a regular expression to set up the IIS enabled group.  The IIS enabled group is to enable IIS monitoring on servers IIS monitoring is needed.

 

 

Customize for environment

Update addendums to server naming conventions for enabled IIS monitoring.  Read below to better understand addendum functionality.

First, the addendums include class/group, datasource and write action alert reports and automated alert closure workflows, as well as event count logic/reset monitorType.

Addendum includes class/group, datasource and write action workflows for alert reports and automated alert closure, as well as event count logic reset monitorType.

 

Second, the group discovery, find/replace the pattern to various application/web server naming conventions where IIS monitoring IS wanted.

Third, the version agnostic has overrides to disable most perf and rule alerts.  Can provide OFF packs to turn off performance counter collection rules, to keep both the OperationsManager, and OperationsManagerDW databases cleaner, thereby faster with less data.

IIS2012 overrides
IIS2012 overrides

Lastly, once addendum updated, save file, move to SCOM MS, and import.

Enjoy the ‘IIS addendum packs’ for how few alerts, perhaps life changing?! (sarcasm)

 

 

Documentation

Download Addendum packs https://github.com/theKevinJustin/IISAddendums

IIS2012 SCOM Management pack download https://www.microsoft.com/en-us/download/details.aspx?id=34767

IIS2016+ SCOM management pack download https://www.microsoft.com/en-us/download/details.aspx?id=54445

Proactive Security bundle

DC Security bundle pack is much like the various universe/multiverse sci fi storylines.
DC Security bundle pack is much like the various universe/multiverse sci fi storylines.

Proactive Security bundle to help with three (3) various DC authentication event sets encompassing Kerberos, NetLogon, and DCOM.  These events were enabled as part of the server cumulative patches.  The management packs run workflows on the servers, then combine into a daily alert report of the unique event description details.

 

 

Quick Download HTTPS://GITHUB.COM/THEKEVINJUSTIN/DCAUTHALERTS

 

Save the files from GitHub to your local SCOM MS and import.

 

Proactive Security bundle components

Proactive DC Kerberos KDC Authentications 1.0.0.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC Kerberos authentication alerts on CA, DC role servers, as well as any operating system. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No

Proactive DC NetLogon Allowed Sessions 1.0.3.1
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC NetLogon authentication alerts on DC role servers. Daily alert report consolidates alerts as well as on-demand report tasks.
Change Impact: Low
Security Impact: Low
Any testing needed: No

Proactive Microsoft Windows DCOM Server Security Bypass 1.0.0.8
Download: https://github.com/theKevinJustin/DCAuthAlerts
Documentation: https://kevinjustin.com/blog/2023/08/30/DC-Auth-Alerts/
Purpose: Monitor DC DCOM security bypass event ID’s 10036,7,8 in Security EventLog. Pull from DC and run SCOM alert report, as well as on-demand report task.
Change Impact: Low
Security Impact: Low
Any testing needed: No

MECM/SCCM Addendum pack

The 'MECM/SCCM Addendum pack' encompasses Endpoint Management which as of late, has taken on a number of names over the past few years.
The ‘MECM/SCCM Addendum pack’ encompasses Endpoint Management which as of late, has taken on a number of names over the past few years.

The ‘MECM/SCCM Addendum pack’ started from administrators and field engineers’ inputs on actionable/manual intervention required alerts.  While Endpoint Management has taken on a number of names over the past few years, monitoring the platform functionality has stayed pretty much the same.  The underlying application infrastructure is based on registry key discovery of installed roles.

 

 

Quick Download https://github.com/theKevinJustin/MCMAddendum

 

 

Tailor the addendum for environment

Add monitoring for MECM servers per health model through daily team report, alert cleanup, custom groups to address subscription objects, servers, custom disk and client cache cleanup workflows, and lastly service restart automation.

Quick overview

The classes and DataSource/WriteAction alert reports require updates to target server naming convention(s).  The alert report is most effective this way, only giving the administrator/AppOwner alerts relevant to owned/supported servers.   Why – make the changes most effective, i.e. alert when manual intervention required.

Workflows, classes, and MonitorType

Addendum Classes, DataSource, WriteAction, and Unit MonitorType to build out 'manual intervention required alerting'.

 

Update Discovery to find/replace hashtags

Leveraging Kevin Holman’s MP fragment find/replace common variables notated by the ##variable##, we begin by updating the ##MECMServerNamingConvention## with a regular expression of the servers involved with Configuration Management.

Subscription group example of relevant classes for subscription notifications for Application/System Owners.

Second, we update the disk specific alerts if drives fill, where different amounts of space is required to alert before application/server crashes, different than the OS Logical Disk full composite alerts for % and MB free alerts.  These disk specific updates allowing administrator to get unique alerts for common disk full scenarios.

Disk specific updates allowing administrator to get unique alerts for common disk full scenarios.

 

Third, update MECM Group discoveries for various regular expressions.

MECM Group discovery updates for various regular expressions.

 

Lastly, review MECM Rules, Tasks, Monitor and Overrides for pack functionality.

MECM Rules, Tasks, Monitor and Overrides for pack functionality.

 

After updating relevant pieces, save file, move to SCOM MS, and Import.

My customers have loved this, hopefully this experience is shared!

 

Documentation

Kevin Holman MP fragments

Endpoint Management https://learn.microsoft.com/en-us/mem/endpoint-manager-overview

Microsoft System Center 2012 Configuration Manager Monitoring 5.0.8239.1010
Download https://systemcenter.wiki/?GetCategory=System+Center+2012+Configuration+Manager