Windows Server 2016 vuln found in Security scans

FYI – came across this today with a customer where Security scans SCOM servers.


Please note this is NOT a SCOM issue or vulnerability, and SCOM uses TLS1.2 just fine.


Found the CVE-2017-8529 vulnerability on a SCOM server, so I thought it was a good idea to communicate this to the larger audience, in case Security finds vulnerabilities based on a customer's 2016 server hardening.

CVE-2017-8529 details:

The remote Windows host is missing security update KB4022715 or a registry key to protect the host against CVE-2017-8529. It is, therefore, affected by an information disclosure vulnerability that exists in the scripting engines of Microsoft browsers due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to disclose files on the user's computer.

The easiest way I found to update the server was via these two registry keys (64-bit and 32-bit WOW6432Node keys below)

# KB4022715
# Add registry key
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 0 /f
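The post applies the keys with reg add; the wrapper below is an added example (not from the post) that audits both registry paths and the KB4022715 hotfix first, so the scanner finding can be confirmed before and after the change. It takes the DWORD data as a parameter rather than hard-coding it, so the value written can be matched against Microsoft's advisory for CVE-2017-8529 before rollout; the paths and value name are the ones from the post.

```powershell
# Added example: audit and set the FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
# values that the CVE-2017-8529 check looks for. The data value is a parameter
# (assumption: confirm the correct value against Microsoft's advisory).

$featurePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
)
$valueName = 'iexplore.exe'

function Get-PrintInfoDisclosureFixState {
    # One row per registry path: does the key exist, and what does the value hold.
    foreach ($path in $featurePaths) {
        $data = $null
        if (Test-Path -Path $path) {
            $data = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        [pscustomobject]@{
            Path      = $path
            KeyExists = (Test-Path -Path $path)
            Value     = $data
        }
    }
}

function Set-PrintInfoDisclosureFixState {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Data
    )
    foreach ($path in $featurePaths) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name $valueName -PropertyType DWord -Value $Data -Force | Out-Null
    }
    # Return the post-change state so the caller can see both keys landed.
    Get-PrintInfoDisclosureFixState
}

function Test-Kb4022715Installed {
    # The scanner accepts either the update or the registry key, so report both.
    [bool](Get-HotFix -Id 'KB4022715' -ErrorAction SilentlyContinue)
}

# Audit before changing anything:
Get-PrintInfoDisclosureFixState | Format-Table -AutoSize
"KB4022715 installed: $(Test-Kb4022715Installed)"
```

Run the audit first; if KB4022715 is already present the key change is not needed for the scanner, and if it is not, Set-PrintInfoDisclosureFixState -Data &lt;value&gt; writes both the 64-bit and WOW6432Node keys in one go.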


UNIX Logical Disk classes

Time to talk about SCOM2019 UNIX classes!



Just came across an example where the UNIX Logical disk class was targeted.


Did you know: this class in the UNIX library is not like the Windows library, where Logical Disk has a matching discovery.

Logical Disk is broken out to the various UNIX flavors: each version of UNIX has its own class and discovery, but that class derives from the base class in the UNIX Library.


Let’s go through an example from the SCOM Console

Monitoring Tab > Discovered Inventory > Change Target Type


This lab example is for an Ubuntu (Universal Linux Library)

The Logical Disk target for the UNIX/Linux Core Library shows the same output in SCOM as the flavor-specific target (i.e. Logical Disk for the Universal Linux Operating System)



How’s that possible… ?

Let’s look at the examples for the various Logical Disk Classes.


AIX 7 pack – AIX Logical disk discovery/class

<ClassType ID="Microsoft.AIX.LogicalDisk" Abstract="true" Accessibility="Public" Hosted="true" Singleton="false" Base="Unix!Microsoft.Unix.LogicalDisk" />

Universal Linux Monitoring Library

<ClassType ID="Microsoft.Linux.Universal.LogicalDisk" Accessibility="Public" Abstract="false" Base="Linux!Microsoft.Linux.LogicalDisk" Hosted="true" Singleton="false" Extension="false" />

Linux Operating System Library

<ClassType ID="Microsoft.Linux.LogicalDisk" Accessibility="Public" Abstract="true" Base="Unix!Microsoft.Unix.LogicalDisk" Hosted="true" Singleton="false" Extension="false" />


This makes sense, as the Linux operating systems are SUSE, RHEL, Universal Debian and Universal RPM, while Solaris and AIX are their own operating systems. This explains the class hierarchy:


Flavor of Unix (Linux, Solaris, or AIX)

Version or flavor of Linux, Solaris, or AIX



How did I get to this conclusion?

MPViewer will help view the classes and discoveries.

What does this mean to me: create a single view that shows ALL UNIX 'Logical Disk' entries discovered. As the UNIX flavors all use the UNIX Logical Disk class as their base class, ALL the inherited classes are displayed.
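The same hierarchy can be confirmed from the OperationsManager module instead of MPViewer. The script below is an added example (not from the post): it walks each class's base chain to find everything derived from Microsoft.Unix.LogicalDisk, then queries instances through that one abstract base class, which is exactly why a single view targeted at UNIX Logical Disk shows every flavor. It assumes the OperationsManager module is available on a management server or console machine.

```powershell
# Added example: show which SCOM classes derive from Microsoft.Unix.LogicalDisk
# and list all discovered logical disks through that base class.
# Assumption: run where the OperationsManager module is installed.
Import-Module OperationsManager

function Get-ScomBaseChain {
    # Returns the class names from $Class up to the root of its inheritance chain.
    param([Parameter(Mandatory)]$Class)
    $chain = @()
    $current = $Class
    while ($null -ne $current) {
        $chain += $current.Name
        $current = $current.GetBaseType()
    }
    $chain
}

function Get-UnixLogicalDiskClasses {
    # Every concrete class whose ancestry includes the UNIX library base class.
    Get-SCOMClass | Where-Object {
        -not $_.Abstract -and ((Get-ScomBaseChain -Class $_) -contains 'Microsoft.Unix.LogicalDisk')
    } | Select-Object Name, DisplayName,
                      @{n = 'Pack'; e = { $_.GetManagementPack().Name }},
                      @{n = 'Base'; e = { $_.GetBaseType().Name }}
}

# Class hierarchy, e.g.
# Microsoft.Linux.Universal.LogicalDisk -> Microsoft.Linux.LogicalDisk -> Microsoft.Unix.LogicalDisk
Get-UnixLogicalDiskClasses | Format-Table -AutoSize

# One query against the abstract base class returns the instances of every inherited class.
$baseClass = Get-SCOMClass -Name 'Microsoft.Unix.LogicalDisk'
Get-SCOMClassInstance -Class $baseClass |
    Select-Object DisplayName, Path, HealthState |
    Sort-Object Path, DisplayName
```

Get-SCOMClass with no filter walks every class in the management group, so the first call takes a while on a large environment; the instance query at the end is the cheap part and is the same thing the Discovered Inventory view does when you change its target type.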



AIX Logical Disk Discovery


Universal Linux Discovery

Universal Linux Classes


Windows Server packs are very similar

Windows Logical Disk class



Using Unix MP’s for Shell commands and scripts

Ready to move out of the UI ?

Thanks to Saurav Babu, and Tim Helton’s help, I was able to push my MP authoring limits further.

The good thing about the Shell command template in SCOM is that your script is encoded.

Bad news

  1. If functionality doesn't exist in the UI, you can't easily pull the monitor apart and just add variables to get that functionality.
  2. Scripts and Shell commands are encoded (great news for security, less so for authoring!)

Now to the use case: we need SampleCount and MatchCount to prevent false positive alerts.

The UNIX Shell Command library allows us to use the following variables out of the box:

Interval, SyncTime, TargetSystem, UserName, Password, Script, ScriptArgs, TimeOut, TimeOutInMS, HealthyExpression, ErrorExpression

AND we can override Interval, Script, TimeOut, TimeOutInMS

If that’s not enough options, then read on!

When the built-in functionality doesn’t exist

For this UNIX shell command/script monitor, we required SampleCount and MatchCount

Variables explained

SampleCount is the number of samples required for an alert.

If SampleCount = 4, this means 4 samples will generate an alert.

MatchCount is the number of intervals before the monitor state changes.

If Interval = 60 (s) and MatchCount = 10, then it will take 10 minutes (600 s) before we alert.

Combining the two means 4 samples over 10 minutes will generate an alert.

Sometimes this is called alert suppression, or counting failures before alerting.
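Before building the MP it helps to see how a given SampleCount/MatchCount pair behaves against a run of script results. The function below is an added example (not the post's MP or fragments): it models the definitions above, with SampleCount as the number of failing samples needed and MatchCount as the number of intervals in the look-back window, and runs two constructed sequences through it.

```powershell
# Added example: simulate the suppression window so SampleCount / MatchCount
# can be sanity-checked. Definitions follow the post: SampleCount = failing
# samples needed to alert, MatchCount = intervals in the window, Interval = seconds
# per sample. The sample sequences are constructed (True = script reported a failure).

function Get-SuppressionVerdict {
    param(
        [Parameter(Mandatory)][bool[]]$Samples,   # one result per interval, oldest first
        [int]$Interval    = 60,
        [int]$SampleCount = 4,
        [int]$MatchCount  = 10
    )
    # At each interval, look back over a window of MatchCount results and
    # count the failures; alert as soon as SampleCount of them are failures.
    for ($i = 0; $i -lt $Samples.Count; $i++) {
        $start    = [Math]::Max(0, $i - $MatchCount + 1)
        $window   = @($Samples[$start..$i])
        $failures = @($window | Where-Object { $_ }).Count
        if ($failures -ge $SampleCount) {
            return [pscustomobject]@{
                Alert            = $true
                AtInterval       = $i + 1
                ElapsedSeconds   = ($i + 1) * $Interval
                FailuresInWindow = $failures
            }
        }
    }
    [pscustomobject]@{
        Alert            = $false
        AtInterval       = $null
        ElapsedSeconds   = $Samples.Count * $Interval
        FailuresInWindow = 0
    }
}

# Constructed run 1: three isolated failures spread over 12 minutes -> no alert.
$quiet = @($true, $false, $false, $false, $true, $false, $false, $false, $false, $false, $true, $false)
Get-SuppressionVerdict -Samples $quiet

# Constructed run 2: failures at intervals 2, 5, 7 and 9 -> the fourth failure inside
# the 10-interval window fires at interval 9 (540 s), no consecutive failures needed.
$flapping = @($false, $true, $false, $false, $true, $false, $true, $false, $true, $false)
Get-SuppressionVerdict -Samples $flapping
```

The first run shows what the defaults buy you: a process that blips once every few minutes never reaches four failures in any ten-interval window, so no alert. The second shows the flip side, that the window counts failures, not consecutive failures, which is usually what you want for a flapping process check.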

Built a custom DataSource, ProbeAction, and WriteAction, as the UNIX Shell Library MP did not include these additional variables.

Please review my updated MP Fragments TechNet Gallery for the custom MP and fragments!

Encoding the script or command to run

The other issue with UNIX scripts and commands is that the UI encodes the scripts.

How do we get around it, you ask?

Since we are building an MP Fragment and MP, we must figure out how to encode ourselves.

To encode the script to put into your SCOM monitor (and MP Fragment):


$script = 'if [ `ps -ef | grep sleep | grep -v grep | wc -l` -eq "1" ]; then echo false; else echo true; fi'

# Verify script variable
$script

# Get $script bytes
$s = [System.Text.Encoding]::UTF8.GetBytes($script)

# Verify script bytes output (optional, as the bytes are broken out one per line)
$s

# Encode script to Base64
$encoded = [System.Convert]::ToBase64String($s)

# Verify $encoded
$encoded

# Optional
# Verify the string converts back properly (decode the Base64, then the bytes)
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))

The $encoded output is what needs to be entered into the <script></script> variable in your monitor.

Example Output

PS C:\Users\scomadmin\desktop> $script = 'if [ `ps -ef | grep sleep | grep -v grep | wc -l` -eq "1" ]; then echo false;
else echo true; fi'
PS C:\Users\scomadmin\desktop> $script
if [ `ps -ef | grep sleep | grep -v grep | wc -l` -eq "1" ]; then echo false; else echo true; fi
PS C:\Users\scomadmin\desktop> $s = [System.Text.Encoding]::UTF8.GetBytes($script)
PS C:\Users\scomadmin\desktop> $s
PS C:\Users\scomadmin\desktop> $s = [System.Text.Encoding]::UTF8.GetBytes($script)

PS C:\Users\scomadmin\desktop> $encoded = [System.Convert]::ToBase64String($s)
PS C:\Users\scomadmin\desktop> $encoded
PS C:\Users\scomadmin\desktop> [System.Text.Encoding]::UTF8.GetString($s)
if [ `ps -ef | grep sleep | grep -v grep | wc -l` -eq "1" ]; then echo false; else echo true; fi
PS C:\Users\scomadmin\desktop>
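Two things quietly break a script once it is pasted into an MP this way: Windows CRLF line endings that the agent-side shell trips over, and curly quotes picked up from a web page or Word document. The functions below are an added example (not from the post) that wrap the encode/decode steps, reject non-ASCII input, and verify the round trip; the sample script is the post's process check rewritten with straight quotes.

```powershell
# Added example: encode a UNIX script for an MP, with the checks that catch
# CRLF line endings and non-ASCII characters before the Base64 hides them.
# The sample script is constructed for the example.

function ConvertTo-ScomShellScript {
    param([Parameter(Mandatory)][string]$Script)
    # Normalise CRLF to LF; a stray \r after 'fi' fails on the agent side.
    $clean = $Script -replace "`r`n", "`n"
    $nonAscii = [regex]::Matches($clean, '[^\x00-\x7F]')
    if ($nonAscii.Count -gt 0) {
        throw "Script contains $($nonAscii.Count) non-ASCII character(s), e.g. '$($nonAscii[0].Value)'. Replace curly quotes before encoding."
    }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($clean)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-ScomShellScript {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Encoded))
}

function Test-ScomShellScriptRoundTrip {
    # Encodes, decodes and confirms the decoded text matches the LF-normalised input.
    param([Parameter(Mandatory)][string]$Script)
    $encoded = ConvertTo-ScomShellScript -Script $Script
    $decoded = ConvertFrom-ScomShellScript -Encoded $encoded
    [pscustomobject]@{
        Encoded   = $encoded
        RoundTrip = ($decoded -eq ($Script -replace "`r`n", "`n"))
        Length    = $encoded.Length
    }
}

# Constructed sample: the process check from the post, with straight quotes.
$script = 'if [ `ps -ef | grep sleep | grep -v grep | wc -l` -eq "1" ]; then echo false; else echo true; fi'
Test-ScomShellScriptRoundTrip -Script $script

# The same check pasted with curly quotes is rejected up front instead of
# producing a Base64 string that only fails when the agent runs it.
try {
    ConvertTo-ScomShellScript -Script ('if [ x -eq ' + [char]0x201C + '1' + [char]0x201D + ' ]; then echo ok; fi')
} catch {
    "Rejected: $($_.Exception.Message)"
}
```

Paste the Encoded value into the monitor's script element; RoundTrip = True is the check that what you pasted decodes to what you wrote.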


Jonathan Almquist's blog post

Kevin Holman's blog on service with Samples

Using SharePoint On Premise Diagnostic tool

Futuristic, perhaps, but a powered screwdriver for space almost looks like Han Solo's pistol (sans scope).

From the previous intro, we start using the tool to diagnose SharePoint problems.

Let’s install, and get to using it!

Once this is released, I expect this to be posted to a GitHub repository.

For now, there will be some mystery for obtaining the file bundle.

Copy the folder from the build zip file.

Paste it to the SharePoint machine, following whatever standard you use.

From my own past, I prefer a MonAdmin (Monitoring Admin) directory, with a scripts sub-directory, then toolname/version:

C:\Monadmin\Scripts\OPD-D2.0.1905.15001

Start OPD via powershell

cd 'C:\Monadmin\Scripts\OPD-D2.0.1905.15001'


Avoid some initial questions

cd 'C:\Monadmin\Scripts\OPD-D2.0.1905.15001'

.\OPD-console.ps1 -mode SharePoint -ShareTelemetry Yes -AcceptEula

PS C:\Monadmin\Scripts\OPD-D2.0.1905.15001> .\OPD-console.ps1 -mode SharePoint -ShareTelemetry Yes -AcceptEula
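A short pre-flight before launching the console saves a round of questions later. The script below is an added example (not part of OPD): it checks the PowerShell version, the tool path and elevation, launches OPD with the switches from the post, then tails the OPD event log. It assumes the MonAdmin path used above, that OPD's log channel is literally named OPDLog (the post names the log but not the channel), and the WMF 5.0+ requirement mentioned in the preview post.

```powershell
# Added example: pre-flight checks, launch OPD with the post's switches, then
# read back the OPDLog event log. Assumptions: the install path below, an event
# log channel named 'OPDLog', and WMF 5.0 or better as the minimum.

$opdPath = 'C:\Monadmin\Scripts\OPD-D2.0.1905.15001'

function Test-OpdPrerequisites {
    param([string]$Path = $opdPath)
    $console   = Join-Path $Path 'OPD-console.ps1'
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        PowerShellVersion = $PSVersionTable.PSVersion
        WmfOk             = $PSVersionTable.PSVersion.Major -ge 5
        ConsoleFound      = Test-Path -Path $console
        RunAsAdmin        = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        SharePointSnapin  = [bool](Get-PSSnapin -Registered -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)
    }
}

function Get-OpdLogTail {
    # Most recent entries from the OPDLog event log (assumed channel name), newest first.
    param([int]$Count = 20)
    Get-WinEvent -LogName 'OPDLog' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{n = 'Message'; e = { ($_.Message -split "`n")[0] }}
}

$pre = Test-OpdPrerequisites
$pre
if ($pre.WmfOk -and $pre.ConsoleFound) {
    Set-Location $opdPath
    .\OPD-console.ps1 -mode SharePoint -ShareTelemetry Yes -AcceptEula
    Get-OpdLogTail
} else {
    Write-Warning 'Fix the failed prerequisites before starting OPD.'
}
```

RunAsAdmin and SharePointSnapin are informational; OPD's own checks decide what it needs, but seeing both as False before launch usually explains an empty Central Admin or topology section.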

Using OPD to check SharePoint environment

Start with the OPDLog Event Log

OPD Main menu

1 – Administration

Central Admin site

Current patch level


Timer jobs

2 – Performance

3 – Search

Search Hosts Online

Unable to retrieve topology

4 – Services

5 – Setup


6 – User Profile

Firewall ports (duplicated from section 4)

Happy checking and to building new SharePoint checks!

SharePoint Management framework Private Preview


Do you have Enterprise SharePoint farms whose health and performance you manage via custom scripts?

Have you used SETH to manage SharePoint 2010 problems with the farm(s)?


Would you want a scalable tool to which you can add your own scripts, enable/check them, and then alert on what you want?




SharePoint Engineer Troubleshooting Helper (SETH) was a Microsoft tool for SharePoint 2010

Using SETH

Troubleshooting SETH



For SharePoint 2016 and 2019, the Customer Support team brought up the need to bring back a utility to help with common SharePoint scenarios.

On Premise Diagnostic (OPD) is the second generation of the project (for SharePoint 2016 and 2019).


My goal was to help the Escalation Engineers have a full platform that can be implemented and is scalable for the technical community to maintain and use.


BTW, the only thing preventing SharePoint 2013 support is the dependency on WMF v5.0 or better on the SharePoint servers.



SCOM management pack can be found here


Updated Skype for Business 2015 Addendum pack

Continuing work with Nick Wood on the Skype pack for additional operational features.

Previously blogged about this in July 2018, and I continue to make improvements.

The TechNet gallery bundle is updated with new functionality.

Skype KHI addendum

The pack gathers the Skype KHI performance counters.

Packets * Discards performance rules, alerting where more than 100 discards are seen on NICs.

Monitoring Tab folder/performance view

Skype Custom Overrides

Includes common overrides for noisy monitors/rules.

Install SCVMM management packs from VMM Server

Time for some automation

Ever have to upgrade SCVMM packs every time a new Update Release (UR) comes out?

Copy the files off the VMM server to your SCOM MS, then install.

How long does that take?

Try this script out, assuming you have a login on the VMM Server.

TechNet Gallery post here

# Set up some variables

$VMMServer = "16VMM01"

# Set up your path, this example is monadmin\backup

$date = Get-Date -UFormat "%Y-%m-%d"

# Set up backup path

$backupPath = "C:\monadmin\backup"

$backupDrive = "C:"

# Create some functions
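The fragment above stops at the functions; the block below is an added example of what they could look like, not the TechNet Gallery script itself. It backs up the VMM packs currently in SCOM, stages the new ones from the VMM server's admin share, and imports them in one call. Assumptions: the admin share is reachable, the VMM packs live in the VMM 2016 install folder named below (other versions use a different "System Center" folder), the pack names start with Microsoft.SystemCenter.VirtualMachineManager, and the OperationsManager module is loaded on the SCOM management server.

```powershell
# Added example: back up, copy and import the VMM management packs.
# Assumptions: VMM 2016 default install path, admin share access to the VMM
# server, and the OperationsManager module on the SCOM management server.
Import-Module OperationsManager

$VMMServer  = '16VMM01'
$date       = Get-Date -UFormat '%Y-%m-%d'
$backupPath = 'C:\monadmin\backup'
# Assumed VMM 2016 default; adjust the "System Center <year>" folder for your version.
$vmmMpShare = "\\$VMMServer\C$\Program Files\Microsoft System Center 2016\Virtual Machine Manager\ManagementPacks"
$vmmPrefix  = 'Microsoft.SystemCenter.VirtualMachineManager*'   # assumed pack name prefix

function Backup-ScomVmmPacks {
    # Export the currently imported VMM packs so a bad UR import can be rolled back.
    param([string]$Path = (Join-Path $backupPath $date))
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $packs = @(Get-SCOMManagementPack | Where-Object { $_.Name -like $vmmPrefix })
    $packs | Export-SCOMManagementPack -Path $Path
    [pscustomobject]@{ Exported = $packs.Count; Path = $Path }
}

function Copy-VmmPacksFromServer {
    # Pull the .mp/.mpb files off the VMM server into a dated staging folder.
    param(
        [string]$Source      = $vmmMpShare,
        [string]$Destination = (Join-Path $backupPath "vmm-$date")
    )
    if (-not (Test-Path -Path $Source)) { throw "VMM pack folder not found: $Source" }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    Get-ChildItem -Path $Source -Include *.mp, *.mpb -Recurse | Copy-Item -Destination $Destination -Force
    Get-ChildItem -Path $Destination -Include *.mp, *.mpb -Recurse
}

function Import-VmmPacks {
    # Import in one call so SCOM resolves the dependencies between the packs itself.
    param([Parameter(Mandatory)][string[]]$Files)
    Import-SCOMManagementPack -Fullname $Files
    Get-SCOMManagementPack | Where-Object { $_.Name -like $vmmPrefix } |
        Select-Object Name, Version, LastModified | Sort-Object Name
}

Backup-ScomVmmPacks
$staged = Copy-VmmPacksFromServer
Import-VmmPacks -Files $staged.FullName
```

The version list printed at the end is the same thing the Administration tab shows after the import, so a quick diff of that output before and after the UR tells you which packs actually moved.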

Watch them roll, let PowerShell do your work!

UR6 packs

SCOM management packs backed up

Check out the SCOM Console Admin tab for updates!

Troubleshooting Service Map pack




Updated 14 Mar 2019


If you get these exceptions like me: the issue has been raised, with a deliverable targeted for SCOM 2019 UR1.

Disable the rule to reduce noise.



Are you using Service Map Management pack, and getting errors?


This alert is based on event ID 46651/46652 in the Operations Manager event log.

From SCOM Console > Authoring Tab > Management Pack Objects > Rules

Search in the 'Look for:' bar for GenericException (yes, no space in between)





Rule Details


To enable debug on the MS


For collecting logs, please do the following:

  • Create the folder "c:\Debug\ext\"
  • Now wait for an hour (which is the default time interval set in the rule for running the Service Map API).
  • You will see some log files created in that folder "ext". Please share them in an email.


The file showed up after the alerts, and listed debug INFO and WARN lines; the time stamps match up with the generic exception rules.


Stay tuned for more information. I have been trying to get more answers on this exception:

{WARN} [12:35:20.966] [ScomUtils] failed to export XML for Management Pack: System.NullReferenceException: Object reference not set to an instance of an object.

   at ScomBridge.ScomUtils.WritePackXmlToFile(ManagementPack pack, String filename)
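Lining up the WARN lines in the ext folder with the 46651/46652 events is the quickest way to show which exception belongs to which alert. The script below is an added example (not from the post): a parser for the debug line format shown above, a query for the events, and a constructed sample so the parser can be tried without the folder. The event IDs, folder path and line format are the ones from the post.

```powershell
# Added example: parse the Service Map debug log lines and pull the matching
# GenericException events so both can be sorted by time. Sample lines are
# constructed to mirror the shape of the post's output.

$debugFolder = 'C:\Debug\ext'
$eventIds    = 46651, 46652

function Get-ServiceMapExceptionEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Operations Manager'
        Id        = $eventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'FirstLine'; e = { ($_.Message -split "`n")[0] }}
}

function ConvertFrom-ServiceMapDebugLine {
    # Parses lines such as: {WARN} [12:35:20.966] [ScomUtils] failed to export XML ...
    # Continuation lines (stack frames starting with 'at ...') produce no output.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match '^\{(?<level>[A-Z]+)\}\s+\[(?<time>\d{2}:\d{2}:\d{2}\.\d{3})\]\s+\[(?<component>[^\]]+)\]\s+(?<message>.*)$') {
            [pscustomobject]@{
                Level     = $Matches.level
                Time      = [TimeSpan]::Parse($Matches.time)
                Component = $Matches.component
                Message   = $Matches.message
            }
        }
    }
}

function Get-ServiceMapDebugWarnings {
    param([string]$Folder = $debugFolder)
    Get-ChildItem -Path $Folder -File -ErrorAction SilentlyContinue |
        Get-Content |
        ConvertFrom-ServiceMapDebugLine |
        Where-Object Level -eq 'WARN'
}

# Constructed sample lines, shaped like the post's output:
$sample = @(
    '{INFO} [12:35:19.120] [ScomBridge] starting export of 3 packs',
    '{WARN} [12:35:20.966] [ScomUtils] failed to export XML for Management Pack: System.NullReferenceException: Object reference not set to an instance of an object.',
    '   at ScomBridge.ScomUtils.WritePackXmlToFile(ManagementPack pack, String filename)',
    '{INFO} [12:35:21.004] [ScomBridge] export finished'
)
$sample | ConvertFrom-ServiceMapDebugLine | Format-Table -AutoSize

# On the management server: events on one side, WARN lines on the other, both by time.
Get-ServiceMapExceptionEvents | Format-Table -AutoSize
Get-ServiceMapDebugWarnings | Sort-Object Time | Format-Table Time, Component, Message -AutoSize
```

The debug lines carry a time of day only, so compare them against the TimeCreated of events from the same day; a WARN from ScomUtils a second or two before a 46651/46652 event is the pairing the post describes.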



XML for Product or Company Knowledge

Digging in the archives…



From a discussion with some PFEs, the question was 'how do I create knowledge for a monitor/rule?'

Tyson Paul pointed out the System Center Wiki article 'Knowledge Article authoring'.


When you create a knowledge article in an MP (let's not even go into the console GUI!):

If the Knowledge Article references a sealed workflow (i.e. it references an element in a sealed pack), it's Company Knowledge.






If the Knowledge Article references a sealed monitor, it will show up under the ‘Company Knowledge’ tab

XML example from Skype Addendum pack on TechNet Gallery

<KnowledgeArticle ElementID="ML2MC!Microsoft.LS.2015.Monitoring.Internal.Health.DiscoveryRunner" Visible="true">
  <MamlContent>
    <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">
      <maml:para>Any added Skype servers will not be discovered in SCOM.</maml:para>
    </maml:section>
    <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">
      <maml:para>Discovery Failed.  An internal exception has occurred during discovery.</maml:para>
    </maml:section>
    <maml:section xmlns:maml="http://schemas.microsoft.com/maml/2004/10">
      <maml:para>Fix permission issues in alert.</maml:para>
      <maml:para>Skype PowerShell module may not be installed.</maml:para>
      <maml:para>Import-Module SkypeForBusiness</maml:para>
    </maml:section>
  </MamlContent>
</KnowledgeArticle>





If the Knowledge Article lives in a sealed pack, OR an unsealed pack's article references a rule/monitor defined in that same unsealed pack, it's Product Knowledge.


Sealed pack example


Unsealed pack Example
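The rule above comes down to one thing: does the ElementID carry an alias prefix (target in a referenced sealed pack, so Company Knowledge) or not (target in this same pack, so Product Knowledge). The script below is an added example (not from the post or the Skype pack) that applies that rule to every KnowledgeArticle in an unsealed MP; the MP XML is constructed for the example, using the ML2MC alias and the Skype element name from the snippet above, and the rule ID in it is made up.

```powershell
# Added example: classify each KnowledgeArticle in an unsealed MP as Company or
# Product knowledge by whether its ElementID references another pack via an alias.
# The MP XML is constructed; Custom.Skype.Addendum and its rule ID are hypothetical.

$mpXml = @'
<ManagementPack ContentReadable="true" SchemaVersion="2.0">
  <Manifest>
    <Identity><ID>Custom.Skype.Addendum</ID><Version>1.0.0.0</Version></Identity>
    <References>
      <Reference Alias="ML2MC">
        <ID>Microsoft.LS.2015.Monitoring.ComponentAndUser</ID>
        <Version>1.0.0.0</Version>
        <PublicKeyToken>31bf3856ad364e35</PublicKeyToken>
      </Reference>
    </References>
  </Manifest>
  <Monitoring>
    <Rules>
      <Rule ID="Custom.Skype.Addendum.NicDiscards.Rule" Enabled="true" Target="ML2MC!Microsoft.LS.2015.Monitoring.Internal.Health.DiscoveryRunner" />
    </Rules>
  </Monitoring>
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <KnowledgeArticles>
        <KnowledgeArticle ElementID="ML2MC!Microsoft.LS.2015.Monitoring.Internal.Health.DiscoveryRunner" Visible="true" />
        <KnowledgeArticle ElementID="Custom.Skype.Addendum.NicDiscards.Rule" Visible="true" />
      </KnowledgeArticles>
    </LanguagePack>
  </LanguagePacks>
</ManagementPack>
'@

function Get-KnowledgeArticleKind {
    param([Parameter(Mandatory)][xml]$ManagementPack)
    $mpId    = $ManagementPack.ManagementPack.Manifest.Identity.ID
    $aliases = @{}
    foreach ($ref in @($ManagementPack.ManagementPack.Manifest.References.Reference)) {
        if ($ref) { $aliases[$ref.Alias] = $ref.ID }
    }
    foreach ($ka in $ManagementPack.SelectNodes('//KnowledgeArticle')) {
        $elementId = $ka.ElementID
        if ($elementId -match '^(?<alias>[^!]+)!(?<name>.+)$') {
            # Alias prefix: the target lives in a referenced (sealed) pack -> Company Knowledge tab.
            [pscustomobject]@{ ElementID = $elementId; Kind = 'Company'; TargetPack = $aliases[$Matches.alias] }
        } else {
            # No alias: the target is defined in this same pack -> Product Knowledge tab.
            [pscustomobject]@{ ElementID = $elementId; Kind = 'Product'; TargetPack = $mpId }
        }
    }
}

Get-KnowledgeArticleKind -ManagementPack ([xml]$mpXml) | Format-Table -AutoSize
```

Pointing the function at a real unsealed pack (Get-Content pack.xml -Raw cast to [xml]) gives the same two-column answer for every article, which is quicker than importing the pack and clicking through both tabs to see where the knowledge landed.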