Adding UNIX agents via PowerShell

First, a shout out to Vanessa Bruwer @VanessaBruwer and Tyson Paul for their help!

 

Feel like I was pounding rocks, and had a great find! 🙂

…How to add UNIX agents manually via command line

 

 

 

Required

1. Unix Agent action account and agent maintenance account ID and passwords
2. Unix Resource Pool name (use get-SCOMResourcePool)

Don’t confuse the WSMan login with your MSAA ID; discovery fails when the MSAA account is used for WSMan.

BTW, cmdlets exist with 2012R2 and 2016

 

 

From MS running PowerShell as admin

$MyPool = Get-SCOMResourcePool "UNIX/Linux Monitoring Resource Pool"
$SSHCredential = Get-SCXSSHCredential -UserName scom -ElevationType sudo
$WSCredential = Get-Credential scom

# Using MSAA account this fails
$DiscResult = Invoke-SCXDiscovery -Name "ubuntu.testlab.net" -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential

# Alternative Discovery for Network IP range
$DiscResult = Invoke-SCXDiscovery -IPRange 192.168.1.50,192.168.1.75 -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential

$DiscResult | fl -property *

$installResult = Install-SCXAgent -DiscoveryResult $DiscResult -Verbose
$installResult | fl -property *

 

 

Using MSAA account this fails

 

Using SCOM Agent Maintenance Account

 

Console verified

 

Resources
Old https://blogs.msdn.microsoft.com/scxplat/2009/12/11/cross-platform-powershell-scripts-released/
2012R2 (tested on my 2016 lab) https://operatingquadrant.com/2012/12/06/using-powershell-for-automated-unixlinux-agent-discovery/
PoSH cmdlet reference https://docs.microsoft.com/en-us/previous-versions/system-center/powershell/system-center-2012-r2/hh545212(v=sc.20)

 

 

 

 

SCOM Maintenance Mode PowerShell

My thanks to Matt Taylor and Kevin Holman, Ralph Kyttle, and John Kavanagh for their guidance!

Updated 24 Jun 2022

 

 

Read on if these apply
Trying to start, update, or end SCOM MM

Get alerts when MM is updated
PowerShell only in your shop!
SCORCH in play but need to convert runbooks to straight PowerShell

Ran into issues using Set-SCOMMaintenanceMode, as the cmdlet doesn’t put ALL the recursive classes under Windows Computer

 

 

Background

Set-SCOMMaintenanceMode cmdlet is actually “by design.”  ☹

 

Start-SCOMMaintenanceMode assumes you want recursive action when you start maintenance mode….

Pick a Windows Computer and it places the Windows Computer object (AND all contained objects) into MM.

 

Computer in MM

All contained objects in MM

 

 

However, the problem is that Set-SCOMMaintenancemode does not have an understanding of recursiveness.

Command changes the MM entry for the Windows Computer, but NOT all the contained objects.  So they retain the original setting.

 

Health explorer looks like this, resulting in unwanted alerts

 

 

 

Details

NOTE: the $Time variable and the DateTime methods calculate the end time from the moment each command runs, so the result depends on the delay between running the commands.
If you start MM, wait 5 minutes, then update, the total MM duration will be ~20 minutes.

 

 

 

Maintenance Mode options and examples

# Setup variables for MM

# Example 1 Windows Computer

$server = "Servername.FQDN"

$instance = (get-scomclass -DisplayName "Windows Computer" | Get-SCOMClassInstance | where { $_.DisplayName -eq $server } )

# Set time for 6 minutes

$Time = (Get-Date).addMinutes(6)

Start-SCOMMaintenanceMode -Instance $Instance -EndTime $Time -Comment "Starting Maintenance Mode." -Reason "PlannedOther"

 

# Example 2

# Business needs require Windows Operating System monitoring to occur while Application is in maintenance

# My Example is Defender, could be SQL, MSMQ, Lync, Skype, or your custom class created for your application

$Class = (get-scomclass)
$Class | ? { $_.Name -like "*Defender*" } | fl DisplayName,Name

DisplayName : Protected Endpoint
Name        : Microsoft.WindowsDefender.ProtectedServer

DisplayName : Protected Candidate
Name        : Microsoft.WindowsDefender.ProtectedServerCandidate

DisplayName : Unprotected Endpoint
Name        : Microsoft.WindowsDefender.UnprotectedServer

DisplayName : Microsoft Windows Defender Class
Name        : Microsoft.Windows.Defender.Class

# Choose the class needed

$server = "Servername.FQDN"

$instance = ( $Class | ? { $_.Name -like "Microsoft.Windows.Defender*" } | Get-SCOMClassInstance | ? { $_.DisplayName -eq $server } )

# Verify Instance variable

$instance

PS C:\Users\scomadmin> $instance

HealthState     InMaintenanceMode  DisplayName
-----------     -----------------  -----------
Success               False        WFM.testlab.net

# Don’t forget to add time variable

$Time = (Get-Date).addMinutes(6)

# Start maintenance mode

Start-SCOMMaintenanceMode -Instance $Instance -EndTime $Time -Comment "Starting Maintenance Mode." -Reason "PlannedOther"

 

 

 

 

Start, Update, End and Verify Maintenance mode syntax

 

# Start MM via PoSH cmdlet

Start-SCOMMaintenanceMode -Instance $Instance -EndTime $Time -Comment "Starting Maintenance Mode." -Reason "PlannedOther"

 

 

# Start MM using method vs. PowerShell cmdlet

Note Recursive in $instance.ScheduleMaintenanceMode

$windowReason="PlannedOther"
$windowsComment="Testing Maintenance Mode"
$windowDuration=15

$server= "wfm.testlab.net"
$instance = (get-scomclass -DisplayName "Windows Computer" | Get-SCOMClassInstance | ? { $_.DisplayName -eq $server } )
$instance.ScheduleMaintenanceMode([datetime]::Now.touniversaltime(),([datetime]::Now).addminutes($windowDuration).touniversaltime(), "$windowReason", "$windowsComment" , "Recursive")

# Drop Recursive if you don’t want it (but can’t imagine why you would!)

 

 

# Update MM

# Make sure you’ve put object in MM

$server= "wfm.testlab.net"
$instance = (get-scomclass -DisplayName "Windows Computer" | Get-SCOMClassInstance | ? { $_.DisplayName -eq $server } )

# 15 minutes in the future
# The comment is passed as a plain string
$instance.UpdateMaintenanceMode([System.datetime]::Now.touniversaltime().addminutes(15),[Microsoft.EnterpriseManagement.Monitoring.MaintenanceModeReason]::PlannedOther,"Adding 15 minutes to the end time.",[Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive);

 

# Stop MM

# Make sure you’ve put object in MM

# Immediate
$instance.StopMaintenanceMode([System.DateTime]::Now.ToUniversalTime());

My thanks to Jan Nevaril

$instance.StopMaintenanceMode([System.DateTime]::Now.ToUniversalTime(),"Recursive")
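
The start and update steps above combined into one function, as an added example that is not part of the original post. It starts or extends MM recursively, then lists any contained object the change did not reach; the function name Set-RecursiveMaintenance is hypothetical, and the OperationsManager module plus a management group connection are assumed.

```powershell
# Added example, not from the original post.
# Assumes the OperationsManager module and rights to schedule maintenance mode.
Import-Module OperationsManager

function Set-RecursiveMaintenance {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $Server,
        [int]    $Minutes = 15,
        [string] $Comment = 'Testing Maintenance Mode'
    )

    $instance = Get-SCOMClass -DisplayName 'Windows Computer' |
        Get-SCOMClassInstance |
        Where-Object { $_.DisplayName -eq $Server }
    if (-not $instance) { throw "No Windows Computer object named '$Server'" }

    $reason    = [Microsoft.EnterpriseManagement.Monitoring.MaintenanceModeReason]::PlannedOther
    $recursive = [Microsoft.EnterpriseManagement.Common.TraversalDepth]::Recursive
    $nowUtc    = [datetime]::UtcNow
    $endUtc    = $nowUtc.AddMinutes($Minutes)   # end time counts from "now", as noted above

    if ($instance.InMaintenanceMode) {
        # Already in MM: move the end time for the computer AND its contained objects
        $instance.UpdateMaintenanceMode($endUtc, $reason, $Comment, $recursive)
    }
    else {
        $instance.ScheduleMaintenanceMode($nowUtc, $endUtc, $reason, $Comment, $recursive)
    }

    # Re-read the contained objects and return those still outside the new window.
    # ScheduledEndTime is compared as UTC; one minute of tolerance for clock skew.
    $instance.GetRelatedMonitoringObjects($recursive) | ForEach-Object {
        $end = $null
        if ($_.InMaintenanceMode) { $end = $_.GetMaintenanceWindow().ScheduledEndTime }
        if (-not $end -or $end -lt $endUtc.AddMinutes(-1)) {
            [pscustomobject]@{
                DisplayName       = $_.DisplayName
                InMaintenanceMode = $_.InMaintenanceMode
                ScheduledEndTime  = $end
            }
        }
    }
}

# Server name taken from the examples on this page
$stale = @(Set-RecursiveMaintenance -Server 'wfm.testlab.net' -Minutes 15)
"Contained objects left outside the window: $($stale.Count)"
$stale | Format-Table -AutoSize
```

An empty result means every contained object shares the new end time, so nothing should alert before the window closes.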

 

 

 

Verification steps

 

# Verify MM

get-scommaintenancemode -ComputerName $instance.Name|fl MonitoringObjectId,StartTime,ScheduledEndTime

NOTE This will error if you’ve stopped maintenance

Example

PS C:\Users\scomadmin> get-scommaintenancemode -ComputerName $instance.Name
get-scommaintenancemode : The Data Access service is either not running or not yet initialized. Check the event log
for more information.
At line:1 char:1
+ get-scommaintenancemode -ComputerName $instance.Name
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidOperation: (Microsoft.Syste…anceModeCommand:GetSCMaintenanceModeCommand) [Get-S
COMMaintenanceMode], ServiceNotRunningException
+ FullyQualifiedErrorId : ExecutionError,Microsoft.SystemCenter.OperationsManagerV10.Commands.GetSCMaintenanceMode
Command

 

 

# Validate MM through Operations Manager Event ID’s 1215 and 1216 logged

get-eventlog -LogName "Operations Manager" | ? { $_.EventID -eq 1215 -OR $_.EventID -eq 1216 } | fl EventID,TimeGenerated,Message

# Alternate command to check latest 100 events

get-eventlog -LogName "Operations Manager" -newest 100 | ? { $_.EventID -eq 1215 -OR $_.EventID -eq 1216 } | fl EventID,TimeGenerated,Message

 

 

# Error if object NOT in MM

Cannot find an overload for "UpdateMaintenanceMode" and the argument count: "1".
At line:1 char:1
+ $WCobj.UpdateMaintenanceMode(([System.datetime]::Now).addminutes(15). …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest

PS C:\Windows\system32>

 

Testing System datetime

PS C:\Windows\system32> [System.datetime]::Now.addminutes(15)

 

Thursday, August 24, 2017 9:18:04 AM

 

 

PS C:\Windows\system32> ([System.datetime]::Now.addminutes(15)).touniversaltime()

 

Thursday, August 24, 2017 2:18:16 PM

 

 

 

 

References

2012 PowerShell cmdlets https://docs.microsoft.com/en-us/previous-versions/system-center/hh920227(v=sc.20)

2016 PowerShell cmdlets https://docs.microsoft.com/en-us/powershell/module/operationsmanager/?view=systemcenter-ps-2016

2019 PowerShell cmdlets https://docs.microsoft.com/en-us/powershell/module/operationsmanager/?view=systemcenter-ps-2019

SDK

Ralph Kyttle Blog https://blogs.technet.microsoft.com/ralphkyttle/2014/11/10/scom-2012-r2-use-powershell-to-end-an-active-maintenance-mode/

DateTime Methods https://docs.microsoft.com/en-us/dotnet/api/system.datetime

SCOM 2019 Maintenance Mode
https://docs.microsoft.com/en-us/system-center/scom/manage-maintenance-mode-overview?view=sc-om-2019

MSDN MaintenanceModeReason Method https://docs.microsoft.com/en-us/previous-versions/system-center/developer/bb465591(v=msdn.10)

MSDN StopMaintenanceMode Method

UpdateMaintenanceMode Method https://docs.microsoft.com/en-us/previous-versions/system-center/developer/bb424495(v=msdn.10)

 

MM deluxe custom script https://gist.github.com/stegenfeldt/b3f044aa77894ed80d82f8849a48035b

Tip of the Day

Sharing a good knowledge transfer on various topics

Tip of the Day Blog https://blogs.technet.microsoft.com/tip_of_the_day

Specifically like to call out Shannon’s blog for this Windows tip (and my thanks to Ryan Christman for pointing this out!)

https://blogs.technet.microsoft.com/tip_of_the_day/2017/08/17/rds-tip-of-the-day-windows-productivity-tip-file-explorer-command-prompt-and-back-from-the-current-directory/

From Command Prompt or PowerShell
to start an explorer window from current path
type: start .

You can also start other processes

Start explorer (also works)
Start notepad

Or just bypass the start and type the executable
notepad
calc
gpedit.msc
services.msc

 

SharePoint 2013 disk cleanup

Not having a problem with Windows Server 2012 R2?

Windows Server 2012 R2 has several mechanisms to automatically cleanup previous versions of Windows Update files and uses compression for unused binaries.

 

If on win2k8 or win2k8R2, this will continue to grow as the OS ages and patches continue to be released.

 

Cleanup OS = Win2k8R2

Easiest – start with the Disk Cleanup wizard

KB2852386 https://support.microsoft.com/en-us/help/2852386/disk-cleanup-wizard-addon-lets-users-delete-outdated-windows-updates-o

 

Download and run this PowerShell script from TechNet Gallery

https://gallery.technet.microsoft.com/scriptcenter/CleanMgrexeKB2852386-83d7a1ae

 

Final Results

 

WinSxS is huge on win2k8R2, and the

 

Start with what’s in C:\Windows\SoftwareDistribution\Download

Delete logs, everywhere. Keep the most recent, but delete or backup any older logs.

     SharePoint logs: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS

     Windows Event logs

Delete Internet Explorer’s browsing history

Clean up Temp directory

Example C:\Users\Administrator\AppData\Local\Temp

Do you have SQL on the SharePoint Server? If so, do backups or otherwise compact the databases.

Reduce the size of your Windows swap file.

Optionally move to another disk like d:

Delete installation files that can be downloaded again when needed (check your downloads folder).

 

 

 

 

References

AskCore https://blogs.technet.microsoft.com/askcore/2008/09/17/what-is-the-winsxs-directory-in-windows-2008-and-windows-vista-and-why-is-it-so-large/

AskPFE https://blogs.technet.microsoft.com/askpfeplat/2014/05/13/how-to-clean-up-the-winsxs-directory-and-free-up-disk-space-on-windows-server-2008-r2-with-new-update/

Clean up WinSxS folder https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/dn251565(v=win.10)

TechNet https://social.technet.microsoft.com/Forums/office/en-US/84387164-0488-46ee-894b-86c28588b245/how-to-make-space-in-c-drive-on-sharepoint-server?forum=sharepointadmin

Configure Diagnostic Logging in SharePoint https://technet.microsoft.com/en-us/library/ee748619(v=office.14).aspx?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-8bUDdCvIXBhE7RsUncKgCw&tduid=(988dd788212d36221791baa597407ab9)(256380)(2459594)(TnL5HPStwNw-8bUDdCvIXBhE7RsUncKgCw)()

Rita’s blog https://blogs.msdn.microsoft.com/ritazh/2012/04/04/process-to-free-up-space-on-c-drive/

Vignesh’s blog https://vigneshsharepointthoughts.com/2015/11/25/cleaning-up-disk-space-in-sharepoint-servers/

Configure diagnostic logging https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-foundation-2010/ee748619(v=office.14)

Update MP’s for SCOM with VMM2012 R2

The fun starts here.

 

VMM is like most 3rd party management packs that require an app update, then push updates to SCOM.

 

The initial VMM MS configuration will upload the VMM UR packs to SCOM, but the next time you update VMM, how do you upgrade SCOM to the latest UR?

 

Here’s a script to upgrade SCOM once VMM UR is updated on your VMM management server.

 

$UR = "UR11"
$VMMServer = "12VMM01"

# Date stamp used for the backup folder name
$date = Get-Date -UFormat "%Y-%m-%d"

# Set up backup path, this example is C:\monadmin\backup
$backupPath = "C:\monadmin\backup"
$backupDrive = "C:"

####################################################################
# Functions

# Verify OperationsManager SnapIn Installed
Function VerifyOpsMgrSnapIn
{
    # -contains only matches a whole value, so use -like against the snap-ins loaded in this session
    If ( Get-PSSnapin | ? { $_.Description -like "*Operations Manager*" } )
    {
        Write-Host -f green "Operations Manager SnapIn already loaded!"
    }
    Else
    {
        Add-PSSnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
        Write-Host -f green "Operations Manager SnapIn loaded"
    }
}

function BackupMP
{
    # Create the backup path only when it does not exist yet
    if ( -not ( Test-Path -PathType Container $backupPath ) )
    {
        New-Item -ItemType Directory -Path $backupPath
        Write-Host -f green "Created $backupPath"
    }
    else
    {
        Write-Host -f green "Backup Path already created $backupPath"
    }

    # Get VMM management pack versions before
    # (script scope, so the comparison at the end of the script can read it)
    $script:before = ( Get-SCOMManagementPack -Name "*VirtualMachineManager*" )

    # Set up Backup Path
    Set-Location $backupDrive
    cd $backupPath
    New-Item -ItemType Directory -Path $backupPath\$date
    cd $backupPath\$date
    New-Item -ItemType Directory -Path $backupPath\$date\SCVMM_MP$UR
    cd $backupPath\$date\SCVMM_MP$UR

    # Copy SCVMM MP’s to SCOM MS
    Copy-Item "\\$VMMServer\d$\Program Files\Microsoft System Center 2012 R2\Virtual Machine Manager\ManagementPacks\*" -Destination $backupPath\$date\SCVMM_MP$UR

    # Backup existing MP’s on SCOM MS
    # Backup SCOM Management packs to C drive
    # ${UR} is braced so PowerShell does not read the variable name as $UR_OLD
    Set-Location $backupDrive
    cd $backupPath
    New-Item -ItemType Directory -Path "$backupPath\$date\SCVMM_MP${UR}_OLD"
    cd $date
    Get-SCOMManagementPack -Name *VirtualMachine* | Export-SCOMManagementPack -Path "$backupPath\$date\SCVMM_MP${UR}_OLD"
    Write-Host -f green "MP’s backed up to $backupPath\$date\SCVMM_MP${UR}_OLD"

    # Verify copy
    if ( Test-Path -PathType Leaf $backupPath\$date\SCVMM_MP$UR\*.mp )
    {
        Write-Host -f green "MP’s copied"
    }
    else
    {
        Write-Host -f yellow "Specify proper path for MP’s copy"
    }
}

Function ImportMPIntoSCOM
{
    # Import VMM MP’s into SCOM
    # https://docs.microsoft.com/en-us/previous-versions/system-center/powershell/system-center-2012-r2/hh920193(v=sc.20)
    # http://www.systemcentercentral.com/bulk-import-operations-manager-2012-management-packs/

    $mpdir = "$backupPath\$date\SCVMM_MP$UR"
    $mpfiles = (Get-Item -Path $backupPath\$date\SCVMM_MP$UR\*).Name
    $mpcnt = $mpfiles.Count
    Write-Host "Script is requesting to import $mpcnt management packs."

    If ($mpcnt -gt 0)
    {
        Write-Host "$mpcnt management packs were added to installation queue, installing now"
        foreach ($ManagementPack in $mpfiles)
        {
            Set-Location $mpdir
            Import-SCOMManagementPack -Fullname $ManagementPack -ErrorAction SilentlyContinue
            Write-Host -f green "Imported $ManagementPack into SCOM"
        }
    }
}

VerifyOpsMgrSnapIn
BackupMP
#UpdateRegistry
ImportMPIntoSCOM

# Verify SCOM Management packs loaded
Write-Host -f Green "Before Management pack versions"
$before.Version
Write-Host

$after = ( Get-SCOMManagementPack -Name "*VirtualMachineManager*" )
$after.Version

Write-Host -f yellow "Is After greater than Before?"
Write-Host

 

 

Load Test MP with Report

Read below if you want a specific MP for load testing

 

I don’t know about you, but I’ve come across the situation where you need to compare performance.

 

This MP should help validate performance, whether to validate physical versus virtual, or a new Server Farm, storage performance between environments, etc.

 

Shout to Tyson Paul for his initial MP with 2016, catch his blog here!

 

 

Let’s start with the MP shell

 

Check out the upcoming Gallery download for MP’s and fragments here

NOTE: GUID’s will vary to your environment

 

To build the MP, you will need to update the following:

 

Pack ID to include the OS version

 

Add Reference for OS Monitoring MP (can use Visual Studio (VS) MP alias if VS is available for use in your environment)

Class Type ID with OS version

Discovery ID and Target with OS Version

 

Overrides ID with OS Version, and Target with OS MP Rule name and reference

Use the OS Monitoring MP to help with the rule names

The far right of the Override lists the Rule that must match to the OS MP

 

View ID with OS Version

 

Folder Item Element ID and ID

 

MP Display Strings with OS Version

 

Save and Import MP without the Report parameter to see what Group ID SCOM assigns the Load Test group

 

 

Part 2 – include report after group is imported

Don’t forget to update MP version under Identity!

Get Report parameter value for group ID

From PowerShell

          get-ScomGroup | ? { $_.DisplayName -like "*Load Testing Group*" } | fl ID,DisplayName

Alternatively, obtain from SQL SSMS

          select [ManagedEntityDefaultName],[ManagedEntityRowId]
          FROM [vManagedEntity]
          where [ManagedEntityDefaultName] like '%load%'
          order by displayname

SSMS Output

 

In MP XML, update View Target GUID to your Group ID

 

Add Report section, and update parameter values Rule GUID

 

PowerShell commands to run from MS or console installed machine

The GUID’s needed for the report parameters section

 

get-scomrule | ? { $_.DisplayName -like "System Processor Queue Length*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "Current Disk Queue Length*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "Current Disk Queue*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "Current Dis*k Queue*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Current Disk Queue*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Average Disk Seconds Per Transfer*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Logical Disk Idle Time*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Processor Time Total*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Memory Available Megabytes*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Network Adapter Bytes Total*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*Memory Pages per Second*" } | fl ID,DisplayName,Name
get-scomrule | ? { $_.DisplayName -like "*System Processor Queue Length*" } | fl ID,DisplayName,Name

 

 

Verification

  1. From SCOM Console, Authoring Tab
    1. Update group with explicit members
    2. Verify Group members
  2. From SCOM Console, Monitoring Tab
    1. Verify Performance view has performance counters
  3. From SCOM Console Reporting Tab (this may take a few minutes to push report to Reporting server)
    1. Open report and run
    2. Export data for analysis

Get to know your monitor

Ever need to disable a specific monitor?

I know I get tired of clicking through the console, maybe you do too?
Do you know the Monitor name and class?
If yes, then you can enable/disable monitors from PowerShell

 

So let’s get started.

From your management server, you can run SCOM commands as your ID (assuming your ID is set up in SCOM)

 

This example has 2 purposes:

  1. SQL2016 SP1 does NOT populate the proper fields, and will be fixed in SP2 per the SQL Engineering blog (Look at comments section – blog here)
  2. Tired of the warning alerts in my SCOM console

 

Find the monitors

$Monitor = get-scommonitor | where { $_.DisplayName -like "Service Pack Compliance" } | where { $_.Name -like "*Microsoft.SQLServer.2016.DBEngine*" }

 

Let’s focus for a second on some differences, and how you can interchange the two depending on what information you know

DisplayName attribute is what you see in the console (note the spaces)

Name attribute typically has dots for the spaces

 

Override a class

Disable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor

Just in case you need to undo the override

Enable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor

 

Override a group

$Group = (Get-SCOMGroup -DisplayName "Group*")

 

# Enable the group

Enable-SCOMMonitor -Group $Group -ManagementPack $MP -Monitor $Monitor

 

# Disable the group

Disable-SCOMMonitor -Group $Group -ManagementPack $MP -Monitor $Monitor
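
The class override above needs $Class and $MP populated first; one way to do that end to end, as an added example that is not part of the original post. The override pack display name 'SQL 2016 Overrides' is a placeholder for an existing unsealed pack in your management group.

```powershell
# Added example, not from the original post.
# Assumes the OperationsManager module; 'SQL 2016 Overrides' is a placeholder name.
Import-Module OperationsManager

# Monitor: DisplayName is the console text, Name is the dotted ID
$Monitor = Get-SCOMMonitor |
    Where-Object { $_.DisplayName -like 'Service Pack Compliance' -and
                   $_.Name -like '*Microsoft.SQLServer.2016.DBEngine*' }

# Stop unless exactly one monitor matched, so the override cannot hit the wrong one
if (@($Monitor).Count -ne 1) {
    throw "Expected exactly one monitor, found $(@($Monitor).Count)"
}

# Class: the class this monitor targets
$Class = Get-SCOMClass -Id $Monitor.Target.Id

# Management pack: overrides can only be saved to an unsealed pack
$MP = Get-SCOMManagementPack -DisplayName 'SQL 2016 Overrides' |
    Where-Object { -not $_.Sealed }
if (-not $MP) { throw 'Unsealed override management pack not found' }

Disable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor

# Re-read the pack and list the overrides it now holds, for the change record
(Get-SCOMManagementPack -Id $MP.Id).GetOverrides() |
    Select-Object Name, Context, Property, Value |
    Format-Table -AutoSize
```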

 

 

Reference Links

Disable-SCOMMonitor https://docs.microsoft.com/en-us/powershell/systemcenter/systemcenter2016/operationsmanager/vlatest/disable-scommonitor

Enable-SCOMMonitor https://docs.microsoft.com/en-us/powershell/systemcenter/systemcenter2016/OperationsManager/vlatest/Enable-SCOMMonitor

PowerShell Rule and Monitor Template packs MP including fragments

 

Hit the easy button!

 

For all those diehard SCOM Console MP authoring folks, don’t forget about Wei Lim’s blogs to help add PowerShell script functionality into rules and monitors.

 

PowerShell Rules Blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/09/28/opsmgr-new-sample-powershell-collection-rule-wizards-in-the-ops-console/

PowerShell Monitor blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/07/09/opsmgr-new-sample-wizard-to-create-powershell-monitors-in-the-ops-console/

Performance Data blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/10/03/opsmgr-collecting-performance-data-using-a-powershell-script-collection-rule-created-from-a-wizard/

Download Rule https://gallery.technet.microsoft.com/Sample-Management-Pack-e48040f7

Download Monitor https://gallery.technet.microsoft.com/Sample-Management-Pack-17b76379

 

If authoring with Visual Studio or Notepad++, don’t forget Holman’s MP fragments!

Discover Class = Class.And.Discovery.Script.PowerShell.mpx

Monitor Timed Script PowerShell = Monitor.TimedScript.PowerShell.mpx

Monitor Timed Script SQL Query PowerShell = Monitor.TimedScript.PowerShell.SQLQuery.mpx

PowerShell Performance Rule = Rule.Performance.Collection.PowerShellScript.mpx

 

Download fragments here

 

Happy MP Authoring!

SYSTEM CENTER 2016/2019 Operations Manager – Anti-Virus Exclusions

Updated 30 June, 7 July 2020 and includes docs.microsoft.com article updates

 

 

 

NOTE: Process name exclusion wildcards could potentially prevent some dangerous programs from being detected.

 

Hopefully this table is helpful (my thanks to Matt Goedtel for the docs site updates, and Matt’s efforts to keep docs the ‘go-to’ site)

 

Previously the blog left the SCOM Admin and Security teams with questions where blogs did NOT match vendor site documentation.  The blog merged the PFE UK team blog & Kevin Holman blog into an easier tabular view per component.

 

Original Blog introduction

As we are all aware, antivirus exclusions can affect monitoring data generated, and affect system performance.

 

Best practice is to implement specific exclusions.

 

Exclusions\Role | MS | DB | GW | RS | Web | Agent

Folder
Management Server installation folder | Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Server\” | *
Agent installation folder | Default: “C:\Program Files\Microsoft Monitoring Agent” | **
Gateway installation folder | Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Gateway\” | *
Reporting installation folder | Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\Reporting” | *
WebConsole installation folder | Default: “C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole” | *
SQL Data installation folder | Default: “C:\Program Files\Microsoft SQL Server\MSSQL.1x<INSTANCENAME>\MSSQL\Data” | *
SQL Log installation folder | Default: “C:\Program Files\Microsoft SQL Server\MSSQL.1x<INSTANCENAME>\MSSQL\Log” | *
SQL Reporting installation folder | Default: “C:\Program Files\Microsoft SQL Server\MSRS.1x<INSTANCENAME>” | *

File Types
EDB | *****
CHK | *****
LOG | *****
LDF | **
MDF | **
NDF | **

Processes
CShost.exe | *
HealthService.exe | ******
Microsoft.Mom.Sdk.ServiceHost.exe | *
MonitoringHost.exe | ******
SQL Server | Default: “C:\Program Files\Microsoft SQL Server\MSSQL1x.<Instance Name>\MSSQL\Binn\SQLServr.exe” | *
SQL Reporting Services | Default: “C:\Program Files\Microsoft SQL Server\MSRS1x.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe” | **
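
A check for the wildcard risk called out in the NOTE above, as an added example that is not part of the original blog. It compares a server's configured exclusions with the process and file-type names in the table and flags anything broader; the function name Test-ScomAvExclusion is hypothetical, the sample values are constructed, and the live call assumes Microsoft Defender Antivirus.

```powershell
# Added example, not from the original blog.
function Test-ScomAvExclusion {   # hypothetical helper name
    param(
        [string[]] $Path,
        [string[]] $Process,
        [string[]] $Extension
    )

    # Names taken from the exclusion table above
    $tableProcess = 'CShost.exe', 'HealthService.exe', 'Microsoft.Mom.Sdk.ServiceHost.exe',
                    'MonitoringHost.exe', 'SQLServr.exe', 'ReportingServicesService.exe'
    $tableExt     = 'EDB', 'CHK', 'LOG', 'LDF', 'MDF', 'NDF'

    foreach ($p in $Process) {
        $leaf  = ($p -split '\\')[-1]          # file name with or without a full path
        $issue = $null
        if     ($p -match '[*?]')             { $issue = 'wildcard in process exclusion' }
        elseif ($leaf -notin $tableProcess)   { $issue = 'process not in the SCOM table' }
        if ($issue) { [pscustomobject]@{ Type = 'Process'; Value = $p; Issue = $issue } }
    }

    foreach ($e in $Extension) {
        $ext = $e.TrimStart('*', '.').ToUpper()   # accept "log", ".log" and "*.log"
        if ($ext -notin $tableExt) {
            [pscustomobject]@{ Type = 'Extension'; Value = $e; Issue = 'file type not in the SCOM table' }
        }
    }

    foreach ($f in $Path) {
        $issue = $null
        if     ($f -match '[*?]')             { $issue = 'wildcard in folder exclusion' }
        elseif ($f -match '^[A-Za-z]:\\?$')   { $issue = 'whole drive excluded' }
        if ($issue) { [pscustomobject]@{ Type = 'Folder'; Value = $f; Issue = $issue } }
    }
}

# Constructed sample values (not taken from a real server)
$samplePath = 'C:\Program Files\Microsoft Monitoring Agent', 'D:\'
$sampleProc = 'HealthService.exe', 'Monitoring*.exe', 'C:\Tools\helper.exe'
$sampleExt  = 'EDB', '.log', 'ps1'

Test-ScomAvExclusion -Path $samplePath -Process $sampleProc -Extension $sampleExt |
    Format-Table -AutoSize

# Live check on a server running Microsoft Defender Antivirus (run elevated):
# $pref = Get-MpPreference
# Test-ScomAvExclusion -Path $pref.ExclusionPath -Process $pref.ExclusionProcess -Extension $pref.ExclusionExtension
```

With the constructed sample it reports D:\, Monitoring*.exe, helper.exe and ps1; on a shared server, entries flagged as "not in the SCOM table" may belong to another product and need review rather than removal.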

 

Useful information for decoding the matrix

Docs site https://docs.microsoft.com/en-us/system-center/scom/plan-security-antivirus?view=sc-om-2019

Platform https://support.microsoft.com/en-us/help/822158/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows

SCOM 2012/2012R2 KB975931 https://support.microsoft.com/en-us/help/975931/recommendations-for-antivirus-exclusions-that-relate-to-operations-manager

PFE UK team blog https://blogs.technet.microsoft.com/manageabilityguys/2013/11/26/system-center-2012-r2-operations-manager-anti-virus-exclusions/

SQL

https://support.microsoft.com/en-us/help/309422/choosing-antivirus-software-for-computers-that-run-sql-server

https://blogs.technet.microsoft.com/raymond_ris/2014/01/16/windows-antivirus-exclusion-recommendations-servers-clients-and-role-specific/

Version mapping by folder (my thanks to StackOverFlow https://stackoverflow.com/questions/18753886/sql-server-file-names-vs-versions )
100 = SQL Server 2008    = 10.00.xxxx
105 = SQL Server 2008 R2 = 10.50.xxxx
110 = SQL Server 2012    = 11.00.xxxx
120 = SQL Server 2014    = 12.00.xxxx
130 = SQL Server 2016    = 13.00.xxxx

Setting up OMS Capacity and Performance


 

Update 18 Dec 2023 – Solution retired in 2021 with OMS sunset.  

https://github.com/uglide/azure-content/blob/master/articles/log-analytics/log-analytics-add-solutions.md Repository archived by the owner on Feb 1, 2021. It is now read-only.

 

 

Do you know what your HyperV hosts are doing?

Not a HyperV fan, there’s a VMWare solution also here

 

Documentation https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-capacity

https://github.com/uglide/azure-content/blob/master/articles/log-analytics/log-analytics-capacity.md

 

Capacity dashboard

Capacity and performance preview summary

Details

OMS dashboard

 

 

Setting up OMS Capacity and Performance

Already have the dashboard setup?  Perhaps this will help troubleshoot

Do you have network connectivity, or is a proxy required?

 

Troubleshooting dashboard

Firewall https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-proxy-firewall
Windows Agents https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents

 

Verify Operations Manager event log on local agent, then filter for error events and/or EventID 4506.  Look for dates/times to see when events started.

Example Event ID 4506 details the Capacity and Performance Solution, citing ‘Microsoft.IntelligencePacks.CapacityPerformance.Collector’.

Operations Manager Event Log, Event ID 4506 examples

 

Additional options

  1. Search LAW (Log Analytics workspace) logs

https://github.com/uglide/azure-content/blob/master/articles/log-analytics/log-analytics-log-searches.md

OMS Log search screenshot

 

2. Verify no proxy is set up (unless your network requires this)

OMSAgent proxy setting

 

3. 4506’s result from too many workflows sending data from MS to DB’s (OpsMgr and DW).  Additionally, 4506 events can be communication issues from MS to DB server(s).   Lastly, use TLS1.2 configuration as a best practice to enforce encryption from MS to SQL communication.  Beyond encryption, TLS may be a culprit if AlwaysOn or SQL clusters are involved, particularly as the SCOM console connections fail as SDK cannot talk with SQL side.  See Kevin Holman’s blog for additional TLS1.2 information and setup.

TLS blog https://kevinholman.com/2018/05/06/implementing-tls-1-2-enforcement-with-scom/

 

Documentation

Learn article https://learn.microsoft.com/en-us/answers/questions/212007/scom-errors-no-data-in-summary-performance-dashboa
TechNet blog https://social.technet.microsoft.com/Forums/ie/en-US/10b38121-b0e1-43ec-bf3a-d22ae9ef0220/event-4506-data-was-dropped-due-to-too-much-outstanding-data-in-rule
MS RMSe https://www.system-center.me/opsmgr/event-4506-and-new-root-management-server-rms-management-server-ms/