Proactive Patching alerts


As an SME or team lead, do you ever need ‘Proactive Patching alerts’, i.e. which servers need patches applied, aren’t patching, or were missed?  This pack builds on three (3) pillars (Health/Security/Compliance), enabling Cyber teams and more.  It became an alternative to a complex pack with an SSRS report that a customer used to identify systems.  That report was long and had many blank lines/pages, which required a rewrite.  This pack started with the pending restart monitor, taken directly from the AquilaWeb reboot pack logic.  The logic helps SysAdmin/Domain Admin/NOC/NOSC/SOC teams know when servers need reboots.  The need is driven further by the multiple reboots (sometimes) required with Windows monthly updates and application updates.  Used across multiple customers, this is the first pack enabling a proactive stance to answer the ‘Am I compliant?’ question.

 

Quick Download: https://github.com/theKevinJustin/ProactivePatchUptimeReboot/

Testing the Proactive Patch alerts

David Allen built the ‘Aquilaweb.Support.PendingReboot.Monitor.PendingReboot’ PowerShell monitor to tell system owners when the pending restart flag was present.  Some builds, though, make system changes that repeatedly flip the registry key, causing many alerts.  Also, downloading the Aquila pack is tricky, as TechNet was retired.

 

David provided a great idea, which was built upon.  That raised the question: what if the server was not patched, or not rebooted, in a period of time?  With my Cyber hat on, this became the next piece of content to create.  That gave rise to another question: do these scenarios need to reflect in health (monitor), or not (rule)?  We’re all about choices and free will, so the pack is built with both options (rules disabled out of the box).

Pending restart monitor XML showing options

The pack is set up to alert on CBS application updates, SCCM/MECM/Config Mgr Endpoint Management updates, and Windows Updates.  In my experience, these give the most accurate alerts on secure builds where the Application/System Owner needs to take action.

The Last Patch and Last Reboot monitors/rules in the download are set to 45 days.  Tune this value down if patching occurs at the 30 day mark, or increase it if you need more time before alerts.

Last Patch Monitor reflecting number of days

 

Otherwise, download and import into your environment.  The Proactive set of alerts is built upon the Windows Operating System class, so what happens next depends on your subscription/notification settings.  If subscriptions include the class, the notifications are automatic to System/Application owners.
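
The three checks described above (pending restart, days since last patch, days since last reboot) can be spot-checked on a single server with the sketch below. This is an added example, not the management pack's own script: the registry locations, the ConfigMgr client method, and the use of Get-HotFix are assumptions about how such flags are commonly read, and only the 45 day threshold comes from the post.

```powershell
# Added example, not the management pack's script. Run locally on a Windows server.
$ThresholdDays = 45   # default from the download; tune to your patch cycle

function Test-PendingReboot {
    # One entry per update source the post names: CBS, Windows Update, ConfigMgr.
    $sources = [ordered]@{
        CBS           = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        WindowsUpdate = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        ConfigMgr     = $false
    }
    try {
        # This namespace only exists when the ConfigMgr client is installed.
        $ccm = Invoke-CimMethod -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_ClientUtilities' `
                                -MethodName 'DetermineIfRebootPending' -ErrorAction Stop
        $sources.ConfigMgr = [bool]($ccm.RebootPending -or $ccm.IsHardRebootPending)
    } catch { }   # no client present: leave ConfigMgr as $false
    $sources
}

function Get-DaysSince([datetime]$When) {
    [int][math]::Floor(((Get-Date) - $When).TotalDays)
}

$pending  = Test-PendingReboot
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
# InstalledOn can be empty for some hotfix entries, so filter before sorting.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1

$daysSinceBoot  = Get-DaysSince $lastBoot
$daysSincePatch = if ($lastPatch) { Get-DaysSince $lastPatch.InstalledOn } else { $null }

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    PendingReboot   = ($pending.Values -contains $true)
    PendingSources  = ($pending.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
    DaysSinceReboot = $daysSinceBoot
    RebootOverdue   = $daysSinceBoot -gt $ThresholdDays
    DaysSincePatch  = $daysSincePatch
    # A server with no dated hotfix is reported as overdue rather than silently passing.
    PatchOverdue    = ($null -eq $daysSincePatch) -or ($daysSincePatch -gt $ThresholdDays)
}
```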

 

Useful links

David Allen blog

Addendum, what does it mean blog

Get to know your monitor

Ever need to disable a specific monitor?

I know I get tired of clicking through the console, maybe you do too?
Do you know the Monitor name and class?
If yes, then you can enable/disable monitors from PowerShell

 

So let’s get started.

From your management server, you can run SCOM commands as your ID (assuming your ID is set up in SCOM)

 

This example has 2 purposes:

  1. SQL2016 SP1 does NOT populate the proper fields, and will be fixed in SP2 per the SQL Engineering blog (Look at comments section – blog here)
  2. Tired of the warning alerts in my SCOM console

 

Find the monitors

$Monitor = Get-SCOMMonitor | Where-Object { $_.DisplayName -like "Service Pack Compliance" } | Where-Object { $_.Name -like "*Microsoft.SQLServer.2016.DBEngine*" }

 

Let’s focus for a second on some differences, and how you can interchange the two depending on what information you know

DisplayName attribute is what you see in the console (note the spaces)

Name attribute typically has dots for the spaces

 

Override a class

Disable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor

Just in case you need to undo the override

Enable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor

 

Override a group

$Group = (Get-SCOMGroup -DisplayName "Group*")

 

# Enable the monitor for the group

Enable-SCOMMonitor -Group $Group -ManagementPack $MP -Monitor $Monitor

 

# Disable the monitor for the group

Disable-SCOMMonitor -Group $Group -ManagementPack $MP -Monitor $Monitor
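
The commands above use $Class and $MP without showing where they come from. The sketch below fills in those lookups and checks each one before any override is written. It is an added example, not from the original post: the class name is an assumption taken from the post's monitor filter, and the override management pack name is a placeholder for your own unsealed pack.

```powershell
# Added example, not from the original post. Run on a management server.
Import-Module OperationsManager

$MonitorDisplayName = 'Service Pack Compliance'
$ClassName          = 'Microsoft.SQLServer.2016.DBEngine'   # assumed class name
$OverrideMPName     = 'PLACEHOLDER.Overrides'               # placeholder: your unsealed override MP

$Monitor = Get-SCOMMonitor -DisplayName $MonitorDisplayName |
           Where-Object { $_.Name -like "*$ClassName*" }
$Class   = Get-SCOMClass -Name $ClassName
$MP      = Get-SCOMManagementPack -Name $OverrideMPName

# Stop before writing anything if a lookup matched nothing, or matched too much.
if (@($Monitor).Count -ne 1) { throw "Expected 1 monitor, found $(@($Monitor).Count)" }
if (-not $Class)             { throw "Class '$ClassName' not found" }
if (-not $MP)                { throw "Management pack '$OverrideMPName' not found" }
# Overrides can only be saved into an unsealed management pack.
if ($MP.Sealed)              { throw "'$OverrideMPName' is sealed; pick an unsealed override pack" }

# Preview the change first, then apply it.
Disable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor -WhatIf
Disable-SCOMMonitor -Class $Class -ManagementPack $MP -Monitor $Monitor
```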

 

 

Reference Links

Disable-SCOMMonitor https://docs.microsoft.com/en-us/powershell/systemcenter/systemcenter2016/operationsmanager/vlatest/disable-scommonitor

Enable-SCOMMonitor https://docs.microsoft.com/en-us/powershell/systemcenter/systemcenter2016/OperationsManager/vlatest/Enable-SCOMMonitor

PowerShell Rule and Monitor Template packs MP including fragments

 

Hit the easy button!

 

For all those diehard SCOM Console MP authoring folks, don’t forget about Wei Lim’s blogs to help add PowerShell script functionality into rules and monitors.

 

PowerShell Rules Blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/09/28/opsmgr-new-sample-powershell-collection-rule-wizards-in-the-ops-console/

PowerShell Monitor blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/07/09/opsmgr-new-sample-wizard-to-create-powershell-monitors-in-the-ops-console/

Performance Data blog https://blogs.msdn.microsoft.com/wei_out_there_with_system_center/2015/10/03/opsmgr-collecting-performance-data-using-a-powershell-script-collection-rule-created-from-a-wizard/

Download Rule https://gallery.technet.microsoft.com/Sample-Management-Pack-e48040f7

Download Monitor https://gallery.technet.microsoft.com/Sample-Management-Pack-17b76379

 

If authoring with Visual Studio or Notepad++, don’t forget Holman’s MP fragments!

Discover Class = Class.And.Discovery.Script.PowerShell.mpx

Monitor Timed Script PowerShell = Monitor.TimedScript.PowerShell.mpx

Monitor Timed Script SQL Query PowerShell = Monitor.TimedScript.PowerShell.SQLQuery.mpx

PowerShell Performance Rule = Rule.Performance.Collection.PowerShellScript.mpx

 

Download fragments here

 

Happy MP Authoring!

Console Errors in the new Active Directory Directory Services MP

New MP released that resolves this – v10.0.2.0 download here

 


 

At least it’s not the Security patch issue when you click on Health/State views, right?

https://support.microsoft.com/en-us/help/3200006/system-center-operations-manager-management-console-crashes-after-you

 

In the SCOM Console

Do you get an error when clicking on Authoring Tab, Management Pack Objects, Overrides?


If you are running the 2012-2016 Active Directory Directory Services v10.0.1.0 MP’s, you most likely get an error

“Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”

 

Unfortunately, the RODC group rule overrides were not referenced to the Discovery MP.

It’s an awesome MP, and I’m thankful for the new AD MP.

Check out Holman’s blog for all the fun and features.

 

Figure out which management pack has the issue with the ID

To find the offending item from the console error, see this blog.

Blog Summary = Using Ops Manager Shell, export the overrides

Get-SCOMOverride | Out-File d:\monadmin\overrides.txt

Search for your GUID to know the ID and what in SCOM that ID is attached to.

Property          : Enabled
XmlTag            : RulePropertyOverride
Rule              : ManagementPackElementUniqueIdentifier=78ee983f-268d-0b99-0ca6-b1ca75c46621
Context           : ManagementPackElementUniqueIdentifier=0903521d-f768-3d26-a0af-ae52f8c09a29
ContextInstance   : 
Enforced          : False
Value             : false
ManagementGroup   : SCOM2012R2
ManagementGroupId : 28b70e43-4655-edfc-6127-ff4a72642488
Identifier        : 1|Microsoft.Windows.Server.AD.2012.Monitoring/31bf3856ad364e35|1.0.0.0|Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup||
Name              : Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup

The highlighted items show an override for a rule named ‘DRA Outbound Bytes Comp’ (compressed)

 

Now, if you’re impatient like me, and can’t wait for the new sealed MP to fix the console error, here’s how you can fix the MP.

Unseal the three monitoring MP’s

After unsealing the MP, update the RulePropertyOverride(s) for 2012, 2012R2, and 2016 Monitoring management packs, and then import into your SCOM Management group.

MP Viewer How-To, Tool Download

 

Add Referencing MP to the Rule overrides
For 2012 – AD2012Core! was missing (See Manifest section for AD2012Core MP info)
For 2012R2 – AD2012R2Core! was missing (See Manifest section for AD2012R2Core MP info)
For 2016 – AD2016Core! was missing (See Manifest section for AD2016Core MP info)
The RODC group is created with each version of AD Directory Services (2008, 2012, 2016)
In the 2008 MP the overrides exist in the Discovery MP
To correct the 2012, 2012R2, 2016 MP’s, the discovery MP reference must be added to the Rule

 

Verify overrides in SCOM Console

Click on Authoring Tab, Management Pack Objects, Overrides

“Microsoft.EnterpriseManagement.Common.ObjectNotFoundException: An object of class ManagementPackClass with ID <guid here>”

Through persistence, you may be able to search for Overrides

 

In ‘Look For’ bar, type RODC

Hit enter

Verify there are 4 (fyi there are 4 rules per AD version you have installed in your management group)

 

Remove Sealed AD Monitoring MP’s

Import unsealed MP’s

 

Verify in Console that overrides show up (No Errors seen)

 

Click on Authoring Tab, Management Pack Objects, Overrides

In ‘Look For’ bar, type RODC

Hit enter

 

Verify 16 overrides display (4 rules per AD version: 2008, 2012, 2012R2, 2016), or 12 if the AD 2008 packs are not installed

Sample XML for Overrides
<Overrides>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAIntersiteOutBytes.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesComp.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesNotComp.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
<RulePropertyOverride ID="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Microsoft.Windows.Server.2012.AD.DomainController.DRAOutboundBytesTotal.Collection" Property="Enabled">
<Value>false</Value>
</RulePropertyOverride>
</Overrides>
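
Before re-importing an edited pack, the missing-reference defect described above can be checked for in the unsealed XML. This is an added example, not part of the original post or the AD management pack: the function name, the inline management pack fragment, and its IDs are constructed for illustration, and in practice you would load your exported file with Get-Content instead.

```powershell
# Added example. The fragment below is constructed, not the real AD management pack.
[xml]$mp = @'
<ManagementPack>
  <Manifest>
    <References>
      <Reference Alias="AD2012Core"><ID>Constructed.Discovery.MP</ID></Reference>
    </References>
  </Manifest>
  <TypeDefinitions><EntityTypes><ClassTypes /></EntityTypes></TypeDefinitions>
  <Monitoring>
    <Overrides>
      <RulePropertyOverride ID="Fixed.Override.RODCGroup" Context="AD2012Core!Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Sample.Rule.A" Property="Enabled"><Value>false</Value></RulePropertyOverride>
      <RulePropertyOverride ID="Broken.Override.RODCGroup" Context="Microsoft.Windows.Server.2012.AD.RODCGroup" Enforced="false" Rule="Sample.Rule.B" Property="Enabled"><Value>false</Value></RulePropertyOverride>
    </Overrides>
  </Monitoring>
</ManagementPack>
'@

function Find-UnresolvedOverrideContext {
    param([xml]$ManagementPack)
    # Aliases declared in the Manifest, and classes defined inside this pack.
    $aliases = @($ManagementPack.SelectNodes('//Manifest/References/Reference') |
                 ForEach-Object { $_.GetAttribute('Alias') })
    $local   = @($ManagementPack.SelectNodes('//TypeDefinitions//ClassType') |
                 ForEach-Object { $_.GetAttribute('ID') })
    foreach ($o in $ManagementPack.SelectNodes('//Monitoring/Overrides/*[@Context]')) {
        $context = $o.GetAttribute('Context')
        $alias = $null; $element = $context
        if ($context -match '!') { $alias, $element = $context -split '!', 2 }
        # An aliased Context needs a declared reference; a bare one must be a local class.
        $problem = if ($alias -and $aliases -notcontains $alias) {
                       "alias '$alias' is not in Manifest/References"
                   } elseif (-not $alias -and $local -notcontains $element) {
                       'no alias prefix, and the class is not defined in this MP'
                   }
        if ($problem) {
            [pscustomobject]@{ Override = $o.GetAttribute('ID'); Context = $context; Problem = $problem }
        }
    }
}

# Reports only Broken.Override.RODCGroup, whose Context lacks the AD2012Core! prefix.
Find-UnresolvedOverrideContext -ManagementPack $mp | Format-List
```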

 

Enjoy!
