Thursday, May 10, 2018

SCOM - Security Monitoring MP has been Updated

Last year, Nathan Gau (Microsoft Premier Field Engineer) released an awesome free management pack to the community with the specific focus of enhancing your security monitoring capabilities with SCOM.

I've been using this management pack in our own environment and on customer sites for a while now and there are some really useful alerts that it can generate which give you an extra layer of security monitoring within your environment.

Some examples of the alerts include:

  • Active Directory Domain Admin/Enterprise Admin/Schema Admin group changes
  • Detecting the clearance of security logs
  • Detection of new services being created on Domain Controllers
  • Golden Ticket detection
  • AppLocker rules for detection of WCE, Mimikatz, PsExec, PowerSploit
  • Scheduled task creation
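As an added illustration (not code from the Security Monitoring MP or from Nathan's blog), the PowerShell check below pulls the standard Windows audit events that sit behind four of the alert categories listed above, so you can see on a single server what the MP would be raising alerts on. The mapping from alert category to event ID is my assumption based on the documented Windows event IDs; the MP's own rule definitions are not shown on this page, and the 24-hour window and admin group names are constructed for the example.

```powershell
# Added example: a stand-alone check for the Windows events behind some of the
# Security Monitoring MP alert categories. Assumed mapping (not taken from the MP):
#   1102        Security log cleared                       (Security log)
#   4728/4732/4756  member added to global/local/universal security group (Security log)
#   4698        Scheduled task created (needs "Audit Other Object Access Events" enabled)
#   7045        New service installed                      (System log)

$Since = (Get-Date).AddHours(-24)   # constructed look-back window for the example

$Checks = @(
    @{ Name = 'Security log cleared';              Log = 'Security'; Ids = @(1102) },
    @{ Name = 'Privileged group membership change'; Log = 'Security'; Ids = @(4728, 4732, 4756) },
    @{ Name = 'Scheduled task created';            Log = 'Security'; Ids = @(4698) },
    @{ Name = 'New service installed';             Log = 'System';   Ids = @(7045) }
)

# Only report group changes that touch the three groups named in the post
$AdminGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')

function Get-SecurityMonitoringHits {
    foreach ($Check in $Checks) {
        $Filter = @{ LogName = $Check.Log; Id = $Check.Ids; StartTime = $Since }
        # Get-WinEvent throws when nothing matches, so treat "no events" as an empty result
        $Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

        foreach ($Event in $Events) {
            if ($Check.Name -like 'Privileged*') {
                # The group name is inside the event message; skip non-admin groups
                $Hit = $AdminGroups | Where-Object { $Event.Message -match [regex]::Escape($_) }
                if (-not $Hit) { continue }
            }
            [pscustomobject]@{
                Check    = $Check.Name
                Time     = $Event.TimeCreated
                Computer = $Event.MachineName
                EventId  = $Event.Id
                Summary  = ($Event.Message -split "`n")[0].Trim()   # first line of the message
            }
        }
    }
}

Get-SecurityMonitoringHits | Sort-Object Time | Format-Table -AutoSize
```

Run it elevated on a domain controller (or any server) to see whether the raw events exist at all; if 4698 never appears even after creating a test task, the audit subcategory is not enabled and the corresponding MP alert could never fire either.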

The management pack isn't designed to be the only security monitoring tool that you use and it should instead be an addition to complement your overall security alert management strategy.

Here's how the author has positioned the management pack on his blog:

"To be clear, this is not a foolproof management pack. It is another defense in depth strategy that can help an organization to determine if they are breached, potentially catching the attacker before data loss occurs. It will not catch every intrusion, so please do not assume that putting this in makes you secure. It is 100% dependent on a good alert management process, a subject that I have written about extensively. With that said, the main goal in this design was to keep alert noise down to a minimum. The hope is that very little of this will fire out of the box. If this MP is generating alerts, they should be investigated."

Since its inception, there has been a lot of work put into this management pack with the list of contributors making up a 'who's-who' list of the best in the SCOM community.
If you're using SCOM, then I highly recommend you take this free community MP for a test drive and see for yourself the value it can add to your security monitoring arsenal.

You can get all the information you need on this MP (including the latest change log and a summary of all features) from Nathan's main blog post on it from the following link:

Introducing the Security Monitoring Management Pack for SCOM


Thursday, April 26, 2018

SCOM 2016 Update Rollup 5 is Now Available

A couple of days ago, Microsoft announced the latest Update Rollup (UR5) for SCOM 2016.

The Fixes

Unlike the last UR4 release, this update comes with a raft of new bug fixes - including a handy one for when you want to run the SCOM and SCSM consoles side by side on the same server, along with a fix for a widely reported bug that occurs when performing an in-place upgrade of SCOM 2016 to the Semi-Annual Channel SCOM 1801.

Here's what you get with UR5:

  • The SCOM console and Service Manager console for PowerShell modules can now coexist on the same server. (Note: Both SCOM Update Rollup 5 (this update) and Service Manager Update Rollup 5 (update KB 4093685) must be installed to resolve this issue.)
  • Active Directory Integration rules are not visible or editable in an upgraded 2016 Management Group. This prevents the ongoing management of Active Directory integration assignment in the upgraded Management Group.
  • When the UNIX host name on the server is in lowercase, the OS and MonitoredBy information is displayed incorrectly in the Unix/Linux Computers view.
  • Active Directory integrated agents do not display correct failover server information.
  • Performance views in the web console do not persist the selection of counters after web console restart or refresh.
  • The PowerShell cmdlet Get-SCXAgent fails with error “This cmdlet requires PowerShell version 3.0 or greater.”
  • During the upgrade from SCOM 2016 to SCOM 1801, if the reporting server is installed on a server other than the management server, the upgrade fails. Additionally, you receive the error message, "The management server to which this component reports has not been upgraded."
  • If a group name has been changed through the operations console, the Get-SCOMGroup cmdlet does not retrieve the group data that includes the changed group name.
  • Error HTTP 500 occurs when you access Diagram view through the web console.
  • When you download a Linux management pack after you upgrade to SCOM 2016, the error "OpsMgr Management Configuration Service failed to process configuration request (Xml configuration file or management pack request)" occurs.
  • The SQLCommand Timeout property is exposed so that it can be dynamically adjusted by users to manage random and expected influx of data scenarios.
  • The MonitoringHost process crashes and returns the exception "System.OverflowException: Value was either too large or too small for an Int32."
  • When company knowledge is edited by using the Japanese version of Microsoft Office through the SCOM console, the error (translated in English) "Failed to launch Microsoft Word. Please make sure Microsoft Word is installed. Here is the error message: Item with specified name does not exist" occurs.
  • Accessing Silverlight dashboards displays the "Web Console Configuration Required" message because of a certificate issue.
  • Microsoft.SystemCenter.ManagementPack.Recommendations causes errors to be logged on instances of Microsoft SQL Server that have case-sensitive collations.
  • Deep monitoring displays error “Discovery_Not_Found” if the installation of JBoss application server is customized.
  • Adds support for the Lancer driver on IBM Power 8 Servers that use AIX.
  • The ComputerOptInCompatibleMonitor monitor is disabled in the Microsoft.SystemCenter.Advisor.Internal management pack. This monitor is no longer valid.

My Advice

As always, my advice for deploying this update is to head over to Kevin Holman's blog and wait for his handy step-by-step guide to get this up and running in your non-production environments first.

Monday, February 19, 2018

Speaking at the Global Azure Bootcamp 2018

This coming April 21st, I'll be presenting a session on Azure Monitoring at the Global Azure Bootcamp 2018 event in Dublin.

This annual event is now in its sixth year of running and is held on the same date in nearly 200 locations around the globe - bringing together some of the best speakers and contributors in the Azure community.

Organised as a free event by the Irish MVP community with support from the awesome people over at our local Microsoft team, we're running an agenda of three tracks side-by-side covering topics across Azure Infrastructure & Security (Track 1), Azure Compute/General (Track 2) and Azure Workshops/Lightning Talks (Track 3).

If you haven't attended one of these events before, here's the lowdown on what to expect (taken from our official event website):

"Welcome to Global Azure Bootcamp! All around the world, user groups and communities want to learn about Azure and Cloud Computing. On April 21, 2018, tech communities world-wide will come together once again in the sixth great Global Azure Bootcamp event!

In Dublin, we are organising the biggest community-led event yet, with two tracks and in-depth workshops during the day. Bootcamps are happening on the same day all over the world - come to Dublin and join in - please share your experience under the social hashtag #GlobalAzure!

It is important to point out, that while this event is *about* Azure, it is *not* a commercial event. Azure bootcamp Dublin is organised by the local MVP tech community - we are here to share our knowledge, not sell anything."

Registration is filling up fast and if you miss out on a seat at the first attempt, we've put a waiting list system in place to hopefully help you grab a cancellation spot. You can check out the full agenda and list of speakers on the day along with your free registration at our new website here -

Hope to see some of you guys there!

Thursday, February 8, 2018

SCOM 1801 Has Just Been Released!

The latest release of SCOM (1801) has just been announced and it brings with it some major changes in licensing along with some nice additional features and enhancements compared to earlier versions.

Licensing Changes

This is the first release of SCOM in the new Semi-Annual Channel (SAC) model and it will enable Microsoft to deliver new capabilities to our favourite monitoring platform much faster than ever before - e.g. two product releases per year versus one every three or four years. Due to this faster release cadence, SAC releases only have an 18-month support policy, with the concept being similar to how we manage, deploy and get support for service packs to our operating systems and other applications.

If this short-term release cycle isn't something that you fancy, then you can still deploy SCOM using the Long-Term Servicing Channel (LTSC) model - which will provide new version releases at a much lower frequency and no new features will be added - mainly just bug fixes. With LTSC, you get up to 5 years of mainstream support followed by 5 more years of extended support - as has been standard with the versions of SCOM we've been using up to now.

Key Features

We get a number of new features with this release with my favourites being the new HTML 5 widgets, Service Map integration and the enhanced performance gains. Here's the full list of everything that's new:

  • Improved HTML5 dashboard experience
  • Enhanced SDK performance
  • Linux Logfile monitoring enhancements
  • Linux Kerberos support
  • GUI support for entering SCOM License key
  • Service Map integration
  • Updates and Recommendations for third-party vendor Management Packs
  • System Center Visual Studio Authoring Extension (VSAE) support for Visual Studio 2017

The bits for this new release should start hitting your normal licensing channels for download around about now (if it's not there, give it a day or so to fully populate) and in the meantime, you can download an evaluation copy of SCOM 1801 from the Evaluation Center here.

I'll post back in the coming days with my thoughts on the new release and anything extra that I come across.


SCOM 'Updates and Recommendations' Feature Now Supports External Partner MPs

Earlier this week Microsoft announced that the Updates and Recommendations feature (first introduced in SCOM 2016) will be extended for the new SCOM 1801 semi-annual release to include management pack recommendations from certified external partners - such as NiCE and Comtrade to name a few.

The screenshot below shows this new capability in action where you can see a mixture of external partner management packs offered alongside the typical Microsoft ones.

How It Works

The Updates component of this feature periodically checks for updates to the existing management packs that you've deployed into your environment and then suggests which ones to upgrade.

For the Suggestions component, a discovery scans your monitored servers for workloads/technologies that are supported for monitoring with a SCOM management pack and then suggests which ones you should download for a better monitoring experience. It will also detect and suggest any dependent management packs that you might need to bring in so you don't run into any partial import problems.

This image shows an example of how this all comes together...

I've used the Updates and Recommendations feature a fair number of times in SCOM 2016 and it's definitely a big improvement on the original 'Updates available for installed management packs' option that we had in SCOM 2012 R2 (which never really had a full, up-to-date view of all current management packs anyway). Extending this capability to external vendors can only be a good thing going forward.

Here's what Microsoft had to say in their original post on this new capability...

"We are extending this feature to support Management Packs authored and offered by several external technologies and consulting partners of SCOM. Partners have extended their support by signing up with the SCOM team to onboard their Management Packs to ease the Management Pack discovery problem solved by this feature. With the partner support, this feature is now able to recommend Management Packs for both Microsoft and non-Microsoft workloads."

SCOM 1801 is now generally available and you can read all about it here and download an evaluation copy of it from here.

Tuesday, February 6, 2018

Speaking at CDC Germany 2018

Last year I had the opportunity to head over to Munich and present at the awesome Cloud and Datacenter (CDC) conference organised by my good friend and well-known MVP Carsten Rachfahl, and I'm delighted to confirm I've been invited back again this year to present at CDC 2018.

I really enjoyed my time presenting over in Munich last year and the conference was packed with some of the best cloud and datacenter-focused speakers from around the world (the plentiful food and quality local beer helped too!). The attendees also came well prepared with some excellent interaction and questions across all of the sessions that I watched or was involved in.

This year's event is being held in Congress Park Hanau (just east of Frankfurt) and with nearly thirty speakers already confirmed, it has the makings of an even better conference than last year's - which will be hard to top!

Held over two days (15th & 16th May) and across six different tracks, there will be a mixture of sessions to choose from - some in English, some in German.

You can register to attend CDC Germany 2018 here and I'll post back with an update closer to the event.

Hope to see some of you guys over there 😊

Monday, February 5, 2018

SCOM 2016 and OMS '101' Series

A few years back, Antoni Hanus (Microsoft PFE) released a really useful beginners guide for SCOM titled 'Operations Manager 101'.

This PDF-style guide contained over 100 pages of information and walk-throughs designed to get people up and running with SCOM quickly. It was so useful that I always recommended it to my SCOM customers as a great free learning resource, and the feedback on it was always positive.

The only downside to the guide was that it was authored specifically for SCOM 2007 and, along with the retro-style Microsoft logo that you can see in the image above, all of the screenshots and content looked way too out-of-date for people dipping their toes into SCOM 2016. There was also no reference to how SCOM can now connect to OMS.

Thankfully, over the weekend I came across a blog post from Antoni where he has taken the opportunity to update this guide and push it out as a combined web-series for SCOM 2016 and OMS.

He's already got over 20 new blog posts linked to this series with more to come and if you're deploying SCOM (or just want to ramp up your SCOM 2016 administration skills), then I encourage you to check it out at the link below:

Happy reading!

Thursday, January 25, 2018

Dude, where's my 'Outside-In' monitoring gone?

If you've been working with SCOM for as long as I have, you'll most likely have come across the very cool Global Service Monitor (GSM) feature that Microsoft first demonstrated way back in 2012 during the release of SCOM 2012 Service Pack 1 at the awesome Microsoft Management Summit in Vegas.

GSM simulates the end-user experience of accessing a web application as it can schedule automatic synthetic transactions from locations around the world - providing an 'Outside-In' availability, performance and reliability monitoring view of your externally facing web applications.

If you purchased a Software Assurance license for System Center 2012, then you were entitled to deploy the GSM management pack into your SCOM environments and use the Global Service Monitor connector shown in the following image to connect GSM in the cloud back into your on-premise SCOM deployment.

I've deployed GSM to a lot of customers over the years and it worked exactly as it was meant to along with adding some nice value when we were modeling IT services that needed an end-user perspective of the availability and performance of specific web applications.

Fast-forward to when SCOM 2016 was first released and although the GSM management pack guide only specified support for SCOM 2012, it still worked and delivered that 'Outside-In' monitoring experience.

Recently however, the GSM connector has stopped working for SCOM 2012 and also for SCOM 2016. If you had GSM running in your SCOM environment, you will probably have noticed an alert relating to a DNS resolution error - which on investigation looks like there's a DNS zone missing on the Microsoft side.

While no official statement has been released by Microsoft as to this connector being deprecated and this DNS issue may still be resolved, it's probably a good time to start thinking of an alternative option to GSM. This is where the Azure-based Application Insights platform comes in.

A few years back I wrote a few blog posts (here and here) that discussed an alternative to GSM using Application Insights, and last week, after a discussion among some MVP friends relating to the Global Service Monitor DNS resolution error in SCOM, Cameron Fuller (Cloud and Datacenter Management legend) put together an awesome walk-through blog post on using Application Insights as an alternative to GSM in SCOM.

Along with showing how to create a web availability test in Application Insights, Cameron also dives into some examples around custom dashboards and automatic application mapping. If you want to learn more, then I totally recommend checking out his post at the link below:


Monday, December 4, 2017

Update Rollup 14 for SCOM 2012 R2 Now Available

Last week Microsoft announced the release of Update Rollup 14 (UR14) for SCOM 2012 R2.

The Fixes

This latest update is as lightweight as they come and contains just a single key fix/enhancement:

Update Rollup 14 for System Center components adds support for Transport Layer Security (TLS) protocol version 1.2. For more information about how to set up, configure, and run your environment to use TLS 1.2, see the following article in the Microsoft Knowledge Base:

4055768 TLS 1.2 Protocol Support Deployment Guide for System Center 2012 R2
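Before rolling UR14 into an environment that you intend to lock down to TLS 1.2, it helps to know what the server is currently set to. The read-only audit below is an added example (not from the UR14 announcement or from the KB it cites) that reports the Schannel protocol settings and the .NET Framework 4.x strong-crypto switch on the local server. The registry paths and expected values are the standard Windows settings and are stated here as my assumption rather than quoted from KB 4055768; the KB also covers SQL client driver requirements that this script does not check.

```powershell
# Added example: read-only TLS 1.2 readiness audit for a SCOM 2012 R2 server.
# Assumed settings (standard Windows locations, not quoted from the KB):
#   Schannel  TLS 1.2 Client/Server  Enabled=1, DisabledByDefault=0
#   .NET 4.x  SchUseStrongCrypto=1   (64-bit and Wow6432Node 32-bit hives)

function Get-Tls12Readiness {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $dotnet32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'

    # Each row: registry path, value name, and the value expected for TLS 1.2 to be usable
    $expected = @(
        @{ Path = "$schannel\Client"; Name = 'Enabled';            Want = 1 },
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';  Want = 0 },
        @{ Path = "$schannel\Server"; Name = 'Enabled';            Want = 1 },
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';  Want = 0 },
        @{ Path = $dotnet;            Name = 'SchUseStrongCrypto'; Want = 1 },
        @{ Path = $dotnet32;          Name = 'SchUseStrongCrypto'; Want = 1 }
    )

    foreach ($e in $expected) {
        # A missing key or value reads as $null. Schannel treats a missing TLS 1.2 key as
        # "OS default", so $null is reported explicitly rather than assumed to be fine.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Path     = $e.Path
            Name     = $e.Name
            Expected = $e.Want
            Actual   = $actual
            Ok       = ($actual -eq $e.Want)
        }
    }
}

Get-Tls12Readiness | Format-Table -AutoSize
```

Any row with Ok = False (or Actual blank) is a setting the KB's deployment guide walks you through; the script deliberately changes nothing, so it is safe to run on a production management server first and on the test environment second.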

The Gotchas

The Web Console component of this update has the same known issue that we've seen with both UR13 for SCOM 2012 R2 and UR4 for SCOM 2016, whereby after applying the update your web console's Silverlight configuration breaks! Here's a description of the issue:

When you access Silverlight dashboards, a “Web Console Configuration Required” message is displayed.

To work around the Silverlight dashboard issue, you'll need to work through the following steps:
  1. Click Configure in the dialog box.
  2. When you are prompted to run or save the SilverlightClientConfiguration.exe file, click Save.
  3. Run the SilverlightClientConfiguration.exe file.
  4. Right-click the .exe file, click Properties, and then select the Digital Signatures tab.
  5. Select the certificate that has Digest Algorithm as SHA256, and then click Details.
  6. In the Digital Signature Details dialog box, click View Certificate.
  7. In the dialog box that appears, click Install Certificate.
  8. In the Certificate Import Wizard, change the store location to Local Machine, and then click Next.
  9. Select the Place all certificates in the following store option and then select Trusted Publishers.
  10. Click Next and then click Finish.
  11. Refresh your browser window.
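Steps 4 to 10 are click-heavy and easy to get wrong (picking the SHA1 signature instead of the SHA256 one is the usual slip), so here is an added PowerShell script, not from the UR14 release notes, that does the same thing from the command line: it reads every Authenticode signature in the downloaded SilverlightClientConfiguration.exe (the primary one plus any nested signature), picks the one whose digest algorithm is SHA-256, and imports that signer certificate into the Local Machine\Trusted Publishers store. It assumes Windows PowerShell 5.1 on the web console server, an elevated session, and that the file was saved to the constructed placeholder path below; the PE offsets and the nested-signature attribute OID are standard Authenticode layout, stated here as assumptions rather than quoted from Microsoft documentation.

```powershell
# Added example: automate steps 4-10 of the Silverlight dashboard workaround.
# Assumed: PowerShell 5.1, run as administrator, file saved at $Path (placeholder).
param(
    [string]$Path = 'C:\Temp\SilverlightClientConfiguration.exe',
    [switch]$Install   # without -Install the script only lists the signatures it found
)

Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs.SignedCms

function Get-PeSignatureBlob {
    # Returns the raw PKCS#7 bytes from the PE Certificate Table (data directory entry 4).
    param([byte[]]$Bytes)
    $peOffset  = [BitConverter]::ToInt32($Bytes, 0x3C)        # e_lfanew
    $optHeader = $peOffset + 24                               # after "PE\0\0" and the COFF header
    $magic     = [BitConverter]::ToUInt16($Bytes, $optHeader) # 0x10B = PE32, 0x20B = PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is 4 * 8 bytes further
    $dirOffset = if ($magic -eq 0x20B) { $optHeader + 112 + 32 } else { $optHeader + 96 + 32 }
    $certOff   = [BitConverter]::ToInt32($Bytes, $dirOffset)  # a file offset, not an RVA
    $certLen   = [BitConverter]::ToInt32($Bytes, $dirOffset + 4)
    if ($certOff -eq 0 -or $certLen -eq 0) { throw "File is not Authenticode-signed: $Path" }
    # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) then bCertificate
    $blobLen = [BitConverter]::ToInt32($Bytes, $certOff) - 8
    $blob = New-Object byte[] $blobLen
    [Array]::Copy($Bytes, $certOff + 8, $blob, 0, $blobLen)
    return $blob
}

function Get-AllAuthenticodeSigners {
    # Walks the primary SignedData and any nested signature (unsigned attribute
    # OID 1.3.6.1.4.1.311.2.4.1) and emits digest algorithm + signer certificate for each.
    param([byte[]]$Pkcs7)
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($Pkcs7)
    foreach ($signer in $cms.SignerInfos) {
        [pscustomobject]@{
            DigestAlgorithm = $signer.DigestAlgorithm.FriendlyName   # 'sha1' or 'sha256'
            Subject         = $signer.Certificate.Subject
            Certificate     = $signer.Certificate
        }
        foreach ($attr in $signer.UnsignedAttributes) {
            if ($attr.Oid.Value -eq '1.3.6.1.4.1.311.2.4.1') {
                foreach ($value in $attr.Values) { Get-AllAuthenticodeSigners -Pkcs7 $value.RawData }
            }
        }
    }
}

$bytes   = [IO.File]::ReadAllBytes($Path)
$signers = @(Get-AllAuthenticodeSigners -Pkcs7 (Get-PeSignatureBlob -Bytes $bytes))
$signers | Format-Table DigestAlgorithm, Subject -AutoSize   # what the Digital Signatures tab shows

# Step 5: the signature whose digest algorithm is SHA256
$sha256 = $signers | Where-Object { $_.DigestAlgorithm -eq 'sha256' } | Select-Object -First 1
if (-not $sha256) { throw 'No SHA-256 signature found; fall back to the manual steps.' }

if ($Install) {
    # Steps 8-9: store location Local Machine, store Trusted Publishers
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($sha256.Certificate)
    $store.Close()
    "Imported '$($sha256.Subject)' into LocalMachine\TrustedPublisher - now refresh the browser (step 11)."
}
```

Run it once without -Install to confirm that a sha256 row appears and that its subject is the Microsoft code-signing certificate you expect, then run it again with -Install; trusting a publisher certificate machine-wide is exactly the kind of change you want to look at before you make it.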

My Advice

As usual, my advice for deploying this update is to head over to Kevin Holman's blog and check out his handy step-by-step guide to get this up and running in your non-production environments first.

Tuesday, November 7, 2017

Update on the Roadmap for SCSM and Orchestrator

Back in June, Microsoft announced a change to the release cycle of System Center - where customers with an active Software Assurance license will see two new version releases a year. This change follows a similar track to how Microsoft now offer Configuration Manager - which has moved to a three-times-a-year release model - and it also brings the release cadence for System Center in line with Windows Server.

In the original announcement here of the new release cycle, you might have noticed that there was plenty of talk about how SCOM, SCVMM and DPM would be invested in but no mention of anything related to Service Manager (SCSM) or Orchestrator.

Over the last year or two, all of the messaging coming out of Microsoft has been that both SCSM and Orchestrator are essentially an abandoned ship - with no development or investment love coming their way as the move to cloud-based alternatives accelerates their demise.

Well, if you're currently working with SCSM and Orchestrator (or have a valid reason to not look at the cloud-based alternatives), then you'll be happy to know that Microsoft have recently clarified their position on their support and investment for both products in their 'SCSM Roadmap and Future' blog post here.

An encouraging quote directly from the blog post reads:

"System Center Service Manager and Orchestrator are still being developed and are part of this new release cycle along with the rest of System Center. Some semi-annual updates will only have fixes and some will have additional functionality. The features that get added to the entire suite each cycle will depend on customer demand and will be prioritized as such. The products which receive enhancements will likely vary each time. All products are therefore still fully supported.

Like many on-prem product groups, the SCSM team is currently working on incorporating more Azure and cloud service components into SCSM."

This should help allay fears that SCSM and Orchestrator are completely dead in the water but in the spirit of innovation, if you haven't yet looked at and tried out solutions such as Azure Automation, Azure Logic Apps and the ITSM integration with Azure Log Analytics, then you're missing a trick and need to check them out sooner rather than later!