Using SCOM as a basic configuration audit system – Part 1

I’m going to start a series of articles, I don’t know how many yet, on how to use your OpsMgr infrastructure to check for proper configuration of the managed systems. Then number of posts will be based on how much I can write in one hour J. The basic need started with the growing number of patches needed to guarantee a complete and hassle free monitoring experience “Things to make and do for agent health”. Obviously OpsMgr is not the first choice tool to solve this kind of problem, it has not any standardized building block or formal architecture whereas System Center Configurations Manager has. So if you have SCCM agents deployed on the same systems managed by OpsMgr this series of posts is not for you, you better use the SCCM DCM feature to address the compliance checking and if you have Service Manager in place then you can have the formal plumbing, too.

This first installment will set the scope of this project and some background on the health model needed.

At the end of our effort we’ll have a management pack that will address these requirements:

  • it needs to check for a minimum service pack level given a specific operating system
  • it needs to check for the presence of a set of patches for a given operating system and service pack level
  • optionally it needs to integrate the health model of OpsMgr agent (HealthService) with the compliance level
  • it needs to report on non-compliant systems with a detailed status regarding missing patches

For the sake of these posts I will concentrate on Windows Server 2008 and Windows Server 2008 R2, but the same technique can be applied to other systems (for example Windows 2003), for this reason I will use vbscript instead of powershell for any scripting needed. Moving away for the official support statement for OpsMgr I will target any reporting need to SQL Server 2008 schema, so the reports will work on SQL Server 208 and superior, but not on SQL Server 2005.

Regarding the health model I’ll need to set a new baseline (with baseline I’m referring to the operating system + service pack combination) for R2 SP1, the baselines I’m going to tackle are:

· Windows Server 2008

· Windows Server 2008 R2 RTM

· Windows Server 2008 R2 with Service Pack 1

for these baselines I’ll set up a monitor (targeted at the OS) under the configuration branch to assess the proper agent compliance


At the same time I’ll establish a loose relationship with the HealthService to project the compliance status to the agent health. This projection will be disabled by default


The next post will address the core scripting needed to assess the compliance level.

– Daniele

This posting is provided "AS IS" with no warranties, and confers no rights.

  1. #1 by Jonathan Almquist on January 1, 2012 - 6:39 pm

    This is great – looking forward to reading future articles!

  2. #2 by Bob Cornelissen on January 1, 2012 - 12:56 pm

    Very nice Daniele, Looking forward to this series.

  3. #3 by Ernie on December 31, 2011 - 10:31 am

    Thanks for this and following posts to come, I am sure we will all find this extremely useful

  1. Using SCOM as a basic configuration audit system – Part 2 the script « Quae Nocent Docent

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: