Menu Close

SCOM Management – MP – Making a SCOM Admin’s life a little easier

Current Version:  4/28/2019

Download link:


This is a Management Pack that eases the administrative burdens in SCOM.  It allows you to have a lot of handy discovered properties, and includes tasks that allow you to delegate administrative actions to your users.  It also serves as a good example MP on how to write classes, discoveries, and most importantly many task examples for command line, VBscript, and PowerShell.

I didn’t write all these – a bunch of ideas came from Jimmy Harper, Matt Taylor, Tim McFadden, Daniele Grandini, Raphael Burri, Brian Barrington, Patrick Donovan  and their feedback + MP examples.  This was more of an effort to combine lots of useful administration in one place.


This MP creates a folder in the console with some views for Agents and Servers.  It includes a view for the custom agent class properties (SCOM Agents) along with custom class properties for Management servers and Gateways (SCOM Servers).  It also includes views for Health Service and Health Service Watchers, for specific tasks that apply to those classes.




First – useful discovered properties:





The “real” Agent Version

The Update Rollup level of the agent

If Active Directory Integration is enabled or not for the agent assignment

Any Management Groups that the agent belongs to.  This is nice to see for old management groups that get left behind.

Any OMS Workspaces the agent reports to.

Any OMS Proxy URL if configured.

A check if PowerShell is installed and what version.  This is important because PowerShell 2.0 is required on all agents if you want to move to SCOM 2016.

CLR .NET runtime version available to PowerShell

OS/CPU Architecture (AMD64 or x86)

OS Version and Name

Primary and Failover management servers.  I am getting this straight from the agents config XML file, sometimes agents might not be configured as you think – this is from the authoritative source…. what’s in that specific agents config.

The default Agent Action account.  Helpful to find any agents where someone installed incorrectly.

The agent install path.

If the APM services are installed with the agent, or if the Agent was installed with NOAPM.

If the agent uses a Certificate for Healthservice communication, along with Cert Expiration, Thumbprint, and Issuer.

The Agent IP Address

The Port connectivity availability status of agents to an array of MS and GW servers to test for firewalls


Also I added server discovery of properties (Management Servers and Gateways):







Next up – the tasks:


SCOM Agent tasks:



One of the problems with tasks, is that they are scoped to a specific class.  Some cool tasks are attached to Windows Computer, some to HealthService, some to specific app classes.  Or – people write tasks and scope to System.Entity.  This places the task in ALL views.  That’s handy, but if everyone did that we’d have an unusable console for tasks.

Agent – AD INT DISABLE (and ENABLE) – this task will enable or disable AD integration for agent assignment, and restart the agent.

Agent – DELETE – This allows your end users to DELETE agents from SCOM if they should no longer be monitored.

Computer Management – duh.

Create Test Event – this task creates event 100 with source TEST in the app event log, and there is a rule in the MP to generate an info alert.  This will let you test end to end agent function, and notifications.



Execute any PowerShell – this task accepts one parameter – “ScriptBody” which allows you to pass any PowerShell statements and they will execute locally on the agent and return output:




Execute any Service Restart – this will take a servicename as a parameter and restart the service on any agent on demand.  You should NOT use this for the Healthservice – there is a special task for that:



Execute any Software from Share – this task will accept an executable or command line including an e4xecutable, and a share path which contains the software, and it will run it locally on the agent.  This is useful to install missing UR updates, or any other software you want deployed.  This will require that “Domain Computers” have read access to the files on the share.



Export Event Log – this task will export any local event log and save the export to a share.  It will require that the “Domain Computers” have write access to the share.



HealthService – FLUSH – This task will stop the agent service, delete the health service store, cache, and config, and start the service back up, provoking a complete refresh of the agents config, management packs, and ESE database store.

HealthService – RESTART – This is a special task which will reliably bounce the HealthService on agents using an “out of band” script process.  Many scripts to bounce the agent service fail because when the service stops, the script to start it back up is destroyed from memory.

HSLockDown – LIST Accounts, and HSLockDown – Add SYSTEM.  These will list the accounts configured under HSLockdown and will also add Local System back if desired.

Management Group – ADD and Management Group – REMOVE – these are script based tasks to add or remove a management group from an agent

OMS Workspace – ADD and OMS Workspace – REMOVE – these are script based tasks to add or remove OMS workspaces and configure a proxy for direct internet or OMS Gateway

Ping – (Console Task)

Remote Desktop – (Console Task)


SCOM HealthService Tasks:


This is a special task that will allow you to set agents back to “Remotely Manageable” instead of having to edit the SQL tables!


SCOM HealthService Watcher Tasks:


The “Agent – Delete” task is really cool.  It allows an operator with access to the task to be able to clean up (DELETE) agents from the SCOM console – without having access to the Administrator role.  This task will run on the management servers and delete agents (this is a Delete – not an uninstall)  This is handy for cleaning up old agents that are not present anymore.


SCOM Server Tasks:


I have included “Agent – INSTALL” and “Agent – DELETE” tasks, targeting the management servers.  These will allow you to push installAND delete SCOM agents from the Operators console.  You simply need to Override the task and proved the computers FQDN:


In order for this task to work – it will attempt to push the agent as the SCOM Management Server Action account.  You will need to grant that account administrative rights on your server in order to be able to use this.



Do you have other useful agent management tasks that you think should be in a pack like this?  Or discovered properties that are useful as well?  I welcome your feedback.


Warning:  Some of these tasks can be considered “risky” to deliver to your Operators, like exposing the ability to execute any PowerShell, restart any service, and install any software from a share.  If those are things you don’t ever want exposed in your SCOM environment – then delete those tasks from the MP, or do not expose them in your non-administrator scoped console access.



Download the MP here:


Version History:

  • – Initial Release
  • – Updated with additional properties and dual versions for safer tasks.
  • – Corrected minor bug in script names in export event log task
  • – Updated to support SCOM 2012R2 UR13 and SCOM 2016 UR3 in update rollup discovery
  • – Updated OS Version discovery to PowerShell to better handle WS2016 and Windows 10
  • – Major Re-write to include Server Roles, add OMS workspaces, UR levels
  • – Renamed Views, Added Health Service Watcher View, Added Agent install and delete tasks, Added install path property
  • – Added AD Integration discovered property and tasks to enable/disable AD integration
  • – Added APM installed discovery to find agents that need NOAPM reinstall, Added Tasks for Agent Delete, and Set IsManualyInstalled to false, Added view for HealthService objects
  • – Added discovery for OMS proxy, Added tasks for OMS Workspace ADD and REMOVE, Minor bug fixes to Agent Properties powershell discovery.
  • – Bug fixes, Added properties for OMS, Added tasks for OMS, Changes to views based on customer requests
  • – Updated server properties discovery to properly detect UR level on Gateways
  • – Updated to support discovery of SCOM 2016 UR4
  • – Updated for SCOM 2012 R2 UR14
  • – Updated for SCOM 2016 UR5
  • – Updated for TLS 1.2 support
  • – Added OS/CPU Architecture property
  • – Added IP address and Port availability check
  • – Added support for SCOM UR6
  • – Fixed bugs for UR6 display, Added properties for certificates such as expiration, thumbprint, issuer
  • – Added tasks for HSLockdown, Added preliminary support for SCOM 2019
  • – Added support for SCOM 2019 RTM
  • – Added support for SCOM 2016 UR7


  1. Ronald

    The discovery on gateways is not correct if you run version 1807, it still shows UR level 1801 in the version 7.0.063 of this pack.
    That’s because the file being checked ‘HealthService.dll’ is not changed.
    When you replace HealthService.dll to MOMAgentManagement.dll on line 1615 of the pack it does show the correct UR Level version, but i don’t know if that’s ok for older scom versions.

  2. Seeper

    would be nice to add a new column in Agents view to obtain maximumQueueSizeKb value

    key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlsSet\Services\HealthService\Parameters\Management Groups\maximumQueueSizeKb

    • Kevin Holman

      Here is my personal opinion on that.

      I almost *never* adjust it. If you need to adjust it – that means your MP is doing something bad, and I’d rather attack the MP. If the default queue size of an agent isnt big enough – then something is wrong. Too many times support has done this as a band-aid solution to the real issue. Allowing a bigger queue is almost always a bad thing. It means we are allowing MP’s to discover too much data, or workflows to output too much data. I’d rather focus on making the MP better. There are rare occurrences where I’d adjust this (like for VERY specific and well written 3rd party MP’s which need it for VERY specific reasons) but these are atypical.

      So, that being said – this is just my personal experience with my customers. Why do you adjust it in your environment?

      • TysonP

        Considering your viewpoint that it should not be changed (except in rare circumstances), perhaps it would be helpful to add the column anyway so that any agents with modified/custom queue size can be identified easily and reviewed. This might be useful when there are numerous admins chef-ing in the kitchen.

        Easy for me/us to suggest tasks that create more work for you. 😉
        Thanks for all of your contributions!

        • Kevin Holman

          If someone just HAS to have that in a view, they need only click one view down in this MP – “SCOM HealthService” – as this is already a discovered property of the Healthservice class.

  3. Rick Bywalski

    So one issue I found when I was trying to dual home machines from my current prod 2012 to my pre prod 2016 if I selected a group of machines and there was a single machine in there I did not have access to with the account I was using it would fail the entire group. Is there a way to have the rest work and only the one that I do not have access to fail?

  4. Kiwifulla

    I’ve upgraded to SCOM 2016 UR6 and confirmed KB4459897-AMD64-ENU-WebConsole.msp installed correctly for the Web Console, but MP still shows it as Web Console UR Level = 2016 UR5. I’ve left it all day but it’s still the same.



  5. Michiel

    Great work Kevin, maybe you could add a task that can update the workspace key for a Log Analytics workspace. (aka remove and add with the new key in one step)

    • Kevin Holman

      Would you want it to wipe out ALL existing workspaces, or remove one, while adding one? Some customers multi-home to multiple workspaces…. so the two step process is “safer” unless you want a task that literally removed one by the ID, and adds one by the ID.

  6. Saiyad Rahim

    Awesome MP as always Kevin.
    Would you be able to incorporate Server Description as well:

    I am interested in showing Servers “Description” in SCOM either from Active Directory and/or using the Servers “Computer Description” field from the server itself?

    Ideally would like to show this info in the Active Alerts, Windows Computers and Discovered Inventory Views as a new Column.

    Also if this could be present in the Windows Computer properties of “ServerXX” Detail View under Windows Computers.

    I would like to have this available for all windows servers /computers either in or out of Domain.

    If you can help me project both Description from AD and from the Server itself in its own column each would be much better to compare and standardise this info in both areas.

    or if its easier to make the Servers Description field as default and if that is blank it should show the Description from AD.

    Hope there is an easier way to get this info into SCOM.

    • kevinholman

      Most people do just that. However, if you use scoped views and limit what tasks your users can run, you generally won’t approve some of these tasks as they allow non-administrators ability to run tasks on agents as local system, which is technically an elevation of privilege. This is why you should never grant all users all tasks. Other MP’s work the same way with any agent tasks.

  7. Benny

    Is there an easy way to publish all the views in this MP only for the Administrators? After importing this MP operators can se and run tasks…

  8. Shiva

    Can anyone suggest me what can i use to monitor servers from untrusted domain, GW or seperate MS in untrusted Domain and which one will be better and Why ?
    What all the difference we get in terms of the performance if we use GW or MS ..

    Please help and suggest…

    • Kevin Holman

      No. However, when you scope access to the console for non-admins – you should be choosing what views and tasks are available to your users.

  9. Benny

    Ok but when i am trying to change that under User Roles and properties on operators etc, it is greyed out and i cant edit anything there.

  10. Benny

    Ok i think i got it now, i have to create a new User Role to be able to choose what to scope… I made a new User Role based on Operator and under Dashboard and Views i choosed “Only the dashboards and views…” Marked everything and unmarked “SCOM Management views”… I guess that the Task pane is dependent on the Monitor Tree, so did not choosed anything there?

  11. Brian

    Hi Kevin, Thanks for the MP. I like the useful features (Agent version, Action Account, PS Installed…). I landed on this MP while needing to determine if the APM is installed. However, if I Repair the Agent and untick the box to keep or install APM, the State View reports as true. I’ve uninstalled the agent entirely and installed it without APM but the State View in SCOM Agents shows true. Even after using the “Execute any Powershell” and the NOAPM=1 command it shows as true. I’m having trouble using this to determine the install state of APM and cannot seem to produce a false for APM Installed.

    Do you have any idea as to what could be happening to show all of the properties as true regardless of the install state? Or, why all of our APM Installed are true?

    • Brian

      So, it turns out that the APM agent is installed even if the box is unticked to “keep or install APM”. Even on a clean install, the APM agent is still installed. The only difference I noticed is the Startup Type for the “Microsoft Monitoring Agent APM” service to either Disabled or Automatic depending on whether or not the “keep or install APM” box is ticked.

      Even though APM is “not installed” (installed but startup type set to disabled) the “SCOM Agents” State View still shows the APM Installed as True. Perhaps a better property to show would be if the Startup Type for the Microsoft Monitoring Agent APM service as Automatic for Disabled.

      Even though APM is “not installed” (installed but startup type set to disabled) IIS still grabs the profiler service after rebooting the server. Catch-22.

      • Kevin Holman

        This is by design.

        Installed means installed. It doesn’t matter what the service looks like. The purpose of not installing APM is that the binaries are service are not installed at all. If yours is installing APM, even with the box unchecked – something is wrong.

Leave a Reply

Your email address will not be published. Required fields are marked *