Category Archives: Microsoft

Open Sourcing Download All Microsoft SCOM MPs Script

I am open sourcing the script I've created for downloading all Microsoft SCOM MPs. "Open sourcing" is meant as a joke, of course: the script's code has been available for viewing and changing for whatever purpose since its creation. The difference is that I am moving it to GitHub so it will be easier for everyone to contribute. There is no new version, but you can find all the code here. The TechNet Gallery page will be left as a placeholder but will no longer contain the script; you can find a link to the GitHub repository there as well. I hope this change is welcome.

Updated: OMSSearch PowerShell Module

You may ask what an MVP does on a rainy day. Probably a good answer would be: trying to make your life easier.

As Microsoft published more information on the Operations Management Suite API, I decided to take a look and update the OMSSearch PowerShell module. I've added -Start, -End and -Top parameters to Execute-OMSSearchQuery so you can make more granular searches. Stefan Stranger also helped by adding a Get-OMSWorkspace cmdlet. You will find all the information and the new version on GitHub.

Programmatically Search Operations Management Suite

At Ignite, Jo Chan showed us how we can now execute search queries through the Operations Management Suite API, which is basically the Azure Resource Manager API. He demonstrated that with a tool called ARMClient. That tool seems nice, but I wanted to get results with PowerShell as it is more familiar to me.

Searching the Internet, I found the ARMPowerShell module. I installed it and with a simple command like Connect-ARM I was able to authenticate. Looking through Jo's examples from Ignite, I managed to get results with the following commands:

Connect-ARM
# Pick the subscription by display name, then build the ARM resource paths for the workspace
$Subscription = $ARMSubscriptions.Values | where {$_.DisplayName -eq "Visual Studio Ultimate with MSDN"}
$ResourceGroupName = "oi-default-east-us"
$OMSWorkspace = "test-stan"
$SubscriptionID = $Subscription.subscriptionId
$BaseSavedSearches = "/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$OMSWorkspace/savedSearches"

# GET the saved searches of the workspace
$OMSSavedSearches = Execute-ARMQuery -SubscriptionId $SubscriptionID `
                                     -HTTPVerb       Get `
                                     -Base           $BaseSavedSearches `
                                     -APIVersion     "2014-10-10"

# POST a search query (here: who shut down/restarted a server, from the System log)
$BaseSearch = "/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$OMSWorkspace/search"
$Query = "shutdown Type=Event EventLog=System Source=User32 EventID=1074 | Select TimeGenerated,Computer"
$OMSSearchResult = Execute-ARMQuery  -SubscriptionId $SubscriptionID `
                                     -HTTPVerb       Post `
                                     -Base           $BaseSearch `
                                     -Data           @{Query=$Query} `
                                     -APIVersion     "2014-10-10"

Unfortunately, this module requires some user interaction: for example, Connect-ARM pops up a prompt for entering your credentials, and I wanted to be able to query the OMS API from Azure Automation, where nobody is there to answer a prompt. This led me to writing my own small OMS module.

First I needed to find a way to authenticate and get a token so I could execute web requests with Invoke-WebRequest. On StackOverflow I found the following code, which gets a token from Azure AD. What I needed was to load the ADAL assembly; in my module I wrote a function, Import-ADALDll, to do that. For that function and for the Azure Automation module I borrowed some code from my friend and fellow MVP Tao Yang. To get the token I wrote a separate function called Get-AADToken. With those two pieces in hand I wrote two other functions:

  • Get-OMSSavedSearches – This returns all saved searches in your OMS workspace. I thought it would be useful, as you can get the actual query and reuse it later. The result is returned as an object.
  • Execute-OMSSearchQuery – With this function you can execute queries. Simple as that. Results are returned as objects.

The module I've created is called OMSSearch and you can find it on GitHub along with some short documentation.
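To make the two pieces described above concrete, here is an added example that is not code from the OMSSearch module or from the original post: one function acquires an Azure AD token through ADAL for an Azure AD account (the same kind of account the OMS Connection holds), and a second function calls the workspace's search endpoint with that token as a bearer header, with the optional start/end/top narrowing mentioned in the update. Assumptions: the ADAL v2 assembly path in $AdalPath is a placeholder, the client id is the well-known Azure PowerShell public client, and the request body property names (query, start, end, top) and the `value` array in the response are those of the 2014-10-10 Operational Insights search API.

```powershell
# Added example, not from the OMSSearch module or the original post.
function Get-ArmToken {
    param(
        [Parameter(Mandatory)][string]$TenantADName,       # UPN suffix of the tenant, e.g. contoso.onmicrosoft.com
        [Parameter(Mandatory)][pscredential]$Credential,   # Azure AD account with rights on the workspace
        [string]$AdalPath = 'C:\ADAL\Microsoft.IdentityModel.Clients.ActiveDirectory.dll',  # assumed location
        [string]$ClientId = '1950a258-227b-4e31-a9cf-717495945fc2'  # well-known Azure PowerShell client id
    )
    Add-Type -Path $AdalPath
    $authority = "https://login.microsoftonline.com/$TenantADName"
    $resource  = 'https://management.core.windows.net/'   # resource id of Azure Resource Manager
    $context   = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext($authority)
    # SecureString overload: the password is never materialised as plain text here
    $userCred  = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential(
                     $Credential.UserName, $Credential.Password)
    $result = $context.AcquireToken($resource, $ClientId, $userCred)
    # Return only the "Bearer <token>" header value; the full result also carries a
    # refresh token that has no business ending up in runbook output or logs.
    $result.CreateAuthorizationHeader()
}

function Invoke-OmsSearch {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$AuthorizationHeader,  # output of Get-ArmToken
        [datetime]$Start,
        [datetime]$End,
        [int]$Top = 100,
        [string]$ApiVersion = '2014-10-10'
    )
    $path = "/subscriptions/$SubscriptionId/resourcegroups/$ResourceGroupName" +
            "/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/search"
    $uri  = 'https://management.azure.com{0}?api-version={1}' -f $path, $ApiVersion

    # Body property names assumed from the 2014-10-10 search API; times are sent as UTC ISO 8601
    $body = @{ query = $Query; top = $Top }
    if ($PSBoundParameters.ContainsKey('Start')) { $body.start = $Start.ToUniversalTime().ToString('o') }
    if ($PSBoundParameters.ContainsKey('End'))   { $body.end   = $End.ToUniversalTime().ToString('o') }

    $response = Invoke-RestMethod -Method Post -Uri $uri `
        -Headers @{ Authorization = $AuthorizationHeader } `
        -ContentType 'application/json' `
        -Body ($body | ConvertTo-Json)
    # The response carries metadata plus a 'value' array with one object per hit (assumed shape)
    $response.value
}

# Usage (all values are placeholders):
# $cred   = Get-Credential
# $header = Get-ArmToken -TenantADName 'contoso.onmicrosoft.com' -Credential $cred
# Invoke-OmsSearch -SubscriptionId '<subscription-id>' -ResourceGroupName 'oi-default-east-us' `
#     -WorkspaceName 'test-stan' -AuthorizationHeader $header -Top 50 -Start (Get-Date).AddDays(-1) `
#     -Query 'shutdown Type=Event EventLog=System Source=User32 EventID=1074 | Select TimeGenerated,Computer'
```

Get-ArmToken deliberately returns only the authorization header string rather than the whole ADAL result, so that a runbook which writes its variables to the job output does not leak the refresh token; the same applies if you adapt this for Azure Automation, where the credential comes from the connection asset instead of Get-Credential.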

After you archive the files from GitHub into an OMSSearch.zip file, you can upload that file as a module in Azure Automation:

[screenshot]

When the module is uploaded you will be able to create an OMS Connection. "OMS Connection" is probably not the right term, but here is how mine looks:

[screenshot]

TenantADName represents the UPN suffix that is attached to the accounts you create in your Azure AD. You will also create an Azure AD account that has co-administrator rights in your subscription, or owner/contributor rights on the resource group where your OMS workspace is located; of the two, rights scoped to the resource group are the narrower grant.

You will enter the credentials for that account in the OMS Connection.

Besides those two there are some other prerequisites that you need to have. You can find those on the GitHub page.

After that, a simple Runbook like this will return the saved searches:

workflow Get-SavedSearches
{
    # Credentials and tenant name come from the OMS Connection asset created above
    $OMSCon = Get-AutomationConnection -Name 'stasoutlook'
    $Token = Get-AADToken -OMSConnection $OMSCon
    $subscriptionId = "3c1d68a5-4064-4522-94e4-e0378165555e"
    $ResourceGroupName = "oi-default-east-us"
    $OMSWorkspace = "test"

    Get-OMSSavedSearches `
        -OMSWorkspaceName $OMSWorkspace  `
        -ResourceGroupName $ResourceGroupName `
        -SubscriptionID $subscriptionId `
        -Token $Token
}

[screenshot]

The other example executes queries:

workflow Get-RestartedServers
{
    $OMSCon = Get-AutomationConnection -Name 'stasoutlook'
    $Token = Get-AADToken -OMSConnection $OMSCon
    $subscriptionId = "3c1d68a5-4064-4522-94e4-e0378165555e"
    $ResourceGroupName = "oi-default-east-us"
    $OMSWorkspace = "test"
    # Event 1074 in the System log records who initiated a shutdown or restart
    $Query = 'shutdown Type=Event EventLog=System Source=User32 EventID=1074 | Select TimeGenerated,Computer'

    Execute-OMSSearchQuery -SubscriptionID $subscriptionId `
                           -ResourceGroupName $ResourceGroupName    `
                           -OMSWorkspaceName $OMSWorkspace `
                           -Query $Query `
                           -Token $Token
}

[screenshot]

I hope you will find this module useful until, maybe, we have Azure cmdlets for OMS.

Windows Firewall Auditing with Operations Management Suite Part 2

While I was writing the previous blog post on that subject I remembered that I forgot to write about another tip for Windows Firewall auditing. This tip is a small one. You can easily gather log data about Windows Firewall rule and port changes by adding the following log in OMS:

  • Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
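Before adding that channel in the OMS portal it is worth confirming on a server that the channel exists and is enabled, and it helps to know what the rule-change events look like when they later show up in a search. The following is an added example, not code from the original post: it checks the channel and summarises recent rule changes from it. The event IDs used are the ones this channel writes for rule add/modify/delete (2004, 2005, 2006); the "Rule Name:", "Modifying User:" and "Modifying Application:" labels are parsed from the event message text, so those regexes are an assumption that may need adjusting for a given Windows build.

```powershell
# Added example, not from the original post.
$FirewallAuditLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Event IDs this channel uses for rule changes; other IDs (profile/setting changes) are not included here
$RuleChangeIds = @{
    2004 = 'Rule added'
    2005 = 'Rule modified'
    2006 = 'Rule deleted'
}

function Test-FirewallAuditLog {
    # Returns the channel's state so you can see it is enabled before the agent is expected to read it
    param([string]$ComputerName = $env:COMPUTERNAME)
    $log = Get-WinEvent -ComputerName $ComputerName -ListLog $FirewallAuditLog -ErrorAction Stop
    [pscustomobject]@{
        Computer    = $ComputerName
        LogName     = $log.LogName
        IsEnabled   = $log.IsEnabled
        RecordCount = $log.RecordCount
    }
}

function Get-MessageField {
    # Pulls "Label:<whitespace>value" out of the event text; $null when the label is absent.
    # The labels are assumed from the message layout of these events.
    param([string]$Message, [string]$Label)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { $Matches[1] } else { $null }
}

function Get-FirewallRuleChange {
    # One object per rule change in the last $Days days, with the actor when the event records it
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    $filter = @{
        LogName   = $FirewallAuditLog
        Id        = [int[]]$RuleChangeIds.Keys
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Computer      = $_.MachineName
                Change        = $RuleChangeIds[[int]$_.Id]
                RuleName      = Get-MessageField -Message $_.Message -Label 'Rule Name'
                ModifyingUser = Get-MessageField -Message $_.Message -Label 'Modifying User'
                ModifyingApp  = Get-MessageField -Message $_.Message -Label 'Modifying Application'
            }
        }
}

# Usage:
# Test-FirewallAuditLog
# Get-FirewallRuleChange -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Running Get-FirewallRuleChange on a server and comparing with what OMS shows for the same period is a quick way to verify that the agent is forwarding the channel completely; a change that appears locally but not in the search results points at collection, not at the audit setting.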

[screenshot]

That way, when someone adds, removes or modifies Windows Firewall rules you will see them in OMS and can audit them:

[screenshot]

Have fun analyzing logs.

Windows Firewall Auditing with Operations Management Suite

I was browsing through Operations Management Suite and in the Security and Audit solution I noticed something new. There was a tile with the text "Distinct IP Addresses Accessed".

[screenshot]

When I first saw that tile my number was 0. Clicking on the tile led me to the following query:

Type=WindowsFirewall CommunicationDirection=SEND | measure count() by RemoteIP

This hinted to me that this information is not coming from the Security event log. Logging on to a server where I have the Microsoft Monitoring Agent installed, I was able to find the management pack that gathers that log:

[screenshot]

This also showed me where those events are taken from. A quick search on the Internet found how to enable those logs with Group Policy. You need to create or use an existing Group Policy object and edit it. Go to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Windows Firewall with Advanced Security –> Windows Firewall with Advanced Security. On that page you will see a link, Windows Firewall Properties:

[screenshot]

Clicking on it lets you configure logging for every Windows Firewall profile: Domain, Private and Public.

[screenshot]

When you click Customize you can configure the location of the logs, the size at which the logs are rotated, and whether dropped packets and/or successful connections should be logged.

[screenshot]

You can leave the location not configured, as this will use the default one, and that is what we need. I lower the size limit because OMS picks up only the old, non-active log file, so a smaller limit means the log rotates more often and data reaches OMS sooner. I also enable logging of dropped packets and successful connections.

You can enable the same settings on a specific profile or on all Windows Firewall profiles.
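For servers you manage without Group Policy, and to see what the collected data contains, here is an added example that is not code from the original post. Set-FirewallLoggingForOms applies the same three choices made in the GPO above (keep the default log path, smaller size limit, log dropped and allowed packets) with the built-in NetSecurity cmdlets, and ConvertFrom-FirewallLog plus Get-DistinctRemoteIP reproduce the "Distinct IP Addresses Accessed" tile locally from pfirewall.log lines, using the log's own #Fields header for the column order. The sample log lines are constructed for the example; the RFC 5737 documentation addresses in them are not real hosts.

```powershell
# Added example, not from the original post.
function Set-FirewallLoggingForOms {
    # Same settings as the GPO: default log file name is left alone, size lowered, both kinds logged.
    param([uint64]$MaxSizeKilobytes = 1024)
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes $MaxSizeKilobytes
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes
}

function ConvertFrom-FirewallLog {
    # Parses W3C-style pfirewall.log lines into objects. Column names come from the
    # "#Fields:" header, so the parser does not hard-code the field order.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { continue }   # data before any header: nothing to map it to
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$record
    }
}

function Get-DistinctRemoteIP {
    # Local equivalent of "Type=WindowsFirewall CommunicationDirection=SEND | measure count() by RemoteIP".
    # For path=SEND the remote side is dst-ip; for path=RECEIVE it is src-ip.
    param([Parameter(Mandatory)][object[]]$Records, [ValidateSet('SEND', 'RECEIVE')][string]$Direction = 'SEND')
    $Records |
        Where-Object { $_.path -eq $Direction } |
        ForEach-Object { if ($Direction -eq 'SEND') { $_.'dst-ip' } else { $_.'src-ip' } } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'RemoteIP'; e = { $_.Name } }, Count
}

# Constructed sample in pfirewall.log format (not a real capture)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-05-20 10:01:02 ALLOW TCP 10.0.0.5 203.0.113.10 50321 443 0 - 0 0 0 - - - SEND
2015-05-20 10:01:03 ALLOW TCP 10.0.0.5 203.0.113.10 50322 443 0 - 0 0 0 - - - SEND
2015-05-20 10:01:05 DROP UDP 198.51.100.77 10.0.0.5 53412 137 78 - - - - - - - RECEIVE
2015-05-20 10:01:09 ALLOW TCP 10.0.0.5 203.0.113.25 50323 80 0 - 0 0 0 - - - SEND
'@

$records = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")
# Expected: 203.0.113.10 with Count 2, 203.0.113.25 with Count 1
Get-DistinctRemoteIP -Records $records -Direction SEND | Format-Table -AutoSize

# On a real server read the rotated file, which is the one OMS picks up:
# $records = ConvertFrom-FirewallLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log.old")
```

Counting DROP records by src-ip for the RECEIVE direction with the same functions gives the complementary view (who is knocking on the server), which is why enabling dropped-packet logging alongside successful connections is worth the extra log volume.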

After enabling this policy on the servers of your choice you will start to see that tile populated, and of course when you click on the tile a query will be executed and show results:

[screenshot]

I hope this will be helpful for you in enabling OMS.

Auditing PowerShell with Operations Management Suite

It has been a long time since I last blogged about my new love, Operations Management Suite. This blog post will show you how easily you can audit all PowerShell commands that are executed in your environment with Log Analytics in Operations Management Suite.

I love PowerShell, and I think the GUI should be only for discoverability; we (IT Pros) should work only with PowerShell even if it is hard in the beginning. One of the advantages of using PowerShell is that it gives you universal auditing, whether you use Microsoft products or third-party ones. We can easily create a Group Policy that will log every PowerShell cmdlet that is executed. I just need to open the Group Policy Management Console in my AD, create a new policy and, under Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> Windows PowerShell, configure Turn on Module Logging like this:

[screenshot]

You can enable logging per module. In my case I am including all PowerShell modules.

When you configure such a policy for all your servers, including domain controllers, all PowerShell commands will be logged.

If you have servers that are not in a domain you can easily use other technologies, like DSC, to configure those logs.

After that you can open the Operations Management Suite portal. Go to the Settings tile –> Logs tab and add the Microsoft-Windows-PowerShell/Operational log:

[screenshot]

After that, just wait until logs are sent to MSOMS.

Finding who used a command like Restart-Computer is as simple as executing the following query:

[screenshot]
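The procedure above (turn on module logging, collect Microsoft-Windows-PowerShell/Operational, search for a cmdlet) can be reproduced for servers outside the domain and verified locally. The following is an added example, not code from the original post: a DSC configuration that writes the same registry values the "Turn on Module Logging" policy sets (all modules, as chosen above), and a function that answers "who ran Restart-Computer?" from the module-logging events (event ID 4103) on a server, which is the same question the OMS query answers. The "User = " label parsed from the 4103 message context is an assumption about the message layout; the function falls back to the event's SID when it is absent.

```powershell
# Added example, not from the original post.
Configuration PowerShellModuleLogging {
    param([string[]]$NodeName = 'localhost')
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        # Registry values behind "Turn on Module Logging" in the GPO editor
        Registry EnableModuleLogging {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
            ValueName = 'EnableModuleLogging'
            ValueData = '1'
            ValueType = 'Dword'
            Ensure    = 'Present'
        }
        # '*' = all modules, the same choice made in the policy above
        Registry ModuleNamesAll {
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
            ValueName = '*'
            ValueData = '*'
            ValueType = 'String'
            Ensure    = 'Present'
            DependsOn = '[Registry]EnableModuleLogging'
        }
    }
}

function Find-PowerShellCommandUse {
    # Who ran a given cmdlet, from module-logging events (ID 4103) in the Operational log
    param(
        [Parameter(Mandatory)][string]$CommandName,   # e.g. Restart-Computer
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $pattern = "CommandInvocation\($([regex]::Escape($CommandName))\)"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            # 4103 messages carry a "Context:" block with "User = DOMAIN\name" (assumed layout); fall back to the SID
            $user = if ($_.Message -match 'User = (\S+)') { $Matches[1] } else { [string]$_.UserId }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                User        = $user
                Command     = $CommandName
            }
        }
}

# Usage (paths are placeholders):
# PowerShellModuleLogging -NodeName 'server01' -OutputPath 'C:\DSC\ModuleLogging'
# Start-DscConfiguration -Path 'C:\DSC\ModuleLogging' -Wait -Verbose
# Find-PowerShellCommandUse -CommandName Restart-Computer -Days 30 | Format-Table -AutoSize
```

Module logging records the pipeline as it executes, so a cmdlet invoked inside a script or an alias still produces a CommandInvocation entry; matching on that token rather than on free text keeps the search from picking up commands that merely mention the name in a string.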

For me this is a very powerful scenario that you can use in your environment. Imagine even more scenarios once we have the option of adding custom fields, which was announced as coming at Ignite.

My Webinar on Log Analytics in Operations Management Suite

Yesterday I did a webinar for my company Lumagate on Azure OpInsights, which is now called Operations Management Suite.

If you are interested in viewing this webinar you can find it in Lumagate's content library.