Azure Automation Runbook: New-FakeVirus

Written by Tao Yang

Often when you are playing with security related products, you would need to create dummy/fake viruses on your computers. The most common way to do this is to create a EICAR test file (

I have used this method in the past when testing the Microsoft Forefront Endpoint Protection management pack in OpsMgr. Today I needed to use it again when I was preparing a demo for the OMS Malware Assessment. I thought, why not make an Azure Automation runbook that automatically create the EICAR test file for me on remote computers, so I can trigger it manually or schedule it to run on a regular basis? So here’s what I came up with.

CAUTION: Use it at your own risk! And obviously, this runbook is designed to run on hybrid workers Smile.

Runbook: New-FakeVirus

You will need to specify 3 optional input parameters:


  • Credential: The name of the credential asset saved in your Azure Automation account – If you need to use an alternative credential to connect to the target computer (via WMI)
  • ComputerName: The target computer of where the fake virus is going to be created, if not specified, it will be created on the runbook worker itself.
  • Folder: the folder of where the file is going to be created on the target computer. If not specified, the runbook will use the System environment variable %TEMP%.

Runbook Output:


If your Windows Defender or System Center Endpoint Protection (SCEP) is working correctly, you will see this on your target computer straightaway:


If the target computer is monitored by OpsMgr and you have imported the Forefront Endpoint Protection (FEP) 2010 MP, you’ll get an alert:


And you will also see in the OMS Malware Assessment dashboard shortly:



Start A Child Runbook From Azure Automation Hybrid Worker on the Same Hybrid Worker Group

Written by Tao Yang

Today I was writing a PowerShell runbook (let’s call it Runbook A) that’s designed to run on on-prem hybrid workers. At the end of Runbook A, I needed to kick off another runbook (let’s call it Runbook B) that must run on the same Hybrid Worker group. Because I don’t want to hardcode the Hybrid Worker group name in the script (or using an Automation variable), I wrote a very simple function that returns the Hybrid Worker configuration (including the Hybrid Worker group name) from registry if runs on a Hybrid Worker.

To use it, simply place the function shown below in the parent runbook (Runbook A in this case), and call this function to retrieve the Hybrid Worker configuration.



Code Sample:


The Get-HybridWorkerConfig function would return $null value if the computer is not a Hybrid Worker.

New Activity-Level Tracing Options for Azure Automation Graphical Runbooks

Written by Tao Yang

Nowadays, OMS / Azure Automation is full of surprises. almost every time I visit the OMS and Azure Automation portals, I’d notice new features being made available.

Today, I just noticed a new setting for graphical runbooks called Activity-level tracing:


You can now configure additional verbose tracing for graphical runbooks. Please note in order to leverage this new capability, you must also turn on verbose logging for the particular graphical runbook.

Verbose Logging without Activity-level tracing:


Detailed Activity-level Tracing Enabled:


As you can see, once turned on, you can see a lot more verbose logging activities (starts with ‘GraphTrace”) for your runbook jobs.

Our Azure Automation Session Recording at Microsoft Ignite Australia

Written by Tao Yang

Last week, I had an opportunity teamed up with the legendary CDM MVP Pete Zerger (@pzerger) and delivered a session on Azure Automation at Microsoft Ignite Australia in Gold Coast, Queensland. Our session was the first session right after the opening keynote, so while some other sessions are still waiting to be uploaded to Channel 9 at the moment, our session has already been published. You can watch the recording here:

I have also published all the sample runbooks and other information on Github:

Free OMS Workshops in Sydney and Melbourne

Written by Tao Yang

Next week, I will team up with my fellow Cloud and Datacenter MVP Daniel Mar from Infront Consulting Australia and deliver 2 free Microsoft Operations Management Suite (OMS) workshops in Sydney and Melbourne. These events will take place at Microsoft’s Sydney and Melbourne office respectively.

We will deep dive into different aspects of OMS and demonstrate some existing and new capabilities. If you want to learn more about OMS and are based on either Sydney and Melbourne, please feel free to register and come to our workshops.

Sydney (1:30pm – 5:00pm Wednesday 2nd Dec) Registration link:

Melbourne (8:30am – 12:00pm Friday 4th Dec) Registration link:


Azure Automation Webhooks Now Support Hybrid Workers

Written by Tao Yang

My friend and fellow CDM MVP Pete Zerger just pinged me and told me he just spotted that Azure Automation webhooks now support targeting Hybrid Workers.

The webhook configuration used to look like this:


(Source image from David O’Brien’s blog:

Currently, the webhook configuration looks like this:


Few days ago when Pete and I delivered the Azure Automation session at Microsoft Ignite Australia, in one of our demos, we used Webhook to kick off a process to create AD user accounts on On-Prem Active Directory using Hybrid Workers. Because Webhook did not support Hybrid Workers back then, we had to use an workaround of kicking off an intermediary runbook that runs on Azure worker then start AD user creation runbook on runbook worker groups within the intermediary runbook.

Now with the new capability, we can further simplify our demo scenario by removing the intermediary runbook as we are now able to kick off runbooks on Hybrid Workers directly from webhooks!

SharePointSDK and SendEmail PS Modules Published in GitHub and PowerShell Gallery

Written by Tao Yang

I have recently published 2 PowerShell modules that I’ve written around a year ago on GitHub and PowerShell Gallery:


Original Post:

Github Repository:

PowerShell Gallery:


Original Post:

Github Repository:

PowerShell Gallery:

Please note the versions I published on Github and PowerShell Gallery are newer than the versions from my original blog posts. Originally, both modules take clear text user name and passwords as input parameters. This behaviour was flagged by the PowerShell Gallery administrators after they examined my modules using PowerShell Script Analyzer. I have just updated both modules today and replaced clear text user name and password parameters with PSCredential parameter. So if you are currently using old versions without using SMA / Azure Automation connection objects, you may need to update your scripts and runbooks after you upgrade.

Presenting in Microsoft Ignite Australia

Written by Tao Yang

Microsoft Ignite Australia is going to take place in Gold Coast, QLD between 17 – 20 November 2015. I am really honoured to co-present a session with the legend Pete Zerger on Azure Automation. Our session is scheduled for 1:30pm Tuesday 17th Nov. You can find the details of the session here:

So if you are attending Ignite Australia and would like to learn more about Azure Automation, please make sure you come to our session.

Hope to see you all in the sunny Gold Coast next week. Smile

Automating OpsMgr Part 19: Creating Any Types of Generic Rules

Written by Tao Yang


This is the 19th instalment of the Automating OpsMgr series. Previously on this series:

Although I have written number of functions in the current version of the OpsMgrExtended module that allows you to  create some popular types of rules in OpsMgr (i.e. perf collection rules and event collection rules). Sometimes, you still need to create other types of rules, such as WMI event collection rules, or rules based on module types written by yourself. In this post, I will demonstrate how to create any types of rules using the New-OMRule function.

Additionally, since the OpsMgrExtended module can be used on both your on-prem SMA infrastructure as well as on your Azure Automation account (with the help of Hybrid Workers), and pretty much all the previous runbooks and posts are based on SMA, I will use Azure Automation in this post (and maybe in the future posts too). I will demonstrate 2 sample runbooks in this post. Since Azure Automation now supports PowerShell runbooks on both Azure runbook workers as well as on hybrid workers, with the 2 sample runbooks I’m going to demonstrate, one is based on PowerShell workflow and the other one is a PowerShell runbook.

What Components are OpsMgr Rules Made Up?

Before we diving into the sample runbooks, please let me explain how are the OpsMgr rules made up. In OpsMgr, a rule is essentially a workflow that contains the following components:

  1. One or more Data Source modules
  2. Zero or one Condition Detection Modules
  3. One or more Write Action modules

To explain in plain English, a rule can have multiple data source modules and write action modules, but condition detection module is optional, and you can only use up to 1 condition detection module in your rule. The order of execution is Data Source Modules –> Condition Detection Module –> Write Action Modules. Additionally, some modules requires mandatory and/or optional configuration parameters (i.e. System.SimpleScheduler), some modules do not require any configuration parameters (i.e. Microsoft.SystemCenter.CollectPerformanceData).

OM-Rule Design Consideration

When I was writing the New-OMRule function, I have realised in order to capture all required information for each member module, the following information is required:

  • Module Type Name (Mandatory)
  • Configuration (Optional)
  • Member Module Name (Mandatory)
  • RunAs Profile Name (Optional)

i.e. in the example below, I have high lighted the information required in a member module of a rule.


Other than the information listed above, if we are writing an alert-generating rule, we would also need the following information for the alert configuration:

  • String Resource
  • Language Pack ID
  • Alert Name
  • Alert Description

I needed to figure out a way to enforce users to supply all required information listed above. In order to do that, I think the best way is to define a class for member module configurations and another class for alert configurations. However, since class definition is a new concept only been introduced in PowerShell version 5 (which still in preview other than Windows 10 machines at the time of this writing), I could not do this natively in PowerShell. In order to work around this limitation, I have defined these two classes in OpsMgrExtended.Types.dll using C#. This DLL is shipped as part of the OpsMgrExtended module.


The OM-Rule is expecting instances of these classes defined in OpsMgrExtended.Types.dll as input parameters. You will see how I used these classes in the sample runbooks.

Sample PowerShell Runbook: New-WMIPerfCollectionRule

OK, let’s start with a “simpler” one first. The New-WMIPerfCollectionRule runbook is a PowerShell runbook that can be used to create perf collection rules based on WMI queries. I think it’s simpler than the other one because it’s a PowerShell runbook (as opposed to PowerShell workflow) and we don’t have to worry about configuring alerts for the rules created by this runbook. The source code for this runbook is listed below:

As you can see, this runbook requires the following input parameters:

  • RuleName – the internal name of the rule
  • RuleDisplayName – the display name of the rule. this is what people will see in OpsMgr console
  • ClassName – The internal name of the target class (i.e. “Microsoft.Windows.OperatingSystem”)
  • WMINameSpace – the WMI name space of where the WMI class you are going to query resides. This is optional. if not specified, the default value of “Root\CIMV2” will be used
  • WMIQuery – the WMI query to retrieve the performance counter value
  • IntervalSeconds – the rule execution interval in seconds. this is optional, if not specified, the default value of 900 (15 minutes) will be used.
  • ObjectName – The object name for the performance data (i.e. Process, or LogicalDisk)
  • CounterName – the counter name for the performance data (i.e. ProcessCount, or FreeSpaceMB)
  • InstanceNameWMIProperty – the property returned from the WMI query which represent the performance data instance value (i.e. if you are collecting logical disk counters, the result of WMI query may contain a property that represent the drive letter, which can be used to identify the instance in perf data). This is optional, if not specified, the perf data instance name would be “_Total”.
  • ValueWMIProperty – the property returned from the WMI query that represent the perf value.

The first step of this runbook is to retrieve a connection object named “OpsMgrSDK_Home” from my Azure Automation account (or SMA). This connection object is pre-configured, which contains the computer name of one of my OpsMgr management servers, and the credential of a service account which has OpsMgr admin privilege in my management group.


The runbook also needs to explicitly import the OpsMgrExtended module. During the test, I found for this PowerShell runbook, I must manually import the module using Import-Module cmdlet in order to load the assemblies defined in the OpsMgrExtended.Types.dll. Since we are going to be using hybrid workers, you must manually deploy this module to your hybrid workers because at the time of this writing, Azure Automation is not able to automatically deploy required modules to hybrid workers.

Next, we must define the module configurations for each member module used by the WMI perf collection rules that this runbook creates. I have determined this type of rules should be configured using the following modules

  • One Data Source Module
    • Microsoft.Windows.WmiProvider
  • One Condition Detection Module
    • System.Performance.DataGenericMapper
  • Three Write Action Modules
    • Microsoft.SystemCenter.CollectPerformanceData
    • Microsoft.SystemCenter.DataWarehouse.PUblishPerformanceData
    • Microsoft.SystemCenter.CollectCloudPerformanceData

To explain in English, the rules created by this runbook would periodically execute a WMI query (Data source module), then map the result from WMI query to OpsMgr performance data (Condition detection module), finally store the performance data in OpsMgr operational DB, data warehouse DB and also OMS workspace (3 write action modules).

So we will need to use the New-OMModuleConfiguration function from the OpsMgrExtended PS module to create an instance of the “OpsMgrExtended.ModuleConfiguration” class. As explained earlier, the “OpsMgrExtended.ModuleConfiguration” class is defined in the OpsMgrExtended.Types.dll. Take the data source member module as an example:

I have placed the module type name, module configuration and the member module name into separate variables and passed them to the New-OMModuleConfiguration function and created a module configuration object for the data source module.


You can use Get-Help New-OMModuleConfiguration to access the help file for this function. If you need to use an alternative OpsMgr RunAs profile to for any member modules, you can also specify the name of the RunAs profile you are going to use with the –RunAsMPName and the –RunAsName parameter. The RunAsMPName parameter is used to specify the internal name of the management pack that defined the RunAs profile, and the RunAsName parameter is used to specify the internal name of the RunAs profile (i.e. if you are creating rules for SQL related classes, you might need to use the default SQL RunAs Profile, in this case, the –RunAsMPName would be “Microsoft.SQLServer.Library” and –RunAsName would be “Microsoft.SQLServer.SQLDefaultAccount”.)

Since a rule can have multiple data source modules and multiple write action modules, the New-OMRule function is expecting the array type of input for data source modules and write action modules. This is why even there is only going to be one data source member module or write action member module, we still need to place them into separate arrays before passing into the OM-Rule function:



On the other hand, since the condition detection member module is optional, and you can only have maximum one condition detection member module, you do not need to place the module configuration object for the condition detection module into an array.

Lastly, I have hardcoded the management pack name to be “Test.OpsMgrExtended” in this sample runbook. this MP must be created prior to running this runbook otherwise it would fail. However, if you have a look at the sample runbooks in previous posts, you can easily figure out a way to firstly detect the existence of this MP and use this runbook to create the MP if it does not exist in your management group.

Now, it’s time to take this runbook for a test run. I’m using the following parameters during the test run:

  • RuleName: “Test.WMIPerfCollection.Process.Count.WMI.Performance.Collection.Rule”
  • RuleDisplayName: “Windows Server Process Count Performance Collection Rule”
  • ClassName: “Microsoft.Windows.OperatingSystem”
  • WMIQuery: “select Processes from Win32_PerfRawData_PerfOS_Objects”
  • ObjectName: “Process”
  • CounterName: “ProcessCount”
  • ValueWMIProperty: “Processes” –verbose

And I have specified to run on a hybrid worker group:


The hybrid worker will pick up this job very soon, and during this test run, the job was completed around 2 minutes. after the job finishes, I’m able to find this rule in OpsMgr console:



Sample PowerShell Workflow Runbook: New-WindowsEventAlertRule

Now, let’s take a look at the second sample runbook. This runbook is designed to create rules that detects certain event log entries and generates alerts upon detection. I think it’s more complicated than the first sample because this is a traditional PowerShell workflow runbook (which works on both SMA and Azure Automation), and we also need to configure alert settings for this rule. The source code for this runbook is listed below:

This runbook takes the following input parameters:

  • RuleName – the internal name of the rule that you are creating
  • RuleDisplayName – the display name of the rule
  • ClassName – The internal name of the target class (i.e. “Microsoft.Windows.OperatingSystem”)
  • EventLog – the name of the event log (i.e. “System”)
  • EventID – the ID of the event that you are detecting
  • EventSource – is what you see as “source” in Windows event log
  • EventLevel – can be one of the following value:
    • Success
    • Error
    • Warning
    • Information
    • Audit Failure
    • Audit Success
  • AlertName – the alert name / title
  • AlertSeverity – can be one of the following value:
    • Critical
    • Warning
    • Information
  • AlertProirity – can be one of the following value:
    • Low
    • Medium
    • High

As you can see, firstly, other than the standard process of retrieving the connection object for my OpsMgr management group, I have used several “Switch” statements with inline scripts to translate the event level, alert priority and alert severity from English words (string) to numbers (integer), because when configuring member modules for OpsMgr rules, we must use the number (instead of names). Note I’ve also used “ValidateSet” to validate the input of these parameters, so only valid inputs are allowed.

I am not going to explain the member module configurations again, because I’ve already covered it in the first sample. But please note because the rules created by this runbook will be generating alerts, we must configure alert settings. In OpsMgr, when a workflow is configured to generate alerts (either rules or monitors), other than the rule / monitor itself, we must also define a String Resource for the alert message ID, as well as defining the alert name and description in a preferred language pack (by default, ENU). Therefore, we are going to use another class defined in OpsMgrExtended.Types.dll for alert configuration. The class for alert configuration is called OpsMgrExtended.AlertConfiguration, and you can use New-OMAlertConfiguration function to create an instance of this class. Same as all other functions in the OpsMgrExtended PS module, you can use Get-Help cmdlet to access the help file for New-OMAlertConfiguration. You will need to specify the following input parameters for New-OMAlertConfiguration:

  • AlertName – the name / title of the alert
  • AlertDescription – the alert description / detail
  • LanguagePackID – the 3-letter language pack code for the language pack that you wish to create the alert message under. this is an optional parameter, if not specified, the default value of “ENU’’ will be used.
  • StringResource – the ID for the alert string resource

As you can see, since the write action member module for the rules created by this runbook would be “System.Health.GenerateAlert”, and we are defining <AlertMessageId> and <AlertParameters> in the write action member module configuration:


The String Resource must match the AlertMessageId:


And if you have previously authored OpsMgr management packs, you’d probably already know how to define the <AlertParameters> section for the alert description. Basically, any variables you are using in the alert description must be defined in the <AlertParameters> section, then in the alert description, you’d reference them using “{}” and a number inside. <AlertParameter1> becomes {0}, <AlertParameter2> becomes {1}, and so on. You can up to define 10 alert parameters:


Since you can define multiple alert messages (for multiple language packs), when you are creating alert generating rules, the New-OMRule function would expect you to pass in an array that contains OpsMgrExtended.AlertConfiguration objects. So, even if you are only defining the alert in one language pack, please still place it into an array before passing to the New-OMRule function:


OK, now, let’s give this runbook a test run with the following parameters:

  • RuleName: “Test.Disk.Controller.Event.Alert.Rule”
  • RuleDisplayName: “Disk Controller Error Event Alert Rule”
  • ClassName: “Microsoft.Windows.OperatingSystem”
  • EventLog: “System”
  • EventID: 11
  • EventSource: “Disk”
  • EventLevel: Error
  • AlertName: “Windows Disk Controller Error”
  • AlertSeverity: Critical
  • AlertPriority: High


After the hybrid worker in my lab executed the runbook, I am able to see the rule created in OpsMgr console:



and the raw XML (once I’ve exported the MP):


Hybrid Worker Configuration

Since the samples in this post are all based on Azure Automation and Hybrid worker, I just want to point out this article if you need help setting it up:

Also as I mentioned earlier, you will need to deploy OpsMgrExtended module manually on to the hybrid workers by yourself. When copying the OpsMgrExtended module to your hybrid workers, make sure you copy to a folder that’s listed in the PSModulePath environment variable. During my testing with a PowerShell runbook, I initially placed it under “C:\Program Files\WindowsPowerShell\Modules” folder, as it was listed in the PSModulePath environment variable when I checked in a PowerShell console on the hybrid worker. However, I got error messages telling me the runbook could not find commands defined in the OpsMgrExtended module. To troubleshoot, I wrote a simple PowerShell runbook:


and based on the output, the folder in “C:\Program Files” is not listed!


Therefore, I had to move the module to another location (C:\Windows\System32\WindowsPowerShell\v1.0\Modules). after the move, the runbook started working.


In this post, I have demonstrated how to use the New-OMRule function from OpsMgrExtended PS module to create any types of rules in OpsMgr. Although OpsMgrExtended module has already shipped two other functions to create event collection and performance collection rules, the New-OMRule fills the gap that allows users to specify each individual member module and its configurations. This is probably the most technically in-depth post in the Automating OpsMgr series. I have tried my best to explain and demonstrate how to use the New-OMRule function. But if you are still unclear, have questions or issues, please feel free to contact me.

I haven’t figured out what I will cover in the next post, but I still have a lot to cover in this series. Since I am attending few conferences in the coming weeks in November, I probably won’t have time to work on part 20 until end of November. Until next time, happy automating!

A Sneak Peek at Squared Up’s Upcoming OMS Plugin

Written by Tao Yang


If you are an existing Squared Up customer, or have previously evaluated Squared Up’s product, you’d probably already know that currently, other than the existing SQL Plugin, Squared Up dashboards retrieve data via either OpsMgr Data Warehouse (DW) DB, or via OpsMgr SDK.

With the recent launch of Microsoft Operations Management Suite (OMS), over the last few months, folks at Squared Up have been busy developing a plug-in within Squared Up to display data within OMS. Although Squared Up has not set a release date for this plugin yet, I would like to give you a high level preview on what the OMS plug-in looks like so you know what you are expecting Smile.

Squared Up OMS Plug-in

Squared Up’s OMS Plug-in is designed to enable customers display the data collected by OMS on the Squared Up dashboards. It leverages the OMS Search API and allows users to specify the OMS search query within the plugin, and the search result returned from OMS will be displayed on the dashboard.



As you can see, you can simply use the exact same query you’ve used in OMS and copy/paste to the OMS plug-in configuration. You can also use “|” (pipe) followed by the “Select” command to specify the fields that you are interested in displaying on the dashboard.

Since OMS is collecting data that is not natively available in OpsMgr (such as Change Tracking data, Wired Data, etc.) , you can really extend your existing Squared Up investment with this plugin. For example, I have produced a dashboard using the OMS plug-in in my lab (as shown below):


In this dashboard, I have configured the following sections:

  • Windows Services Changes For the Last 6 Hours
    • Data type: ConfigurationChange
    • OMS Solution: Change Tracking
  • Software Changes For the Last 1 Day
    • Data type: ConfigurationChange
    • OMS Solution: Change Tracking
  • Top Offenders in OpsMgr (Nosiest monitoring objects)
    • Data type: Alert
    • OMS Solution: Alert Management
  • Hyper-V Host Available Memory
    • Data type: PerfHoulry
    • OMS Solution: Capacity Planning
  • Wired Data Traffic by Process
    • Data type: WiredData
    • OMS Solution: Wired Data

Without the OMS plugin, some of above listed data will not be available in Squared Up dashboards (such as change tracking data and wired data), some could be retrieved only via complex SQL queries (such as top OpsMgr offenders). Take Top OpsMgr offenders as example again, it is super easy to find out who are the OpsMgr top offenders in OMS, by using a very simple query: “Type=Alert AlertState=New TimeGenerated>NOW-24HOURS | measure count() by SourceFullName”.


Interested in the OMS Plug-in?

Currently the version running in my lab environment is the “limited release technical preview”. This plug-in will also be demonstrated in the upcoming events such as MMS.

Are you also interested in trying the Squared Up Plug-in yourself? Although Squared Up has not confirmed the release date for this plug-in, they have asked me to let everyone know that if you’d like to test and provide feedback, please contact Squared Up directly. You can find their contact details from their website: