SCOM Management Pack: Detecting USB Storage Device Connect and Disconnect Events

Written by Tao Yang

There was a requirement at work that people need to be notified when a USB storage device (USB key or portable USB hard disk) is connected to or disconnected from SCOM-monitored Windows computers.

So I wrote 2 very simple alert-generating rules to detect USB Mass Storage Device creation and deletion WMI events. I set both rules to run every 60 seconds, so within 60 seconds of the event an Information alert is generated in SCOM:

Alert for USB Storage Device Connection Event:

image

Alert for USB Storage Device Removal Event:

image

I have also created a dynamic group called Virtual Windows Computers in the MP so I can disable both rules for virtual machines. This is how I defined the group:

image

Please note this Virtual Machine discovery only detects virtual machines running on Microsoft’s virtual host platform. If you open System Center Internal Library MP in MPViewer and check the Raw XML for discovery “Discover if Windows Computer is a Virtual Machine”, you’ll see the WQL:

image

So if you have non-Microsoft virtual machines (e.g. VMware) in your environment and you want to disable these 2 rules for those virtual machines, you will need to modify my group or create your own group in my management pack.

Download: USB Storage Device Detection Management Pack

2 comments on “SCOM Management Pack: Detecting USB Storage Device Connect and Disconnect Events”

  1. Hi, my name is Ngoc Nguyen from Vietnam.
    Could you guide me how to use this MP?

    Thanks and best regards,
    Ngoc Nguyen

  2. You can also get very detailed SCOM alerts for USB and mobile devices using the secRMM SCOM Management Pack at http://squadratechnologies.com/Products/secRMM/SystemCenter/secRMMSystemCenter.aspx. There is also SCCM and Orchestrator integration if required.
