Example of Hardware Inventory Customization in SCCM

System Center Configuration Manager (SCCM) gathers lots of data from workstations and places it in the SCCM database. You can use this data to more intelligently manage your systems. For example, you can deploy a specific software product only to systems that don’t have it installed. Or you can obtain a report regarding software installed on systems and whether it is being used or not. This information is useful to assist you with licensing compliance.

Sometimes, administrators need to get some information from systems that is not gathered by SCCM.  For example, an in-house developed application creates an entry in the registry, and the administrator needs to know what systems have it enabled or set to a specific value. SCCM has a process called “hardware inventory extension” that allows you to send your custom data to the SCCM database.  Getting custom data from the registry or WMI is fairly straight-forward as there is a registry provider and a WMI provider that allow you query for data.

In this article, we provide information on how to get the systems to send information of a specific event.  This solution was put together from an actual need by administrators to determine what Active Directory (AD) group policies the machines were applying. When the systems refresh their machine policies, they log a trace event in the Group Policy trace event. Trace events are different than the standard Windows event logs. Below you can see that trace events are in a different node in event viewer: Applications and Services

Events from standard Windows logs can be easily obtained by querying WMI but not Trace events. Part of this solution involves getting the trace events and putting them into WMI. Then the WMI provider is used to get the data into SCCM.

A powershell script was created to get the events into WMI. The script first creates a custom WMI class to define the type of data that will be stored in WMI. Then it gets the specific events (Group Policy event 5312) that have been logged in the last three days. The data from these events is recorded into WMI.

This is a sample of the information that event 5312 provides:

Sometimes the event indicates that no group policy was applied.  The reason is out of the scope of this article but our solution will concentrate on obtaining the group policy objects that get applied.

This is the powershell script that gets the last events 5312 that were logged and puts them into a custom WMI class. Every event that gets recorded into WMI is called an instance of our class. When the script runs, it first deletes any existing instances before adding the new instances of the events logged in the last three days. This is so we don’t have new instances appended to old ones when the script runs.

The script, called in this example event5312toWmi.ps1, has three functions, which are hi-lited. The first line of the EventsToWMI function has the following at the end: “days 3”. This is what determines how many days back from the time the script runs, to gather the events. You can change this number to any number of days that fits your needs.

The AddInstance function starts by defining that the data collected consists of a field type Date, and another field of type Text.

The createClass function creates a custom class in the root\cimv2 WMI namespace Russell_Event_5312.  The fourth line indicates that the SMS_Group_Name is Event_5312. This is the group name that will be used in SCMM.

Now we need to let SCCM know that it needs to get our custom data from WMI on each machine into the SCCM database. We do this by modifying two configuration files that tell SCCM what data to collect: configuration.mof and sms_def.mof. These files are in the following directory:

<SCCM_install_dir>\inboxes\clifiles.src\hinv

Add the following at the end of the configuration.mof file:

Add the following to the end of the SMS_DEF.mof file:

When you add the above information to the MOF files, SCCM will compile the new instructions, the dataldr.log SCCM log (in <SCCM_Install_Dir>\Logs) will immediately log “SMS_DEF.Mof change detected” or “Configuration.Mof change detected”. It will then log any errors if the compilation failed, or it will log “end of cimv2\sms-to-policy conversion; returning 0x0” if the compilation was successful and no error was detected.
After a successful compilation of the MOF changes, the next time client systems obtain policies from the Management Point, they will be instructed to report the custom data, and SCCM will be ready to receive it.

Now we need to find a way for the systems to run the powershell script at a regular basis. Since we have SCCM, we’ll have SCCM do it for us. We create an SCCM package that contains two files: the powershell script, and a batch or cmd file to call the script. In this example, we create a file called runEvent5312toWMI.cmd containing one line:

powershell.exe -NoLogo -ExecutionPolicy RemoteSigned %~dp0event5312toWmi.ps1 > c:\Event5312toWmi.log

The command line in the .cmd file runs the powershell script and sends the output to c:\Event5312toWmi.log in case you need to troubleshoot the execution of the script.

The Program in the SCCM package will just call the .cmd file.

You can advertise the program to a collection or collections of systems that you want to obtain this custom data from, and you can set the advertisement in a recurrent schedule to keep the data in SCCM current. For example, you can run the script once a day. Clients will get the data from WMI and send it to SCCM as frequently as the hardware inventory agent is configured to do so.

Once the data makes it SCCM, you can look at Resource Explorer in SCCM for one machine to see the data.

Finally, you can create some custom reports in SCCM to analyze the custom data in the SCCM database.

You can use the following queries to create SCCM reports.

All events 5312 for specified machine excluding events with “None” as applied GPO

select sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, Event.TimeCreated00 AS “Time

Created”, Event.GPOList00 AS “GPO List” from v_R_System sys join dbo.Event_5312_DATA Event on sys.ResourceID=Event.MachineID WHERE sys.Netbios_Name0 = @ComputerName AND Event.GPOList00 <> ‘None’ order by Event.TimeCreated00 DESC

prompt: ComputerName

begin

if (@filterwildcard = “)

SELECT DISTINCT SYS.Netbios_Name0 from v_R_System SYS WHERE SYS.Client0=1 ORDER By SYS.Netbios_Name0

else

SELECT DISTINCT SYS.Netbios_Name0 from v_R_System SYS WHERE SYS.Client0=1

and SYS.Netbios_Name0 like @_filterwildcard

ORDER By SYS.Netbios_Name0

end

Information for the last event 5312 on machines in collection excluding “none” for applied GPO

select sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, MAX(Event.TimeCreated00) AS “Time Created”, Event.GPOList00 AS “GPO List” from v_R_System sys join dbo.Event_5312_DATA Event on sys.ResourceID=Event.MachineID JOIN v_FullCollectionMembership FCM ON SYS.ResourceID = FCM.ResourceID WHERE FCM.CollectionID = @CollectionID AND Event.GPOList00 <> ‘None’ group by sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, Event.GPOList00 order by sys.Netbios_Name0 DESC

Prompt CollectionID

begin

if (@_filterwildcard = “)

select v_Collection.CollectionID, v_Collection.Name from v_Collection order by

v_Collection.Name else

select v_Collection.CollectionID, v_Collection.Name from v_Collection

WHERE v_Collection.CollectionID like @filterwildcard

order by v_Collection.Name

end

Machines in collection that have “Baseline-Computer-Workstations” listed in the last Event 5312 excluding “None” applied

select sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, MAX(Event.TimeCreated00) AS “Time Created”, Event.GPOList00 AS “GPO List” from v_R_System sys join dbo.Event_5312_DATA Event on sys.ResourceID=Event.MachineID JOIN v_FullCollectionMembership FCM ON SYS.ResourceID = FCM.ResourceID WHERE FCM.CollectionID = @CollectionID AND Event.GPOList00 <> ‘None’ AND Event.GPOList00 LIKE ‘%Baseline-Computer-Workstations%’ group by sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, Event.GPOList00 order by sys.Netbios_Name0 DESC

Prompt CollectionID

begin

if (@_filterwildcard = “)

select v_Collection.CollectionID, v_Collection.Name from v_Collection order by v_Collection.Name

else

select v_Collection.CollectionID, V-Collection.Name from v_Collection

WHERE v_Collection.CollectionID like @_filterwildcard

order by v_Collection.Name

end

Machines that don’t have “Baseline-Computer-Workstations” listed in the last Event 5312 excluding “None” applied

select sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, MAX(Event.TimeCreated00) AS “Time Created”, Event.GPOList00 AS “GPO List” from v_R_System sys join dbo.Event_5312_DATA Event on sys.ResourceID=Event.MachineID join v_FullCollectionMembership FCM ON SYS.ResourceID = FCM.ResourceID WHERE FCM.CollectionID = @CollectionID AND Event.GPOList00 <> ‘None’AND SYS.ResourceID NOT IN (SELECT sys.ResourceID FROM v_R_System SYS join dbo.Event_5312_DATA Event on sys.ResourceID=Event.MachineID JOIN v_FullCollectionMembership FCM ON SYS.ResourceID = FCM.ResourceID WHERE FCM.CollectionID = @CollectionID AND Event.GPOList00 <> ‘None’ AND Event.GPOList00 LIKE ‘%Baseline-Computer-Workstations%’) group by sys.Netbios_Name0, sys.Resource_Domain_OR_Workgr0, Event.GPOList00 order by sys.Netbios_Name0 DESC

Prompt CollectionID

begin

if (@_filterwildcard = “)

select v_Collection.CollectionID, v_Collection,Name from v_Collection order by v_Collection.Name

else

select v_Collection.CollectionID, v_Collection.Name from v_Collection

WHERE v_Collection.CollectionID like @__filterwildcard

order by v_Collection.Name

end

Share:

Facebook
Twitter
LinkedIn
Picture of Matt Tinney

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.

Contact Us

=
On Key

More Posts

Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=