SCOM – Agentless Exception Monitoring (AEM) – FAQ

Agentless Exception Monitoring (AEM) is an older technology that has been around for a few years now. It started off as Desktop Error Monitoring, part of the MDOP kit, and was later implemented in SCOM, where it has existed as a feature up to SCOM 2012 SP1. This post is not going to show how to configure AEM, but it should provide answers that are hard to find elsewhere to the questions you will hit during implementation. I have therefore set this post up in a FAQ style.

If you look closer at AEM you can identify 3 kinds of technologies. The first technology is SCOM itself, which you might already know how to deal with. The second technology is Group Policy, because group policies configure how your clients behave when sending the errors. The third technology is Windows Error Reporting (WER). WER is the technology that reports user-mode hangs, user-mode faults, and kernel-mode faults in Windows Vista and higher Windows operating systems. We need to understand each of these 3 technologies to implement AEM successfully. OK, let’s start…

Operations Manager

Q: When I run the Client Monitoring configuration wizard to set up AEM, I see that AEM can be configured to use https to submit errors instead of http. How do I configure that?
A: Very good question, some time ago I wrote a post about exactly this problem. You can find it here.

Q: I have configured AEM; the wizard ran successfully and created the share for the error dumps. Which rule will clean up the share, and after how many days will the share be cleaned up?
A: In order to find this answer go to the Authoring/Rules in your SCOM console and search for a rule called “Client Monitoring Cab and Status File(s) trimmer rule”. This rule will run once a day and clean up the CAB and Status files from the share which haven’t been touched in 90 days. You can override this 90 day value for the status files and CAB files.

Q: There are 4 error reports available out of the box. 2 reports are for analyzing application errors and 2 are for analyzing errors. Do you know if there are any more reports available?
A: Microsoft does not provide any more reports. You would need to check the community but most of the reports I found didn’t work in SCOM 2012 and because of that I created reports for my own needs. You can find my reports here.

Group Policy

Q: I understand there is an ADM template generated and it is used to configure the clients to receive the appropriate settings for sending the errors. But there are 11 settings; do I need to enable all of them? We only have Windows 7 clients and newer and would like to receive hang and crash errors.
A: Well, it depends on which client versions you have in your environment. Windows Vista and newer clients have WER implemented. Windows XP and older operating systems have Dr. Watson as an error engine, which uses totally different settings than WER. GPOs mostly just add keys/values to the registry of the client, and these settings control what you or your application can do on your client. If you open the ADM template in Notepad, you will see which registry keys are modified and which values will be set.

If you use GPO to configure WER these registry keys are being used:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
or
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting

Dr. Watson will use the settings in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting

Because you have Windows 7 clients you ONLY need to set the policies which modify the WER registry keys, and this is ONE policy setting. The other settings in the ADM template will not work in your environment, therefore you will not need to configure them.


Q: If I just create an empty policy I can configure WER settings in the GPO using the user and the computer part of the policy. The configurations are located under
[User Configuration or Computer Configuration]\Administrative Templates\Windows Components\Windows Error Reporting. Which setting will win if I configure the same setting in both the user and the computer sections?
A: Let’s assume you disable WER in the user settings and enable WER in the computer settings: the computer setting will win if both are configured in the same policy. If you configure these settings in two different policies but link both policies to the same organizational unit, the policy with higher precedence will win.

Q: Why does SCOM 2012 SP1 still generate an ADM template although there is a newer format, ADMX, for GPO templates?
A: Good question. The only reason I see is that the intention is to support older versions of Group Policy Editors which are not capable of importing ADMX files. I hope that Microsoft will change that in the next version.

Q: I understand that the policy settings WER uses are located under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
but there are also keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
and also
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting. In addition, I can also configure WER settings in the GUI of the Windows client. Which setting will win?
A: Glad you asked. The GPO setting always overrides the other settings and therefore HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting will win.
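
To see on a test client which of these keys actually supplies a given WER setting, the following added example (not part of the original post and not SCOM's own code) walks the four keys named in this FAQ in precedence order and reports the first one that holds each value. The value names are taken from Microsoft's WER settings documentation; the order of the two non-policy keys relative to each other and the function name Get-EffectiveWerSetting are assumptions made for this example.

```powershell
# Added example: report which registry key supplies each WER setting.
# Key order follows the FAQ: policy keys first, computer before user.
# Assumption: HKLM is checked before HKCU for the two non-policy keys.
$werKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting',
    'HKCU:\Software\Policies\Microsoft\Windows\Windows Error Reporting',
    'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting',
    'HKCU:\Software\Microsoft\Windows\Windows Error Reporting'
)

# WER value names to look up; extend the list as needed.
$valueNames = 'Disabled', 'CorporateWERServer', 'CorporateWERPortNumber', 'CorporateWERUseSSL'

function Get-EffectiveWerSetting {
    param([string[]]$Keys, [string[]]$Names)
    foreach ($name in $Names) {
        $hit = $null
        foreach ($key in $Keys) {
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            # -contains is case-insensitive, like registry value names
            if ($item.GetValueNames() -contains $name) {
                $hit = [pscustomobject]@{
                    Setting = $name
                    Value   = $item.GetValue($name)
                    Source  = $key
                }
                break   # first key in precedence order wins
            }
        }
        if (-not $hit) {
            $hit = [pscustomobject]@{ Setting = $name; Value = $null; Source = '(not set)' }
        }
        $hit
    }
}

$report = Get-EffectiveWerSetting -Keys $werKeys -Names $valueNames
$report | Format-Table -AutoSize

# Flag a client that sends reports to a corporate server without SSL.
$server = $report | Where-Object { $_.Setting -eq 'CorporateWERServer' }
$ssl    = $report | Where-Object { $_.Setting -eq 'CorporateWERUseSSL' }
if ($server.Value -and $ssl.Value -ne 1) {
    Write-Warning "Reports go to $($server.Value) without SSL."
}
```

Run it in the context of the logged-on user so that the HKEY_CURRENT_USER keys reflect that user's settings.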

Windows Error Reporting

Q: I am receiving Windows Error Reports and I am seeing the information in the SCOM console as expected. How can I check the error reports on my Windows test client to confirm the information? Is there a tool available?
A: Of course, there is a tool to check WER crashes on a Windows 7 client. Nirsoft has a tool called AppCrashView which is free and lets you explore the local crashes on the Windows 7 client. You can download it from their website.


Q: I also have AEM installed and I am interested in viewing minidump files from crashed Windows clients. How can I do that?
A: I recommend looking into BlueScreenView from Nirsoft. This tool is free and will display not only each parameter of the crash but also the blue screen which the user experienced on his client. Very useful!


Q: I need to simulate application and blue screen crashes. How can I do that?
A: There are some utilities available, I recommend using these:

Simulating application crashes

Simulating blue screens

Q: There are many different settings which can be configured for the WER service. Are there any good sources for understanding WER and about the settings I can configure?
A: If you use Bing you will find a whole lot of information. A good starting point is these websites …

I hope this Q & A helps you get started with AEM.
