Hi All, I’ve updated my Windows Domain firewall monitor. It’s a bit crude, but it seems to work:
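```powershell
param([string]$Arguments)
$ScomAPI = New-Object -ComObject "MOM.ScriptAPI"
$PropertyBag = $ScomAPI.CreatePropertyBag()

# Get Windows Domain FW state from the registry (1 = enabled, 0 = disabled)
$FWState = (Get-ItemProperty 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile').EnableFirewall
$PropertyBag.AddValue("FWState", $FWState)

# Most recent event 2003 whose message shows "Enable" set to "No" (Get-WinEvent returns newest first)
$fwoff = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id = 2003 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -clike "*Enable*" -and $_.Message -clike "*No*" } |
    Select-Object -First 1

# Resolve the modifying user's SID from that event to an account name
$UserName = "unknown"   # used when no matching event is found
$SID = $fwoff.Properties.Value | Where-Object { $_ -is [System.Security.Principal.SecurityIdentifier] } | Select-Object -First 1
if ($SID) {
    try { $UserName = $SID.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $UserName = $SID.Value }   # SID could not be resolved; report the raw SID
}
$PropertyBag.AddValue("username: ", $UserName)

# Send output to SCOM
$PropertyBag
```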
Unhealthy Expression is:
Property[@Name='FWState'] Equals 0
Healthy Expression is:
Property[@Name='FWState'] Equals 1
Alert description is:
'The Windows Firewall (Domain) has been disabled by $Data/Context/Property[@Name='username: ']$
This is calculated by a customer monitor using a PowerShell Script that queries the registry every 15 minutes for the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile).EnableFirewall.'
looks like: