Error sealing Management Pack using VSAE – The “PackageToBundle” task failed unexpectedly.

I cannot count the hours I have lost initially – later, every time that tiny little error appeared, I would remember that the solution had been easy. Time to finally write a note to myself!

When sealing a SCOM Management Pack Solution using Visual Studio Authoring Extensions, the following error would appear in the output window:

The "PackageToBundle" task failed unexpectedly.
Microsoft.Deployment.WindowsInstaller.BadQuerySyntaxException: SQL query syntax invalid or unsupported.
   at Microsoft.Deployment.WindowsInstaller.Database.OpenView(String sqlFormat, Object[] args)
   at Microsoft.EnterpriseManagement.Packaging.DataAccess.Insert(String query, Object[] args)
      at Microsoft.Build.BackEnd.TaskBuilder.d__26.MoveNext()
Done building project "my.ConnectedMG.Library.mpproj" -- FAILED.

The solution in my case: Check each Management Pack’s LanguagePack. I would get the above error when using certain special characters in the Name or Description element (e.g. single quotes). After removing those from the LanguagePack, the MP seals just nicely.
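One way to find the offending strings before sealing, as an added example that is not part of VSAE or the original post. It assumes the LanguagePack lives in `.mpx` fragment files with `DisplayString` elements, and it checks only the single quote, the one character named above. The sample fragment and the project path are constructed.

```powershell
# Added example: list LanguagePack Name/Description values that contain a single quote.
function Find-QuotedDisplayString {
    param(
        [Parameter(Mandatory=$true)][xml]$Fragment,
        [string]$Source = "(inline)"
    )
    # local-name() keeps the XPath working whether or not a default namespace is declared
    $xpath = "//*[local-name()='LanguagePack']//*[local-name()='DisplayString']"
    foreach ($ds in $Fragment.SelectNodes($xpath)) {
        foreach ($child in $ds.ChildNodes) {
            $isText = ($child.LocalName -eq 'Name') -or ($child.LocalName -eq 'Description')
            if ($isText -and $child.InnerText.Contains("'")) {
                [pscustomobject]@{
                    Source    = $Source
                    ElementID = $ds.GetAttribute('ElementID')
                    Field     = $child.LocalName
                    Text      = $child.InnerText
                }
            }
        }
    }
}

# Constructed sample fragment: the second DisplayString would break sealing
$sample = @"
<ManagementPackFragment SchemaVersion="2.0">
  <LanguagePacks>
    <LanguagePack ID="ENU" IsDefault="true">
      <DisplayStrings>
        <DisplayString ElementID="Sample.Class.A">
          <Name>Connected management group</Name>
          <Description>No special characters here.</Description>
        </DisplayString>
        <DisplayString ElementID="Sample.Monitor.B">
          <Name>Connector state</Name>
          <Description>Checks the connector's state.</Description>
        </DisplayString>
      </DisplayStrings>
    </LanguagePack>
  </LanguagePacks>
</ManagementPackFragment>
"@
Find-QuotedDisplayString -Fragment $sample | Format-Table -AutoSize

# Scan a whole project folder (the path is a placeholder)
Get-ChildItem -Path "C:\Path\To\Project" -Recurse -Filter *.mpx | ForEach-Object {
    Find-QuotedDisplayString -Fragment (Get-Content $_.FullName -Raw) -Source $_.Name
} | Format-Table -AutoSize
```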



PKI Certificate Verification MP – Update

In the last 10 months I have added several minor features to the certificate verification management pack for SCOM 2012. Some of them arose from needs of clients but most were suggested by people using the MP. Many thanks to everyone providing feedback and especially for testing the pre-release builds.

You can head over to the management pack catalog and download the updated MP version.

Changes in this update

The quick bullet list of improvements as also listed in the MP guide looks like this:

  • Added Tasks: Archive Certificate, List Certificate Properties, Disable/Enable Monitoring, Rediscover
  • Added Recoveries: Archive Certificate, Disable Monitoring
  • Added Discovery: Web Hosting certificate store (Server 2012 / 2012 R2)
  • Additional certificate property: Certificate Template. It is also listed on reports.
  • Discovery filter expanded to certificate template.
  • Alert description: Additional details on the certificate chain and SCOM action account used.
  • CRL Lifetime Monitor: Threshold is exposed as an overridable parameter.
  • CRL health roll up monitor added.
  • Expiring certificate view & report: Default threshold of 1 month may be overridden.
  • Views: Changed criteria on views to make them more reliable when using user scopes.
  • Reporting bug: Certificate inventory did not list all certificates.
  • Additional MP: Rediscovery Tasks. Immediate trigger of store content discovery after archive, disable/enable or rediscover tasks

And a few extra words on some of them

While some changes are pretty much self-explanatory, I am going to give you some background information on others below. Plus two little PowerShell bits to make everyone’s lives a bit easier.

Added tasks

To make checking on the validity of certificates easier for SCOM operators, I have added agent tasks that will

  • list certificate properties (and check validity)
  • archive a certificate
  • disable or re-enable monitoring for a single certificate (append friendly name tag)
  • attempt immediate rediscovery

Archiving a certificate may obviously have a disastrous impact on payloads working with a certificate. However, it may be undone locally on an agent computer using some PowerShell code as in the following example:

#sample script to remove the ARCHIVED flag from certificates
#open personal computer store (read/write & include archived)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store "My","LocalMachine"
$storeOpenFlags = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite, IncludeArchived"
$store.Open($storeOpenFlags)

#choices offered for each archived certificate (default is "No")
$unarchive = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", "Set Archive Flag to 'false'"
$skip = New-Object System.Management.Automation.Host.ChoiceDescription "&No", "Keep archive flag"
$confOpt = [System.Management.Automation.Host.ChoiceDescription[]]($unarchive, $skip)

if ($store.StoreHandle) {
    Write-Output ("Listing ARCHIVED certificates in store " + $store.Name)
    $store.Certificates | where {$_.Archived -eq $true} | % {
        $cert = $_
        $cert | ft Thumbprint, Subject, Issuer
        switch ($host.ui.PromptForChoice("Unarchive", "Remove 'ARCHIVED' flag from certificate?", $confOpt, 1)) {
            0 {
                $cert.set_Archived($false)
                if ($cert.Archived -eq $false) {Write-Output ("SUCCESS: Removal of ARCHIVED flag on certificate with thumbprint " + $cert.Thumbprint + " succeeded")}
                else { Write-Output ("ERROR: Removing ARCHIVED flag on certificate with thumbprint " + $cert.Thumbprint + " failed"); continue }
            }
        }
    }
}
else { Write-Output ("Failed to open store " + $store.Name) }

#don't forget to close store after operation
$store.Close()

Since there’s no undo option for deleted certificates, the MP does not contain a task to delete certificates.


Disabling monitoring for a single certificate is achieved by appending the tag “_DoNotMonitor” to the end of a certificate’s friendly name. Such certificates then become members of a group, and monitoring stops by means of predefined overrides. Instead of using the SCOM task, a system administrator might simply use the certmgr snap-in to alter the friendly name.

[Figure: Tag friendly name to disable monitoring]
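The same friendly-name change can be scripted locally. This is an added example, not the MP's task script; the function name `Set-CertMonitoringTag` is hypothetical, and it assumes the tag is matched exactly as spelled above, at the very end of the friendly name.

```powershell
# Added example (not the MP's own code): add or remove the "_DoNotMonitor" tag.
function Set-CertMonitoringTag {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$StoreName = "My",
        [switch]$Enable   # remove the tag again to re-enable monitoring
    )
    $tag = "_DoNotMonitor"
    $ordinal = [System.StringComparison]::Ordinal
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, "LocalMachine"
    $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite, OpenExistingOnly"
    $store.Open($flags)
    try {
        # Strip blanks and invisible characters that come along when copying from certmgr
        $clean = $Thumbprint -replace '[^0-9A-Fa-f]', ''
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
        if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\$StoreName" }

        $old = $cert.FriendlyName
        $tagged = $old.EndsWith($tag, $ordinal)
        if ($Enable -and $tagged)          { $new = $old.Substring(0, $old.Length - $tag.Length) }
        elseif (-not $Enable -and -not $tagged) { $new = $old + $tag }
        else                               { $new = $old }   # already in the requested state

        if ($new -ne $old -and $PSCmdlet.ShouldProcess($cert.Subject, "Set friendly name to '$new'")) {
            $cert.FriendlyName = $new   # written back to the store entry
        }
        [pscustomobject]@{ Thumbprint = $cert.Thumbprint; OldName = $old; NewName = $cert.FriendlyName }
    }
    finally { $store.Close() }
}

# Preview the change first, then apply it (the thumbprint is a placeholder)
Set-CertMonitoringTag -Thumbprint "<thumbprint>" -WhatIf
Set-CertMonitoringTag -Thumbprint "<thumbprint>"
```

Run it from an elevated session; without the ReDiscoveryTasks MP the change only takes effect after the next discovery cycle.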


The rediscovery task will only be available if the additional MP ReDiscoveryTasks has been imported. It will run a management server side PowerShell script, triggering the SCOM task “Trigger On Demand Discovery Task“. Overrides will be accounted for. This way, changes to an agent’s certificate store will be reflected much more quickly in SCOM. The progress can easily be verified by checking the “Task Status” view. Note that the ReDiscoveryTasks MP will also attempt to run an OnDemand discovery after Archive and Enable/Disable tasks have been performed.

Added Recoveries

Two disabled recoveries have been added to the certificate monitors:

  • Archive Certificate
  • Disable Monitoring

They do behave exactly the same as the related tasks mentioned above. They will show their effect on the SCOM repository within minutes if the optional ReDiscoveryTasks MP is imported. Otherwise monitoring will not stop until the next discovery cycle has passed.


Added discovery of the Web Hosting store

Windows Server 2012 and 2012 R2 feature a new certificate store called “Web Hosting”. Behind the scenes it provides more load efficient certificate handling and is intended for use e.g. with IIS in web hosting scenarios (what a surprise). When using the QuickStart override MP, those stores and all signed certificates in them will automatically be discovered.

Monitoring wise it is important to understand that this store is intended to hold hundreds of certificates. Hence thinking about a good filtering strategy for monitoring may be crucial. Failing to do so could lead to way too many objects being discovered, causing performance issues on SCOM. Consider making use of the Subject, Issuer and Template filtering capabilities.


Certificate Template information

Certificates issued by Enterprise CAs can now be filtered based on their template name (and OID). Consequently, the template property has been added as an additional property to the certificate and will be listed on inventory reports.

It is important to understand that the names of certificate templates are specific to an AD forest. They cannot be resolved if such a certificate is located on a computer outside of the forest. In that case, the MP will display the template OID value only. To check what the template property of a certificate is, run the following PowerShell commands on an agent computer:

#gets template names (and/or OIDs) of local certificates
get-childitem cert:\LocalMachine\My | ft -Wrap Thumbprint, Subject, Issuer, @{Label="Template"; Expression={
	$templateName = ""
	#TemplateName (Version 1)
	$_.Extensions | where { $_.OID.Value -match "^1\.3\.6\.1\.4\.1\.311\.20\.2$"} | % {
		$templateName = $_.Format($false).trim()}
	#Template (Version 2)
	$_.Extensions | where { $_.OID.Value -match "^1\.3\.6\.1\.4\.1\.311\.21\.7$"} | % {
		#sometimes no actual name but only the OID is contained
		#only read $matches if the pattern matched, otherwise it holds values from a previous certificate
		if (($_.Format($false)) -match 'Template=((?<templateName>.+)\((?<templateOID>1\.3\.6\.1\.4\.1\.311\.[0-9.]+)\)|(?<templateOID>1\.3\.6\.1\.4\.1\.311\.[0-9.]+))') {
			if ($matches.templateName) {$templateName = ($matches.templateName.trim() + "(" + $matches.templateOID.trim() + ")")}
			else {$templateName = $matches.templateOID.trim()}}}
	#value shown in the Template column
	$templateName
}}


Updated Alert Description

The alert description of monitors has been overhauled to be much more verbose. Specifically it is now showing both the subject and the issuer property. It also contains information about the RunAs account used for monitoring and gives details on the validity of the certificate chain.

[Figure: Alert description example: intermediate CA certificate has expired (Level 1)]


This makes it much easier to pinpoint issues when it is not the end certificate itself but a chain certificate that has become invalid, possibly just in the context of the RunAs account of the agent.

An extra hint regarding the latter in case the agent is running under the local system account: Occasionally it can be observed that a certificate chain is reported invalid by the MP but is valid if a certificate is checked with an interactive user account. One possible reason for this can be the SYSTEM account not being able to automatically update CTLs (e.g. due to internet access restriction), while an interactive account can. If the issue cannot be resolved, consider using a tool like SysInternals PSExec.exe to launch the CertMgr.msc in the SYSTEM context to investigate the cause.
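To compare chain validation between account contexts, the following added example (not the MP's monitoring script) builds the chain with .NET and reports the status of every chain element together with the account it ran under. The function name `Get-CertChainReport` is hypothetical; numbering the end certificate as level 0 and the first intermediate CA as level 1 is an assumption about how the alert description counts levels.

```powershell
# Added example (not MP code): per-element chain status for the current account.
function Get-CertChainReport {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = "Online"
    )
    $account = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = "EntireChain"
    try {
        # Build() returns $false as soon as any element has a status other than NoError
        $valid = $chain.Build($Certificate)
        $level = 0
        foreach ($element in $chain.ChainElements) {
            $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
            if ($flags.Count -gt 0) { $status = $flags -join ", " } else { $status = "NoError" }
            [pscustomobject]@{
                Account    = $account
                ChainValid = $valid
                Level      = $level          # 0 = end certificate (assumed numbering)
                Subject    = $element.Certificate.Subject
                NotAfter   = $element.Certificate.NotAfter
                Status     = $status
            }
            $level++
        }
    }
    finally { $chain.Reset() }
}

# Report every certificate in the local computer's personal store
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-CertChainReport -Certificate $_ } |
    Format-Table Account, ChainValid, Level, Status, NotAfter, Subject -AutoSize -Wrap
```

Run it once interactively and once in the agent's account context; rows where only the latter shows a status such as `RevocationStatusUnknown` or `UntrustedRoot` point to the context-specific cause.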

Download MP version from

SQL Server Mirroring MP Update V

Today I was able to release an update to the SQL Server DB Mirroring Management Pack.

The update doesn’t bring any new features but fixes a potential issue on larger management groups which would lead to discoveries failing. In order to work around this I have altered the PowerShell discovery scripts so that they no longer make use of any SCOM console cmdlets. Instead direct SDK .NET calls are being used. I recommend updating existing installations, specifically if you are using management group connectors, the Exchange 2010 correlation engine or other custom MPs which make use of SDK workflows.

Download of the management pack is available through the MP Catalog. You need to register but registration is free.

MP Change History

Version – April, 28 2011 (no functional changes)

  • Corrected spelling in language pack.
  • Replaced all SCOM shell cmdlets with .NET calls to overcome a potential issue when several connectors and other MPs share a single SDK connection.
  • Improved discovery script timing behaviour when using desired configuration for a large number of mirrors.

Version – September, 10 2010

  • Support for SQL Server 2005 has been added and compatibility with SQL Server 2008 R2 has been verified. Starting with version, Microsoft SQL Server 2005, 2008 and 2008 R2 are supported.
  • Default Display Names of discovered DB Mirror Groups have been shortened and may optionally be changed to a customized string. See the guide for details.

Version – June, 04 2010

  • Original release – SQL Server 2008 support only

PKI Certificate Management Pack Update V1.0.1.15

After having received very helpful feedback from various users, I was able to incorporate some enhancement requests for the PKI Certificate Management Pack.

Version will deal correctly with specific certificates that have somewhat unusual ‘Issued to’ and ‘Issued By’ properties. Furthermore it will only monitor CA certificates if they haven’t been superseded. Download from You need to register but registration is free.

Changes in version
  • Improved discovery of Issued to and Issued by properties: Will use Subject Alternative Name if certificate doesn’t have a subject and will correctly extract the subject if CN= isn’t encountered on the first line of the subject string.
  • Additional certificate property: CA Version (based on extension szOID_CERTSRV_CA_VERSION). If this property holds a value, that certificate is a Windows CA one.
  • No longer discovers superseded CA certificates. Evaluation is based on the CA Version property. Additional override to change that behavior if required.
  • Monitors will not mark superseded CA certificates as expired if their discovery is enabled.
  • Expose script timeout as an overridable parameter
  • Changed alert priority to ‘Low’.
  • Broke upgrade path to avoid potential agent stale issues when upgrading from V or earlier.

Please study the included release notes and the MP guide carefully, especially when you’re planning to update from a previous version. I did deliberately break upgrade compatibility after some users had reported stale agent conditions during test cycles. You will need to remove any previous version of the MP from your Management Group before importing the latest one.

Geeky background information

The issues after upgrades were caused by moving the overridable timing parameters from the certificate object workflows to the parent certificate store’s properties. This left already discovered certificate objects’ workflows without any timing information until their parents were re-discovered and got their default timing properties added. During my own test all the agents recovered after that and re-enabled the certificate workflows.

Other users had less luck and ended up with a partly stale agent population that could only be corrected by removing the MP from the Management Group. To avoid issues I simply decided to break the upgrade path and force everyone upgrading to remove the previous MP. Breaking was easy by the way. It only took altering the caption of a property on a public class.

I do apologize for having to make you go through the process of removing the MP (and its override MPs) before being able to upgrade. On the other hand I wouldn’t want anyone to experience stale agent conditions due to that.

Lesson learned: There are indeed rare conditions under which an MP author may write an upgradeable MP that would pass MPVerify and will import without complaints but still cause upgrade issues on the Management Group. Watch out for those! Test, test, test – then test once more.

SQL Server DB Mirroring MP Update

When I published the original release of the SQL Server DB Mirroring Management Pack, I promised that I would provide support for SQL Server 2005 if demand justified the effort. I am almost certain that you have an idea of what follows now: The latest version of the MP does support mirrored databases on SQL Server 2005, SQL Server 2008 and SQL Server 2008 R2.

All improvements over the first release include:

  • SQL Server 2005 database mirror supported
  • tested compatibility with SQL MP 6.1.314.36 (SQL 2008 R2 support)
  • timing improvements in script workflows
  • allow mirror group display name to be configured via Desired Configuration XML file
  • fix alert parameter replacement failures seen occasionally after initial discovery
  • an override pack to make discovery faster in non production environments only

Before importing this management pack I strongly encourage you to carefully read the guide contained in the download. Some features will only work when all prerequisites have been met!

Get the SQL Server DB Mirroring MP from (Version


This update wouldn’t have been possible without the assistance of Dirk Decher who has kindly provided an extended testing environment and taken the time to share his ideas around DB mirroring monitoring with me. And last but not least: I was thrilled to learn that this MP has won the gold medal at the System Center Influencers Program Management Pack Extension Contest 2010. Some of you guys know how much effort goes into writing an MP. A reward like that makes up for some of those many late and wee hours spent tracking down that XPath failure. Do check out the other participants’ entries as well. Some true gems are amongst them.


SQL Server DB Mirroring Management Pack

My latest addition to the community MP catalog augments the SQL Server MP with database mirroring discovery and monitoring. The SQL Server DB Mirroring Management Pack helps you by:

  • discovering db mirror roles and objects on SQL 2008 DB engines
  • automatically creating service components per mirrored database (consider them mini DADs)
  • probe based monitoring of the mirrored DB state with alerting should the mirror no longer run synchronized or lose its witness
  • optionally checking the mirror mode and db roles against a Desired Configuration setting (alerts when the mirror roles are swapped etc.)
  • delivering mirror inventory and availability reports


DB Mirroring Relationships and Health Roll Up

The Management Pack comes with a comprehensive guide which is a must read. The pack will only work as expected if some prerequisites are met. The guide also discusses how to enable Desired Configuration monitoring for your DB mirrors.

 Get the SQL Server DB Mirroring MP from (Version

The download also contains an override MP for the SQL Server Extension MP published on OpsMgr Jam. The extension MP already features useful event and performance collection rules that help monitoring an SQL DB mirror but as it does not contain any discoveries, they are targeting any SQL server. My override MP helps by adjusting their targeting so that those rules are only active on SQL Engines that host mirrored DBs.

2010 Management Pack Extension Contest

South Africa 2010 is about to take off and even on planet SCOM we currently have a great tournament:

The System Center Influencers program has sponsored the Management Pack Extension Contest. Entered Management Packs should extend one of the product’s packs with

  • reporting
  • diagram or service level
  • Visio or Dashboard
  • by tuning it

My own MP does certainly extend the SQL Server Management Pack and it does fit more or less into three of the contest categories. The deadline for entries is June 30, 2010. So why don’t you upload your own entries to compete with me?

Updates to Management Packs

It has been quiet on this blog for a long time. With the community efforts luckily having rapidly gained ground, there is much less newly discovered to write about. As I would rather not repost knowledge found by other folks, I haven’t had much to place up here lately.

However; I do greatly appreciate feedback, especially on my published Management Packs. Knowing what needs and headaches other OpsMgr users have, gives me a chance to improve the packs. So there are updates for the following MPs:

Adobe Flash Media Server

Version works with FMS 3.5 and OpsMgr 2007 R2. Download from this blog.

PKI Certificate Validation

Version allows improved customization of monitoring frequencies and now contains an example MP that shows how additional certificate stores may be discovered. Download from

Untrusted Active Directory Domain Discovery

Version of that extension Management Pack is compatible with the current product MP 6.0.7065.0. Download from this blog.