Speaking at System Center Universe Europe 2016 – Berlin

I’m really excited that I will have two sessions at this year’s SCU Europe in Berlin, August 24th – 26th. System Center Universe Europe is a really great community conference that focuses on Cloud, Datacenter and Modern Workplace Management, covering technologies like Microsoft System Center, Microsoft Azure, Office 365 and Microsoft Hyper-V. Read more about SCU Europe here: http://www.systemcenteruniverse.ch/about-scu-europe.html

I have been visiting all SCU Europe conferences since the inaugural start in Bern in 2013. I met some amazing MVPs, sponsors and community leaders already then; in fact it inspired me even more to share my own work and knowledge by blogging, using social media and eventually speaking at technical and community conferences myself. The following two years SCU Europe was held in Basel, and both the great conference venue at the Swissotel and, let’s not forget, Bar Rouge had their fair share of memorable moments🙂

This year’s SCU Europe will be held in Berlin from the 24th to the 26th of August. Moving the conference to Berlin is a smart move I think; it will make the conference even more accessible to most European and overseas travelers, and attract the attendance it deserves.

A few months ago I received some great news, I had two sessions accepted for SCU Europe, and received my first Microsoft MVP Award for Enterprise Mobility. I’m really happy to not only go and learn and enjoy the conference sessions and community, but also to contribute myself along with over 40 top, top speakers from all over the world!

My first session will cover “Premium Management and Protection of Identity and Access with Azure AD”:

image

In the session I will focus on Azure AD Identity Protection, Azure AD Privileged Identity Management for controlling role and admin access, how to monitor it all with Azure AD Connect Health, and how Azure Multi-Factor Authentication works with these solutions. The session will cover the recent announcements regarding Enterprise Mobility + Security.

The second session will be a deep dive on “Publish Applications with Azure AD”:

image

In this demo-packed session I will go deep into what you need to get started on publishing the different types of applications, and how to configure and troubleshoot user access to these applications. The session will cover Azure AD Single Sign-On and Password Single Sign-On, integrating Azure AD SSO with your internally developed applications, and publishing applications with Azure AD App Proxy that either use pre-authentication or pass through.

Hope to see you at the conference, and if you haven’t registered yet there is still time: http://www.systemcenteruniverse.ch/registration.html


New look coming to Azure Active Directory Access Panel #AzureAD

A quick update on coming changes to the Azure Active Directory Access Panel at https://myapps.microsoft.com.

When I log in with my Azure AD work account I see that there is a notification that a new look is coming soon and I can try it out:

image

The new applications look:

image

The new groups look, where I can see which groups I own and which I am member of:

image

For groups I can join or leave, change settings for groups I own and see members.

Looking at my logged-in user in the top right corner, I see that I have a notification for pending actions; in this case I have an approval waiting to join a group I own:

image

Looking more at my profile I can change my associated Azure AD Organizations, or go to my Profile page:

image

The Profile page has a new look as well, where I can see my information, manage my account with password change or reset setup (depending on Azure AD Premium or EMS license and configurations), and I can view my devices and activity status.

image

This new look seems to be out there for everyone to try out now, and looks great so far.

And by the way: there is still no support for the Edge browser when trying to run a published application that uses Password SSO and requires the Access Panel Extension:

image


Trigger Azure AD Connect Sync Scheduler with Azure Automation

In this blog post I will show how you can trigger the Azure AD Connect Sync Scheduler with an Azure Automation Runbook PowerShell script. Since Azure AD Connect build 1.1.105.0 was released in February 2016, a new scheduler is built in that by default syncs every 30 minutes (previously 3 hours). For more detail on the Azure AD Connect Sync Scheduler, see https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnectsync-feature-scheduler/.

Normally a sync schedule of 30 minutes is sufficient for most uses, but sometimes you will need to do an immediate sync. So I thought it was a good idea to create a PowerShell script that creates a remote session to the Azure AD Connect server and then triggers a delta sync.

Now, this PowerShell script can of course be used with any of your favorite automation solutions, for example Orchestrator or SMA on-premises. But why not just use Azure Automation and a Hybrid Worker to run this script? This way you can trigger the script in a number of ways, including from the Azure Portal, via webhooks, when remediating alerts in OMS, and more.

Requirements

Let’s first take a look at the requirements for this solution:

  • You will have to have an Azure Subscription so that an Azure Automation Account can be created (or use your existing account), and a runbook script with the related assets can be created.
  • You will need to have an OMS Workspace for the Azure Subscription, and have a Hybrid Worker set up that can communicate with the Azure AD Connect Server. The Hybrid Worker will use the credential asset and variable asset created in the first part.

In the following two parts I will look at these two requirements and how you can set it up to start triggering Azure AD Connect Scheduler with your Azure Automation Runbook.

Part 1 – Set up the Azure Automation Runbook and Assets

To set up the Azure Automation part of the solution, I have created a GitHub Repository from which you can deploy the solution directly: https://github.com/skillriver/Trigger-AzureADSyncScheduler. This repository contains the Azure Resource Manager deployment template and the PowerShell script that you need to get started.

You can also click this deploy button directly:

 

Let’s step through what you experience when you click “Deploy to Azure”. Please make sure that you are logged in to the correct Azure Subscription first.

Deploying with the Template

I will not go through how I created the ARM based JSON templates, but I will quickly show the user experience when doing the deployment.

The custom deployment will ask you for some parameter values:

  • AUTOMATIONACCOUNTNAME. If you specify an existing Automation Account, this will be used, or else a new one will be created with the Free pricing tier.
  • AAHYBRIDWORKERCREDENTIALNAME. There is a default value there, this will be used as a Credential Asset in the PowerShell script. You can change the value, but then you must remember to change it in the script as well.
  • AAHYBRIDWORKERDOMAIN. The NETBIOS Domain Name for where the Azure AD Connect Server belongs to.
  • AAHYBRIDWORKERUSERNAME. This is the user name for the service account or other user account that has permission to connect to the Azure AD Connect Server and trigger the sync schedule.
  • AAHYBRIDWORKERPASSWORD. The password for the user above.
  • AADSSERVERNAME. The server name of the Azure AD Connect Server.

You will have to select the correct subscription, and either create a new Resource Group or select an existing one (please note that Azure Automation is not available in every region).

image

After saving the parameters, and reviewing and accepting legal terms, you are ready to create the custom deployment.

If everything went OK, you should see a confirmation:

image

You will have an Automation Account:

image

You will have a PowerShell Script Runbook with the name Trigger-AzureADSync:

image

The script can be viewed as shown below. This script is short and simple: it will get the Variable Asset for the Azure AD Connect Server name, and get the Credential Asset for the Hybrid Worker account. It will then create a remote session, and run the delta sync cycle:

image
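As an added example (not the script from the GitHub repository above, but a reconstruction of what the post describes), here is a runbook that reads the two assets, opens a remote session to the Azure AD Connect server and triggers a delta sync. The asset names AADSServerName and AAHybridWorkerCredential are assumptions; use the names your deployment created. It also checks whether a cycle is already running before starting one, which the post does not mention, since Start-ADSyncSyncCycle returns an error if a sync is already in progress.

```powershell
# Added example, reconstructed from the description in the post; not the script in the
# skillriver/Trigger-AzureADSyncScheduler repository. Asset names below are assumptions.
$aadConnectServer = Get-AutomationVariable -Name 'AADSServerName'               # assumed variable asset name
$hybridWorkerCred = Get-AutomationPSCredential -Name 'AAHybridWorkerCredential' # assumed credential asset name

# The remote session runs as the service account that is a member of
# "Remote Management Users" and "ADSyncOperators" on the Azure AD Connect server,
# so the runbook never needs local administrator rights there.
$session = New-PSSession -ComputerName $aadConnectServer -Credential $hybridWorkerCred -ErrorAction Stop

try {
    $result = Invoke-Command -Session $session -ScriptBlock {
        Import-Module ADSync -ErrorAction Stop

        # Start-ADSyncSyncCycle errors out if a cycle is already running, so check first
        # instead of letting the runbook job fail.
        $scheduler = Get-ADSyncScheduler
        if ($scheduler.SyncCycleInProgress) {
            return "Sync cycle already in progress on $env:COMPUTERNAME; nothing started."
        }

        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        return "Delta sync cycle started on $env:COMPUTERNAME at $(Get-Date -Format s)."
    }
    Write-Output $result
}
finally {
    # Always tear down the remote session, even if the sync call failed.
    Remove-PSSession -Session $session
}
```

The runbook's output line ends up in the job output in the Azure Portal, which is what you look at when verifying the job later in Part 2.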

Let’s take a look at the Assets created with the deployment as well. The Variable:

image

The Credential:

image

That’s the whole solution for this first part. If you for any reason could not or would not deploy the template directly, and would prefer to create this manually, you should be fine just following the images above. Just follow these steps:

  1. Create an Azure Automation Account (Free tier, and in your chosen supported Azure Region).
  2. Create a Variable Asset, with the name of the Azure AD Connect Server.
  3. Create a Credential Asset, with the DOMAIN\UserName of the account you will use to remote session to the Azure AD Connect Server.
  4. Create a new PowerShell Script Runbook, typing the CmdLets from above and using your variable assets.

By now you should be ready for the next step, because you cannot run this Automation Runbook just yet. You have to have OMS and a Hybrid Worker in place first, and that will be shown in the next part.

Part 2 – Set up the Hybrid Worker and Remote session permission

To be able to run Azure Automation Runbooks in your own datacenter, you will need to have an OMS workspace and at least one Hybrid Worker configured that will be able to execute the Runbook locally and connect to the Azure AD Connect Server.

Hybrid Runbook Worker Components

I will not go through the details here on how to set up an OMS workspace and a Hybrid Worker if you don’t have this from before; you can just follow the documentation here: https://azure.microsoft.com/en-us/documentation/articles/automation-hybrid-runbook-worker/.

After setting up and registering your Hybrid Worker, you will have a Hybrid Worker Group with at least one Hybrid Worker.

image

Now, running the Runbook with the right security is going to be essential here; after all, the Runbook is going to connect to the Azure AD Connect Server and initiate the sync cycle. Let’s first check the settings of the Hybrid Worker Group. We can either select a Default Run As account as I have here:

image

Or you can select a Custom Run As, specifying a credential Asset to use for all Runbooks running on this Hybrid Worker Group:

image

In my example here, I will use the Default Run As Account, because I specify my own credentials in the PowerShell Runbook, as shown earlier in Part 1 of this blog post:

image

Next, I will have to create a domain account in my local Active Directory. I have created a service account to be used for Azure Automation Hybrid Workers. This is the same account you specified when creating the credential asset in Part 1 in Azure Automation:

image

This account will need permission to remote PowerShell to the Azure AD Connect Server. In Computer Management and Local Users and Groups on the Azure AD Connect Server, add this service account to the Remote Management Users group:

image

And add the account to the ADSyncOperators group, so that the user has permission to run Azure AD Connect operations:

image
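The two group memberships above can also be granted and verified from PowerShell. This is an added example, not from the post: the first part runs on the Azure AD Connect server as a local administrator and adds the service account to the two local groups (Add-LocalGroupMember requires Windows Server 2016 / PowerShell 5.1); the second part runs from the Hybrid Worker and confirms that the account can open a session and read the scheduler state without starting a sync. CONTOSO\svc-aahybridworker and AADCONNECT01 are placeholders.

```powershell
# Added example, not from the post. Placeholder names; replace with your own.
$serviceAccount   = 'CONTOSO\svc-aahybridworker'
$aadConnectServer = 'AADCONNECT01'   # the real name lives in the AADSSERVERNAME variable asset

# --- Part A: on the Azure AD Connect server, as a local administrator ----------------
# Neither group grants local administrator rights; that is exactly the point.
foreach ($group in 'Remote Management Users', 'ADSyncOperators') {
    $alreadyMember = Get-LocalGroupMember -Group $group -ErrorAction Stop |
        Where-Object { $_.Name -eq $serviceAccount }
    if ($alreadyMember) {
        Write-Output "$serviceAccount is already a member of '$group'."
    } else {
        Add-LocalGroupMember -Group $group -Member $serviceAccount
        Write-Output "Added $serviceAccount to '$group'."
    }
}

# --- Part B: from the Hybrid Worker, as the service account ----------------------------
$cred = Get-Credential -UserName $serviceAccount -Message 'Service account password'

# Read-only check: proves the remoting permission and the ADSync permission are in place
# before the runbook is started for real.
$check = Invoke-Command -ComputerName $aadConnectServer -Credential $cred -ScriptBlock {
    Import-Module ADSync -ErrorAction Stop
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        RunningAs           = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SyncCycleEnabled    = $s.SyncCycleEnabled
        SyncCycleInProgress = $s.SyncCycleInProgress
        NextSyncCycleStart  = $s.NextSyncCycleStartTimeInUTC
    }
}
$check | Format-List
```

If Part B fails with an access-denied error from WinRM, the "Remote Management Users" membership is the one to re-check; if the session opens but Get-ADSyncScheduler fails, look at the ADSyncOperators membership instead.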

That should be it, we are now ready to start the Runbook and verify that it works.

Starting the Runbook

From the Automation Account and the Trigger-AzureADSync Runbook, select Start and under Run Settings select Hybrid Worker and your Hybrid Worker Group:

image

You can verify that the job completed and with no errors:

image

Looking into the Synchronization Service on the Azure AD Connect Server, I can verify that the sync cycle has been running:

image

That concludes this blog article, hope it has been helpful!


How to reset Mobile Device Management Authority from Config Mgr to Intune

I have a demo/test environment for Intune enrollment where I have configured Configuration Manager as the Mobile Device Management Authority. I have been thinking about a change in approach, as most of my test devices are either lightly managed PCs or mobile devices. So I wanted to change and use Microsoft Intune only as the MDM Authority.

Referring to the official documentation for setting Mobile Device Management Authority, https://technet.microsoft.com/en-us/library/mt346013.aspx, this can only be set initially when configuring the tenant, and cannot be changed later!

But, there is a way. You can create a Service Request ticket with Microsoft, and request a reset of the mobile device authority.

There are some caveats to this reset request though:

  • You will have to retire and delete all registered mobile devices
  • You will have to delete all MDM related configurations in Configuration Manager

Basically, this is a real start over with clean sheets. If that is what you want, read on; if not, stop here 😉

In this blog article I will show the steps I went through to reset my MDM authority.

Step 1 – Create a Service Request

The first step is to create the Service Request, requesting a reset. Identify the issue by selecting the feature Intune Service Administration and the symptom Reset mobile device authority. Provide a summary and issue details, for example as below:

image

Review and continue:

image

Add details if needed:

image

Confirm and submit:

image

Service Request is now pending, awaiting response:

image

Step 2 – Await response on Service Request on next steps

After a couple of hours I got a response with a checklist to be completed:

image

Here’s the checklist:

  • Retire all Modern Devices (mobile devices) from within the Configuration Manager Console. It is important that you do not attempt to retire a device from the device itself for this procedure to be executed.
    Let us know if any devices are in a “pending state”.
  • Point the Intune Subscription to an empty user collection, or remove all users from the targeted collection, and confirm in the CloudUserSync.log that all users are removed.
  • Remove all users from the Intune User Group.
  • Run the following SQL procedure on the CM server to ensure all licenses are removed from the DB:
    Insert into MDMCloudUserNotification Select ItemKey, 3, 0 from User_Disc where CloudUserId is not null
  • Then restart the CloudUserSync thread in ConfigMgr (or restart SMS_Executive if easier) and then when CloudUserSync starts up, it should deprov the users.

Restart SMS Executive

To reset the SMS_COLLECTION_EVALUATOR thread through the registry, open the Registry console and navigate to the registry key below:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR | Requested Operation
–> Right click Requested Operation –> Modify –> type “Stop” and click on OK.
Do refresh till the data value resets to “None” and then again edit it with the “Start” data value.

Confirm users are removed from cloudusersync.log

Open cloudusersync.log from C:\Program Files\Microsoft Configuration Manager\Logs and look for messages that users are removed.

Please ask customers to provide a couple of sample UPNs after they remove all user licenses and confirm in Viewpoint the sample users no longer have SCCM licenses.

  • Delete the iOS APNs certificate
  • Delete any and all published applications that are for MDM Devices
  • Delete any and all policies that are for MDM Devices
  • Remove the Windows Intune Connector from within the Configuration Manager Console

Provide info:

Tenant ID: xxx.onmicrosoft.com

Global administrator email: xxx.domain.com

Step 3 – Do the checklist

Let’s step through the main parts of the checklist.

Retire all Modern Devices

All Clients of Type Mobile must be retired:

image

Depending on the Device Type you can either select to only wipe company content or the device completely:

image

Or, typically for a Windows 10 computer managed as a Mobile Device, you can only remove company content:

image

Warning notification:

image

After that, the clients are in a status of “Pending Retire”; they will eventually be removed when they sync again. Some of my devices are inactive test devices, so I just turn them on and initiate a sync.

image

After a while I still have some devices left in a pending state. I know that these devices no longer exist, so they will not be able to sync. I will let the service request technician know about these, as instructed in the checklist.

In this case, the service request technician instructed me to remove the devices registered for the users in question in the Azure AD management portal (http://manage.windowsazure.com), by selecting the user and removing any mobile devices registered.

You can also remove the devices from the user with MSOnline PowerShell module:

Get-MsolDevice -RegisteredOwnerUpn yourupn@domain.com | Remove-MsolDevice

Or for all users that have workplace joined devices:

Get-MsolDevice -All | Where-Object { $_.DeviceTrustType -eq 'Workplace Joined' } | Remove-MsolDevice
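Because the removal is irreversible, a practitioner would normally inventory what is about to be deleted before piping into Remove-MsolDevice. The following is an added example (not from the post) that does the same filtering as the one-liners above, but first exports the matching devices to a CSV record and asks for explicit confirmation; the CSV path is a constructed choice.

```powershell
# Added example, not from the post: record, confirm, then remove workplace-joined devices.
Connect-MsolService   # prompts for Global Administrator credentials

$devices = Get-MsolDevice -All | Where-Object { $_.DeviceTrustType -eq 'Workplace Joined' }

if (-not $devices) {
    Write-Output 'No workplace-joined devices found; nothing to remove.'
    return
}

# Keep a record of what is about to be deleted (constructed path; change as you like).
$recordPath = Join-Path $env:TEMP ("workplace-joined-devices-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$devices |
    Select-Object DisplayName, DeviceId, DeviceTrustType, DeviceOsType, ApproximateLastLogonTimestamp |
    Export-Csv -Path $recordPath -NoTypeInformation
Write-Output "Recorded $($devices.Count) device(s) to $recordPath"

# Explicit, case-sensitive confirmation before the destructive step.
$answer = Read-Host "Remove all $($devices.Count) workplace-joined device(s)? Type REMOVE to continue"
if ($answer -ceq 'REMOVE') {
    foreach ($device in $devices) {
        Remove-MsolDevice -DeviceId $device.DeviceId -Force
        Write-Output "Removed $($device.DisplayName) ($($device.DeviceId))"
    }
} else {
    Write-Output 'Aborted; no devices removed.'
}
```

To scope it to a single user as in the first one-liner, replace the Get-MsolDevice -All call with Get-MsolDevice -RegisteredOwnerUpn yourupn@domain.com.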

Point the Intune Subscription to an empty user collection and remove cloud synced users

I created a User Collection with a query that I know will not return any users, for example a non-existent domain:

image

After that I update the Intune Subscription to use that collection:

image

Connect to the SQL site database, and run the following SQL query to ensure all licenses are removed from the DB:

Insert into MDMCloudUserNotification Select ItemKey, 3, 0 from User_Disc where CloudUserId is not null

After that, restart the “SMS Executive” service, and look in the CloudUserSync.log to confirm that all users are removed.

image

Reset the SMS_COLLECTION_EVALUATOR thread through the registry: open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR

–> Right-click Requested Operation –> Modify –> type “Stop” and click OK.

Refresh until the data value resets to “None”, and then edit it again with the “Start” data value.

Take another look in cloudusersync.log from <configuration manager install dir>\Logs and look for messages that users are removed.
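The thread reset above can be scripted so that the wait for “None” between the Stop and Start requests is not done by hand. This is an added example, not from the post or the checklist; it uses the registry path and the default log path given in the checklist and is meant to be run on the site server as an administrator.

```powershell
# Added example, not from the post: reset the SMS_COLLECTION_EVALUATOR thread via the
# "Requested Operation" registry value, waiting for SMS_Executive to acknowledge each request.
$threadKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\Components\SMS_EXECUTIVE\Threads\SMS_COLLECTION_EVALUATOR'
$valueName = 'Requested Operation'

function Wait-ForRequestedOperationNone {
    param([string]$Key, [string]$Name, [int]$TimeoutSeconds = 300)
    # SMS_Executive sets the value back to "None" once it has processed the request.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
        if ($current -eq 'None') { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Request-ThreadOperation {
    param([string]$Key, [string]$Name, [string]$Operation)
    Set-ItemProperty -Path $Key -Name $Name -Value $Operation
    Write-Output "Requested '$Operation' on $(Split-Path $Key -Leaf) at $(Get-Date -Format T)"
    if (-not (Wait-ForRequestedOperationNone -Key $Key -Name $Name)) {
        throw "SMS_Executive did not acknowledge '$Operation' (value never returned to 'None')."
    }
}

# Stop, wait for "None", then Start, wait for "None" again, exactly as the checklist says.
Request-ThreadOperation -Key $threadKey -Name $valueName -Operation 'Stop'
Request-ThreadOperation -Key $threadKey -Name $valueName -Operation 'Start'

# Then read the tail of the log for the user removal messages the checklist refers to.
# Default install path from the checklist; adjust if Configuration Manager is installed elsewhere.
$log = 'C:\Program Files\Microsoft Configuration Manager\Logs\CloudUserSync.log'
Get-Content -Path $log -Tail 50
```

The timeout guard matters: if the value never returns to “None”, the SMS_Executive service is not processing thread requests and a full service restart (as the checklist also allows) is the next step, rather than retrying the registry edit.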

The service request technician might ask customers to provide a couple of sample UPNs after they remove all user licenses and confirm in Viewpoint the sample users no longer have SCCM licenses.

Remove MDM configurations from Config Mgr

After the users are removed, MDM configurations must be removed from Configuration Manager.

Delete the iOS APNs certificate:

How?

image

Delete any and all published applications that are for MDM Devices:

Under Software Library, find all applications for the Mobile Devices. Before the applications can be deleted, any deployments must be removed first.

Delete any and all polices that are for MDM Devices:

Under Assets and Compliance, delete everything related to Mobile Devices:

  • Compliance Settings|Configuration Baselines and Deployments
  • Compliance Settings|Configuration Items
  • Compliance Settings|Compliance Policies
  • Company Resource Access|Certificate Profiles
  • Company Resource Access|Email Profiles
  • Company Resource Access|VPN Profiles
  • Company Resource Access|Wi-Fi Profiles

Finally, remove the Windows Intune Connector from within the Configuration Manager Console.

Step 4 – Update the Service Request

After I cleaned up, I provided my info to the service request technician and confirmed that I had completed the checklist:

Tenant ID: xxx.onmicrosoft.com

Global administrator email: xxx.domain.com

After a few days, I got the response that I should keep my hands off the subscription during the reset process:

image

Step 5 – MDM Authority Reset Confirmation

A couple of days later I got the confirmation that the MDM authority was now reset:

image

Checking in the Intune Management Portal (http://manage.microsoft.com), I can now select to set Microsoft Intune as the Mobile Device Management Authority:

image

Summary

All in all, the whole process for me took 9 days. Some of these days were for me to complete the checklist; the rest was basically waiting for responses on questions, updates and the confirmation.

The end result was as expected; I can now register my mobile devices with Microsoft Intune as the MDM authority.

If I later want to go back to Configuration Manager as MDM Authority, I would have to do basically the whole reset process again, except that the cleanup will be in Microsoft Intune. A service request will provide details on that as well, and if I do it at a later time, I will put up a blog article on that too!

Missing groups prevent upgrade of Azure AD Connect

This is just a short blog article on a problem I experienced when upgrading Azure AD Connect from a previous version. This was a small environment where the Azure AD Connect server was running on the Domain Controller.

When starting the upgrade process I noticed that a message was displayed that a “Group with name ADSyncAdmins was not found in the Machine context”. When I clicked to Upgrade anyway, an error message was displayed that it was “Unable to upgrade the Synchronization Service”:

image

Looking into the event log, I found this error:

Product: Microsoft Azure AD Connect synchronization services — Error 25037.The groups entered do not all exist or cannot be found. Verify that each group name is correct, and then try again.

image

Since this was a Domain Controller, and there are no Local Users and Groups, I created the ADSyncAdmins group in Active Directory, as a Domain Local Security group. Trying the upgrade again, I got a new group that was missing:

image

So I ended up creating these 4 groups that were missing:

  • ADSyncAdmins
  • ADSyncBrowse
  • ADSyncOperators
  • ADSyncPasswordSet

After that I was able to successfully finish the upgrade of Azure AD Connect.

Awarded MVP Enterprise Mobility! Introducing myself to the community.

On Friday April 1st I got one of the best e-mails in my professional IT career so far: awarded MVP for Enterprise Mobility for 2016!

image

This is my first MVP Award, and I’m incredibly proud and honored to be part of such an amazing community and network of professionals.

I thought this was a good opportunity to introduce myself to the community, so in this blog post I will write a little more about myself and what I do.

Some personal info

I’m from Norway, a town called Sarpsborg some 100 kilometers south of Oslo. I work as an Architect for Cloud and Datacenter solutions at Skill AS, a Microsoft Partner with offices in both Oslo and Sarpsborg. My company has received numerous partner prizes and finalist awards over the last years, embracing the Cloud and Microsoft especially.

I was born in 1971, at an age where I’m old enough to know how and when to use my experience when I need to, and young enough to eagerly learn new stuff and use technology to solve challenges and use solutions creatively. When I’m not working I spend time with my family; I’m married and have two boys aged 10 and 12. It’s all about football (soccer) in our spare time, and at least 3 of us are huge Arsenal fans. You can guess who😉 We also spend a lot of time in our cabin in the mountains, where we ski (cross country) a lot. This is where we recharge our batteries, a much-needed window of family quality time in mostly hectic, work- and activity-filled weeks.

Work and career

I’ve been in the IT industry for over 20 years now. When I started I did IT support on IBM OS/2 machines; my first internet e-mail experience was using 3270 terminals and, if I remember correctly, something called Office Vision. I wrote documents using Lotus Ami Pro. Later I achieved my first Microsoft MCP certifications on Windows 95 and Word 6.0. From there on it has been mainly Microsoft products and solutions for me!

A large part of my early career I spent at a private educational institution, where I was an instructor for Microsoft Official Curriculum courses. I kept my Microsoft Certified Trainer certification from 1997 to 2012. I have spent thousands of hours teaching students and business IT pros on MCSE certifications for NT 4.0, Windows 2000, 2003 and beyond. For a few years I was even a Citrix Certified Instructor. While working as an instructor I started to get more into consulting as well, working at customer sites and presenting company seminars.

I remember that I could hold the BackOffice 4.5 CD folder in my hand and say that I had knowledge of all Microsoft management, productivity and server solutions! Try to say that today😉 The first “System Center” product I worked on was SMS 2.0; later I started working with Microsoft Operations Manager (MOM) from 2000 and up. I have been working with e-mail and productivity from Microsoft Mail via Exchange 5.0 to today’s Exchange Online and Office 365, and with identity solutions from “User Manager of Domains” to Azure Active Directory. It has really been a great journey, but nothing compares to how rapidly Microsoft and Cloud solutions evolve these days.

After leaving the educational institution, I worked for a few years as a consultant and freelance trainer, before I worked some years at an Application Service Provider. I was working with the Datacenter and Infrastructure, moving slowly into virtualization by using Virtual Server 2005! Exchange 2007 was my first meeting with PowerShell, love at first sight, and we offered Hosted Exchange as a Service. If only we had something called Office 365 and Azure Stack back then😉

From 2010 until today I have been with my current employer, Skill. In these years I have been working more and more with Azure, Office 365, Enterprise Mobility Suite and System Center, while at the same time working closely with Microsoft, being a P-TSP for Cloud OS and Datacenter management.

Community

Over the last years I have been more and more engaged in the community of IT professionals, visiting conferences, using social media, blogging and networking with other MVPs and community influencers. I have also been a speaker at local events and at conferences like Experts Live and Nordic Infrastructure Conference, and will also be a speaker at this year’s System Center Universe in Berlin in August.

It is with huge pride that my contributions have led me to receiving the MVP award, and I can only look forward to contributing more in the years to come. While Enterprise Mobility and especially Azure AD is an area I focus greatly on, I will also continue to contribute in areas related to Azure, Cloud and Datacenter Management (CDM) with OMS, Service Manager, Operations Manager and more, as these are solutions I work a lot with in my daily work as well. I will especially look for contributions where EMS, CDM and Azure can work together and play to each other’s strengths🙂

Thanks for reading; I look forward to engaging with you all. In addition to this blog, you can follow me on social media:

Twitter: @skillriver

LinkedIn: linkedin.com/in/jvelven

Notifying End Users that Incident is Closed When They Reply by Exchange Connector

A common challenge when using the Exchange Connector with Service Manager is that when an Incident is set to status Closed, users can still reply to the Incident Record by e-mail. Even though the Incident is read-only when Closed, it is still possible to create related End User Comments via the Exchange Connector.

While the Exchange Connector cannot be configured so that it will not create those End User Comments based on Status, it would be nice to at least inform the user that the Incident is now Closed, and that they must create a new Incident record either via e-mail or the HTML portal.

There have been some solutions to this in the community. Some use different Incident Templates that set the Incident to Active whenever users reply, and then re-close it with another template (https://itblog.no/3192). Some extend the Incident Work Item Class by adding an UpdatedByEndUser property, and use that to control their notification subscriptions (http://www.scsm.se/?p=564).

I have been using another solution for a while at different implementations, and it seems to work fine. So I thought I would write a short blog post on that.

Overview

My solution will use a periodic notification subscription, targeting the Incident class, and using some criteria that will check that:

  • The Incident Status is Closed
    AND
  • The End User Comment Entered Date is >= Incident Closed Date
    AND
  • Incident Closed Date >= yyyy-MM-ddThh:mm:ss

I will get more into why I use these criteria later in the post.

In addition to this notification subscription, I also have “normal” subscriptions like sending e-mails to End Users when the Incident is created and resolved, as well as sending e-mails to End User when the Assigned User provides Analysts Comments, and sending e-mails to Assigned User when the End User Comments. I will not get into those here.

So let’s start to set this up.

Creating a New Management Pack

I will create a new Management Pack to store this notification subscription and the e-mail template I will use.

After creating the Management Pack, I export it and give it a more meaningful ID and file name.

Usually I do this by using search and replace on the generated ID with my own ID name as shown below:

After, save the MP as SkillSCSM.NotifyClosedIncident.xml, and delete the original MP and re-import this one.

Closed Incident E-Mail Notification Template

Next I will create the E-Mail Notification Template that will be used by the subscription to notify end users that the Incident is Closed and instruct them to create a new Incident.

This Notification Template will target the Incident Class, and I will use my new MP:

I specify a subject and HTML body:

After this I am ready to start creating the subscription.

Notification Subscription for End User Comments on Closed Incidents

I will create the Notification Subscription by specifying to “Periodically notify when object meet a criteria” and target the class to Incident.

By using this periodic subscription there are some risks, which I will mitigate with my criteria. The risks are that it will backtrack and fire for all old incidents from before the subscription was created, and that changes to the criteria later could mean that it sends out notifications once more to users that have already received them. But as long as the criteria are defined correctly, this should not be a problem.

When specifying criteria, there is something I cannot achieve with the wizard and have to do in the XML later.

For now, you would have to add these criteria via the wizard:

  • [Incident] Status equals Closed
    AND
  • [Trouble Ticket] Closed Date greater than or equal to (your date today)
    AND
  • Has User Comment [Work Item Comments Log] Entered date greater than or equal to (your date today)

For testing purposes, you could also add criteria for ID so that you set it to a fixed Incident ID while you are testing.

Later, in the XML I will change one of the criteria so that: Has User Comment Entered date >= Trouble Ticket Closed Date.

I will select to Notify once:

Specify my E-Mail Notification Template:

Finish and Create.

Editing the Management Pack XML

Exporting my MP XML I now can see the following criteria in the image below:

  • First, Status is set to Equal the Enumeration GUID for Closed
  • The second and third expressions are the ClosedDate and Comment EnteredDate, which are set to static values. I will change these to evaluate against each other in the next step
  • The fourth expression is just for testing, as I have specified a single Incident ID; this I will remove later.

In the XML, edit the 3rd expression to an expression like this: I want the EnteredDate for the End User Comment to be later than (GreaterEqual) the Incident ClosedDate. Note also that I keep the fixed ClosedDate at today’s date. This is because I don’t want this rule to affect old Incidents, as when I import this MP, all incidents will be evaluated!

After this change, I can reimport the MP XML, and wait for it to start processing.

Verifying and Testing

At the Administration Pane in Service Manager Console, under Workflows and Status, I can find the workflow in question. I can see that it has triggered for an Incident where there has been an End User Comment on the Closed Incident:

The Affected User gets this email:

Let’s try to reply once more with an End User Comment by replying to this email again. From the History I can see that after the Incident was closed, there are two End User Comments. But the Notification will only occur once per Incident. So after the first time I send emails with End User Comments to the Closed Incident, I will get only one notification.

Setting the solution from Test to Production

The next step is to put this solution into production. In my XML I had a criterion for just one Incident ID:

I will remove that now and re-import the XML MP. On the other hand, I will keep the fixed ClosedDate expression. The reason is of course to not send notifications for old Incidents that have had comments after their closed dates.

To summarize, my criteria expressions will be:

  • Status Equal Closed (Enum GUID)
  • ClosedDate GreaterEqual (Date) (This Fixed Date should be the date you import the Management Pack, and updated every time you do maintenance on the MP XML)
  • (Comment) EnteredDate GreaterEqual (TroubleTicket) ClosedDate
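Since the fixed ClosedDate has to be moved forward every time the MP XML is re-imported, that edit is worth scripting so it is never forgotten. The following is an added example, not from the post: a function that locates the one static ClosedDate comparison in an exported MP and sets it to the current date, refusing to touch anything if it finds more or fewer than one match. The XML embedded below is a constructed, simplified stand-in for the criteria fragment (the enumeration GUID is a placeholder and the element layout is assumed); a real exported MP has more wrapping elements and full $Context/... property paths, so check the XPath against your own export before relying on it.

```powershell
# Added example, not from the post: refresh the fixed ClosedDate criterion before re-import.
function Update-FixedClosedDate {
    param(
        [Parameter(Mandatory)][xml]$ManagementPack,
        [datetime]$NewDate = (Get-Date)
    )
    # Match only the static comparison: left side names ClosedDate, right side is a literal Value
    # (the property-to-property EnteredDate >= ClosedDate expression has no Value child).
    $xpath = "//SimpleExpression[contains(ValueExpressionLeft/Property,'ClosedDate')" +
             " and Operator='GreaterEqual' and ValueExpressionRight/Value]"
    $nodes = $ManagementPack.SelectNodes($xpath)
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one fixed ClosedDate expression, found $($nodes.Count); not changing anything."
    }
    $valueNode = $nodes[0].SelectSingleNode('ValueExpressionRight/Value')
    $old = $valueNode.InnerText
    $valueNode.InnerText = $NewDate.ToString('yyyy-MM-ddTHH:mm:ss')   # same format the wizard writes
    Write-Output "Fixed ClosedDate updated from $old to $($valueNode.InnerText)"
}

# Constructed sample standing in for the exported MP (assumed structure, placeholder GUID).
[xml]$mp = @"
<ManagementPack>
  <Criteria>
    <Expression>
      <And>
        <Expression><SimpleExpression>
          <ValueExpressionLeft><Property>Status</Property></ValueExpressionLeft>
          <Operator>Equal</Operator>
          <ValueExpressionRight><Value>00000000-0000-0000-0000-000000000000</Value></ValueExpressionRight>
        </SimpleExpression></Expression>
        <Expression><SimpleExpression>
          <ValueExpressionLeft><Property>ClosedDate</Property></ValueExpressionLeft>
          <Operator>GreaterEqual</Operator>
          <ValueExpressionRight><Value>2016-01-01T00:00:00</Value></ValueExpressionRight>
        </SimpleExpression></Expression>
        <Expression><SimpleExpression>
          <ValueExpressionLeft><Property>EnteredDate</Property></ValueExpressionLeft>
          <Operator>GreaterEqual</Operator>
          <ValueExpressionRight><Property>ClosedDate</Property></ValueExpressionRight>
        </SimpleExpression></Expression>
      </And>
    </Expression>
  </Criteria>
</ManagementPack>
"@

Update-FixedClosedDate -ManagementPack $mp

# For a real export: load, update, save, then import the saved file.
# [xml]$mp = Get-Content -Raw .\SkillSCSM.NotifyClosedIncident.xml
# Update-FixedClosedDate -ManagementPack $mp
# $mp.Save("$PWD\SkillSCSM.NotifyClosedIncident.xml")
```

The "exactly one match" check is deliberate: if a future edit adds a second date comparison, the script stops instead of silently rewriting the wrong expression and re-notifying every closed Incident.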

Maintenance and important things to note

There are some situations that are important to note with this solution. As this is a periodic notification subscription with an “only once” recurrence, Service Manager will keep track of which Incidents the workflow engine has already sent Closed Incident notifications for, based on the criteria defined.

But there is an important exception to be aware of:

  • Changing and re-importing the MP XML. When you do that, you risk that all subscriptions will run again. Therefore, remember to update the Fixed Date criterion, so that older Incidents that are closed do not send out notifications to the users that have commented.

For example, changing my MP XML above resulted in a second notification to the end user:

From now on, editing the Notification Subscription must be done in XML. Trying to edit it in the Console will result in a greyed-out dialog:

To summarize, I now have a solution for sending out e-mails to End Users that send comments to Incidents after they are Closed. They will only get that notification once, not every time they comment on Closed Incidents.

Thanks for reading, hope it has been helpful!