EPM - Data Collection - Solution - Unexpected Reboots caused by Bluescreens.
Purpose
The Unexpected Restart Monitor generates a lot of noise, because the shutdown is often caused by a power outage rather than an actionable issue. This solution provides a second level of verification to help reduce notifications for unexpected shutdowns caused by normal power issues.
Associated Content
| Content | Type | Function | 
|---|---|---|
| EPM - Data Collection - Script - Remote Event Log Monitor - Create | Script | You will use this script to create a remote monitor to look for System events with an ID of 41 or 6008. | 
| EPM - Data Collection - Script - Get-CrashDump | Script | Gathers the data from a DMP file that should have been created after a bluescreen issue. | 
| SWM - Software Management - Powershell - Invoke-WingetProcessor | Agnostic | Used by Winget - Install to install Winget packages. | 
| SWM - Software Installation - Script - Winget - Install | Script | Uses an agnostic script to install BluescreenView. | 
| EPM - Data Collection - Custom Table - plugin_proval_crash_dumps | Custom Table | Stores crash dump data, saving the last dump per computer. | 
Implementation
Initial Monitor Setup
- Look through your Automate groups and find the ID of the group you wish to monitor for bluescreens.
- Using any computer, run the EPM - Data Collection - Script - Remote Event Log Monitor - Create script with the groupId set to that ID, the logtype set to System, and the eventid set to 41,6008.
- Import the EPM - Data Collection - Script - Get-CrashDump script.
Alert Template Setup
- Select Automation / Templates / Alert Templates.
- Click New Template and name your template.
- Click Add Alerts, then in the next box click New Alert.
- In the Alert Actions section, select the box for Script Error.
- In the script selection box, select the Get-CrashDump script.
- In the Days of the Week, select Every Day.
- Select the appropriate User/Technician.
- Click Save.
- Click Save and Close.

Adding the Alert to the Monitor
- Open the group you selected earlier.
- Select Computers.
- Select Remote Monitors.
- Look for a monitor named System - Event 41,8006 and click on it once.
- Modify the Alert Template to be the template you created in the prior step.
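
To spot-check a single endpoint by hand, the following PowerShell is an added example and is not one of this solution's own scripts. It reads the same System events (41 and 6008) the monitor watches and separates bluescreens from plain power loss; the 7-day lookback, the 30-minute dump window and the default dump paths are assumptions.

```powershell
# Added example: classify recent unexpected-restart events on the local machine.
# Assumptions (not taken from the solution): 7-day lookback, 30-minute dump
# correlation window, default dump paths under %SystemRoot%.
$since      = (Get-Date).AddDays(-7)
$dumpWindow = [timespan]::FromMinutes(30)

# Same filter the remote monitor uses: System log, event IDs 41 and 6008.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 41, 6008
    StartTime = $since
} -ErrorAction SilentlyContinue

# Crash dumps written since the lookback start (none found is a valid result).
$dumpPaths = @("$env:SystemRoot\Minidump\*.dmp", "$env:SystemRoot\MEMORY.DMP")
$dumps = @(Get-Item -Path $dumpPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since })

foreach ($e in $events) {
    $bugcheck = $null
    if ($e.Id -eq 41 -and $e.ProviderName -eq 'Microsoft-Windows-Kernel-Power') {
        # Kernel-Power 41 carries a BugcheckCode field; 0 means no stop error was recorded.
        $node = ([xml]$e.ToXml()).Event.EventData.Data |
            Where-Object { $_.Name -eq 'BugcheckCode' }
        if ($node) { $bugcheck = [uint32]$node.InnerText }
    }

    # A dump written close to the event time supports the bluescreen reading,
    # which matters for 6008 because it has no bugcheck field of its own.
    $nearDump = $dumps | Where-Object {
        [math]::Abs(($_.LastWriteTime - $e.TimeCreated).TotalMinutes) -le $dumpWindow.TotalMinutes
    } | Select-Object -First 1

    $verdict = if ($bugcheck -or $nearDump) {
        'Bluescreen: review crash dump'
    } else {
        'No stop error recorded: power loss or hard reset likely'
    }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        EventId      = $e.Id
        BugcheckCode = if ($null -ne $bugcheck) { '0x{0:X}' -f $bugcheck } else { 'n/a' }
        DumpFile     = if ($nearDump) { $nearDump.FullName } else { 'none' }
        Verdict      = $verdict
    }
}
```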
