Add untrusted computers to SCOM 2019 – Part 2: Install Certificates and SCOM Agent on Untrusted Computer

To add untrusted computers to SCOM 2019 for monitoring, you need to deploy a CA and a client certificate on a domain server, then install the certificates and the SCOM agent on the untrusted computers. This article shows how to install the SCOM client certificate on an untrusted computer.

A. Export and import Certificate of CA

In some situations, you may need to export and import the certificate of a CA. For example, when you install the Microsoft System Center Operations Manager (SCOM) agent on untrusted computers, you need to add the certificates to the SCOM management servers, the gateway servers (which handle communication between management servers and untrusted computers) and the untrusted computers so that they can trust each other.

Step 1: Deploy Microsoft Windows Server Active Directory Certificate Services (AD CS) Certificate Authority (CA) on a domain server. Please refer to this video: How to install a Trusted Root CA certificate on Windows – https://www.youtube.com/watch?v=Ddsrk68TGI0 or How to install Certification Authority in Windows Server 2019

Step 2: Export Certificates of CA

1. Log in to the server which acts as the Issuing CA.

2. In Server Manager, click Tools and then Certification Authority.

3. Right click on the Certification Authority name and select Properties.

4. On the Certification Authority Properties page, click the View Certificate button.

5. On the Certificate properties page, click the Details tab.

6. Click the Copy to File… button.

7. In the Welcome to the Certificate Export Wizard click Next.

8. On the Export File Format page, select Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and check Include all certificates in the certification path if possible.

9. On the File to Export page, specify the path and file name you want to export to, and then click Next.

10. In the Completing the Certificate Export Wizard page, review your export settings. If they are correct, click Finish.

11. In Completing the Certificate Export Wizard, click Finish.

12. If the export succeeds, you will see The export was successful. Click OK to close Certification Authority.

Step 3: Import Certificates of CA

Note: You need to import the certificate of the CA on each managed server and each untrusted computer.

1. Log in to the managed or untrusted computer.

2. Type mmc in the Search bar and click the mmc icon to open it.

3. In the Console1 page, click File, and then Add/Remove Snap-in.

4. Highlight Certificates, and then click Add.

5. Check Computer account, and then click Next.

6. With Local computer: (the computer this console is running on) selected, click Finish.

7. Click OK to close Add or Remove Snap-ins.

8. In the Console1 page, navigate to Certificates (Local Computer) > Trusted Root Certification Authorities.

9. Right-click Certificates, select All Tasks, and then click Import.

10. In the Certificate Import Wizard, click Next.

11. On the File to Import page, browse to the CA certificate file you exported before, and then click Next.

12. On the Certificate Store page, check Place all certificates in the following store and make sure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.

13. On the Completing the Certificate Import Wizard page, click Finish.

14. When the The import was successful message pops up, click OK.

Note: You may not see the CA under Trusted Root Certification Authorities immediately. It may take a few minutes, or you may need to re-open MMC, before it appears.

15. Re-open MMC to check the status of the CA.

16. You can double-click it to check the certificate status.
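The same import as Step 3, done from PowerShell so it can be repeated on every managed server and untrusted computer. This is an added example, not part of the original article; the .p7b path is a constructed placeholder. Because the exported .p7b carries the whole chain, the script puts only the self-signed root into Trusted Root Certification Authorities and any intermediate CA into Intermediate Certification Authorities, then confirms the root by thumbprint.

```powershell
# Added example (not from the original article): import the exported CA chain (.p7b)
# into the correct local-machine stores and verify the root is present.
# Assumed path (constructed): use the file you exported in Step 2.
$p7bPath = 'C:\Temp\CA02-chain.p7b'

# Load every certificate contained in the PKCS #7 file (root plus any intermediates).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($p7bPath)

foreach ($cert in $chain) {
    # A self-signed certificate (Subject equals Issuer) is the root and belongs in
    # Trusted Root Certification Authorities ('Root'); anything else is an intermediate
    # and belongs in Intermediate Certification Authorities ('CA'), not in Root.
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($cert)) {
        $store.Add($cert)
        Write-Host "Imported $($cert.Subject) into LocalMachine\$storeName"
    } else {
        Write-Host "$($cert.Subject) already present in LocalMachine\$storeName"
    }
    $store.Close()
}

# Verification: the root in the store must match the root in the exported file.
# Compare the thumbprint with the one shown on the CA server's certificate Details tab.
$root = $chain | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
if ($installed) {
    "CA root present: $($installed.Subject), thumbprint $($installed.Thumbprint), expires $($installed.NotAfter)"
} else {
    Write-Warning 'CA root certificate not found in Trusted Root Certification Authorities'
}
```

Run it from an elevated PowerShell session; writing to the LocalMachine stores requires administrator rights.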

B. Generate SCOM Client Certificate and install it on all managed servers and untrusted computers

To trust an untrusted computer, we need to create a client certificate for both the managed server and the untrusted computer.

Step 1: Request and Enroll New Certificate

1. On the managed or SCOM server, go to MMC > Certificates (Local Computer) > Personal.

2. Right-click Certificates and select All Tasks > Request New Certificate.

3. In Certificate Enrollment, highlight the Policy, and click on Next.

4. In Request Certificates, click the blue link text under the policy (CA02 in our example).

5. In the Certificate Properties window, on the Subject page, select Common name and DNS name and add your server's name, in my case "W2019-02".

6. Select the General Page and add your server’s name there as well.

7. Click OK, then finish the wizard with the defaults.

8. Highlight the Active Directory Enrollment Policy and click Enroll.

9. The status should show Succeeded. Click Finish.

10. Under Personal > Certificates you should now have a certificate named after your server's name, in my case "W2019-02".

11. Double-click the certificate you just enrolled to check its status.

Step 2: Export Client Certificate for Untrusted Computer

1. Right-click the certificate you just enrolled and click Export.

2. Select Yes, export the private key, and then click Next.

3. In Export File Format, select Personal Information Exchange – PKCS #12 (.PFX) and check Enable certificate privacy. The other options are optional.

4. In Security, enter a password, and then click Next.

5. Save it somewhere that is accessible from the untrusted server.

6. Click Finish.

Step 3: Import SCOM Client Certificate to the Untrusted Computer

1. On the untrusted computer, copy the certificate you just exported to the local computer.

2. Open MMC and load the Certificates snap-in for the local computer.

3. Right-click Personal and select All Tasks > Import.

4. Browse to and select the certificate you just exported on the managed server.

5. Click Next and enter your password on the Private key protection page.

6. Check Place all certificates in the following store, and make sure the certificate store is Personal.

7. Click Finish on Completing the Certificate Import Wizard.

8. You should now have the certificate installed. Double-click it to check its status.
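Steps 2 and 3 above as a PowerShell import, followed by the checks a SCOM certificate must pass before the agent will use it. This is an added example, not code from the original article; the .pfx path is a constructed placeholder, and the EKU and subject-name requirements are taken from Microsoft's SCOM certificate requirements rather than from this article.

```powershell
# Added example (not from the original article): import the exported client certificate (.pfx)
# into LocalMachine\Personal on the untrusted computer and check it meets what SCOM needs.
# Assumed values (constructed): the .pfx path and the password chosen in Step 2.
$pfxPath  = 'C:\Temp\W2019-02.pfx'
$password = Read-Host -AsSecureString 'PFX password'

# Import into the machine store: the agent runs as Local System, so a key stored in a user
# profile would be unusable.
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $password

$problems = @()

# 1. The private key must have come across with the certificate.
if (-not $cert.HasPrivateKey) { $problems += 'no private key (re-export with "Yes, export the private key")' }

# 2. The chain must build to a CA in Trusted Root Certification Authorities (Part A).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $problems += 'chain does not validate: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
}

# 3. SCOM requires both Enhanced Key Usages for mutual authentication:
#    Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).
$eku = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }).EnhancedKeyUsages.Value
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($eku -notcontains $oid) { $problems += "missing Enhanced Key Usage $oid" }
}

# 4. The subject CN must be the name this computer will present (the name entered in Step 1).
$cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' }) -replace '^CN='
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($cn -notin $env:COMPUTERNAME, $fqdn) {
    $problems += "subject CN '$cn' matches neither $env:COMPUTERNAME nor $fqdn"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { "OK: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)" }
```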

C. Install SCOM Agent on the untrusted computer

This section assumes you have already imported the CA and client certificates on the managed server and the untrusted computers.

Step 1: Install SCOM Agent on the untrusted computer

1. Copy MOMAgent.msi from the SCOM installation location or DVD to the untrusted computer.

2. Run MOMAgent.msi, and click Next on Welcome to the Microsoft Monitoring Agent Setup Wizard.

3. Click Agree on Important Notice.

4. Click Next on Destination Folder.

5. Check Connect the agent to System Center Operations Manager and click Next.

6. Enter your Management Group Name and the FQDN of your Management Server.

7. Check Local System and then click Next.

8. Click Install.

9. Click on Finish.

Step 2: Import the SCOM Certificate using MOMCertImport.exe on the untrusted computer

1. Copy MOMCertImport.exe from the Support Tools folder on the SCOM installation media to the untrusted computer.

2. Open a command prompt as administrator and change to the folder where MOMCertImport.exe is located.

3. Run this command, replacing yourservername with the subject name of the certificate you enrolled:

MOMCertImport.exe /SubjectName yourservername

For example:

MOMCertImport.exe /SubjectName W2019-02

Or, when the certificate subject is the computer name:

MOMCertImport.exe /SubjectName %computername%

4. Restart the SCOM agent service and check the agent's monitoring status on the SCOM server.
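A check for Step 2 that confirms which certificate MOMCertImport registered, restarts the agent service and shows the connector events written after the restart. This is an added example, not code from the original article; the registry location and value name it reads are the ones MOMCertImport is generally understood to write, stated here as an assumption, and the service name HealthService is the Microsoft Monitoring Agent service.

```powershell
# Added example (not from the original article): confirm the certificate MOMCertImport
# registered for the agent, restart the agent service, and list the resulting OpsMgr events.
# Assumed (not from the article): MOMCertImport records its selection under the key below,
# with ChannelCertificateHash holding the thumbprint of the chosen certificate.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$hash = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ChannelCertificateHash

if (-not $hash) {
    Write-Warning 'No certificate registered; run MOMCertImport.exe /SubjectName <name> first'
    return
}

# The registered thumbprint must point at a certificate in LocalMachine\Personal that has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
if (-not $cert) {
    Write-Warning "Registered thumbprint $hash was not found in LocalMachine\My"
    return
}
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Registered certificate has no private key; re-import the .pfx with its key'
    return
}
"Agent will use: $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Restart the Microsoft Monitoring Agent service so it reloads the certificate.
$since = Get-Date
Restart-Service -Name HealthService
Start-Sleep -Seconds 30

# Events from the OpsMgr Connector source written since the restart tell you whether the
# certificate loaded and whether the management server accepted the connection.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector'; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

If no events appear after 30 seconds, increase the sleep or open the Operations Manager event log directly; the agent also needs the management server to have approved it under Pending Management before it shows as monitored.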

Please view this step by step video:

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE. Data recovery, Windows OS recovery, networking, and computer troubleshooting on http://www.ChicagoTech.net; how to install and configure Windows, VMware, virtualization and Cisco on http://www.HowToNetworking.com