SCOM 2012 Web Console Configuration Required


Often after updates of SCOM 2012 / 2012 R2 or after a clean install people go to the SCOM Web Console and they get the following notification:

Web Console Configuration Required.

A user can click the Configure button, run the executable and refresh the browser window, and should then see a web console login page.

Strange thing is that I would have sworn that I wrote a blog post about this last year, but I really can not find it online.

There are two reasons why I am writing a post about this.

  1. Some users do not have rights to run this executable on their desktop
  2. The occasional Windows XP user

In my case I ran into both cases last year, and currently I am in a situation where there is a VDI solution and users do not have rights to run this executable on their desktop. Even if they did, they would get the same error every time they log in.

So the easiest way is to figure out what this executable is doing in the first place and next apply it to those machines through another method.

The reason why you can have this more often after upgrades is that there are portions of the code behind this web console which are signed with a code signing certificate from Microsoft. This certificate is valid for a year or a bit longer. After a few Update Rollups suddenly the code signing certificate they used got changed and now when you go to the web console it gives you that Configuration task to do. In my case this happened while applying SCOM 2012 R2 UR3.

What the executable is doing is adjusting some rights for the Silverlight stuff (it sets this entry to true for both 32 and 64 bit for Silverlight: AllowElevatedTrustAppsInBrowser) and importing a code signing certificate in the Trusted Publisher store. All these actions can actually be replicated through the registry, so we are in luck. The rights things are still the same and only the part of the certificate changes. Well, because it's a new certificate again :p

I will provide a registry code below. There is one portion where the certificate is defined and that is the thing that needs to get changed according to your situation. Basically this is the same for everybody using the same version and rollup level of their SCOM installation.

Alright, here we go:

On a desktop where you do have full rights, go to the SCOM web console and run the configuration tool. Refresh your browser window and go to the same website and you should end up at a login page now.

Open up an MMC, add the Certificates Snapin and select Local Computer.

Go to the Trusted Publishers - Certificates folder. Find the code signing certificate. The above picture shows two of them: one with validity until April 2014 and one with validity until July 2015. In my case I was first using one of them, and after upgrading SCOM to a new Update Rollup level the other one got added. So open up the properties of that certificate:

Now in the details tab find the Thumbprint entry. We need that string. You can also keep this open and compare it to what you are seeing in the registry next.

Open up the registry with regedit:

Go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates
Next find the folder with the same string as the Thumbprint of the certificate you were looking at. In my case there are only 8 folders or something like that, so it was easy to find the correct one. I have it selected here in my case.
Now right-click that specific folder (Key) and export it to a .reg file on your machine. Open up that reg file with Notepad.

What we are looking for is the part where it lists where the Key (folder) is located and that long blob entry. In my case it looks like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\67B1757863E3EFF760EA9EBB02849AF07D3A8080]
"Blob"=hex:18,00,00,00,01,00,00,00,10,00,00,00,fe,24,f2,ea,00,13,0a,30,ca,fa,\
and so on and so on.

Take that line and the whole blob entry and paste it into the reg file below in the place of where my entry is for the same. Save it. If you happen to have the same version of SCOM (SCOM 2012 R2 UR3) you might not need to do it, but it is a good check to see if this is in fact the correct certificate loaded (check the Thumbprint of your certificate with the name of the key in my reg file below).

Try to import it into a second workstation where you have not run that configuration tool from the SCOM Web Console. Import the reg file. Next open up Internet Explorer and go to the SCOM Web Console site and see if you get the prompt to run the configurator or if you immediately get transferred to the login prompt. If you see the login prompt it has worked.

Now here is the attached txt file. Rename it to a .reg file.

om2012r2ur3webconsolefix.txt
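Before importing a .reg file like this on other machines, it is worth confirming that the key name really is the SHA-1 thumbprint of the certificate inside the Blob, since the import adds a trusted publisher. The following is an added example, not part of the original post or the attached file. It assumes the commonly documented layout of the serialized Blob (repeated entries of property id, reserved DWORD, length, data, with property 32 holding the DER certificate) and uses a constructed stand-in instead of a real certificate.

```python
import hashlib
import re
import struct

CERT_CERT_PROP_ID = 32  # property that holds the DER-encoded certificate (assumed layout)

def parse_reg_blobs(reg_text):
    """Return {key_path: blob_bytes} for each "Blob"=hex: value in a .reg export."""
    # regedit wraps long hex values with a trailing backslash; join them first.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    blobs, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.lower().startswith('"blob"=hex:'):
            hex_part = line.split(":", 1)[1]
            blobs[key] = bytes(int(b, 16) for b in hex_part.split(",") if b)
    return blobs

def walk_properties(blob):
    """Yield (prop_id, data) pairs; each entry is id, reserved, length, data."""
    offset = 0
    while offset + 12 <= len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, offset)
        offset += 12
        if offset + size > len(blob):
            raise ValueError("property %d overruns the blob" % prop_id)
        yield prop_id, blob[offset:offset + size]
        offset += size

def check_entry(key_path, blob):
    """Compare the key name with the SHA-1 of the certificate inside the blob."""
    key_thumb = key_path.rsplit("\\", 1)[-1].upper()
    for prop_id, data in walk_properties(blob):
        if prop_id == CERT_CERT_PROP_ID:
            actual = hashlib.sha1(data).hexdigest().upper()
            return {"key": key_thumb, "cert_sha1": actual, "match": key_thumb == actual}
    return {"key": key_thumb, "cert_sha1": None, "match": False}

def check_reg_text(reg_text):
    """Check every certificate key found in the text of a .reg file."""
    return [check_entry(k, b) for k, b in parse_reg_blobs(reg_text).items()]

def make_reg(cert_bytes, key_thumb):
    """Build a constructed .reg fragment (sample input, not a real certificate)."""
    blob = struct.pack("<III", 24, 1, 16) + bytes(16)
    blob += struct.pack("<III", CERT_CERT_PROP_ID, 1, len(cert_bytes)) + cert_bytes
    hexed = ",".join("%02x" % b for b in blob)
    wrapped = "\\\n  ".join(hexed[i:i + 75] for i in range(0, len(hexed), 75))
    key = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates"
           "\\TrustedPublisher\\Certificates\\" + key_thumb)
    return '[%s]\n"Blob"=hex:%s\n' % (key, wrapped)

if __name__ == "__main__":
    fake_cert = b"constructed stand-in for DER certificate bytes"
    good = hashlib.sha1(fake_cert).hexdigest().upper()
    for thumb in (good, "0" * 40):  # matching key name, then a mismatching one
        print(check_reg_text(make_reg(fake_cert, thumb)))
```

A file exported by regedit is UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `check_reg_text`, and compare the reported SHA-1 with the Thumbprint shown in the certificate's Details tab.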

Update 30 March 2015:

  1. The same reg keys still work for SCOM 2012 R2 UR4 and UR5. I expect UR6 to bring a new code signing certificate in which case the certificate blob would change.
  2. As indicated there are two locations where you can set the Silverlight permissions:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight
    However we recently found there might be an override key in place in the same two locations which might still prevent this from working if this is set to zero. It is the entry: AllowLaunchOfElevatedTrustApps
    So if you see that one in the same locations as where you want to add AllowElevatedTrustAppsInBrowser, then make sure they have the value 1.

Update 31 August 2015:

  1. SCOM 2012 R2 with UR7 finally came with an updated code signing certificate. A bit too late, as the previous certificate had expired 3 weeks before the release of UR7. The good thing is this new certificate will carry us to September 2016 again. I will link a text file for the UR7 version below.

Good luck and enjoy!
Bob Cornelissen

I am back


Just wanted to say I am back. Last few months I have been working mostly behind the scenes for a while due to several reasons. Still doing the System Center stuff and working on some things you will be seeing in the near future though. But now I am back and will be a bit more visible over here and elsewhere in the community again.

Also again a shout out to the MVP's who were renewed yesterday and to those who joined the club! Just to name a few of the new joins: Travis Wright, Dan Kregor, Telmo Sampaio and Tao Yang. It is great to hear you are part of the System Center MVP crew now! All names we have known for years and well deserved.

Orchestrator 2012 PowerShell script fails to run


This week I added an Orchestrator 2012 Runbook server to an existing one for scale-out and high availability reasons. Very soon it was ready to go and I was making some additional runbooks to use together with SCOM. In these runbooks were Run .Net Script activities with PowerShell scripts in there. And I noticed the script activities would refuse to run, except when I ran them separately as a normal PowerShell script. So I went into the history and checked what had happened:

File C:\Program Files\System Center Operations Manager 2012\Powershell\OperationsManager\OperationsManager.psm1 cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.

O right! So I opened up a PowerShell prompt using Run As Administrator and I typed "Set-ExecutionPolicy Unrestricted".

And the script failed to run again! Wait a second perhaps it is because I forgot to run the same command on the other runbook server. Oops. OK running that command again and....
Fail!
What?

I went searching for it and I saw a comment in a thread somewhere saying it could be that the same command needs to be done for the 64 bit version of PowerShell as well!

Open:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
and type:
Set-ExecutionPolicy Unrestricted
Did this on all Runbook servers this time as well B)

And try again. Working fine!

Many big files in System Volume Information


I was monitoring an Exchange machine today and got a message that the Log disk had less than x percent of free space. The first thing to check is whether backups have run on the machine, because if those fail the log disk tends to fill up quickly. But the backups were OK and there was only a few hours of data on the disk. After a short investigation it turned out that the System Volume Information directory was causing this: it had a lot of big files in it of several GB each. The thing was that most of these files were older than a year. So hereby a few quick commands:

First one to list the shadow copy space reserved and used for each disk:
vssadmin list shadowstorage

This got me some output; here is the part for the Log disk:

Used Shadow Copy Storage space: 52.481 GB (52%)
Allocated Shadow Copy Storage space: 52.983 GB (52%)
Maximum Shadow Copy Storage space: UNBOUNDED (100%)

Aha, so it had no limit and was already occupying over half the disk space and 52 GB. By the way the data disk was a factor 10 bigger in size and also had well over half the disk size used by only this stuff.

You can also open Explorer, take the properties of the disk and look for the Shadow Copies tab. You can make changes there as well.

In this case I used the available commands though. First I set the amount of disk space to use as maximum to only a few GB, which causes the old files to be deleted. Next I used the same command to raise the maximum space to be used again to a more suitable number.

vssadmin resize shadowstorage /on=E: /For=E: /Maxsize=19GB

So the above command sets the maximum size on the E drive to 19GB.

Sure got rid of the problem of Exchange management pack telling us during each day the Log disk was running below 50% free space already.

Very good, on to the next issue to be solved!
Bob Cornelissen

Getting SQL information from SCOM discovered inventory


I often get questions for getting SQL info together, such as names, instances, versions, editions and so on for all kinds of purposes. Sometimes as inventory, sometimes to find instances no longer supported, rogue instances, needed for licensing info and so on.

The first thing to understand is that SCOM is not a CMDB. There are tools like SCCM and SCSM for those kinds of things. However, if a SCOM agent is installed and the SQL management packs are imported, they will discover the SQL component and put some info in the discovered inventory for you.

So the first thing I usually do, for this and other reasons, is to go in the monitoring pane all the way to the top of the left hand side menu and find Discovered Inventory. Next, on the right hand Actions menu, go for Change Target Type. Find the SQL DB Engine and select it. Now you should get a list of all SQL database engines with their versions, names and lots of other information. In the case of this management pack it is also possible to go to the Microsoft SQL Server management pack folder on the left hand side, expand the server roles folder and select a state view, such as the one for database engine. It has the same information (you may need to use the Personalize View action to add the columns you are interested in). Keep in mind that the SQL DB Engine is not the only possible SQL component which can be installed. There is also Reporting Services, for instance, which is very common. The state views here are a nice and fast way to find your instances of those as well.

Now, let's pull this info into a CSV file using the Operations Manager Shell (these are two lines, enter them as separate commands, and note these are SCOM 2012 commands):

$MyDevices = get-scomclass -Displayname "SQL DB Engine" | get-scomclassinstance

$MyDevices | select @{Label="Computer";Expression= {$_.'[Microsoft.Windows.Computer].PrincipalName'}}, @{Label="Instance";Expression= {$_.'[Microsoft.SQLServer.ServerRole].InstanceName'}}, @{Label="ConnectionString";Expression= {$_.'[Microsoft.SQLServer.DBEngine].ConnectionString'}}, @{Label="Version";Expression= {$_.'[Microsoft.SQLServer.DBEngine].Version'}}, @{Label="Edition";Expression= {$_.'[Microsoft.SQLServer.DBEngine].Edition'}} | Export-CSV -notype C:\sqlinstances.txt

And Voila you have a text file with the required info. What happened is that we are looking for a class called SQL DB Engine and we pull in all instances of that class. Next we select for each DB engine the ComputerName (you could have used Path as well there), Instance Name, Connection string, SQL version (as a number) and SQL edition (Standard/Enterprise/Express). Throw the CSV file into Excel and you will have the data in clear format.

This basically works the same way as in a post I did earlier about how to get devices (network device, windows agents, unix/linux agents) out of SCOM through PowerShell.

You can go deeper for instance by trying to find only instances of a certain version or edition and to sort the output. It is very versatile.

Enjoy!
Bob Cornelissen

SCOM 2012 Linux agent update fails with no tty present and no askpass program specified


While I was upgrading a bunch of SCOM 2012 Unix/Linux agents to a higher rollup level the other day I noticed an error on one of them. I need to quickly say that upgrading the agents was otherwise a breeze by just selecting a few of them and using the update agent option and using stored credentials and waiting for about 15 seconds. Was a great experience. However one of them was resisting and threw the following error:

Failed to update the cross platform agent. Exit code: 1
Standard Output: Sudo path: /etc/opt/microsoft/scx/conf/sudodir/
Standard Error: sudo: no tty present and no askpass program specified
Exception Message:

That is strange, because an agent was already installed on that machine so something must have changed somehow. It needs the same rights and settings to upgrade the agent.

So we checked the /etc/sudoers file on the machine.

First we check if the requiretty line is commented out:
#Defaults requiretty

Next we check if the account we are using for the monitoring and updating has the use of a password to elevate to sudo turned off (am using a different account of course):
scom-mon ALL=(ALL) NOPASSWD: ALL

Hmmm, that is set correctly as well. Alright, let's test these settings.

Log in with this user through ssh. Give the command sudo bash. If it asks for a password something is wrong.
And it did ask for a password in our case.

As it turns out, this settings file is read top to bottom and, unlike some firewalls for instance, it does not apply the first match; it applies the last match. Scrolling down there was another line in this config file where the wheel group got sudo rights with the following setting:
%wheel ALL=(ALL) ALL
Aha, so the NOPASSWD setting was different there and because our monitoring/management account was also a member of the wheel group and this line was further down the sudoers file it got evaluated last and won.

Simply move the line with your monitoring account to below the wheel group line in this example and it will work. Simply checked by testing again.

The update of the agent went fine after this.
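The last-match behaviour described above can be checked offline against a copy of the sudoers file. The following is an added example, not part of the original post: a simplified evaluator that handles only single-line rules of the form shown here (no aliases, no include files), run on constructed sample files that reuse the scom-mon and %wheel lines from this post.

```python
import re

# Simplified user specification: who host=(runas) [TAG:] commands
SPEC = re.compile(r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<rest>.+)$")

def effective_rule(sudoers_text, user, groups):
    """Return the last rule matching the user (the one that wins) and requiretty."""
    last, requiretty = None, False
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment, e.g. "#Defaults requiretty"
        if line.startswith("Defaults"):
            if "!requiretty" in line:
                requiretty = False
            elif "requiretty" in line:
                requiretty = True
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who = m.group("who")
        if who in (user, "ALL") or (who.startswith("%") and who[1:] in groups):
            nopasswd = re.search(r"\bNOPASSWD\s*:", m.group("rest")) is not None
            # Keep overwriting: a later matching line replaces an earlier one.
            last = {"line": lineno, "text": line, "nopasswd": nopasswd}
    return {"requiretty": requiretty, "rule": last}

# Constructed sample: the ordering that caused the password prompt.
BROKEN = """\
#Defaults requiretty
root ALL=(ALL) ALL
scom-mon ALL=(ALL) NOPASSWD: ALL
%wheel ALL=(ALL) ALL
"""

# Constructed sample: monitoring account moved below the wheel group line.
FIXED = """\
#Defaults requiretty
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
scom-mon ALL=(ALL) NOPASSWD: ALL
"""

def will_prompt(sudoers_text, user, groups):
    """True when the winning rule still requires a password (or no rule matches)."""
    rule = effective_rule(sudoers_text, user, groups)["rule"]
    return rule is None or not rule["nopasswd"]

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, effective_rule(text, "scom-mon", {"wheel"}),
              "prompts:", will_prompt(text, "scom-mon", {"wheel"}))
```

On the host itself, `sudo -l -U scom-mon` run as root lists the rules sudo actually applies to the account.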

Happy monitoring!
Bob Cornelissen

Using PowerShell to get agents and devices out of SCOM 2012


Because a customer needed an export of all network devices currently in monitoring and the list was a bit long, I decided to use PowerShell for this purpose. However, I regularly see questions about also retrieving agents, Linux agents and network devices through this route, so I thought I would write some things down here. They all assume this is run from an Operations Manager Shell; otherwise just import-module OperationsManager to get to it.

Getting SCOM Windows Agents

There is a simple command for this purpose:
Get-SCOMAgent

For instance to get a list of all SCOM agents and show the display name:
Get-SCOMAgent | Select DisplayName

Command reference can be found here.

Getting SCOM Unix/Linux Agents
Because the above command does not give you the cross plat agents we will have to pull in the Unix or Linux agents through another route. There is no get-crossplatagent command so we use the generic route for this. We will be looking for instances of a class.

Now assume we do not know exactly which class to look for, but we can have a guess. I am trying the following commands:

get-scomclass -Displayname "Linux*"
get-scomclass -Displayname "Unix*"

This will give us two relatively short lists of classes starting with Linux or Unix. The one on top of the Unix list looks like our preferred target: UNIX/Linux Computer. We use the displayname. So now we have our class we can pull in the instances of that class and show the displaynames of these to get our list of Unix and Linux agents.

get-scomclass -Displayname "UNIX/Linux Computer" |get-scomclassinstance | select Displayname

Command reference for get-scomclass can be found here.
Command reference for get-scomclassinstance can be found here.

Getting SCOM monitored network devices

In the same way as the command to find crossplat agents we can also get our network devices. The class we are looking for is Network Device.

get-scomclass -Displayname "Network Device" | get-scomclassinstance

So now we can play around with the set and show certain fields. A posting from Stefan Stranger gives more insight. I will use an adjusted example from there. These two commands combined give us the name and IP address and AccessMode type (ICMP, SNMP or both) of our monitored network devices:

$MyDevices = get-scomclass -Displayname "Network Device" | get-scomclassinstance

$MyDevices | select DisplayName,@{Label="SNMPAddress";Expression={$_.'[System.NetworkManagement.Node].SNMPAddress'}},@{Label="AccessMode";Expression={$_.'[System.NetworkManagement.Node].AccessMode'}}

Well, in this case I wanted to export all the fields and not just these three to a CSV file for playing with. So here goes:

$MyDevices = get-scomclass -Displayname "Network Device" | get-scomclassinstance
$MyDevices | select * | Export-CSV -notype C:\Scripts\networkexport.txt

Alright, now we have an exported CSV for playing with.

Command reference for Export-CSV can be found here.

Conclusion

Getting Windows based SCOM agents is very simple as there is a cmdlet for it already.
Getting monitored network devices and Unix/Linux agents requires an additional step, but is still easy to do.

Enjoy!
Bob Cornelissen

Latest information WMUG NL Webinar nr2 2014


Just as a reminder to both Dutch and international community members who have an interest in SCCM and OSD and MDT, we have a webinar upcoming tomorrow evening (European time) with Johan Arwidmark as speaker!!!

All the info can be found here:
http://wmug.nl/2014/05/05/laatste-informatielatest-information-wmug-webinar-2-2014/

I will copy the English translation below:

Below you will find the necessary information in order to participate in our third webinar of 2014 on the 6th of May.

For our second webinar we are proud to announce that Johan Arwidmark will host a session about “OSD – MDT 2013 & ConfigMgr 2012 R2 highlights”. This session will be in English.

You can connect to the live meeting by visiting the following URL:

https://meet.lync.com/wmug/info/MRD9PB26

Also this time we will use Microsoft Lync for hosting our session, more information about the use of Lync can be found here: http://office.microsoft.com/client/helpcategory.aspx?CategoryID=CL102175049&lcid=1033&NS=OCO14&Version=14&CTT=5&origin=HA102621125

We will start at 20:00 sharp, so make sure that you are connected with the live meeting upfront. We will start the session at 19:50 giving you enough time to test connectivity.

If you are in a different timezone from the Netherlands (CET), please make sure you know which time the webinar starts in your timezone:

http://www.timeanddate.com/worldclock/fixedtime.html?msg=OSD+MDT+2013+and+ConfigMgr+2012+R2+highlights&iso=20140506T20&p1=16&ah=1

We hope to welcome you on the 6th !

Come on and join us!
Bob Cornelissen

Orchestrator 2012 R2 Integration Pack for VMware vSphere


New download available for System Center 2012 R2 Orchestrator to automate things relating to VMware vSphere. Very nice. Description:

The Integration Pack for VMware vSphere is an add-on for System Center 2012 R2 - Orchestrator that enables you to connect System Center Orchestrator to your VMware vSphere server to automate actions in VMware vSphere to enable full management of the virtualized computing infrastructure.

http://www.microsoft.com/en-us/download/details.aspx?id=40874

Enjoy!

Upcoming WMUG NL session 8 April


The Windows Management User Group Netherlands (WMUG NL) is organizing another user group meeting in the Netherlands in the evening of 8 April 2014. This time it is an on-site event at a sponsor location in Utrecht sponsored by Conclusion Future Infrastructure Solutions.

We will have Peter Daalmans and Kenneth van Surksum talking about Application deployment across several devices with SCCM 2012, and Steven Duckaert will give a deep dive into the solutions offered by Nutanix, and finally Arie de Haan will show us how Mobile Application Management using Symantec App Center works.

More information on the agenda, location, speakers, and how to register for this event can be found over here on the WMUG site:

http://wmug.nl/2014/03/30/programma-wmug-bijeenkomst-8-april-bekend/

Hope to see you there!
Bob Cornelissen
