Set up SCOM 2016 for TLS1.2

Security bugging you about SCOM using TLS 1.0?

Have questions on the TLS 1.2 Protocol Support Deployment guide link?

If using ACS (Audit Collection Services), review the ACS configuration steps in the guide above

It's time to update SCOM 2016 to TLS 1.2!

 

Pre-requisites

.NET, the SQL Native Client and the ODBC driver must be updated to TLS 1.2-capable versions on every management server and SQL server

HTTPS endpoints must use CA-signed certificates (SHA1 or SHA2)

 

 

 

Ensure .NET version 4.6 is installed on all SC components

Determine which .NET is installed https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed

From PowerShell (run as admin is NOT required)

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version,Release -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}' } | Select PSChildName, Version, Release

 

Above command from a StackOverflow article

Guide to .NET versions and dependencies https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies

 

Sample output from win2k8R2 sp1 server (and same from 2016 server)

 

 

 

 

SQL Server updates

Install the required SQL server update supporting TLS1.2

From PowerShell as Administrator
Invoke-Sqlcmd -Query "SELECT @@VERSION;" -QueryTimeout 3

Example Output
PS C:\Windows\system32> Invoke-Sqlcmd -Query "SELECT @@VERSION;" -QueryTimeout 3
Column1

——

Microsoft SQL Server 2016 (RTM-GDR) (KB3210111) – 13.0.1728.2 (X64) …

OR

Microsoft SQL Server 2008 R2 (SP2) – 10.50.4000.0 (X64)

 

Compare to the SQL matrix to download and install the appropriate version
TLS 1.2 SQL Support https://support.microsoft.com/en-in/help/3135244/tls-1.2-support-for-microsoft-sql-server
NOTE Verify you are running a TLS 1.2-compliant cumulative update (CU) or GDR build from the matrix. SQL 2008 through 2014 need the patch; SQL 2016 supports TLS 1.2 natively
SQL Server 2008 R2 SP2 is NOT supported for TLS 1.2  https://blogs.msdn.microsoft.com/sqlreleaseservices/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014/

 

Install the required SQL Native Client
FYI – SQL 2016 uses the SQL 2012 Native client
Download link https://www.microsoft.com/en-us/download/details.aspx?id=50402

 

SQL Native Client 11.0 should be installed on ALL MS and SQL servers (SQL 2008-2016)

From PowerShell as Administrator
Get-OdbcDriver -Name "SQL Server Native Client*"

 

Example Output

 

 

From Control Panel, Programs and Features, Installed Programs

 

Stop SQL Server and SQL Server agent services
Stop-service SQLSERVERAGENT

Stop-service MSSQLSERVER

 

Install SQL Native Client MSI

Double click on SQL Native Client MSI file to begin installation

Click on Yes to begin installation

Click Next on the Installer window

 

Click I accept radio button

Click Next

 

Click Next on Feature Selection

 

Click Install

 

Click Yes on User Account Control (UAC) prompt

 

Stop SQL Server and SQL Server agent (if they restarted)

 

Watch installer status

 

Click Finish when complete

 

 

 

Verify SQL Native Client installation

Check that the SQL services are running
From PowerShell as Admin
Get-Service SQLSERVERAGENT

Get-Service MSSQLSERVER

If necessary, start SQL Server and then SQL Server Agent, from PowerShell as Admin
Start-Service MSSQLSERVER

Start-Service SQLSERVERAGENT
Verify Installer completed
In Event Viewer, Windows Logs, Application look for event 11728

 

From PowerShell

Get-EventLog -LogName Application | ? { $_.InstanceId -eq 11728 }

Rinse and Repeat for other MS and SQL servers in environment

 

 

Install ODBC on all Management Servers

 

For SCOM & SM, ODBC 11.0 or ODBC 13.0 should be installed on all MS and SQL servers

 

Verify ODBC v11 for server win2k8R2

From Control Panel

Click on Programs

Click on Programs and Features

Search for ODBC

 

Verify ODBC v13 for Server 2016

Verify version from PowerShell (run as administrator NOT required)
Get-OdbcDriver -Name "ODBC Driver * SQL Server"

 

Output

Download and install appropriate version

11.0: https://www.microsoft.com/en-us/download/details.aspx?id=36434 (Version 2.0.5543.11)
13.0: https://www.microsoft.com/en-us/download/details.aspx?id=50420
Verify Installer completed
In Event Viewer, Windows Logs, Application look for event 11728

 

From PowerShell

Get-EventLog -LogName Application | ? { $_.InstanceId -eq 11728 } | ? { $_.Message -like "*Microsoft ODBC*" }

 

Output

 

NOTE Please make sure servers are patched with latest Monthly Rollup Updates

Had an issue where KB3080079 was NOT installed on a server.  Patch applied to Win7, Server 2008, 2008 R2

From Powershell

get-hotfix -id KB3080079

 

Output
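Rather than checking each prerequisite by hand on every server, the following script (an added example, not code from the original post) does one pass over the items above: .NET 4.6, SQL Server Native Client 11.0, ODBC Driver 11 or 13, KB3080079 on 2008 R2, and the SQL build. It assumes PowerShell 3.0 or later, a default SQL instance reachable as '.', and that Invoke-Sqlcmd is available (the SQL check is skipped when it is not). The SQL check deliberately does not hard-code the minimum builds from KB3135244; it reports the build for you to compare.

```powershell
# Added example, not from the original post: one pass over the TLS 1.2
# prerequisites above (.NET 4.6, SQL Native Client 11, ODBC 11/13, KB3080079
# on 2008 R2, SQL build). Run it on every management server and SQL server.
# Assumptions: PowerShell 3.0+, a default SQL instance reachable as '.'
# and the SqlServer/SQLPS module for Invoke-Sqlcmd (the SQL check is skipped
# if the cmdlet is absent).

function Get-DotNetRelease {
    # The Release DWORD under NDP\v4\Full identifies the 4.x build. 393295 is
    # .NET 4.6 on Windows 10 and 393297 is 4.6 elsewhere; anything below
    # 393295 predates 4.6 and must be upgraded.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
}

function Get-InstalledOdbcDrivers {
    # ODBCINST.INI lists every registered ODBC driver by name. This works on
    # 2008 R2 as well, where Get-OdbcDriver (Wdac module) is not available.
    $key = Get-Item -Path 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers' -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() } else { @() }
}

function Get-SqlProductVersion {
    param([string]$ServerInstance = '.')   # assumption: default instance
    if (-not (Get-Command Invoke-Sqlcmd -ErrorAction SilentlyContinue)) { return $null }
    (Invoke-Sqlcmd -ServerInstance $ServerInstance -QueryTimeout 3 `
        -Query "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS v").v
}

function Test-ScomTls12Prereqs {
    $release = Get-DotNetRelease
    [pscustomobject]@{
        Check = '.NET Framework 4.6 or later'
        Value = $release
        Pass  = ($release -ge 393295)
    }

    $drivers = @(Get-InstalledOdbcDrivers)
    [pscustomobject]@{
        Check = 'SQL Server Native Client 11.0'
        Value = (@($drivers -match 'Native Client') -join ', ')
        Pass  = ($drivers -contains 'SQL Server Native Client 11.0')
    }
    $wanted = 'ODBC Driver 11 for SQL Server', 'ODBC Driver 13 for SQL Server'
    [pscustomobject]@{
        Check = 'ODBC Driver 11 or 13 for SQL Server'
        Value = (@($drivers -match '^ODBC Driver') -join ', ')
        Pass  = [bool]($wanted | Where-Object { $drivers -contains $_ })
    }

    # KB3080079 is only relevant on Windows 7 / Server 2008 R2 (NT 6.1).
    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -eq 1) {
        [pscustomobject]@{
            Check = 'KB3080079 (TLS 1.1/1.2 for RDS on 2008 R2)'
            Value = $os.ToString()
            Pass  = [bool](Get-HotFix -Id KB3080079 -ErrorAction SilentlyContinue)
        }
    }

    $sql = Get-SqlProductVersion
    if ($sql) {
        # SQL 2016 (13.x) supports TLS 1.2 natively; older majors must be
        # compared against the build list in KB3135244, which is not
        # hard-coded here.
        $major = [int]$sql.Split('.')[0]
        $pass  = if ($major -ge 13) { $true } else { 'compare to KB3135244' }
        [pscustomobject]@{
            Check = 'SQL Server build'
            Value = $sql
            Pass  = $pass
        }
    }
}

Test-ScomTls12Prereqs | Format-Table -AutoSize
```

Run it before touching SCHANNEL: any row with Pass = False is a connection that will break once TLS 1.0 is disabled, because the component will have nothing left to negotiate with.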

 

 

 

Install SCOM 2016 UR4 update

See Kevin Holman’s UR4 install blog https://blogs.technet.microsoft.com/kevinholman/2017/10/28/ur4-for-scom-2016-step-by-step/

 

Time to enable TLS 1.2 Secure Channel messages on the MS and SQL servers (and the gateway, if one is installed in your environment)

See Gallery for add/query/remove registry keys

NOTE The script below does more than turn TLS 1.2 on: it sets Enabled=0 and DisabledByDefault=1 for SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 on both the Client and Server sides of SCHANNEL, so after the reboot these servers will neither offer nor accept anything below TLS 1.2. Confirm every peer (agents, gateways, SQL, web console, ACS forwarders) is TLS 1.2 capable first, and keep the query/remove script from the Gallery handy for rollback.

Add SCHANNEL path for TLS

$ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2")
$ProtocolSubKeyList = @("Client", "Server")
$DisabledByDefault  = "DisabledByDefault"
$Enabled            = "Enabled"
$registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"

foreach ($Protocol in $ProtocolList)
{
    Write-Host " In 1st For loop"
    foreach ($key in $ProtocolSubKeyList)
    {
        # e.g. ...\SCHANNEL\Protocols\TLS 1.2\Server
        $currentRegPath = $registryPath + $Protocol + "\" + $key
        Write-Host " Current Registry Path $currentRegPath"

        if (!(Test-Path $currentRegPath))
        {
            Write-Host "creating the registry"
            New-Item -Path $currentRegPath -Force | Out-Null
        }
        if ($Protocol -eq "TLS 1.2")
        {
            # TLS 1.2: enabled, and not disabled by default
            Write-Host "Working for TLS 1.2"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 0 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 1 -PropertyType DWORD -Force | Out-Null
        }
        else
        {
            # Everything older: disabled outright on this side
            Write-Host "Working for other protocol"
            New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
            New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
        }
    }
}

# Tighten up the .NET Framework: SchUseStrongCrypto makes .NET 4.x callers (SDK, console, web console)
# use the OS strong-protocol set instead of defaulting to TLS 1.0
$NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null

$NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null

 

Restart servers

 

 

Verify SCOM Console for alerts and connectivity
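Console connectivity shows that something still works; it does not show that TLS 1.2 is what is being used. The script below (an added example, not code from the original post) reads back the SCHANNEL and SchUseStrongCrypto values after the reboot, then performs a real handshake against an HTTPS endpoint once with TLS 1.2 and once with TLS 1.0, expecting the second to be refused. The host name 'scomweb.contoso.local' is an assumption; substitute the web console or any other HTTPS endpoint on a server you changed. Do not point the handshake test at SQL on port 1433: SQL Server carries TLS inside the TDS pre-login exchange, so a raw TLS client cannot negotiate with it.

```powershell
# Added example, not from the original post: read back the SCHANNEL and
# .NET values after the reboot and prove an endpoint negotiates TLS 1.2
# and refuses TLS 1.0. 'scomweb.contoso.local' is an assumed host name; use
# a real HTTPS endpoint such as the web console. Do not point the handshake
# test at SQL on 1433: SQL Server wraps TLS inside the TDS pre-login
# exchange, so a raw TLS client cannot negotiate with it.

function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$base\$proto\$side" -ErrorAction SilentlyContinue
            # Only TLS 1.2 should be Enabled=1 / DisabledByDefault=0 after the script above.
            if ($proto -eq 'TLS 1.2') { $expEnabled = 1; $expDbd = 0 } else { $expEnabled = 0; $expDbd = 1 }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $p.Enabled            # $null means the value is absent (OS default)
                DisabledByDefault = $p.DisabledByDefault
                Pass              = ($p.Enabled -eq $expEnabled -and $p.DisabledByDefault -eq $expDbd)
            }
        }
    }
}

function Get-DotNetStrongCrypto {
    # SchUseStrongCrypto=1 makes .NET 4.x callers use the OS strong-protocol
    # set instead of defaulting to TLS 1.0.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $v = (Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Path = $path; SchUseStrongCrypto = $v; Pass = ($v -eq 1) }
    }
}

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate trust is deliberately not evaluated: this probe only asks
        # which protocol and cipher the server will accept, nothing more.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested   = $Protocol
            Negotiated  = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Succeeded   = $true
            Error       = $null
        }
    } catch {
        [pscustomobject]@{
            Requested   = $Protocol
            Negotiated  = $null
            Cipher      = $null
            KeyExchange = $null
            Succeeded   = $false
            Error       = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetStrongCrypto    | Format-Table -AutoSize
# Assumed host. When the target is one of the servers changed above, the first
# call should report Negotiated=Tls12 and the second should fail with
# Succeeded=False, because TLS 1.0 is now disabled server-side.
Test-TlsHandshake -HostName 'scomweb.contoso.local' -Protocol Tls12
Test-TlsHandshake -HostName 'scomweb.contoso.local' -Protocol Tls
```

A row with Pass = False in the first two tables means the registry change did not land (wrong hive, no reboot, or a GPO that rewrites SCHANNEL); a TLS 1.0 handshake that still succeeds means the Server-side key for TLS 1.0 was not applied on that host.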

 

Get started with OMS Device Health

Anyone need telemetry data for win10 computers?

https://docs.microsoft.com/en-us/windows/deployment/update/device-health-get-started

 

Want the info with better reports and less overhead?

This easily replaces SCOM Agentless Exception Monitoring

 

OMS is technically free, why not get insights into client side problems?

 

 

Overview

Validate Telemetry Setting

Get CommercialID from OMS

Configure Deployment Script

Run Deployment Script

Verify OMS

 

 

Check Win10 Telemetry setting

Configure Telemetry Data link

 

FYI – Telemetry level can be managed via SCCM/MDM/Intune and/or GPO

 

Enhanced telemetry (level 2) sends less data than Full (no full crash dumps)

The normal upload range for the Enhanced telemetry level is between 239 KB – 348 KB per day, per device.

 

Settings Explained

 

 

 

Verify Telemetry setting

My default Win10 setting was 3 based on setup wizard options

 

 

 

Retrieve CommercialID from OMS

Go to Settings (Cog at the top right hand corner)

Then Click on Connected Sources, Windows Telemetry

Copy the Commercial ID Key

 

 

 

 

Set up Deployment Script

Download the Deployment Script link

In my lab example, save script to Win10 client in C:\UpgradeAnalytics

 

Update the Deployment RunConfig.bat file

From Docs.Microsoft.com:

The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt.

 

Edit RunConfig.bat in Notepad, add your Commercial ID into the ‘set commercialIDValue’ line

Change the logPath as well if you have a preferred logging location

 

Run script and verify Registry keys

Open a command window running as SYSTEM (the script writes to HKLM policy keys)

Don't forget psexec from the Sysinternals tools

psexec -s cmd.exe

cd C:\UpgradeAnalytics\Deployment

runConfig.bat

 

Example output

 

Verify Registry

Registry key paths differ depending on whether these are set with SCCM/MDM/Intune or with GPO

$vCommercialIDPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection"
$GPOCommercialIDPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
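To check both locations at once, the script below (an added example, not code from the original post) reads AllowTelemetry and CommercialId from the two paths above and says whether the device is at Enhanced (2) or higher with the expected Commercial ID. It assumes Group Policy wins over the SCCM/MDM path when both are set, which is the Windows default unless MDMWinsOverGP is configured; the GUID at the bottom is a placeholder for the key copied from OMS.

```powershell
# Added example, not from the original post: read back what RunConfig.bat is
# expected to have written, from both registry locations named above, and
# say whether this device is ready for Device Health. Assumption: Group
# Policy wins over the MDM/SCCM path when both are set (the Windows default
# unless MDMWinsOverGP is configured); the Enhanced threshold (2) is the
# level discussed above.

function Get-TelemetryConfig {
    $paths = [ordered]@{
        'GPO'             = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
        'SCCM/MDM/Intune' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
    }
    foreach ($source in $paths.Keys) {
        $p = Get-ItemProperty -Path $paths[$source] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Source         = $source
            AllowTelemetry = $p.AllowTelemetry   # $null when not set by this source
            CommercialId   = $p.CommercialId
        }
    }
}

function Test-DeviceHealthReady {
    param([Parameter(Mandatory = $true)][string]$ExpectedCommercialId)  # the key copied from OMS
    $cfg = @(Get-TelemetryConfig)
    # First source in the list (GPO) that has a value wins, per the precedence assumption above.
    $effective = $cfg | Where-Object { $null -ne $_.AllowTelemetry } | Select-Object -First 1
    $ids       = @($cfg.CommercialId | Where-Object { $_ })
    [pscustomobject]@{
        EffectiveSource   = $effective.Source
        TelemetryLevel    = $effective.AllowTelemetry
        LevelIsEnhanced   = ($effective.AllowTelemetry -ge 2)
        CommercialIdSet   = ($ids.Count -gt 0)
        CommercialIdMatch = ($ids -contains $ExpectedCommercialId)
        Ready             = ($effective.AllowTelemetry -ge 2) -and ($ids -contains $ExpectedCommercialId)
    }
}

Get-TelemetryConfig | Format-Table -AutoSize
# Placeholder GUID; substitute the Commercial ID copied from the OMS portal.
Test-DeviceHealthReady -ExpectedCommercialId '00000000-0000-0000-0000-000000000000'
```

If CommercialIdSet is True but CommercialIdMatch is False, the device is reporting into somebody else's workspace; fix the value in RunConfig.bat and rerun it rather than editing the registry by hand, so the rest of the script's settings stay consistent.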

 

 

 

Add Device Health Solution to OMS

Add Device Health as part of the Windows Analytics suite

NOTE Windows Analytics suite includes Upgrade Readiness and Update Compliance

 

 

Wait 2 days and see what shows up as devices check in

 

Clicking on Device Health pane

 

Added Bonus – once you configure the deployment script, the other two Windows Analytics tools are ready for consumption – Upgrade Readiness and Update Compliance

 

 

Requirements

OMS subscription

Win10 clients have HTTPS access to Microsoft hosts (see Endpoints in Configure Telemetry link below)

 

 

References

Windows Analytics link
Upgrade Readiness link
Upgrade Readiness Script V2 link
Upgrade Readiness Script Original link
Configure Telemetry link

Adding UNIX agents via PowerShell

First, a shout out to Vanessa Bruwer @VanessaBruwer and Tyson Paul for their help!

 

Feel like I was pounding rocks, and had a great find! 🙂

…How to add UNIX agents manually via command line

 

 

 

Required

1. UNIX agent action account and agent maintenance account IDs and passwords
2. UNIX resource pool name (use Get-SCOMResourcePool)

Don't confuse the WSMan login with your MSAA ID: the discovery credentials below are the agent maintenance account, not the Management Server Action Account

BTW, the cmdlets exist in 2012 R2 and 2016

 

 

From MS running PowerShell as admin

$MyPool = Get-SCOMResourcePool "UNIX/Linux Monitoring Resource Pool"
# scom is the agent maintenance account in this lab; sudo elevation is requested for the install
$SSHCredential = Get-SCXSSHCredential -UserName scom -ElevationType sudo
$WSCredential = Get-Credential scom

# Using the MSAA account here fails; use the agent maintenance account

$DiscResult = Invoke-SCXDiscovery -Name "ubuntu.testlab.net" -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential

# Alternative Discovery for a network IP range (start, end)
$DiscResult = Invoke-SCXDiscovery -IPRange 192.168.1.50,192.168.1.75 -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential

$DiscResult | fl -Property *

$installResult = Install-SCXAgent -DiscoveryResult $DiscResult -Verbose
$installResult | fl -Property *

 

 

Using MSAA account this fails

 

Using SCOM Agent Maintenance Account

 

Console verified

 

Resources
Old https://blogs.msdn.microsoft.com/scxplat/2009/12/11/cross-platform-powershell-scripts-released/
2012R2 (tested on my 2016 lab) https://operatingquadrant.com/2012/12/06/using-powershell-for-automated-unixlinux-agent-discovery/
PoSH cmdlet reference https://docs.microsoft.com/en-us/previous-versions/system-center/powershell/system-center-2012-r2/hh545212(v=sc.20)

 

 

 

 

FindTime GA in Outlook OWA

If you were fortunate enough to use the FindTime add-in while it was part of the Outlook client, the same functionality is now live on the O365 Outlook on the web site.

https://outlook.office365.com/owa/

Create a meeting and Poll for other times

Login to Office.com with your credentials

Click on Outlook

Click on Calendar button

Click on dropdown, New

Fill out meeting invite, and don’t forget to propose meeting times

 

Hit send and wait for the attendees to vote

 

High level overview

 

Post your comments to have this added to the Outlook App

UserVoice Forum for Outlook https://outlook.uservoice.com/forums/313228–outlook-on-the-web-office-365/suggestions/31651732-meeting-poll-feature