Set up SCOM 2016 for TLS1.2

Security bugging you about SCOM using TLS1.0 ?


Have questions on the TLS1.2 Protocol Support Deployment guide link?

If using ACS, please review ACS steps to configure from the guide above


It’s time to update SCOM 2016 to TLS1.2!



.Net and SQL native client, ODBC must be updated to TLS1.2 compliant version

HTTPS Endpoints must be CA signed certificates using SHA1 or SHA2




Ensure .Net version 4.6 is installed on all SC components

Determine which .Net is installed

From PowerShell (run as admin is NOT required)

Get-ChildItem ‘HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP’ -recurse | Get-ItemProperty -name Version,Release -EA 0 | Where { $_.PSChildName -match ‘^(?!S)\p{L}’} | Select PSChildName, Version, Release


Above commands from StackOverFlow article

Guide to .Net versions and dependencies


Sample output from win2k8R2 sp1 server (and same from 2016 server)





SQL Server updates

Install the required SQL server update supporting TLS1.2

From PowerShell as Administrator
Invoke-Sqlcmd -Query “SELECT @@VERSION;” -QueryTimeout 3

Example Output
PS C:\Windows\system32> Invoke-Sqlcmd -Query “SELECT @@VERSION;” -QueryTimeout 3


Microsoft SQL Server 2016 (RTM-GDR) (KB3210111) – 13.0.1728.2 (X64) …


Microsoft SQL Server 2008 R2 (SP2) – 10.50.4000.0 (X64)


Compare to SQL matrix to download and install appropriate version
TLS 1.2 SQL Support
NOTE Verify you are running a compliant cumulative update (CU), you will need the patch (SQL2016 natively supports TLS1.2)
SQL Server 2008R2 SP2 is NOT supported for TLS1.2


Install the required SQL Native Client
FYI – SQL 2016 uses the SQL 2012 Native client
Download link


SQL Native client 11.0 should be installed on ALL MS and SQL servers (SQL 2008-2016)

From PowerShell as Administrator
get-odbcdriver -name “SQL Server Native Client*”


Example Output



From Control Panel, Programs and Features, Installed Programs


Stop SQL Server and SQL Server agent services

Stop-service MSSQLSERVER


Install SQL Native Client MSI

Double click on SQL Native Client MSI file to begin installation

Click on Yes to begin installation

Click Next on the Installer window


Click I accept radio button

Click Next


Click Next on Feature Selection


Click Install


Click Yes on User Account Control (UAC) prompt


Stop SQL Server and SQL Server agent (if they restarted)


Watch installer status


Click Finish when complete




Verify SQL Native Client Verification

Verify SQL services are running
Stop SQL Server and SQL Server agent services From PowerShell as Admin


From PowerShell as Admin If necessary, start SQL Server and SQL Server agent services

Start-service MSSQLSERVER
Verify Installer completed
In Event Viewer, Windows Logs, Application look for event 11728


From PowerShell

Get-EventLog -LogName Application | ? { $_.InstanceId -eq 11728 }

Rinse and Repeat for other MS and SQL servers in environment



Install ODBC on all Management Servers


For SCOM & SM, ODBC 11.0 or ODBC 13.0 should be installed on all MS and SQL servers


Verify ODBC v11 for server win2k8R2

From Control Panel

Click on Programs

Click on Programs and Features

Search for ODBC


Verify ODBC v13 for Server 2016

Verify version from PowerShell (run as administrator NOT required)
get-odbcdriver -name “ODBC Driver * SQL Server”



Download and install appropriate version

11.0: (Version 2.0.5543.11)
Verify Installer completed
In Event Viewer, Windows Logs, Application look for event 11728


From PowerShell

Get-EventLog -LogName Application | ? { $_.InstanceId -eq 11728 } | ? { $_.Message -like “*Microsoft ODBC*”




NOTE Please make sure servers are patched with latest Monthly Rollup Updates

Had issue where KB3080079 was NOT installed on server.  Patch applied to Win7, Server 2008,2008R2

From Powershell

get-hotfix -id KB3080079






Install SCOM 2016 UR4 update

See Kevin Holman’s UR4 install blog


Time to enable TLS1.2 Secure Channel messages on MS and SQL server (gateway if installed in your environment)

See Gallery for add/query/remove registry keys


Add SCHANNEL path for TLS

$ProtocolList       = @(“SSL 2.0″,”SSL 3.0″,”TLS 1.0”, “TLS 1.1”, “TLS 1.2”)
$ProtocolSubKeyList = @(“Client”, “Server”)
$DisabledByDefault = “DisabledByDefault”
$Enabled = “Enabled”
$registryPath = “HKLM:\\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\”

foreach($Protocol in $ProtocolList)
    Write-Host ” In 1st For loop”
foreach($key in $ProtocolSubKeyList)
$currentRegPath = $registryPath + $Protocol + “\” + $key
Write-Host ” Current Registry Path $currentRegPath”

if(!(Test-Path $currentRegPath))
    Write-Host “creating the registry”
New-Item -Path $currentRegPath -Force | out-Null
if($Protocol -eq “TLS 1.2”)
    Write-Host “Working for TLS 1.2”
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value “0” -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value “1” -PropertyType DWORD -Force | Out-Null

    Write-Host “Working for other protocol”
New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value “1” -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $currentRegPath -Name $Enabled -Value “0” -PropertyType DWORD -Force | Out-Null


# Tighten up the .NET Framework
$NetRegistryPath = “HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319”
 New-ItemProperty -Path $NetRegistryPath -Name “SchUseStrongCrypto” -Value “1” -PropertyType DWORD -Force | Out-Null

$NetRegistryPath = “HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319”
 New-ItemProperty -Path $NetRegistryPath -Name “SchUseStrongCrypto” -Value “1” -PropertyType DWORD -Force | Out-Null


Restart servers



Verify SCOM Console for alerts and connectivity


Get started with OMS Device Health

Anyone need telemetry data for win10 computers?


Want the info with better reports and less overhead?

This easily replaces SCOM Agentless Exception Monitoring


OMS is technically free, why not get insights into client side problems?




Validate Telemetry Setting

Get CommercialID from OMS

Configure Deployment Script

Run Deployment Script

Verify OMS



Check Win10 Telemetry setting

Configure Telemetry Data link


FYI – Telemetry level can be managed via SCCM/MDM/Intune and/or GPO


Enhanced Telemetry (2) sends less data (not full crash dumps like Full)

The normal upload range for the Enhanced telemetry level is between 239 KB – 348 KB per day, per device.


Settings Explained




Verify Telemetry setting

My default Win10 setting was 3 based on setup wizard options




Retrieve CommercialID from OMS

Go to Settings (Cog at the top right hand corner)

Then Click on Connected Sources, Windows Telemetry

Copy the Commercial ID Key





Set up Deployment Script

Download the Deployment Script link

In my lab example, save script to Win10 client in C:\UpgradeAnalytics


Update the Deployment RunConfig.bat file


The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt.


Edit RunConfig.bat in Notepad, add your Commercial ID into the ‘set commercialIDValue’ line

Change the logPath as well if you have a preferred logging location


Run script and verify Registry keys

Set up command window as system

Don’t forget psexec from sysinternals tool

psexec -s cmd.exe

cd UpgradeAnalytics\Deployment



Example output


Verify Registry

Registry key paths depending on how these are set with SCCM/MDM/Intune vs. GPO

        $vCommercialIDPath = “HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection”
        $GPOCommercialIDPath = “HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection”




Add Device Health Solution to OMS

Add Device Health as part of the Windows Analytics suite

NOTE Windows Analytics suite includes Upgrade Readiness and Update Compliance



Wait 2 days and see what shows up as devices check in


Clicking on Device Health pane


Added Bonus – once you configure the deployment script, the other two Windows Analytics tools are ready for consumption – Upgrade Readiness and Update Compliance




OMS subscription

Win10 clients have HTTPS access to Microsoft hosts (see Endpoints in Configure Telemetry link below)




Windows Analytics link
Upgrade Readiness link
Upgrade Readiness Script V2 link
Upgrade Readiness Script Original link
Configure Telemetry link

Adding UNIX agents via PowerShell

First, a shout out to Vanessa Bruwer @VanessaBruwer and Tyson Paul for their help!


Feel like I was pounding rocks, and had a great find! 🙂

…How to add UNIX agents manually via command line





1. Unix Agent action account and agent maintenance account ID and passwords
2. Unix Resource Pool name (use get-SCOMResourcePool)

Don’t confuse the WSMAN login and use your MSAA ID

BTW, cmdlets exist with 2012R2 and 2016



From MS running PowerShell as admin

$MyPool = Get-SCOMResourcePool “UNIX/Linux Monitoring Resource Pool”
$SSHCredential = Get-SCXSSHCredential -UserName scom -ElevationType sudo
$WSCredential = Get-Credential scom

# Using MSAA account this fails

$DiscResult = Invoke-SCXDiscovery -Name “” -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential

# Alternative Discovery for Network IP range
$DiscResult = Invoke-SCXDiscovery -IPRange,  -ResourcePool $MyPool -WSManCredential $WSCredential -SSHCredential $SSHCredential


$DiscResult |fl -property *


$installResult = Install-SCXAgent -DiscoveryResult $DiscResult -Verbose
$installResult | fl -property *



Using MSAA account this fails


Using SCOM Agent Maintenance Account


Console verified


2012R2 (tested on my 2016 lab)
PoSH cmdlet reference





FindTime GA in Outlook OWA

If you were fortunate to use the Outlook add-in while it was part of the Outlook client, the functionality went live to the O365 site.

Create a meeting and Poll for other times

Login to with your credentials

Click on Outlook

Click on Calendar button

Click on dropdown, New

Fill out meeting invite, and don’t forget to propose meeting times


Hit send and wait for the attendees to vote


High level overview


Post your comments to have this added to the Outlook App

UserVoice Forum for Outlook–outlook-on-the-web-office-365/suggestions/31651732-meeting-poll-feature