Scripting SCOM Registry key tweaks


Time to tune!



Had some requests to script the registry tweaks for SCOM


Starting off with Holman’s blog entry …


TechNet Gallery download here


Save .txt file as .ps1


On SCOM Management server(s)

Close out any SCOM Console session (to prevent SDK errors)

Run as administrator in PowerShell window

Restart SCOM services

restart-service omsdk; restart-service healthservice; restart-service chost

Verify services running

get-service omsdk; get-service healthservice; get-service chost

Workflow Manager Addendum MP for SQL Aliases


A SQL Alias is kinda like wearing disguise glasses…


From a security perspective, you can make things difficult for attackers by specifying a SQL alias and different port for SQL.




Symptom – discovery fails for WFM pack


Trying to monitor and figure out what the real database name, instance, etc. can be a challenge.

A couple of years ago, I was able to find an example for one customer where the registry key shed light on the alias.


The workflow manager management pack has a DataSourceModuleType “Microsoft.WorkflowManager.Addendum.v1.WFCommandExecuterDataSource”, where this change successfully retrieved the sql server name.

This datasource uses the PowerShell script (WorkflowPSDiscovery.ps1)


This function was changed in one example

# Get computer name from splitted dataSource
function GetPrincipalName {

#$ssWithoutPort = $ss[0].split(‘,’)
#if (-not $ssWithoutPort[0].Contains(‘.’))
# $ssWithoutPort[0] = $ssWithoutPort[0] + “.” + $ADDomain.Name
#$principalName = $ssWithoutPort[0]

$key = ‘HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo’
$sqlfromalias = (Get-ItemProperty -Path $key -Name $ss).$ss
$sqlserverstr = $sqlfromalias.Split(‘,’)
$sqlserver = $sqlserverstr[1]
$principalName = $sqlserver

return $principalName



Ran into this discovery issue a second time, and the function didn’t solve the failure.

Real quick – a shout out and my thanks to Chuck Hughes and Mike Sadoff, for their time and testing this more robust discovery method.




Added logic to fix the assumed InstanceName ($instname) – Most likely why my first function worked (configuration had default SQL instance name of MSSQLSERVER )

Added GetSqlAlias function to help decode the disguise



Gallery download here


Don’t forget to override the original workflow manager discovery!


Test fire any event on any server from any application

Golden Oldies – always popular (tools vs music)

Old Holman blog that’s still relevant, even more powerful than EventLog Explorer

Basically anyone who wants to test fire events off a SCOM MP should use this tool.

Event Create, write-eventlog all have limitations (certain event sources that can be used to create events, or event ID number limitations)

First, download the 2007 R2 Admin ResKit here

MomTeam blog reference

Double click the downloaded MSI

I prefer to move extracted files under my SCOM tools/Management pack directory structure under MonAdmin (Monitoring Admin)

Copy extracted files to gold depot

Move to gold depot – SCOM \ tools \ <toolname here>

Go into the MPEventAnalyzer directory

Run the exe

MP Event Analyzer

Click on Investigate Event Sources Tab (bottom middle)

Don’t forget you can use the search bar (where I typed apm)

For my example, double click on APM Agent

Search Events on right hand pane

Check checkbox to select the 1319 APM event for configuration error (right hand pane)

Click the ‘Add selected events to execution list’

Once event verified in bottom box, click the green box to fire selected event(s)

Verify event in Event Viewer

Validate Management Pack

Stay tuned… this did not complete the validation process.

Re-learn an old but still relevant tool – EventLog Explorer


Sometimes we forget about tools that can make things easier.


Time to talk about EventLog Explorer.


Need to repro and test events for an installed program, to see what SCOM will handle?

Read this old mom team blog, courtesy of Kevin Holman blog



I wanted to try it to test fire some events, had a use case where we needed to test Skype events from the SCOM MP


Testing on my SCOM 2016 Management server


Download file, run EventLog Explorer

The Paste icon next to the X is ‘Add to Execution List’ and fills out the bottom pane

The Green Arrow is ‘go’ or execute (similar to PowerShell ISE)


Navigate through the Event Log and Event Source on the left hand pane

Mark events with the checkbox  


Add to Execution


Verify events added to bottom pane

(see my test yesterday for fired, and not fired events from today)




Click Green box with white arrow to fire events, and check Event Viewer



Yesterday’s test




Today’s test



Verify alerting occurred as expected!

Adding Management Solutions in Azure

Decoder ring applies!


OMS is Log Analytics is Azure Management Solutions.




Do you want to add solutions to your Azure subscription?

Pre-packaged visuals and insights on your data, whether azure or hybrid.




Adding Management Solutions

Login to the Azure Portal

Click on All Services

Type ‘solutions’, hit enter

Click star icon to favorite Solutions



Drag Solutions higher in your preferences (wasn’t in above screenshot)



Click Solutions





Click + to Add

Click on Security and Compliance



Click Create



Don’t forget solutions require MMA agents connected to a workspace to render any data/insights!






The Docs article lists how to use the management solutions


MMA Agent and SCOM Agent version numbers


FYI – Updated 24 June 2022


What are the MMA Agent and SCOM Agent version numbers?

This idea sprung from a discussion with Sr. PFE Brian Barrington, and it got me wondering…See below for more details on OMS/MMA, and SCOM agent versions, as well as how to verify agent from PowerShell.



FYI – If you’re running a SCOM agent, 2016 or above, various Log Analytics solutions may have pre-reqs.

The Content Dev team under Brian Wren added this to the site

SCOM 2022

SCOM 2019

SCOM 2016



Azure Monitor Agent

AMA (Azure Monitor Agent)/ALA/OMS/MMA Agent can run on Windows/Linux operations systems.  Name has changed over the years, where AMA (Azure Monitor Agent) will be the name going forward for the cloud based offer.  See docs article here.

This also has been updated on the Docs site

Download installer files here

Review what operating systems are covered here

Previously known as Windows OMS/ALA/MMA agent

Unfortunately, there’s no github repo that I’ve found.


As of 6 Sep 2018, MMA agent = 8.0.11103.0

As of 17 Oct 2018, MMA agent = 8.0.11136.0

Skipping forward to 2020, the MMA agent is 10.20.18040.0

[!WARNING] The Log Analytics agents are on a deprecation path and will no longer be supported after August 31, 2024.



OMS Gateway

Older product published in 2016 – Download link here

OMS Gateway requires Microsoft Monitoring Agent (MMA)

(agent version – 8.0.10900.0 or later)

Simple English, that means SCOM2016 RTM agent or above




OMSAgent for xPlat


(Linux/Universal Linux)

Sep 16, 2021      OMSAgent_v1.13.40-0
Mar 08, 2021      OMSAgent_v1.13.35-0
Nov 16, 2020      OMSAgent_v1.13.33-0
Support for Red Hat Enterprise Linux 8, CentOS 8, Oracle 8, Ubuntu 20.04, SLES…
Nov 14, 2019       OMSAgent_v1.12.15-0
Jun 17, 2019      OMSAgent_v1.11.0-9
Apr 23, 2019      OMSAgent_v1.10.0-1
Feb 12, 2019      OMSAgent_v1.9.0-0
Nov 05, 2018     OMSAgent_v1.8.1.256
Oct 30, 2018      OMSAgent_1.8.0-256
Sep 03, 2018      OMSAgent_v1.6.1.3



Windows SCOM Agent Version numbers 


Build NumberKBRelease DateDescriptionStep-by-Step
8.0.10918.0EvaluateOct 2016SCOM 2016 RTMLink
8.0.10931.0KB3190029Feb 2017SCOM 2016 Update Rollup 1Link
8.0.10949.0KB3209591March 2017SCOM 2016 Update Rollup 2Link
8.0.10970.0KB4016126May 2017SCOM 2016 Update Rollup 3Link
8.0.10977.0KB4024941Oct 2017SCOM 2016 Update Rollup 4Link
8.0.10990.0KB4090987April 2018SCOM 2016 Update Rollup 5None
8.0.11004.0KB4459897Oct 2018SCOM 2016 Update Rollup 6Link
8.0.11025.0KB4492182April 2019SCOM 2016 Update Rollup 7Link
8.0.11037.0KB4514877Sept 2019SCOM 2016 Update Rollup 8Link
8.0.11049.0KB4546986April 2020SCOM 2016 Update Rollup 9Link
8.0.11000.0KB4580254Dec 2020SCOM 2016 Update Rollup 10Link
7.2.12335.0KB5006871Oct 2021SCOM 2016 Update Rollup 10 HotfixLink

8.0.13053.0 RTM


8.0.13067.0      General Availability release



Build NumberKBRelease DateDescriptionStep-by-Step
10.19.10050.0EvaluateMarch 2019SCOM 2019 RTMLink
10.19.10311.0KB4533415Feb 2020SCOM 2019 Update Rollup 1Link
10.19.10407.0KB4558752Sept 2020SCOM 2019 Update Rollup 2Link
10.19.10505.0KB4594078March 2021SCOM 2019 UR3Link
10.19.10550.0KB5006871Oct 2021SCOM 2019 UR3 HotfixLink



  • @Larry LeBlanc – thank you for the SCOM Agent version updates!


Verify what version is installed

Via SCOM – use Holman’s Agent Version Addendum management pack


If you don’t have SCOM

From PowerShell

$Agent = get-itemproperty -path “HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup”









SCOM Agent Version Addendum pack

SCOM Agent build numbers

Linux Agent can be downloaded from GitHub –

Installing and configuring the MMA agent via Command line

Command prompt


GUI install option, see blog

PowerShell Agent configuration, see blog

Updated 1 Feb 2023

Pre-reqs to build out an install script/package

MMA agent executable

ALA Workspace ID

ALA Workspace Primary Key



Download MMA agent

Click on Windows Servers from Connected Sources to download Windows Agent

Click on Linux Servers from Connected Sources to download Linux Agent





Obtain WorkspaceID

From the Azure Portal (

Click on Log Analytics, <your subscription >

Click on Advanced Settings

My view defaulted to Connected Sources > Windows Servers


Save the workspace ID and workspace key to notepad/OneNote for later






Build out command line for setup file

(optionally to include in Application Deployment package)


Grab pre-reqs above: (saved from above to build the command line)

Exe/msi file

Workspace ID

Workspace key


Craft out your command line (MECM super installer code updated by Neal Smith

SCOM MECM Agent Package Installer Command Line

The setup.exe or MSI command line parameters to pass are:

MMA-specific optionsNotes
NOAPM=1Optional parameter. Installs the agent without .NET Application Performance Monitoring.
ADD_OPINSIGHTS_WORKSPACE1 = Configure the agent to report to a workspace
OPINSIGHTS_WORKSPACE_IDWorkspace Id (guid) for the workspace to add
OPINSIGHTS_WORKSPACE_KEYWorkspace key used to initially authenticate with the workspace
OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPESpecify the cloud environment where the workspace is located

0 = Azure commercial cloud (default)

1 = Azure Government

OPINSIGHTS_PROXY_URLURI for the proxy to use
OPINSIGHTS_PROXY_USERNAMEUsername to access an authenticated proxy
OPINSIGHTS_PROXY_PASSWORDPassword to access an authenticated proxy






Other helpful links

Docs site

Daniel Orneling Blog

TechNet gallery

Service Map SCOM pack configuration errors

Look for 6400 Event ID’s in the Operations Manager log on the management server if you do not have the correct information


Event ID 6400 in Operations Manager log helps show what’s missing with Azure AD error events


Follow steps outlined in the ‘Set up Azure Service Principal’ blog here



Sample 6400 event


Message: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS90002: Tenant XXXXXXXXX not found.

This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.

Trace ID: 89abf27f-4884-4191-b577-de2fce100600

Correlation ID: c8a2470e-2383-4325-b91f-86b5e20ade57

Timestamp: 2018-08-06 20:34:49Z —> System.Net.WebException: The remote server returned an error: (400) Bad Request.

at System.Net.HttpWebRequest.GetResponse()

at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpWebRequestWrapper.<GetResponseSyncOrAsync>d__2.MoveNext()

— End of stack trace from previous location where exception was thrown —

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpHelper.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext()

— End of inner exception stack trace —

at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask[T](Task`1 task)

at Microsoft.SystemCenter.ServiceMap.REST.Credentials.AdCredentials.GetToken()

at Microsoft.SystemCenter.ServiceMap.UI.SubscriptionData.TestConnection()

ErrorCode: invalid_request

StatusCode: 400


Inner Exception

Message: The remote server returned an error: (400) Bad Request.

Response URI:


Pragma: no-cache

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options: nosniff

client-request-id: c8a2470e-2383-4325-b91f-86b5e20ade57

x-ms-request-id: 89abf27f-4884-4191-b577-de2fce100600

x-ms-clitelem: 1,90002,0,,

Cache-Control: no-cache, no-store

Content-Type: application/json; charset=utf-8

Expires: -1


Set-Cookie: esctx=AQABAAAAAADXzZ3ifr-GRbDT45zNSEFEzFrPhp_xcoXIlYw2iOqAFXkz7NO-Hm1hJdVAn6298A0ylDD5VvX2VosFiRVxTDzmRz24sbVUbhiTuyHJsmeIkR47y1MU3SafDlFp6xPo91BwZhRqoDPtP6YTBi5D6mHGqy2lkSAEVQtg9D4lsWTmKipm9iLaB2twBZcYR0VkDhIgAA;; path=/; secure; HttpOnly,x-ms-gateway-slice=004; path=/; secure; HttpOnly,stsservicecookie=ests; path=/; secure; HttpOnly

Server: Microsoft-IIS/10.0

Date: Mon, 06 Aug 2018 20:34:48 GMT

Content-Length: 508

MMA Agent, cross platform, and Azure

Things that make you go hmmm….



Ran across a scenario where we were trying to connect Azure Cross-platform (Linux) VM’s and MMA/SCOM agents to SCOM management group.


Management group was 2012R2, discovery wizard from SCOM console, failed to install agent, certificate errors.


Researching, found this article first

Windows Azure VM monitoring blog

There’s a version history for the Azure Monitor VM extension here


SCOM2012R2 after UR12 or SCOM 2016 UR2+ deprecated the SHA1 certificate


Deprecating SHA1 certificates
Tech Community blog


Product team nicely published a TechNet gallery script to help!

Gallery download – Script to update SHA1 certificates to SHA256 on cross-platform agents – SCOM

TechNet Gallery Download



Service Map SCOM pack errors and events

Running Service Map SCOM management pack and getting errors?




Gotta love holidays

Good family time

Not at work if we’re lucky.

When you come back, do you have to go investigate some new/weird errors?



This was one of those holidays for me 🙂




Figured I’d document SCOM errors, indicate what Event Sources, event ID ranges that aid troubleshooting.


Event Source = MS ServiceMap OMS

Event ID range = 46649-46652


Long story short, the root cause for my case, my azure workspace was disabled (fun part with a lab is trying to see how much you can do before it disables!)


Digging in my inbox, found this over the weekend

Email subject: Your services were disabled because you reached your spending limit



SCOM Alerts seen:


Service Map Unknown Exception


SCOM Console alert example


Cause:    May point to Network Connectivity, proxy, or subscription disabled

REST request failed, so did name resolution (may indicate DNS issues)


Rule details

Operations Manager Event Log

Event Source = MS ServiceMap OMS

Event ID 46651


Operations Manager Event log




No Machines Alert

Rule Name = Microsoft System Center ServiceMap No Machines Alert

Event Source = MS ServiceMap OMS

Event ID = 46652

Event ID also seen is 46649 – Error in getting machine details


SCOM Console alert





Event ID 46649