SCOM STIG V-237439

SCOM STIG V-237439 – Do audit and compliance leave you squinting and looking at documentation with a magnifying glass?

SCOM STIG V-237439: Achieving FIPS 140-2 Compliance in System Center Operations Manager

Published: June 30, 2025
Author: Kevin Justin

System Center Operations Manager (SCOM) environments in US Sovereign government entities must comply with STIG V-237439 for FIPS 140-2 cryptographic standards. This post provides a deep technical walkthrough for achieving compliance, referencing the latest SCOM core addendum blog and the official GitHub repository for scripts and automation.

🛡️ Satisfying SCOM STIG V-237439 for FIPS Compliance

STIG V-237439 requires all SCOM servers to be configured for FIPS 140-2 compliance. This involves registry changes, .NET cryptography settings, DLL imports, and web.config edits across SCOM Management Servers, Web Console, Reporting roles, and SQL SSRS servers.

Snapshot of vulnerability from SCOM STIG:

Screenshot: SCOM STIG V-237439 for FIPS compliance, from the DISA STIG website.

Step 1: Verify and Enable FIPS Registry Key

On all SCOM Management Servers and SSRS/Reporting role servers, verify the FIPS registry key:

HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy

PowerShell verification:

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
[string]$FIPSEnabled = (Get-ItemProperty -Path $RegPath -Name Enabled).Enabled
if ( $FIPSEnabled -eq 0 ) {write-host "FIPS disabled"}

If FIPS is disabled, set the registry value to 1 and reboot.

Step 2: Update .NET machine.config for Cryptography

Back up and edit the machine.config files for each .NET Framework version used by SCOM:

cd "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG"
copy machine.config machine.config.backup
notepad .\machine.config

Add the following XML between </system.web> and </configuration>. In Windows Notepad, see the example below, with an empty line at the bottom of the screenshot between </system.web> and </configuration>:

Screenshot: machine.config in Windows Notepad, with an empty line at the bottom of the window between </system.web> and </configuration>.

Add the following XML (the cryptography settings block; it does not paste cleanly into the WordPress blog, so see the screenshot below for the proper addition of the cryptography section):

Screenshot: PowerShell opened as admin, cd to the CONFIG directory, then 'notepad machine.config', showing the updated XML.

Save the file.

Repeat update on all relevant .NET Framework versions and architectures (x86/x64).


Step 3: Import FIPS DLL to SCOM Web Servers

Install Microsoft.EnterpriseManagement.Cryptography.dll using gacutil.exe:

gacutil.exe /i "D:\path\to\Microsoft.EnterpriseManagement.Cryptography.dll"

Ensure the DLL is present on all SCOM Management Servers with Web Console role, Reporting role, and SQL SSRS servers.

If the .NET Windows SDK is installed on the server, the default path for gacutil.exe is: C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin

Example PowerShell to determine whether the SDK path exists (open PowerShell as admin). Note that the check must be negated: the message should print only when the path is absent, and the quotes must be straight quotes:

if ( -not (Test-Path "C:\Program Files\Microsoft SDKs") ) { Write-Host "Windows SDK NOT installed" }

Example output:

PS C:\Program Files> if ( ( test-path "C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin" ) ne "True" ) { write-host "Windows SDK NOT installed" }
Windows SDK NOT installed
PS C:\Program Files> cd gacutil.exe /i "D:\\Microsoft.EnterpriseManagement.Cryptography.dll"

Step 4: Edit Web Console web.config Files

Edit both WebHost\web.config and MonitoringView\web.config:

      1. Locate the <encryption> tag (the one that is not commented out) and add:
         <symmetricAlgorithm iv="SHA256" />
      2. Replace the <connection> and <session> lines with:

         For MonitoringView\web.config, ensure the <session> tag is properly closed.

      3. Under <system.web>, add:

Step 5: Reboot and Validate

      • Reboot servers to apply changes.
      • Log in and check for Server Manager errors.
      • Verify SCOM Web Console (https://<SCOMMS>/OperationsManager) and Reporting (https://<SCOMMS>/ReportServer).
      • If issues arise, roll back changes and engage Microsoft support.

Warning – Watch for smart quotes and double quotes!

Screenshot: Server Manager error seen when the XML is added after the </configuration> element.

Screenshot: "Machine.config file missing" Server Manager error seen when the XML is added above the </configuration> element.
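Added here as a pre-flight check for Steps 1 to 4 above; this is an example written for this post, not a script from the post itself or from the SCOMCoreAddendum repository. It assumes an elevated PowerShell 5.1 session on each SCOM server, the Windows SDK gacutil path the post gives, a placeholder DLL path, and an assumed Web Console install root and GAC folder layout.

```powershell
# Added example, not from the original post. Run elevated in PowerShell 5.1 on each SCOM
# Management Server, Web Console, Reporting and SSRS server.
$DllPath = "D:\path\to\Microsoft.EnterpriseManagement.Cryptography.dll"   # placeholder, adjust
$GacUtil = "C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin\gacutil.exe" # Windows SDK default
# Step 1: the FIPS registry value must be 1 (key and value name as in the STIG walkthrough)
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy"
$fips = (Get-ItemProperty -Path $RegPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($fips -eq 1) { Write-Host "FIPS enabled" }
else { Write-Warning "FIPS disabled (Enabled=$fips): set the value to 1 and reboot" }
# Step 2: every machine.config (all versions, x86 and x64) needs a backup and must still parse.
# Smart quotes pasted from a web page, or XML placed after </configuration>, break the parse,
# which Server Manager then reports as a missing machine.config.
$configs = Get-ChildItem "C:\Windows\Microsoft.NET\Framework*\v*\CONFIG\machine.config" -ErrorAction SilentlyContinue
foreach ($cfg in $configs) {
    $name = $cfg.FullName
    if (-not (Test-Path "$name.backup")) { Write-Warning "${name}: no machine.config.backup found" }
    $raw = Get-Content -Path $name -Raw
    if ($raw -match '[\u201C\u201D\u2018\u2019]') {
        Write-Warning "${name}: contains smart quotes; replace them with straight quotes"
    }
    try {
        [xml]$doc = $raw
        if ($doc.DocumentElement.Name -eq 'configuration') { Write-Host "${name}: well-formed XML" }
        else { Write-Warning "${name}: root is <$($doc.DocumentElement.Name)>, expected <configuration>" }
    } catch {
        Write-Warning "${name}: not well-formed XML - $($_.Exception.Message)"
    }
}
# Step 3: gacutil and the cryptography DLL. Searching both GAC roots is an assumption about
# where gacutil places the assembly, not something the post states.
if (-not (Test-Path $GacUtil)) { Write-Warning "Windows SDK NOT installed: $GacUtil missing" }
if (-not (Test-Path $DllPath)) { Write-Warning "DLL not found at $DllPath (placeholder path)" }
$inGac = Get-ChildItem "C:\Windows\assembly", "C:\Windows\Microsoft.NET\assembly" -Recurse `
    -Filter "Microsoft.EnterpriseManagement.Cryptography.dll" -ErrorAction SilentlyContinue
if ($inGac) { Write-Host "Cryptography DLL present in the GAC" }
else { Write-Warning "Cryptography DLL not in the GAC; run: gacutil.exe /i `"$DllPath`"" }
# Step 4: each Web Console web.config (install root is an assumption) should carry
# <symmetricAlgorithm iv="SHA256" /> under a live <encryption> element; XPath skips comments,
# so an entry placed only inside a commented-out section is correctly reported as missing.
$webRoot = "C:\Program Files\Microsoft System Center\Operations Manager\WebConsole"  # assumed
foreach ($wc in @("WebHost\web.config", "MonitoringView\web.config")) {
    $path = Join-Path $webRoot $wc
    if (-not (Test-Path $path)) { Write-Warning "${path}: not found (no Web Console role or other path)"; continue }
    try {
        [xml]$w = Get-Content -Path $path -Raw
        $sym = $w.SelectNodes("//encryption/symmetricAlgorithm[@iv='SHA256']")
        if ($sym.Count -gt 0) { Write-Host "${path}: symmetricAlgorithm iv=SHA256 present" }
        else { Write-Warning "${path}: symmetricAlgorithm iv=SHA256 missing under <encryption>" }
    } catch { Write-Warning "${path}: not well-formed XML - $($_.Exception.Message)" }
}
```

The script only reports; it changes nothing, so it can be run before and after each step and again after the reboot in Step 5.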

🧑‍💻 Expert Commentary & Troubleshooting

FIPS compliance in SCOM is not just a checkbox—it’s a critical requirement for federal and DoD environments. The registry, .NET, and DLL steps ensure cryptographic operations meet FIPS 140-2 standards. Editing web.config files is nuanced; always avoid editing commented sections and ensure XML tags are properly closed to prevent server errors.

For automation, leverage scripts from the GitHub repository and review the SCOM core lessons learned.

💡 Pro Tips for SCOM FIPS STIG Compliance

      • Always backup configuration files before making changes.
      • Test changes in a non-production environment first.
      • Use PowerShell and automation scripts for registry and DLL deployment.
      • Monitor event logs and SCOM health after changes.
      • Engage with the SCOM community for support and updates.

🤝 Community Engagement

Have you implemented SCOM STIG V-237439 for FIPS compliance?

Please share your experience, tips, or challenges in the comments below.

Join the discussion on the SCOM core addendum blog and contribute scripts or feedback to the GitHub repository SCOMCoreAddendum for more deep dives.

Share this post with your team to ensure your SCOM environment is secure and compliant!
