TLS 1.2 and SCOM 2019.

Question
Morning, I want to ask if anyone here has installed and is using:
Kevin Holman's SCOM Management Properties and Tasks Pack for Agents and Server Roles v7.0.0.66 Management Pack from Kevin Holman.
I have installed it in our new SCOM 2019 (on Windows Server 2016) environment to assist me with identifying TLS settings and getting TLS 1.2 implemented across our environment on the servers. However, after install, the only servers it displays TLS info on are the SCOM Management servers. On my agent monitored servers, even the bottom 3-4 lines of the TLS info it is looking for are missing.
I am monitoring Windows Server 2012R2 and Windows Server 2016.
Any assistance or reference is greatly appreciated.
TS.
Friday, January 31, 2020 1:27 PM
All replies
That's simply because there are no "TLS" properties defined for the SCOM Agent Management Class, they only exist for the SCOM Server Management Class.
Said otherwise, nothing exists in that MP to discover TLS state on monitored agents.
- Edited by CyrAz Friday, January 31, 2020 1:37 PM
- Proposed as answer by Leon Laude Friday, January 31, 2020 1:52 PM
Friday, January 31, 2020 1:37 PM -
Morning,
I am confused then. From his blog page:
https://kevinholman.com/2018/05/06/implementing-tls-1-2-enforcement-with-scom/
"I had added some new discoveries on both management servers and SCOM agents – to help with TLS understanding and preparation:".
Have I misread that this is supposed to provide the same details for agents?
Thanks!
TS.
Friday, January 31, 2020 1:44 PM -
Hi Tony,
Looking at the Management Pack XML file, it has not been added to the SCOM Agent Management Class, but only the SCOM Server Management Class.
Maybe Kevin forgot it ;-) You can give him the heads up on his blog post:
https://kevinholman.com/2018/05/06/implementing-tls-1-2-enforcement-with-scom/
Best regards,
Leon
Blog: https://thesystemcenterblog.com
- Marked as answer by Tony Strother Friday, January 31, 2020 1:50 PM
Friday, January 31, 2020 1:49 PM -
Morning,
Thank you again Leon. I will most certainly do that!
TS.
Friday, January 31, 2020 1:50 PM -
Actually I don't believe he forgot anything, you just need to read a few lines further:
Additionally, for agents – there is a new property – CertLoaded, for the same reason above. This will be necessary to know if ANY agents are directly using a certificate to communicate with a Gateway or Management server. If they are – you must ensure that they support TLS 1.2, and that they have been configured to enable TLS 1.2 protocol, or they will immediately stop communicating with SCOM. You could easily make a dynamic group of all agents running Windows Server 2003, 2008, or 2008R2 for instance, as all of these will require manual intervention if they depend on a certificate.
To me it means that the only property he added for agents is CertLoaded.
- Edited by CyrAz Friday, February 14, 2020 9:49 AM
- Marked as answer by Tony Strother Monday, February 17, 2020 6:38 PM
Friday, January 31, 2020 2:00 PM -
That's a bingo.
Kevin Holman https://kevinholman.com/
Friday, February 14, 2020 9:33 AM -
Afternoon, Thank you all for your time and assistance! You are indeed correct, as usual! Where would we be without all of you!!! :-)
Thank you,
TS
Monday, February 17, 2020 6:40 PM
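
Added example, not part of the thread and not code from the management pack: because the MP defines no TLS properties for agents, the TLS 1.2 state on agent-monitored servers can be read directly from the standard SCHANNEL and .NET Framework registry values. The function name `Get-Tls12State` and the `$servers` variable are hypothetical.

```powershell
# Added example: report the registry values that govern TLS 1.2 on a Windows server.
# State meanings: OK = set as TLS 1.2 enforcement expects, Mismatch = set otherwise,
# NotSet = value absent, so the OS/.NET default applies.
function Get-Tls12State {
    $proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $net   = 'Microsoft\.NETFramework\v4.0.30319'
    # WantZero = $true means the expected data is 0; otherwise any non-zero value is expected.
    $checks = @(
        @{ Path = "$proto\Client"; Name = 'Enabled';           WantZero = $false }
        @{ Path = "$proto\Client"; Name = 'DisabledByDefault'; WantZero = $true  }
        @{ Path = "$proto\Server"; Name = 'Enabled';           WantZero = $false }
        @{ Path = "$proto\Server"; Name = 'DisabledByDefault'; WantZero = $true  }
        @{ Path = "HKLM:\SOFTWARE\$net";             Name = 'SchUseStrongCrypto'; WantZero = $false }
        @{ Path = "HKLM:\SOFTWARE\WOW6432Node\$net"; Name = 'SchUseStrongCrypto'; WantZero = $false }
    )
    foreach ($c in $checks) {
        # A missing key or value is not an error here; it is reported as NotSet.
        $prop = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $data = if ($prop) { $prop.($c.Name) } else { $null }
        $state = if ($null -eq $data) { 'NotSet' }
                 elseif (($data -eq 0) -eq $c.WantZero) { 'OK' }
                 else { 'Mismatch' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $c.Path
            Name     = $c.Name
            Data     = $data
            State    = $state
        }
    }
}

# Local run:
Get-Tls12State | Format-Table Computer, Name, Data, State, Path -AutoSize

# Remote run against agent-monitored servers ($servers is a list you supply):
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-Tls12State} |
#     Where-Object State -ne 'OK' | Format-Table PSComputerName, Name, Data, State
```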