System Center Operations Manager
Private Preview – 2019 Update Rollup 1
User’s Guide
Microsoft System Center
MICROSOFT CONFIDENTIAL | NDA MATERIAL FOR SYSTEM CENTER TECHNICAL EVALUATION PROGRAM ONLY | DO NOT DISTRIBUTE
* Disclaimer: This is not a plan of record. Confidential; may not be posted to public shares *
This document may contain certain security features, including encryption & watermarks.
Table of Contents
1. New features in SCOM 2019 UR1
2. Multi-language installer for SCOM components
3. One Click Patching Experience for Management Server
4. Distro-Agnostic Management Pack for Linux
5. Red Hat Enterprise Linux 8 Support
6. Performance and Reliability improvements in the Linux agent
7. Updates to Azure Management Pack
8. Updates to Storage Spaces Direct Management Pack
9. Support for Group Managed Service Accounts
Log-on as a service right
Generate Security Audits
Database Changes
System Center Data Access Service
System Center Configuration Service
Data Reader Account
Data Warehouse Write Account
Action Accounts
Create Run As Accounts
Discovery and Push Install of the agent
1. New features in SCOM 2019 UR1
System Center Operations Manager (SCOM) 2019 Update Rollup 1 private preview
supports new features/feature updates that are detailed in the following sections:
• Multi-language installer for SCOM components
• One Click Patching Experience for Management Server
• Distro-agnostic Management Pack for Linux
• Red Hat Enterprise Linux 8 Support
• Performance and Reliability improvements in the Linux agent
• Updates to Azure Management Pack
• Updates to Storage Spaces Direct Management Pack
• Support for Group Managed Service Accounts (gMSA)
2. Multi-language installer for SCOM components
The following components now have a single installer each for all supported languages
instead of language-specific installers. The installer selects the language automatically
from the system’s language settings.
• Console
• ACS
• Web Console
• Reporting
3. One Click Patching Experience for Management Server
SCOM 2019 Update Rollup 1 introduces a frictionless way of patching the SCOM
management server.
The improved user interface guides you through the installation steps, which patch the
management server, update the databases and update the management packs.
Steps to get started with UI Experience:
• Run the file KB4533415-AMD64-Server.exe which is present in the One_Click_UI
folder
• Accept the EULA and wait for the wizard to finish
• Click the ‘Setup Log’ link to open the log
• Click the relevant setup log for more information
• Click the ‘Help’ link to get a list of FAQs. This is not present in the preview but will
be present in the GA build of SCOM 2019 UR1.
You may also use KB4533415-AMD64-Server.msp for interface-less patching, for example
when deploying through SCCM. It also patches the server and updates the databases and
management packs.
Recommendation:
It is recommended to update the primary server first
FAQs:
Please read through this <KB Article> for more details.
• Will the one click patching experience patch the entire SCOM deployment,
including the agents?
Answer: No, it only updates the management server, the databases and the
management packs. All other components need to be patched in the existing
manner.
• What happens in case of a failure at any step?
Answer: The patch stops at the first point of failure. You are shown links to the
respective logs so that you can fix the issue and run the patch again.
If you are not using the UI for patching, the logs are at the following locations:
Setup Log: C:\Users\<UserName>\AppData\Local\SCOM\Logs
SQL Logs: <SCOM install directory>\Server\SQL Script for Update Rollups\SqlExceptions_{version}.log
MP Import Logs: <SCOM install directory>\Server\Management Packs for Update Rollups\ManualMPImport_{version}.log
• I, as an admin, do not have permissions on the databases. How will the patching
work then?
Answer: The patching does not use the admin account.
• Will all the management packs be imported?
Answer: Only the management packs that already exist in the customer’s environment
are updated, and only if an update is available for them.
• Will I be able to uninstall the management server patch?
Answer: Uninstallation of the management server patch is not supported.
• How do I know that the patch has been applied successfully?
Answer: Navigate to Administration>Operations Manager Products in the SCOM
console and check the ‘Version’ field. The ‘Update Installed’ and ‘KB Number’
fields also indicate whether a particular component has been updated to the latest
version.
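The following script is an added example and is not part of this guide or the UR1 installer. It applies the .msp without the wizard and then performs the same checks the wizard surfaces: it scans the three documented log locations for errors and confirms that every management server reports the UR1 build. Running the .msp through msiexec is an assumption about how an interface-less deployment such as SCCM invokes it; the expected build number is read from the KB article and passed in rather than hard-coded, and the SCOM setup registry key is used only to find the install directory.

```powershell
# Added example (not the guide's code): silent UR1 patch of a management server
# followed by the log and version checks the one-click wizard would make.
param(
    [Parameter(Mandatory)] [string]$PatchPath,        # path to KB4533415-AMD64-Server.msp
    [Parameter(Mandatory)] [string]$ExpectedVersion   # UR1 management server build from the KB article
)
$ErrorActionPreference = 'Stop'
Import-Module OperationsManager

# 1. Apply the patch silently (assumed invocation for SCCM-style deployment).
#    Exit code 3010 is success with a pending reboot.
$msiLog = Join-Path $env:TEMP 'KB4533415-msiexec.log'
$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
    '/update', "`"$PatchPath`"", '/quiet', '/norestart', '/l*v', "`"$msiLog`"")
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec exited with $($proc.ExitCode); see $msiLog"
}

# 2. The patch stops at the first failing step and leaves a log for it. Scan the
#    documented locations so a failed SQL script or MP import is not mistaken
#    for a clean run (review hits: "error" can appear in benign lines too).
$setupKey   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup'
$installDir = (Get-ItemProperty $setupKey).InstallDirectory
$logGlobs = @(
    (Join-Path $env:LOCALAPPDATA 'SCOM\Logs\*.log'),
    (Join-Path $installDir 'Server\SQL Script for Update Rollups\SqlExceptions_*.log'),
    (Join-Path $installDir 'Server\Management Packs for Update Rollups\ManualMPImport_*.log')
)
$problems = foreach ($glob in $logGlobs) {
    Get-ChildItem -Path $glob -ErrorAction SilentlyContinue |
        Select-String -Pattern 'error|exception|failed'
}
if ($problems) {
    $problems | ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
    throw 'Patch logs contain errors; fix them and run the patch again'
}

# 3. Same check as Administration > Operations Manager Products in the console:
#    every management server should now report the UR1 build.
$stale = Get-SCOMManagementServer | Where-Object { $_.Version -ne $ExpectedVersion }
if ($stale) {
    $stale | Select-Object Name, Version
    throw 'Some management servers are not on the expected version yet'
}
"All management servers report version $ExpectedVersion"
```

Run it on the primary management server first, as the recommendation above says, and only then on the others; a non-zero exit from msiexec or any hit in the logs leaves the deployment in the "fix and re-run" state the FAQ describes.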
4. Distro-Agnostic Management Pack for Linux
As of today, SCOM offers a management pack for each supported Linux distribution. This
has led to several distro- and version-specific management packs that need regular
servicing, and every newly supported Linux distribution required a new management
pack. The journey to streamline these management packs and their maintenance starts
with SCOM 2019 Update Rollup 1.
The existing universal management packs are enhanced in SCOM 2019 UR1. Any new
Linux platform support will be delivered through these management packs according to
the distribution’s package format, rpm or deb. These management packs are also version
and distribution agnostic, which means that for all future Linux platform support the
same management pack is updated instead of releasing a new management pack per
Linux distribution.
FAQ:
• What Linux platforms will these management packs support?
Answer: These management packs will support discovering and monitoring
RHEL-8 and SLES-15. Any new platforms will also be supported via these
management packs in future.
These management packs will not discover and monitor RHEL-7 and SLES-12.
They will continue to be supported using the existing, respective management
packs for them.
Steps to discover and monitor platforms other than RHEL 7 and SLES 12:
1. Install 2019 UR1 Server and Console Patch.
2. Import following MPs from Microsoft System Center 2019 MP for Unix and Linux
Preview.msi:
i. Microsoft.Unix.Library.mp
ii. Microsoft.Linux.Library.mp
iii. Microsoft.Linux.Universal.Library.mp
iv. Microsoft.Linux.Universal.Monitoring.mp
v. Microsoft.Linux.UniversalR.1.mpb (Discover/Monitor RPM distros)
vi. Microsoft.Linux.UniversalD.1.mpb (Discover/Monitor Debian distros)
3. Run Discovery from the Discovery Wizard in Console.
5. Red Hat Enterprise Linux 8 Support
Red Hat Enterprise Linux 8 is supported from SCOM 2019 UR1 onwards and is part of
this preview.
Use the universal management pack as outlined in the previous section to discover and
monitor RHEL-8.
To create new workflows or override existing workflows in the universal MP for RHEL-8,
create groups with dynamic members as follows.
Steps to Create Groups with Dynamic Members:
i. Go to Authoring Pane, right click on “Groups” and select “Create a new Group” to
open “Create Group Wizard”.
ii. Enter General Properties of Group and then click Next
iii. Do not add Explicit Members to this group, because objects discovered in future
must also be added. Move to Dynamic Members by clicking Next and then click the
“Create/Edit rules...” button.
iv. In the “Create Group Wizard – Query Builder” pop-up select “Universal Linux
Computer” and click “Add”. In Property select “Universal Linux Computer Platform”
to define the Linux distro to add to the group. Here the group is meant to contain all
Red Hat Linux distributions (RHEL-8, RHEL-6 etc.), so the value is “Red Hat
Distribution”. Alternatively, to add SUSE Linux Enterprise Server distributions (SLES11,
SLES15 etc.), use the value “SUSE Distribution”.
v. If specific version of a distro needs to be added to this group, then click on
“Insert” and select “AND”
vi. In the Property select “Universal Linux Computer Platform Version” to define the
Linux distro version to add to the group.
vii. Click on “Next” and then click on “Create” to create the group
viii. Discover the distro, then check the group members by selecting the group and
clicking “View Group Members...” in the right pane.
ix. Select the workflow that needs to be overridden, right-click it, select
“Overrides” -> “Override the Rule” -> “For a Group”, then select the group and
click “OK”.
x. Override the required property and click on “Apply” and then “OK”
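The following script is an added example and is not part of this guide or the management pack. It covers both procedures above: it imports the six universal Linux MPs in the order the previous section lists them and confirms they are present, and then, after the Discovery Wizard has run, checks that every discovered Universal Linux Computer whose platform is “Red Hat Distribution” is actually a member of the dynamic group, so that an override scoped to the group reaches all RHEL hosts. Assumptions: the MP files were extracted to the folder in $MpFolder; the group name is a placeholder; the class name Microsoft.Linux.Universal.Computer is assumed from the library MP name; the platform property is located by its display name rather than by an internal property id.

```powershell
# Added example (not the guide's code): import the universal Linux MPs, then
# verify dynamic-group coverage of discovered RHEL hosts.
param(
    [string]$MpFolder  = 'C:\SCOM\UnixLinuxMP',             # assumption: extracted MP files
    [string]$GroupName = 'Red Hat Universal Linux Servers',  # assumption: group from the wizard
    [string]$Platform  = 'Red Hat Distribution'              # value used in the group's rule
)
$ErrorActionPreference = 'Stop'
Import-Module OperationsManager

# 1. Import in dependency order: libraries first, then the rpm/deb bundles.
$ordered = @(
    'Microsoft.Unix.Library.mp',
    'Microsoft.Linux.Library.mp',
    'Microsoft.Linux.Universal.Library.mp',
    'Microsoft.Linux.Universal.Monitoring.mp',
    'Microsoft.Linux.UniversalR.1.mpb',   # RPM-based distributions (RHEL 8)
    'Microsoft.Linux.UniversalD.1.mpb'    # Debian-based distributions
)
foreach ($file in $ordered) {
    $path = Join-Path $MpFolder $file
    if (-not (Test-Path $path)) { throw "Missing management pack file: $path" }
    Import-SCOMManagementPack -FullName $path
}
Get-SCOMManagementPack | Where-Object Name -like 'Microsoft.Linux.Universal*' |
    Select-Object Name, Version, Sealed

# 2. After discovery: which RHEL hosts are NOT in the group?
$class = Get-SCOMClass -Name 'Microsoft.Linux.Universal.Computer'   # assumed class name
$group = Get-SCOMGroup -DisplayName $GroupName
if (-not $class -or -not $group) { throw 'Universal Linux class or group not found' }

function Get-PlatformValue($instance) {
    # Property display names look like "Universal Linux Computer Platform";
    # the trailing wildcard match excludes "... Platform Version".
    ($instance.Values | Where-Object { $_.Type.DisplayName -like '*Platform' }).Value
}

$memberIds = @(Get-SCOMClassInstance -Group $group | ForEach-Object { $_.Id })
$missing = Get-SCOMClassInstance -Class $class |
    Where-Object { (Get-PlatformValue $_) -eq $Platform -and $memberIds -notcontains $_.Id } |
    Select-Object DisplayName, @{ n = 'Platform'; e = { Get-PlatformValue $_ } }

if ($missing) {
    $missing
    Write-Warning "$(@($missing).Count) '$Platform' host(s) discovered but not in '$GroupName'; check the group's dynamic rule"
} else {
    "All '$Platform' hosts are members of '$GroupName'"
}
```

Group membership is recalculated by the management group, so a host discovered seconds ago may briefly appear in the “missing” list; re-run after the membership rule has been evaluated before concluding the rule is wrong.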
6. Performance and Reliability improvements in the Linux agent
To improve reliability, a separate process now sends the heartbeat. Previously the
performance-collection and heartbeat threads ran in the same process context, so any
delay in performance data collection affected the reported availability of the system.
With this change you will see one extra ‘omiagent’ process running under the ‘omi’ user
during heartbeat collection.
To improve performance, an X-Plat Filter variable is introduced as an override. You
may override discovery/monitor behaviour of the X-Plat MP by supplying SQL queries in
the Filter parameter, which restricts monitoring to the entities of interest.
Apart from this, the SCX logging level has been reduced from Info to Warning to avoid
filling up disk space quickly.
7. Updates to Azure Management Pack
The Azure Management Pack’s Community Tech Preview was made available in October
2019 and will be refreshed shortly to include newer capabilities:
Oct 2019 CTP: https://www.microsoft.com/en-us/download/details.aspx?id=58013
8. Updates to Storage Spaces Direct Management Pack
Please hit this link to try out the Community Tech Preview of the latest in the S2D
Management Pack:
https://www.microsoft.com/en-us/download/details.aspx?id=100782
9. Support for Group Managed Service Accounts
Support for Group Managed Service Accounts (gMSA) is being added in SCOM 2019
UR1 and the same is available as a part of this preview.
As of today Operations Manager makes use of the following accounts:
▪ Action Accounts
o Default Action Account-Management Server Action Account
o Agent Action Account
o GW Server Action Account
o Run As Accounts
▪ System Center Configuration Service and System Center Data Access Service (needs
to be a part of local admin group)
▪ Data Reader Account (for SSRS)
▪ Data Warehouse Write Account (for DW)
▪ Agent Installation Account
o Management Server Action Account (MSAA) by default; needs admin rights on the
target machines
The following steps outline the changes a SCOM admin must make to use gMSA. The
scope of this document is the use of gMSA in SCOM, not the creation of the gMSA
accounts. Refer to Microsoft’s documentation on group Managed Service Accounts for
more about gMSA and their creation.
Verify if managed service accounts can be used on the machine:
Run the following PowerShell command (ActiveDirectory module) for each gMSA. If it
returns ‘True’, the gMSA is ready to be used on the machine.
Test-ADServiceAccount <gMSA_name>
Log-on as a service right
The gMSA must be granted the Log on as a service right.
Navigate to Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
Grant Log on as a service to the gMSA as shown below:
Generate Security Audits
Navigate to Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Generate security audits
Grant the Generate security audits right to the gMSA accounts:
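The following script is an added example and is not part of this guide. It runs the pre-flight checks a management server needs before any service is switched to a gMSA: for each account it verifies that the host can retrieve the managed password (the Test-ADServiceAccount check above), that the two user rights just described were actually granted, and whether the account is already a local Administrator, which the Data Access and Configuration services require. The domain name and the gMSA names are placeholders taken from this guide’s screenshots; the user-rights check parses a secedit export of the local policy, so it must run elevated.

```powershell
# Added example (not the guide's code): gMSA readiness report for one server.
param(
    [string]$Domain = 'CONTOSO',                                            # assumption
    [string[]]$Gmsa = @('momActGMSA', 'momDASGMSA', 'momDWGMSA', 'momRepGMSA')  # names from the guide
)
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

# Export the effective local security policy. User rights appear under
# [Privilege Rights] as e.g. "SeServiceLogonRight = *S-1-5-...,DOMAIN\name$".
$inf = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf

function Get-RightHolders([string]$Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$serviceLogon = Get-RightHolders 'SeServiceLogonRight'   # "Log on as a service"
$auditRight   = Get-RightHolders 'SeAuditPrivilege'      # "Generate security audits"
$adminSids    = (Get-LocalGroupMember -Group 'Administrators').SID.Value

foreach ($name in $Gmsa) {
    $account = "$Domain\$name`$"   # a gMSA's sAMAccountName ends in $
    $sid = ([Security.Principal.NTAccount]$account).Translate(
               [Security.Principal.SecurityIdentifier]).Value
    # If PasswordRetrievable is False, run Install-ADServiceAccount -Identity $name
    # on this host (and make sure the host may retrieve the password in AD).
    [pscustomobject]@{
        Account             = $account
        PasswordRetrievable = Test-ADServiceAccount -Identity $name
        LogonAsService      = ($serviceLogon -contains $sid) -or ($serviceLogon -contains $account)
        GenerateAudits      = ($auditRight   -contains $sid) -or ($auditRight   -contains $account)
        LocalAdmin          = $adminSids -contains $sid
    }
}
```

Every row should read True for PasswordRetrievable, LogonAsService and GenerateAudits before the services are reconfigured; LocalAdmin only needs to be True for the account used by the Data Access and Configuration services. A right granted through Group Policy shows up in the secedit export just like a locally granted one, so the report reflects the effective setting.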
Database Changes
Create the following database users and assign them the roles listed. These match the
roles normally granted to the corresponding non-gMSA accounts.
The steps are the same for every database below. In SQL Server Management Studio,
navigate to Databases>[database]>Security>Users (for master and msdb, navigate to
Databases>System Databases>[database]>Security>Users), then:
Create a new user
Select the user type as Windows User
Select ‘Entire Directory’ in the locations and ‘Service Accounts’ in the object type
Check Names for the gMSA named under the account below (it resolves to the account
name with a trailing $)
Assign the roles listed for that database
Action Account
gMSA: momActGMSA
System Databases: msdb
SQLAgentOperatorRole
SQLAgentReaderRole
SQLAgentUserRole
Operations Manager DB:
db_datareader
db_datawriter
db_ddladmin
dbmodule_users
Data Access Service Account
gMSA: momDASGMSA
System Databases: msdb
SQLAgentOperatorRole
SQLAgentReaderRole
SQLAgentUserRole
Operations Manager DB:
configsvc_users
db_accessadmin
db_datareader
db_datawriter
db_ddladmin
db_securityadmin
dbmodule_users
sdk_users
sql_dependency_subscriber
OperationsManager DW:
apm_datareader
db_datareader
OpsMgrReader
Data Writer Account (Data Warehouse Write Account)
gMSA: momDWGMSA
Operations Manager DB:
apm_datareader
apm_datawriter
db_datareader
dwsynch_users
OperationsManager DW:
apm_datareader
db_datareader
db_owner
OpsMgrWriter
Data Reader Account
gMSA: momRepGMSA
System Databases: master
RSExecRole
System Databases: msdb
RSExecRole
SQLAgentOperatorRole
SQLAgentReaderRole
SQLAgentUserRole
OperationsManager DW:
apm_datareader
db_datareader
OpsMgrReader
Report Server Database (ReportServer):
db_owner
RSExecRole
Report Server Temp Database (ReportServerTempDB):
db_owner
RSExecRole
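The following script is an added example and is not part of this guide. It grants the same database roles tabulated above to each gMSA with T-SQL instead of clicking through SQL Server Management Studio, and it is idempotent, so it can be re-run after adding a database or a role. Assumptions: the SqlServer PowerShell module is installed; one instance ($SqlInstance) hosts all of the databases (split the table if the data warehouse or ReportServer lives on another instance); the databases use their default names; the domain and gMSA names are placeholders from this guide. A gMSA login is created with the sAMAccountName including its trailing “$”, which is what SSMS fills in when Check Names resolves the service account.

```powershell
# Added example (not the guide's code): role grants for the SCOM gMSAs via T-SQL.
param(
    [string]$SqlInstance = 'SQL01',     # assumption
    [string]$Domain      = 'CONTOSO'    # assumption
)
$ErrorActionPreference = 'Stop'
Import-Module SqlServer

# account -> database -> roles, exactly as listed in the guide
$grants = @{
    'momActGMSA' = @{
        'msdb'              = @('SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManager' = @('db_datareader', 'db_datawriter', 'db_ddladmin', 'dbmodule_users')
    }
    'momDASGMSA' = @{
        'msdb'                = @('SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManager'   = @('configsvc_users', 'db_accessadmin', 'db_datareader', 'db_datawriter',
                                  'db_ddladmin', 'db_securityadmin', 'dbmodule_users', 'sdk_users',
                                  'sql_dependency_subscriber')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'OpsMgrReader')
    }
    'momDWGMSA' = @{
        'OperationsManager'   = @('apm_datareader', 'apm_datawriter', 'db_datareader', 'dwsynch_users')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'db_owner', 'OpsMgrWriter')
    }
    'momRepGMSA' = @{
        'master'              = @('RSExecRole')
        'msdb'                = @('RSExecRole', 'SQLAgentOperatorRole', 'SQLAgentReaderRole', 'SQLAgentUserRole')
        'OperationsManagerDW' = @('apm_datareader', 'db_datareader', 'OpsMgrReader')
        'ReportServer'        = @('db_owner', 'RSExecRole')
        'ReportServerTempDB'  = @('db_owner', 'RSExecRole')
    }
}

foreach ($name in $grants.Keys) {
    $login = "$Domain\$name`$"   # gMSA login name must carry the trailing $
    # Server-level Windows login, created once per account.
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database 'master' -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    foreach ($db in $grants[$name].Keys) {
        # Database user mapped to the login, then one ALTER ROLE per listed role.
        $roleSql = ($grants[$name][$db] | ForEach-Object { "ALTER ROLE [$_] ADD MEMBER [$login];" }) -join "`n"
        Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$login')
    CREATE USER [$login] FOR LOGIN [$login];
$roleSql
"@
        "$login -> $db : $($grants[$name][$db] -join ', ')"
    }
}
```

Run it as a SQL sysadmin (the same privilege SSMS would need for these steps). Keeping the account-to-role table in one place also makes it easy to review how much each gMSA can do: the Data Writer and Data Reader accounts receive db_owner on the data warehouse and the ReportServer databases respectively, exactly as the guide lists, so those accounts deserve the same protection as the SQL logins they replace.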
System Center Data Access Service
The Log On credentials for this service need to be changed from services.msc.
Before changing the credentials, the gMSA must have the Log on as a service right and
the Generate security audits right, as described in the sections above, and must be added
to the local Administrators group on the machine on which the management server is
installed, as shown below.
Existing data access service account:
Change the account to a gMSA from services.msc
System Center Configuration Service
The Log On credentials for this service also need to be changed from services.msc.
Validate that both services are running with the gMSA.
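The following script is an added example and is not part of this guide. It performs the two service changes above from PowerShell instead of services.msc and then verifies them: it adds the gMSA to the local Administrators group, binds the System Center Data Access Service (service name OMSDK) and the System Center Management Configuration service (service name cshost) to the gMSA, and restarts them. A service is bound to a gMSA by setting an empty password; Windows fetches the real password from Active Directory. The gMSA name is a placeholder from this guide, and both services are given the same account here.

```powershell
# Added example (not the guide's code): switch the two management-server
# services to a gMSA and verify the result.
param([string]$Gmsa = 'CONTOSO\momDASGMSA$')   # assumption: name from the guide, trailing $
$ErrorActionPreference = 'Stop'

# Prerequisite the guide lists for these two services: local Administrators.
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Gmsa -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Gmsa
}

foreach ($svcName in 'OMSDK', 'cshost') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'"
    if (-not $svc) { throw "Service $svcName not found; is this a management server?" }
    # Win32_Service.Change: only StartName and StartPassword are supplied, all
    # other settings keep their current values. An empty password is what a gMSA
    # requires (the same as leaving the password blank in services.msc).
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change `
                  -Arguments @{ StartName = $Gmsa; StartPassword = '' }
    if ($result.ReturnValue -ne 0) {
        throw "Change() on $svcName returned $($result.ReturnValue)"
    }
    Restart-Service -Name $svcName -Force
}

# Verification the guide asks for: both services running under the gMSA.
Get-CimInstance -ClassName Win32_Service -Filter "Name='OMSDK' OR Name='cshost'" |
    Select-Object Name, StartName, State
```

If a service fails to start after the change, the usual cause is one of the prerequisites rather than the binding itself: a missing Log on as a service right (event log shows logon failure for the account) or a gMSA whose password this host is not allowed to retrieve (Test-ADServiceAccount returns False).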
Data Reader Account
The data reader account can be changed in two ways:
1. From services.msc
Remove the existing password; otherwise an error ‘Please enter a valid password’ is
shown.
Validate that SSRS is running with the gMSA.
2. From Reporting Services Configuration Manager
Select the Authentication Type as Service Credentials; the service account was already set
to the gMSA earlier in Reporting Services Configuration Manager.
For the SSRS Execution Account, continue using a non-gMSA account.
The gMSA appears to be accepted by the UI, but generating a report in SCOM then fails.
This is because Reporting Services performs an interactive logon with the execution
account rather than a service logon, and a gMSA can only be used for a service logon. This
is yet to be fixed in SQL Server Reporting Services.
Until then, a non-gMSA account must be used for the execution account.
Data Warehouse Write Account
SCOM stores the credentials for the Data Warehouse Write account within a Run As
Account called Data Warehouse Action Account.
Change the user name to the gMSA. As soon as the user name is edited, the password
field becomes blank.
Once the gMSA user name is entered followed by a '$', the password fields are auto-filled
and grayed out.
Validate that MonitoringHost.exe uses the gMSA credentials for the Data Warehouse Write Account.
Action Accounts
In the SCOM Console, navigate to Administration > Run As Configuration > Accounts.
Default Action Account
Change the credentials of the default action account to gMSA
Validate that MonitoringHost.exe runs as the gMSA.
Default Action Account Run As profile
Change the Default Action Account Run As profile to use the gMSA Run As accounts
configured as default action accounts.
Data Warehouse Report Deployment Account
Validate that MonitoringHost.exe runs as the gMSA for reporting.
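The three "validate that MonitoringHost.exe runs as the gMSA" checks above (Data Warehouse Write Account, Default Action Account, Data Warehouse Report Deployment Account) can be done in one pass from the Operations Manager shell. The script below is an added example, not code from the SCOM guide: it lists the Run As accounts that carry a user name and flags the ones stored with the '$' suffix, then asks each MonitoringHost.exe instance on the management server which account it runs as. It assumes the OperationsManager PowerShell module is installed on the management server (it ships with the console), that the session is elevated, and that Windows Run As account objects expose Domain and UserName properties.

```powershell
# Added example (not from the SCOM guide). Assumes the OperationsManager module and an
# elevated session on the management server being checked.
Import-Module OperationsManager
New-SCOMManagementGroupConnection -ComputerName $env:COMPUTERNAME

function Get-GmsaRunAsAccountReport {
    # Run As accounts that carry a user name (Windows, Simple, Basic, ...). A gMSA is
    # recognised by the trailing '$' the console requires in the user name field.
    Get-SCOMRunAsAccount |
        Where-Object { $_.PSObject.Properties['UserName'] } |
        ForEach-Object {
            $domain = if ($_.PSObject.Properties['Domain']) { $_.Domain } else { '' }
            [pscustomobject]@{
                Name    = $_.Name
                Account = if ($domain) { "$domain\$($_.UserName)" } else { [string]$_.UserName }
                IsGmsa  = ([string]$_.UserName) -like '*$'
            }
        }
}

function Get-MonitoringHostOwner {
    # Every MonitoringHost.exe reports the account it runs as. After the Data Warehouse
    # Action Account, Default Action Account and report deployment account are switched
    # to the gMSA, the instances hosting those workflows should show it here.
    Get-CimInstance -ClassName Win32_Process -Filter "Name='MonitoringHost.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                Account   = "$($owner.Domain)\$($owner.User)"
                IsGmsa    = ([string]$owner.User) -like '*$'
            }
        }
}

Get-GmsaRunAsAccountReport | Format-Table -AutoSize

$hosts = Get-MonitoringHostOwner
$hosts | Format-Table -AutoSize

# Flag instances still running under a password-based domain account. Instances running as
# NT AUTHORITY\SYSTEM belong to the Health Service's own workflows and are expected.
$hosts |
    Where-Object { -not $_.IsGmsa -and $_.Account -ne 'NT AUTHORITY\SYSTEM' } |
    ForEach-Object { Write-Warning "PID $($_.ProcessId) still runs as $($_.Account)" }
```

Run it once before and once after the Run As account changes: the first run establishes which accounts each MonitoringHost.exe currently uses, the second should show only the gMSA and SYSTEM.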
Microsoft Monitoring Agent
To change the agent action account in the MMA, change the credentials on the target
agent machine.
Create Run As Accounts
When creating a new Run As Account, enter the gMSA in the user name field followed by
a '$' sign. Leave the password blank and continue to create the Run As Account.
Discovery and Push Install of the agent
When a gMSA is provided during the discovery process, suffix '$' to the user name and
leave the password field blank. The agent should install without issues on the target
machines.