Manual SCOM Agent Installation Server Core – Different Forest, No Gateway

Maybe you face a situation where you must install a SCOM agent on a Windows server core e.g. Hyper-V host. Let’s assume the server core is in a different forest and in the target forest you don’t have a gateway server in place. This means you have to get a certificate for each machine/agent and install this by using the command shell…wh00h00…

I won’t talk about getting the certificates from the CA here is a excellent article about getting the certificate using a batch file or if you use you will find many hints.

I assume you have a copy of Windows 2008 R2 x64 server core and also got all certificates from your PKI. In the first place I would copy all certificates (*.pfx, Root CA / SubCa Cert) and momcertimport.exe to the c:\Program Files\System Center Operations Manager 2012\Server\AgentManagement\amd64 directory. This is the place where the x64 SCOM agent placed. Of course you could copy all the stuff to another directory but for simplicity I’ll abuse this directory Smiley

There are just a few commands you need to know.

The first step is to map your directory containing all your certs, momcertimport and the agent files from the SCOM directly (you will be ask for domain user1 password):

   1: net use z: "\\\c$\Program Files\System Center Operations Manager 2012\Server\AgentManagement\amd64" /user:domain\user1 <Enter>

Change to the mapped network drive z: by entering:

   1: z: <Enter>

After that you could call msiexec.exe to install the SCOM agent manually:


Now import the *.pfx agent certificate for that particular server by calling certutil (Note: you can not import a PFX file from a GUI based server by calling the certificates mmc and connecting to the server core server ):

   1: z:\certutil -importpfx

Next import the Root CA certificate and if you have a Subordinate CA import also the certificate from the Subordinate CA into the “Trusted Root Certification Authorities” local computer store:


   2: certutil -f -addstore "Trusted Root Certification Authorities" RootCA.cer <Enter>


   4: certutil -f -addstore "Trusted Root Certification Authorities" SubCA.cer <Enter>

Register/Import the server certificate using the momcertimport.exe utility:


   2: z:\momcertimport.exe <Enter>

As last step restart the SCOM Agent Service (HealthService):


   2: net stop healthservice <Enter>


   4: net start healthservice <Enter>

After you see your agent in SCOM remove the z: drive from your monitored server by running this command:


   2: z:\net use z: /delete <Enter>


Don’t forget to remove the certificates and momcertimport.exe from the agent \amd64 directory on the SCOM Server .

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.