SCOM 2012 Web Console Configuration “NO LONGER Required!”

 

I have worked with a few customers that are annoyed with the user configuration required to use the new Silverlight SCOM web console.  The web console is often used for one-off application owners or IT staff that are not regularly using SCOM.  It was is a great way to give these users quick access to view the SCOM console so they can get more information about an alert they have received.

SCOM 2012 has extra steps that an end user has to take to get the web console to work.  Users see the “Web Console Configuration Required” screen and are often confused as to what do to. 

To fix this we can automate the configuration process.  This will remove the configuration screens and the end user can access the SCOM web console easily.

 

Here are my sample GPOs with instructions on how to install them. 
Download: http://www.scom2k7.com/downloads/SCOM_Web_Console.zip

 

The instructions below will walk you through creating your own GPOs to automate the process.

Here are the high level steps.

  1. Automate Install of Microsoft Silverlight
  2. Export Client Certificate
  3. Export Registry Key(s)
  4. Automate Install of Client Certificate
  5. Automate Install of Registry Key(s)
  6. Verify it works on Windows XP, Vista, 7, and 8

1.  Automate Install of Microsoft Silverlight

The first page users are presented with is to install Microsoft Silverlight
 image

 

There are multiple ways to automate this install.  I recommend creating a SCCM package or login script to push the install out to the clients that need it. 

To do an unattended installed, the command(s) you need.

Silverlight_x64.exe /q  or Silverlight.exe /q

Download Silverlight -  http://go.microsoft.com/fwlink/?LinkID=149156&v=5.0.61118.0

My next challenge is the Web Console Configuration Required screen.  This is the screen that throws off end users as they think the web console is not working and something need to be configured on the backend.

image

 

2.  Export Client Certificate

First I  click configure and download the SilverlightClientConfiguration.exe.

I run the tool once.
image

The tool does two things.  Creates a certificate and creates a registry key.

Now I need to export the client certificate.

I run MMC
image

Click Add/Remove Snap-in
image

Add the Certificates
image

I select Computer account, Local computer, Finish, OK
image

Then I expand down to Trusted Publishers, Certificates
image

I right click on the Microsoft Code Signing PCA certificate and export it.

I save it as a DER encoded binary 
image

I pick a location to save the file and Finish.
image

3.  Export Registry Key(s)

I open the registry editor

image

I go to “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight” and export the Key
image

I open the file in notepad and remove everything but

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight]
"AllowElevatedTrustAppsInBrowser"=dword:00000001

image

I also create the same key but for 32-bit systems by removing the Wow6432Node

image

You can download my copy here. Link

If you know how to add the cert and registry key into AD you can stop reading here.  I will go though the process for anyone who doesn’t know how.

4.  Automate Install of Client Certificate

To automate the install of the client certificate and registry keys I will use Active Directory Group Policy Objects. 

I log into my domain controller and launch the Group Policy Management Console
image

I right click on my domain and create a OU called SCOM Web Console. (If you already have a OU that contains the computers want to deploy to you can skip this step)
image

 

I right click on the OU I created and choose Create a GPO in this domain, and link it here..
image

I call the GPO SCOM Web Console Components x64.  I will need two GPOs.  One for 32-bit machines and one for 64-bit machines.
image

I then right click on the GPO and edit it.
image

In the navigation pane, I open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers

I right click and Import
image

I click next and browse to the certificate I exported earlier
image

I leave the default Trusted Publishers
image

I click next, and Finish

I use repeat the process to create a GPO for 32-bit systems
image

Now I have two GPOs with the same certs and configuration
image

5.  Automate Install of Registry Key(s)

I go back to the same policies I created earlier and edit them.

I start with the 64-Bit policy and go to Computer Configuration\Preferences\Windows Settings\Registry
image64-

I create a New, Registry Item.
image

In the Key Path for the 64-bit GPO I add

SOFTWARE\Wow6432Node\Microsoft\Silverlight

For the Value name I type

AllowElevatedTrustAppsInBrowser

I change the Value type to Reg_DWORD

Then I change the Base to Decimal and for Value data I type in 1
image

I click ok.

I repeat the process for the 32-bit one but I add this registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Silverlight

image

Now I need to create some WMI filters to filter if it’s a 32-bit or 64-bit system.  (Wow this more work then I thought!)

I go back into my Group Policy Management console.

Under WMI Filters I right click and select New..
image

I call the first one 64-Bit Systems.  For the Description I use the same.

I click add.  Then I Add this query.

Select * from Win32_Processor where AddressWidth = ’64’

image

I click OK and it looks like this.
image

I click Save and I repeat the process for the 32-Bit Filter.

But I use this query

Select * from Win32_Processor where AddressWidth = ’32’

image

I have two WMI filters
image

I next attach the filters to the GPOs I created earlier.

I go back to the SCOM Web Console Components x64 GPO and click on it
image

At the bottom of the screen I go to WMI Filtering
image

I select 64-Bit Systems and click Yes
image

I repeat the process to attach the 32-Bit filter to the 32-Bit GPO

I now have the filters set and I am done.
image

Now I just add my clients to OU and they will get the new policy.
image

5.  Verify it works on Windows XP, Vista, 7, and 8

I log into one of my clients, open a command prompt and type gpupdate /force to force the group policy down.
image

I type in the address of the SCOM 2012 web console and it works without any prompts!
image

 

I have tested this on Win8, Win7 SP1 (64-Bit), Win7 SP1(32-Bit), Vista SP2(32-Bit), and XP SP3 (32-bit)

*Note with Windows XP SP3 I had to install the Group Policy Preference Client Side Extensions for Windows XP – http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=3628.  In SP3 these are supposed to be already installed but I couldn’t get the registry group policies to work without reinstalling the GPO extensions.

10 Responses to SCOM 2012 Web Console Configuration “NO LONGER Required!”

  1. Kitaab September 27, 2012 at 3:43 am #

    This is good information, i have been struggling with this issue for a month now

  2. LP November 2, 2012 at 4:39 pm #

    This is really good; thanks for sharing the info!

  3. SuperMan (no really) November 27, 2012 at 8:12 pm #

    A bit more information from TechNet on the registry values: Enable Trusted Applications to Run Inside the Browser http://msdn.microsoft.com/en-us/library/gg192793(VS.95).aspx

    Specifically: Ensure that you do not set conflicting registry keys. For more information, see the AllowInstallOfElevatedTrustApps and AllowLaunchOfElevatedTrustApps registry keys in Group Policy Settings. Specifically, you can disallow the installation of trusted applications without affecting their in-browser use. However, disallowing the launch of trusted applications will cause them to run in partial trust, even inside the browser.

  4. Jay November 29, 2012 at 9:43 am #

    Thank you! You turned what I thought was going to be another packaging job (which I hate) into a simple GPO deployment (which I “not hate” ) 🙂 You’re a Boss…

  5. -Jess December 19, 2012 at 5:58 pm #

    Used this today and it worked out great!

  6. Curtiss June 4, 2013 at 12:47 pm #

    just curious why you chose to have two separate GPOs with WMI filters instead of a single GPO using item-level targeting on each registry preference. item-level targeting would let you check to see if the SOFTWARE\Wow6432Node exists in the registry, or you could still do the same wmi query.

  7. Curtiss June 4, 2013 at 1:26 pm #

    also I note that you posted this on 9/2012 and the certificate was set to expire 1/2013. do we need to manually keep importing updated versions of that certificate into the GPO?

  8. David November 20, 2013 at 6:17 pm #

    The Silverlight Web Console Configuration tool (SilverlightClientConfiguration.exe) primarily installs a registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Silverlight), sets the AllowElevatedTrustAppsInBrowser to 1, and loads a cert under Trusted Publishers/Certificates. Since we are deploying this tool to hundreds of workstations, there does not appear to be an Add/Remove option to remove the tool. Manually is possible, but is not the preferred method, please advise.

  9. carlsjr July 31, 2017 at 11:51 am #

    what a bunch of horshit hoops to jump through to get this to work.

Trackbacks/Pingbacks

  1. How to access to SCOM 2012 SP1 Web Console from Windows Server 2003 SP2 / Windows Xp / … | Christopher's System Center Blog - March 19, 2013

    […] Tim has a really good solution to automate that task by GPO, just use the certificate that I provided in step 6.http://www.scom2k7.com/scom-2012-web-console-configuration-no-longer-required/ […]

Leave a Reply