Installing SCOM 2012 agent on a workgroup or DMZ machine using Certificate

How to Install SCOM Agent on an Un-trusted machine

In order for SCOM to communicate with an un-trusted machine like in a WorkGroup / DMZ / different forest, you will have to import a certificate so that SCOM will trust the foreign machine and will be able to communicate with it. The most common example is a SCOM Gateway.
This topic is a bit complicated but if you use a guide like this you should be OK.

I added the files that you will need as well so you dont have to copy-paste it. Additional files: REQconfig.inf certreq

First thing you will need is an inf file that contains the request.

  • Create a REQconfig.inf file in this format:


Subject=”CN=<servername>,OU=<Organizational unit>,O=<organization>,L=<state>,S=<city>,C=<country>”










  • On the SCOM Server, Use certreq utility to create a request for certificate from your organization CA.
    Run certreq (available on your SCOM installation library) utility to accomplish this: certreq -new -f REQconfig.inf binreq.req
  • Send the .req file to your CA admin in order to create a .cer file.
  • Import the .cer file you receive from your organization CA admin into MS SCOM server to create a pfx file using mmc snap-in:
    1. Open mmc (run>mmc>enter)
    2. Click file > Add/remove snap-in > certificates > add > computer account > local computer.
    3. right click container > All tasks > import > Next > browse >  select the .cer file from your CA admin > Place the certificate in personal store.

  • Create a .pfx file:
  • In Certificates > right click the certificate you need to export > all tasks >export…

  • Click next
  • Select yes
  • Mark the two check boxes as seen below

  • Enter a simple password

export to pfx5

  • Save the .pfx file
  • Finish

  • Import the .pfx you created in to the Workgroup machine using mmc snap-in:
  • personal container > all tasks > import

  • click NEXT > Click browse > Select pfx

  • Select the the pfx file
  • Click open


  • Click next

  • Enter a simple password
  • Select ‘mark this key as exportable’.


  •  Click Next
  • select place all certificates…

  • Click finish
  • Certificate was imported to Workgroup machine

  • Install SCOM 2012 agent on the WorkGroup machine.

The SCOM healthservice must be started to proceed to the next step. You might get this error if the SCOM agent is not installed:


Please restart the healthservice to complete this process.

Error description: The specified service does not exist as an installed service.

Error code:80070424


  • Copy MOMCertImport.exe from <Drive>:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server to the workgroup machine.
  • Open CMD with admin rights and run MOMCertImport.exe:
  • Select the certificate you just imported and click OK.

The end!

I hope this has been helpful.


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.