I wrote a script to install the SCOM agent on some DMZ servers. Those servers are not domain-joined, so I have to request certificates for them from a stand-alone CA. SCOM-01 is both the SCOM management server and the stand-alone CA.
32-bit: install32.bat
@ECHO OFF
REM SCOM INSTALLATION SCRIPT (32-bit agent)
REM Build the FQDN from the hostname and the primary DNS suffix.
REM REG QUERY prints "Domain REG_SZ <suffix>", so token 3 is the suffix (empty if none is set).
SET DOMAIN=
FOR /F "tokens=1-3" %%A IN ('REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain 2^>nul') DO (
SET DOMAIN=%%C
)
IF "%DOMAIN%"=="" (
SET FQDN=%COMPUTERNAME%
) ELSE (
SET FQDN=%COMPUTERNAME%.%DOMAIN%
)
ECHO %FQDN%
REM update the hosts file so the agent can resolve the management server without DNS
ECHO Adding SCOM-01 into hosts file
ECHO #For SCOM >> C:\Windows\System32\drivers\etc\hosts
ECHO 172.29.26.52 scom-01.test.com scom-01 >> C:\Windows\System32\drivers\etc\hosts
ECHO done!
ECHO **********************************
REM check the connection ("TTL=" only appears on a real reply, not on "Destination host unreachable")
ECHO Checking connection to scom-01, Please wait...
PING scom-01|find "TTL=" >NUL
IF %ERRORLEVEL% == 0 (
ECHO Successful!
ECHO **********************************
REM add the CA certificate of scom-01 to the machine's Trusted Root store
ECHO Adding scom-01 into trusted root CA
certutil.exe -addstore root scom-01-CA.cer
ECHO done!
ECHO **********************************
REM generate new CertRequest file
REM KeyUsage=0xf0 = DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
REM EKU 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
ECHO Generating CertRequest.inf file
ECHO [NewRequest] > CertRequest.inf
ECHO Subject="CN=%FQDN%" >> CertRequest.inf
ECHO Exportable=TRUE >> CertRequest.inf
ECHO KeyLength=2048 >> CertRequest.inf
ECHO KeySpec=1 >> CertRequest.inf
ECHO KeyUsage=0xf0 >> CertRequest.inf
ECHO MachineKeySet=TRUE >> CertRequest.inf
ECHO [EnhancedKeyUsageExtension] >> CertRequest.inf
ECHO OID=1.3.6.1.5.5.7.3.1 >> CertRequest.inf
ECHO OID=1.3.6.1.5.5.7.3.2 >> CertRequest.inf
ECHO done!
ECHO **********************************
REM generate .req file (the private key is created in the machine store at this point)
ECHO Generating %FQDN%.req file
Certreq.exe -New -f CertRequest.inf %FQDN%.req
ECHO done!
ECHO **********************************
ECHO Copying %FQDN%.req to \\scom-01\CertEnroll\targets
copy %FQDN%.req \\scom-01\CertEnroll\targets\
ECHO done!
ECHO **********************************
REM issue the cert on scom-01 (getcert.bat on the CA writes %FQDN%.req.cer next to the request)
ECHO Please login to SCOM-01 to issue the certificate now
ECHO MAKE SURE THE CERTIFICATE HAS BEEN ISSUED!!
PAUSE
ECHO Copying %FQDN%.req.cer to local
copy \\scom-01\CertEnroll\targets\%FQDN%.req.cer .
ECHO done!
ECHO **********************************
REM import cert to local (pairs the issued certificate with the pending request's private key)
ECHO Importing %FQDN%.req.cer
Certreq -Accept %FQDN%.req.cer
ECHO done!
ECHO **********************************
REM install scom agent
ECHO Installing SCOM Agent, please wait...
cd x86
msiexec /passive /i MOMAgent.msi USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=TEST MANAGEMENT_SERVER_DNS=scom-01.test.com SECURE_PORT=5723 ENABLE_ERROR_REPORTING=0 QUEUE_ERROR_REPORTS=0 ACTIONS_USE_COMPUTER_ACCOUNT=1
cd ..
ECHO done!
ECHO **********************************
REM install cert for SCOM
REM ECHO Importing %FQDN%.scom.pfx
REM MOMCERTIMPORT.EXE %FQDN%.scom.pfx /Password Welcome!
ECHO Choose the %FQDN% certificate in the pop up Window
MOMCERTIMPORT32.EXE
ECHO done!
ECHO **********************************
REM confirm the reg key
ECHO Confirm AuthenticationName is scom-01.test.com
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TEST\Parent Health Services" /v AuthenticationName
PAUSE
ECHO Confirm NetworkName is scom-01.test.com
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TEST\Parent Health Services" /v NetworkName
PAUSE
ECHO **********************************
REM restart the service so the agent picks up the certificate
ECHO Restarting SCOM agent service
NET stop HealthService
NET start HealthService
ECHO You have finished all steps!!
PAUSE
EXIT
) ELSE (
REM exit if failed
ECHO Failed, Please check the connection to scom-01.
PAUSE
EXIT
)
64-bit: install64.bat
@ECHO OFF
REM SCOM INSTALLATION SCRIPT (64-bit agent)
REM Build the FQDN from the hostname and the primary DNS suffix.
REM REG QUERY prints "Domain REG_SZ <suffix>", so token 3 is the suffix (empty if none is set).
SET DOMAIN=
FOR /F "tokens=1-3" %%A IN ('REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v Domain 2^>nul') DO (
SET DOMAIN=%%C
)
IF "%DOMAIN%"=="" (
SET FQDN=%COMPUTERNAME%
) ELSE (
SET FQDN=%COMPUTERNAME%.%DOMAIN%
)
ECHO %FQDN%
REM update the hosts file so the agent can resolve the management server without DNS
ECHO Adding SCOM-01 into hosts file
ECHO #For SCOM >> C:\Windows\System32\drivers\etc\hosts
ECHO 172.29.26.52 scom-01.test.com scom-01 >> C:\Windows\System32\drivers\etc\hosts
ECHO done!
ECHO **********************************
REM check the connection ("TTL=" only appears on a real reply, not on "Destination host unreachable")
ECHO Checking connection to scom-01, Please wait...
PING scom-01|find "TTL=" >NUL
IF %ERRORLEVEL% == 0 (
ECHO Successful!
ECHO **********************************
REM add the CA certificate of scom-01 to the machine's Trusted Root store
ECHO Adding scom-01 into trusted root CA
certutil -addstore root scom-01-ca.p7b
ECHO done!
ECHO **********************************
REM generate new CertRequest file
REM KeyUsage=0xf0 = DigitalSignature, NonRepudiation, KeyEncipherment, DataEncipherment
REM EKU 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication
ECHO Generating CertRequest.inf file
ECHO [NewRequest] > CertRequest.inf
ECHO Subject="CN=%FQDN%" >> CertRequest.inf
ECHO Exportable=TRUE >> CertRequest.inf
ECHO KeyLength=2048 >> CertRequest.inf
ECHO KeySpec=1 >> CertRequest.inf
ECHO KeyUsage=0xf0 >> CertRequest.inf
ECHO MachineKeySet=TRUE >> CertRequest.inf
ECHO [EnhancedKeyUsageExtension] >> CertRequest.inf
ECHO OID=1.3.6.1.5.5.7.3.1 >> CertRequest.inf
ECHO OID=1.3.6.1.5.5.7.3.2 >> CertRequest.inf
ECHO done!
ECHO **********************************
REM generate .req file (the private key is created in the machine store at this point)
ECHO Generating %FQDN%.req file
Certreq.exe -New -f CertRequest.inf %FQDN%.req
ECHO done!
ECHO **********************************
ECHO Copying %FQDN%.req to \\scom-01\CertEnroll\targets
copy %FQDN%.req \\scom-01\CertEnroll\targets\
ECHO done!
REM ECHO Submitting cert request to CA
REM certreq -submit -f -config scom-01\scom-01-CA %FQDN%.req
ECHO **********************************
REM issue the cert on scom-01 (getcert.bat on the CA writes %FQDN%.req.cer next to the request)
ECHO Please login to SCOM-01 to issue the certificate now
ECHO MAKE SURE THE CERTIFICATE HAS BEEN ISSUED!!
PAUSE
ECHO Copying %FQDN%.req.cer to local
copy \\scom-01\CertEnroll\targets\%FQDN%.req.cer .
ECHO done!
ECHO **********************************
REM import cert to local (pairs the issued certificate with the pending request's private key)
ECHO Importing %FQDN%.req.cer
Certreq -Accept %FQDN%.req.cer
ECHO done!
ECHO **********************************
REM export cert from local
REM ECHO Exporting %FQDN%.scom.pfx
REM Certutil.exe -p Welcome! -exportpfx %FQDN% %FQDN%.scom.pfx
REM ECHO done!
REM ECHO **********************************
REM install scom agent
ECHO Installing SCOM Agent, please wait...
cd AMD64
msiexec /passive /i MOMAgent.msi USE_MANUALLY_SPECIFIED_SETTINGS=1 MANAGEMENT_GROUP=TEST MANAGEMENT_SERVER_DNS=scom-01.test.com SECURE_PORT=5723 ENABLE_ERROR_REPORTING=0 QUEUE_ERROR_REPORTS=0 ACTIONS_USE_COMPUTER_ACCOUNT=1
cd ..
ECHO done!
ECHO **********************************
REM install cert for SCOM
REM ECHO Importing %FQDN%.scom.pfx, and please type Welcome!
REM MOMCERTIMPORT64.EXE %FQDN%.scom.pfx
ECHO Choose the %FQDN% certificate in the pop up Window
MOMCERTIMPORT64.EXE
ECHO done!
ECHO **********************************
REM confirm the reg key
ECHO Confirm AuthenticationName is scom-01.test.com
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TEST\Parent Health Services" /v AuthenticationName
PAUSE
ECHO Confirm NetworkName is scom-01.test.com
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\TEST\Parent Health Services" /v NetworkName
PAUSE
ECHO **********************************
REM restart the service so the agent picks up the certificate
ECHO Restarting SCOM agent service
NET stop HealthService
NET start HealthService
ECHO You have finished all steps!!
PAUSE
EXIT
) ELSE (
REM exit if failed
ECHO Failed, Please check the connection to scom-01.
PAUSE
EXIT
)
getcert.bat: this script runs on the CA to issue the certificate; all files are saved in \\scom-01\CertEnroll\targets
@ECHO OFF
REM getcert.bat <request file> <request ID>
REM %1 is the .req copied from the DMZ server; %2 is the RequestId printed by "certreq -submit"
ECHO Submitting request...
certreq -submit -f -config localhost\scom-01-CA %1
ECHO done!
ECHO Please issue the pending request in the CA console
PAUSE
REM writes <request file>.cer, which the install script copies back and accepts
ECHO Retrieving the certificate
certreq -retrieve -f -config localhost\scom-01-CA %2 %1.cer
ECHO done!
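An added check, not part of the original scripts: after "Certreq -Accept" and before MOMCertImport, this PowerShell script verifies that the certificate in LocalMachine\My actually carries what CertRequest.inf asked for (subject CN, 2048-bit key, DigitalSignature and KeyEncipherment key usage, Server and Client Authentication EKUs), that it chains to a trusted root (the "certutil -addstore root" step), and that the two registry values the scripts ask you to confirm by eye point at the management server. The management group name TEST, the server name scom-01.test.com and the registry path are taken from the scripts above and are assumptions for any other setup.

```powershell
# Added example, not from the original post: validate the enrolled SCOM agent certificate.
# Assumes the certificate was accepted into LocalMachine\My and the management group is TEST.
param(
    [string]$ManagementGroup  = 'TEST',
    [string]$ManagementServer = 'scom-01.test.com'
)
$X509 = 'System.Security.Cryptography.X509Certificates'

# Derive the FQDN the same way the batch scripts do: hostname plus the primary DNS suffix.
$suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
$fqdn = if ([string]::IsNullOrEmpty($suffix)) { $env:COMPUTERNAME } else { "$env:COMPUTERNAME.$suffix" }

# Newest certificate for this host that has a private key (MachineKeySet=TRUE put it here).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$fqdn in LocalMachine\My" }

$problems = @()
# KeyUsage=0xf0 in the INF; the agent needs at least DigitalSignature and KeyEncipherment.
$kuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage extension
if (-not $kuExt) { $problems += 'No KeyUsage extension' }
foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
    if ($kuExt -and -not $kuExt.KeyUsages.HasFlag([Enum]::Parse([type]"$X509.X509KeyUsageFlags", $flag))) {
        $problems += "KeyUsage lacks $flag"
    }
}
# EKU OIDs from the INF: 1.3.6.1.5.5.7.3.1 (Server Authentication), 1.3.6.1.5.5.7.3.2 (Client Authentication).
foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $oid) { $problems += "EKU lacks $oid" }
}
if ($cert.PublicKey.Key.KeySize -lt 2048) { $problems += "Key size is $($cert.PublicKey.Key.KeySize), expected 2048" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires on $($cert.NotAfter)" }
# The chain must reach a trusted root; that is what the "certutil -addstore root" step provides.
$chain = New-Object "$X509.X509Chain"
if (-not $chain.Build($cert)) {
    $problems += 'Chain does not validate: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
}

# The two registry values the batch scripts ask the operator to confirm by eye.
$phs = Get-ItemProperty -ErrorAction SilentlyContinue -Path ("HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\" +
       "Agent Management Groups\$ManagementGroup\Parent Health Services")
foreach ($name in 'AuthenticationName', 'NetworkName') {
    if ($phs.$name -ne $ManagementServer) { $problems += "$name is '$($phs.$name)', expected $ManagementServer" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
"OK: $($cert.Thumbprint) (CN=$fqdn) is usable for the SCOM agent; pick it in MOMCertImport."
```

Run it from an elevated prompt on the DMZ server; a non-zero exit with warnings means the request, the CA issuance or the MSI parameters need to be revisited before the agent is expected to connect.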
Hey Jackie, I was thinking about using this for a deployment, however - I was wondering what:
REM add scom-01 as trusted CA
ECHO Adding scom-01 into trust root CA
certutil -addstore root scom-01-ca.p7b
ECHO done!
ECHO **********************************
Where does the scom-01-ca.p7b come from?
It is the certificate of scom-01, which is issued by an internal CA.