This one comes from collaboration with my colleague Brian Barrington.
Because of the issues with SCOM 2016 and the default APM modules impacting IIS and SharePoint servers….. (Read more about that issue HERE, HERE, and HERE)
Brian was looking for a way to easily remove the APM components from the deployed agents with minimal impact.
Normally, the guidance would be to uninstall the SCOM agent, then reinstall it from a command line installation using the NOAPM=1 command line parameter. That could be a challenging task if you have hundreds or thousands of agents!
His idea? Use my SCOM Agent Tasks MP here: https://kevinholman.com/2017/05/09/scom-management-mp-making-a-scom-admins-life-a-little-easier/
It has a class property in the state view called “APM Installed” to help you see which agents still have the APM components installed (which are installed by default)
It has a task called “Execute any PowerShell”
In the task – Override to provide the command you want to run – such as:
To repair an existing SCOM 2016 agent, but remove the APM components:
msiexec.exe /fvomus “\\server\share\agents\scom2016\x64\MOMagent.msi” NOAPM=1
To upgrade an agent, such as upgrading the agent from SCOM 2012 to SCOM 2016:
msiexec.exe /i “\\server\share\agents\scom2016\x64\MOMagent.msi” NOAPM=1 AcceptEndUserLicenseAgreement=1
You just need to place the MOMAgent.msi file on a share that your domain computer accounts would have access to. The agent will connect to the share as the Local System account, so you need to ensure these domain computer accounts have access at the share permission and NTFS permission. For something simple like this, I generally just grant Everyone/Read, or Authenticated Users/Read.
The below image example is for a repair:
This performs a lightweight repair or upgrade (depending on which command line you choose) of the agent, but only changes the switch “NOAPM=1” which will result in leaving all other settings alone, and only removing the APM service and components!
We have gotten good feedback on the success of this process across hundreds of agents in a short time frame. You can multi-select a lot of agents and run this task on many at a time.
Removing the APM MP’s
On another note – if you have no plans to use the APM feature in SCOM – you should consider removing those MP’s which get imported by default. They discover by default a LOT of instances of sites, services, and instances of classes where APM components are installed on the agents.
MP’s to remove in SCOM 2016:
- Microsoft.SystemCenter.DataWarehouse.ApmReports.Library (Operations Manager APM Reports Library)
- Microsoft.SystemCenter.Apm.Web (Operations Manager APM Web)
- Microsoft.SystemCenter.Apm.Wcf (Operations Manager APM WCF Library)
- Microsoft.SystemCenter.Apm.NTServices (Operations Manager APM Windows Services)
- Microsoft.SystemCenter.Apm.Infrastructure.Monitoring (Operations Manager APM Infrastructure Monitoring)
- Microsoft.SystemCenter.Apm.Library (Operations Manager APM Library)
- Microsoft.SystemCenter.Apm.Infrastructure (Operations Manager APM Infrastructure)
All of the above can be deleted. However – in order to delete the Microsoft.SystemCenter.Apm.Infrastructure MP, you will need to remove a RunAs account profile association, then clean up the SecureReference library manually by deleting the reference.
In the Admin pane > Run As Configuration > Profiles, in the Data Warehouse Account. On the RunAs accounts, you will need to remove the Operations Manager APM Data Transfer Service:
Then – manually export the Microsoft.SystemCenter.SecureReferenceOverride MP, and edit it using your favorite XML editor. (Make a Backup copy of this FIRST!!!!!)
Delete the reference to the Microsoft.SystemCenter.Apm.Infrastructure MP.
Save this, then reimport the Microsoft.SystemCenter.SecureReferenceOverride MP.
At this point you can delete the final APM MP – Microsoft.SystemCenter.Apm.Infrastructure (Operations Manager APM Infrastructure)
Deleting that MP with manual edits too scary for you?
At a bare minimum – if you are not using the APM feature – you should disable the discoveries:
Then run Remove-SCOMDisabledClassInstance in your SCOM Command Shell, which will remove all these discovered instances that you don’t use.
Excellent post. Thanks Kevin…again..
Thanks for an excelent post.
Do the lightweight repair or upgrade need the servers to be restarted?
No, they don’t. However, to remove the profiler from IIS, if you want that to happen immediately, you’d need to issue an IISreset at the least.
Thanks Kevin, this post was very helpful to me when I deployed SCOM 1807 recently. I deployed all of the agents without APM, and removed the APM management packs.
BUT – I’m still seeing Events 4009 and 4151 on my SCOM management servers, and the Microsoft Monitoring Agent APM service is installed but disabled on the SCOM MS. Is there a way to safely remove APM from the management servers completely?
Not on management servers. We just live with that little artifact.
Is the APM issue resolved in UR9 for SCOM 2016?
We use APM and are migrating to a side by side to 2016. Any recommendations?
The APM “issue” was resolved a long time ago…. if you use APM you can use it in SCOM 2016.
Thank you. What are the minimum requirements for this to be resolved? UR8?
SCOM 2016 UR6 resolved the IIS/Sharepoint crash/exceptions.
Hi Kevin. Is it possible to do a push of multiple agents using the NOAPM=1 switch to new servers?
Or does it need to be a two-step process of deploying agents from the console with defaults, then
running the powershell command(s) on this page once servers are managed?
You can push with NOAPM in SCOM 2019. Other versions will need a two step process if using push, or a special command line install to deploy initially without APM components.
I tried running from the PowerShell task, but the MSI started and ended in under a second. APM not removed. I can run command successfully locally (but only as administrator). Is this something to do with SCOM 2019 action account logon as a service..?? I tried specifying credentials to run the task, but error saying user has not been granted the requested logon type. Any ideas..?
Any task you run in SCOM 2019 as a specific user must have Log On As A Service. However, you should not use a user account, you should run the task as the default agent action account, which is local system. The Computer Account (local system) for any computer you run this one needs rights to the location where you store the MSI.
How do I confirm APM was removed? I still see ‘Microsoft Monitoring Agent APM’ in the Services.msc, although it’s disabled. Is that an indication of APM being removed or not?
Use my MP: https://kevinholman.com/2017/05/09/scom-management-mp-making-a-scom-admins-life-a-little-easier/
The Microsoft Monitoring Agent APM service will not be present if APM is removed from the agent.
Hi Kevin, how do I check if APM is installed on agent using powershell ? I tried checking the registry but I found absolutely nothing. Also Get-SCOMAgent is not returning this information.
My SCOM Management MP does this already. I use:
# Load Agent Scripting Module
$AgentCfg = New-Object -ComObject “AgentConfigManager.MgmtSvcCfg”
# Get Agent AD Integration Setting
# This section depends on AgentConfigManager.MgmtSvcCfg object in previous section
# Check Agent version for 2012 or a later version as these use different commands
IF ($MajorSCOMAgentVersion -lt 8)
# Assume SCOM 2012 agent
$ADIntEnabled = $AgentCfg.GetActiveDirectoryIntegrationEnabled()
# Assume SCOM 2016 agent or later
$ADIntEnabled = $AgentCfg.ActiveDirectoryIntegrationEnabled
Kevin, do I still have to remove the APM feature from the agent if I uninstall / delete the APM MPs? I do not plan to use the feature in the near future.