Merge pull request #10332 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-09 18:00 UTC

Author: learn-build-service-prod[bot]

support/azure/azure-monitor/app-insights/availability/availability-monitoring-common-issues-faq.yml

@@ -4,7 +4,7 @@ metadata:
   description: Review a list of frequently asked questions (FAQ) about common issues that occur when you use Application Insights availability monitoring.
   ms.topic: faq
   ms.date: 07/09/2025
-  ms.reviewer: v-leedennis, toddfous, v-weizhu
+  ms.reviewer: toddfous
   ms.service: azure-monitor
   ms.custom: sap:Availability Tests
 

support/azure/virtual-machines/windows/windows-vm-wureset-tool.md

@@ -9,13 +9,13 @@ ms.date: 11/18/2025
 ms.custom: sap:Cannot create a VM, H1Hack27Feb2017
 ms.reviewer: macla, scotro, glimoli, jarrettr, azurevmcptcic
 ---
-# Azure Virtual Machine (VM) Windows servicing stack reset tool
+# Azure Virtual Machine (VM) Windows Update Reset Tool
 
 **Applies to:** :heavy_check_mark: Windows VMs
 
 ## Overview
 
-This article covers steps to run a PowerShell script that resets the Windows servicing stack for a VM running in Azure. Running the tool can fix most problems that prevent Windows Updates from installing successfully. 
+This article covers steps to run a PowerShell script that resets the Windows Update servicing stack for a VM running in Azure. Running the tool can fix most problems that prevent Windows Updates from installing successfully. 
 
 > [!NOTE]
 > This article is intended for use with support agents and IT professionals. If you're a home user and looking for more information about fixing Windows update errors, see [Fix Windows Update errors](https://support.microsoft.com/help/10164).
@@ -31,7 +31,7 @@ This article covers steps to run a PowerShell script that resets the Windows ser
 - Restarts services.
 - Generates a summary of actions performed.
 
-For more information, see [Resetting Windows Update servicing stack script](https://github.com/Azure/azure-support-scripts/blob/master/RunCommand/Windows/Windows_WUA_Update_Reset?).
+For more information, see [Azure VM Windows WUA Update Reset Tool](https://github.com/Azure/azure-support-scripts/blob/master/RunCommand/Windows/Windows_WUA_Update_Reset?).
 
 
 :::image type="content" source="media/windows-vm-wureset-tool/windows-vm-wureset-tool.png" alt-text="Azure portal view Run Command example." lightbox="media/windows-vm-wureset-tool/windows-vm-wureset-tool.png":::   
@@ -50,12 +50,12 @@ For more information, see [Run scripts in your Windows VM by using action run co
 
 ## Recommended workflow
 
-1. Run `Windows_Update_Reset` to reset the servicing stack.
+1. Run `Windows_Update_Reset` to reset the Windows Update servicing stack.
 2. Try to install the Windows Update that previously failed.
 
 ## Additional resources
 
-- [Resetting Window Update servicing stack script](https://github.com/Azure/azure-support-scripts/blob/master/RunCommand/Windows/Windows_Update_Reset).
+- [Azure VM Windows WUA Update Reset Tool](https://github.com/Azure/azure-support-scripts/blob/master/RunCommand/Windows/Windows_Update_Reset).
 
 
 [!INCLUDE [azure-help-support](~/includes/azure-help-support.md)]

support/includes/azure/virtual-machines-runcmd-wu-tools.md

@@ -4,8 +4,8 @@
 >Trying to diagnose and resolve Windows Update or Windows OS upgrade issues for your Azure VM? Try one of the following tools:
 >
 >* [Azure VM Windows Update Error Detection Tool](../../azure/virtual-machines/windows/windows-vm-ipu-tool.md) to diagnose specific Windows Update errors.
->* [Azure VM Windows Servicing Stack Reset Tool](../../azure/virtual-machines/windows/windows-vm-wureset-tool.md) to reset the Windows servicing stack.
->* [Azure Virtual Machine (VM) Windows OS Upgrade Assessment Tool](../../azure/virtual-machines/windows/windows-vm-osupgradeassessment-tool.md) to validate the OS upgrade path and any known issues.
+>* [Azure VM Windows Windows Update Reset Tool](../../azure/virtual-machines/windows/windows-vm-wureset-tool.md) to reset the Windows servicing stack.
+>* [Azure VM Windows OS Upgrade Assessment Tool](../../azure/virtual-machines/windows/windows-vm-osupgradeassessment-tool.md) to validate the OS upgrade path and any known issues.
 >
 >If you're experiencing performance problems with VMs, run these tools first before contacting support.
 

support/system-center/scom/use-ca-certificate-on-scx-agent.md

@@ -2,7 +2,7 @@
 title: Convert self-signed SCX certificates to CA certificates
 description: Introduces how to convert a self-signed certificate on an SCX agent to a Certificate Authority (CA) signed certificate.
 ms.date: 04/15/2024
-ms.reviewer: alexkre, blakedrumm, edpaca, stparker, udmudiar, v-weizhu
+ms.reviewer: alexkre, blakedrumm, edpaca, stparker, udmudiar, v-weizhu, v-ryanberg
 ms.topic: how-to
 ms.custom: linux-related-content
 ---
@@ -76,65 +76,108 @@ On a CA server in your SCOM environment, follow these steps to create a certific
 
 ## Copy and edit the certificate on the Unix/Linux server
 
+Use one of the following methods to configure the certificate on the the Unix/Linux server:
+
+### Method 1: Configure certificate manually
+
 1. Copy the certificate to the Unix/Linux server for which the certificate was issued.
 1. Export the private key by using the following command:
 
     ```console
-    openssl pkcs12 -in <FileName>.pfx -nocerts -out key.pem
+    openssl pkcs12 -in <FileName>.pfx -nocerts -out /etc/opt/omi/ssl/omikey.pem -nodes -passin pass:"pfxpassword"
     ```
 
-    While exporting the private key from the certificate store, a new password has to be set for the new key file.
-
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-export-private-key.png" alt-text="Screenshot that shows the command to export the private key.":::
-
-    After the export is completed, you should see a *key.pem* file:
-
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-get-key-dot-pem-file.png" alt-text="Screenshot that shows the command to get the private key file.":::
+While exporting the private key from the certificate store, include the `-nodes` paramter (which stands for no Desktop Environments (DEs)). This instructs OpenSSL to output the private key in an unencrypted format. Otherwise a new password has to be set for the new key file. 
 
 1. Export the certificate by using the following command:
 
     ```console
-    openssl pkcs12 -in <FileName>.pfx -clcerts -nokeys -out omi.pem
+    openssl pkcs12 -in <FileName>.pfx -clcerts -nokeys -out /etc/opt/omi/ssl/omi-host-$(hostname).pem -passin pass:"pfxpassword"
     ```
 
-    While exporting the certificate from the certificate store, you have to enter the password for the *\<FileName>.pfx* file.
+1. Delete and create a new symbolic link:
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-export-certificate.png" alt-text="Screenshot that shows the command to export the certificate.":::
+    ```console
+    rm -f /etc/opt/omi/ssl/omi.pem
+    ln -s /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    ```
+   
+1. Set the correct permissions and ownership on the private key, certificate, and symbolic link:
 
-    After the export is completed, you should see an *omi.pem* file:
+    ```console
+    chmod 600 /etc/opt/omi/ssl/omikey.pem
+    chmod 640 /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    chown omi:omi /etc/opt/omi/ssl/omikey.pem
+    chown root:omi /etc/opt/omi/ssl/omi-host-$(hostname).pem /etc/opt/omi/ssl/omi.pem
+    ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-get-omi-dot-pem-file.png" alt-text="Screenshot that shows the command to get the certificate file.":::
+1. Restart the SCX agent by running the following command:
 
-1. Remove the password from the private key by using the following command:
+    ```console
+    scxadmin -restart
+    ```
+
+1. Make sure the Open Management Infrastructure (OMI) processes are running after restarting the agent:
 
     ```console
-    openssl rsa -in key.pem -out omikey.pem 
+    ps -ef | grep omi | grep -v grep
     ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-remove-password-from-private-key.png" alt-text="Screenshot that shows the command to remove password from the private key.":::
+    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png" alt-text="Screenshot that shows the command to validate omi processes running." lightbox="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png":::
 
-    This action is needed since the Linux agent doesn't know the password for the file.
+### Method 2: Configure certificate with bash script
 
-1. Move the *omikey.pem* file to the Open Management Infrastructure (OMI) directory by using the following command:
+1. Save the following bash script: `extract_scx_cert.sh`
 
     ```console
-    mv omikey.pem /etc/opt/omi/ssl/omikey.pem 
+    #!/bin/bash
+    
+    # Usage: sudo ./extract_scx_cert.sh /path/to/certificate.pfx <pfx_password>
+     
+    PFX_FILE="$1"
+    PFX_PASS="$2"
+    SSL_DIR="/etc/opt/omi/ssl"
+    KEY_FILE="$SSL_DIR/omikey.pem"
+    CERT_FILE="$SSL_DIR/omi-host-$(hostname).pem"
+    SYMLINK_FILE="$SSL_DIR/omi.pem"
+     
+    if [[ -z "$PFX_FILE" || -z "$PFX_PASS" ]]; then
+      echo "Usage: $0 /path/to/certificate.pfx <pfx_password>"
+      exit 1
+    fi
+     
+    echo "Extracting private key..."
+    openssl pkcs12 -in "$PFX_FILE" -nocerts -out "$KEY_FILE" -nodes -passin pass:"$PFX_PASS"
+     
+    echo "Extracting certificate..."
+    openssl pkcs12 -in "$PFX_FILE" -clcerts -nokeys -out "$CERT_FILE" -passin pass:"$PFX_PASS"
+     
+    echo "Creating symbolic link..."
+    rm -f "$SYMLINK_FILE"
+    ln -s "$CERT_FILE" "$SYMLINK_FILE"
+     
+    echo "Setting permissions..."
+    chmod 600 "$KEY_FILE"
+    chmod 640 "$CERT_FILE" "$SYMLINK_FILE"
+    chown root:omi "$CERT_FILE" "$SYMLINK_FILE"
+    chown omi:omi "$KEY_FILE"
+     
+    echo "Restarting omid service..."
+    systemctl restart omid
     ```
 
-1. Restart the SCX agent by using the following command:
+1. Change the script permissions to be run:
 
     ```console
-    scxadmin -restart
+    chmod +x /home/user/extract_scx_cert.sh
     ```
 
-1. Make sure the *omi* processes are running after restarting the agent:
+1. Run the following command to run the script with these two parameters: the path to the PFX file and the password for it.
 
     ```console
-    ps -ef | grep omi | grep -v grep
+    sudo ./extract_scx_cert.sh /path/to/certificate.pfx pfx_password
     ```
 
-    :::image type="content" source="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png" alt-text="Screenshot that shows the command to validate omi processes running." lightbox="media/use-ca-certificate-on-scom-linux-agent/command-validate-omi-processes.png":::
-
 ## Validate that the certificate is signed by the CA
 
 1. Run the following command on the agent to verify that the certificate is signed by the CA:
@@ -159,6 +202,8 @@ On a CA server in your SCOM environment, follow these steps to create a certific
     notAfter=Jul 25 12:12:14 2033 GMT
     ```
 
+    > The path `/etc/opt/microsoft/scx/ssl` contains a symbolic link `scx.pem -> /etc/opt/omi/ssl/omi.pem` that's used by the SCX agent in order to use the OMI certificate created earlier.
+
 1. Run a network trace on one of the management servers/gateways in the UNIX/Linux resource pool.
 1. Run the following `WinRM` command against the agent and make sure you get the instance output: