Sealing MP's
This is an updated version of Kevin Holman's blog, and Jonathan Almquist's blog for SCOM2012R2 and 2016
First why seal?
If you seal the MP – we will be able to use the classes/groups created for overrides in any other override MP.
Unsealed MP - any overrides you use for classes/groups will be forced into this same MP.
If you don't have Visual Studio 2013 and above with VSAE, or have other requirements, you will need to download the SDK to get the SN.exe utility
Download SDK
Win2008 & R2 SDK Download
Win2012 & R2 SDK Download
Win10 SDK Download https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk
Release blog https://blogs.windows.com/buildingapps/2017/05/11/windows-10-sdk-preview-build-16190-released/
NOTE Install path to go grab the sn.exe file
Install SDK
Copy file to the local machine
Open PowerShell window as administrator
cd $HOME/desktop
.sdksetup.exe # .winsdksetup.exe for Server 2016/win10
Verify SN.exe is found after SDK install completes
Server 2008 - sn.exe located in C:Program FilesMicrosoft SDKsWindowsv6.1Binx64
Server 2012 - sn.exe located in C:Program Files (x86)Microsoft SDKsWindowsv8.1AbinNETFX 4.5.1 Tools
Server 2016 and Win 10 - sn.exe located in C:Program Files (x86)Microsoft SDKsWindowsv8.0AbinNETFX 4.0 Tools
Create the MPSeal folders
Repository where you want to keep the MPSeal.exe, SNK files, and related sealed packs for any MP sealed
C:monadminMPSeal
C:monadminMPSealunsealed
C:monadminMPSealsealed # Reference sealed MP's
C:monadminMPSealkey
C:monadminMPSealoutput
PowerShell as Admin commands to create repository
new-item -itemtype directory -path c:monadmin
new-item -itemtype directory -path c:monadminMPSeal
new-item -itemtype directory -path c:monadminMPSealunsealed
new-item -itemtype directory -path c:monadminMPSealsealed
new-item -itemtype directory -path c:monadminMPSealkey
new-item -itemtype directory -path c:monadminMPSealoutput
Copy MPSeal utility from Support directory on SCOM ISO
On ISO, copy mpseal* from ISO SupportToolsAMD64 directory to c:monadminMPSeal
Let's get the Key file generated and start sealing MP's!
Create SNK files
Note SN.exe only needs to be run once to create the SNK file
***Critical note – you need to keep a backup of this key… because it will be required for making updates to this MP in the future, re-sealing, and keeping the ability to upgrade the existing MP in production.
sn -k <yourDomainNameHere>.snk
Sample syntax from win2k8 server
Copy this SNK file to c:monadminMPSealkey
Copy Referenced MP's
This is a good opportunity to add the MP's referenced in the ISO, UR updates, and/or RTM folder when installing SCOM, Unix MP's, etc.
Copy sealed MP's to c:monadminMPSealsealed
Seal MP
MPSeal.exe c:monadminmpsealunsealed<mpNameHere>.xml /I "c:monadminmpsealsealed" /Keyfile "c:monadminmpsealkeyPairKey.snk" /Company "CompanyName" /Outdir "c:monadminmpsealoutput"
References
How to Seal MP https://technet.microsoft.com/en-us/library/hh457550(v=sc.12).aspx#KeyFile