Task 06: Deploy OMIMSWAC Monitoring
DOCUMENT CATEGORY: Runbook
SCOPE: Dell hardware monitoring via Windows Admin Center
PURPOSE: Configure OMIMSWAC for hardware compliance, alerts, and Azure Policy integration
MASTER REFERENCE: Dell OMIMSWAC Documentation
Status: Active
Dell OpenManage Integration for Windows Admin Center (OMIMSWAC) provides hardware-level monitoring, compliance checking, and Azure Policy integration for Dell AX-series Azure Local clusters. This extension enables hardware alert streaming to Azure Log Analytics and automated compliance remediation.
Prerequisites
| Requirement | Description | Validation |
|---|---|---|
| Windows Admin Center | Version 2410 (GA) or later | Gateway mode recommended |
| OMIMSWAC Extension | Installed and EULA accepted | WAC Settings → Extensions |
| OMIWAC Premium License | Licensed on every node | Mixed licensing not supported |
| Log Analytics Workspace | Created in Step 1 | Workspace ID available |
| iDRAC Firmware | Version 7.xx.xx.xx+ | Redfish enabled |
| iDRAC Service Module (iSM) | Installed and running on each node | Required for alert replication |
| Network Connectivity | Ports 443 (HTTPS), 445 (SMB) | Outbound to Azure, Redfish to iDRAC |
Prerequisites Checklist
| Category | Requirement | Notes |
|---|---|---|
| WAC | Version 2410+ | Gateway mode recommended |
| Extension | OMIMSWAC installed, EULA accepted | WAC Settings → Extensions |
| Licensing | OMIWAC Premium on every node | Mixed licensing not supported |
| Accounts | Deployment user with local admin + WAC gateway admin | Use "Manage as" on connect |
| Connectivity | SMB In (445) on nodes, SMB Out on gateway, HTTPS (443) outbound | Redfish over 443 to iDRAC |
| iDRAC | Firmware 7.xx+, Redfish enabled | Max 8 active sessions |
| iSM | iDRAC Service Module installed and running | Hardware alert replication |
| TPM/BIOS | TPM 2.0 (fw ≥ 7.2.2.0), BIOS meets Secured-core minimum | For Secured-core enablement |
| Azure | Subscription, Resource Group, Log Analytics, Arc rights | Role includes Microsoft.Authorization/* |
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| AZURE_SUBSCRIPTION_NAME | azure.subscription.name | Azure Local Production |
| AZURE_RESOURCE_GROUP | azure.resource_group.name | rg-azurelocal-prod-eus2 |
| LOG_ANALYTICS_WORKSPACE_NAME | monitoring.log_analytics.workspace_name | law-azl-DAL-prod-01 |
| CLUSTER_NODE_01_NAME | nodes[0].name | azl-dal-node-01 |
| CLUSTER_NODE_02_NAME | nodes[1].name | azl-dal-node-02 |
Configuration Steps
Step 5.1: Connect Cluster in Windows Admin Center
- Open Windows Admin Center (WAC)
- Add cluster by FQDN (not individual nodes)
- Choose Manage as with deployment user credentials
- Check Use these credentials for all connections
- Launch Dell OpenManage Integration from Extensions
Step 5.2: Run Prerequisite Check
- Navigate to View → Prerequisite Check
- Select all operations
- Review results and resolve any Critical items:
  - SMB port availability
  - Redfish connectivity
  - Execution Policy
  - IPMI driver
  - CredSSP (if required)
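The same items can be spot-checked from the WAC gateway before opening the extension, which helps separate a firewall problem from an extension problem. This is an added example, not part of OMIMSWAC or the azurelocal-toolkit; the node and iDRAC hostnames are placeholders, and it assumes WinRM access to the nodes with the deployment user.

```powershell
# Added example: pre-flight checks mirroring the Prerequisite Check items above.
# Hostnames are placeholders (assumptions); replace with your nodes and iDRACs.
$Nodes  = @('azl-dal-node-01', 'azl-dal-node-02')
$Idracs = @('idrac-node-01.example.internal', 'idrac-node-02.example.internal')

function Test-TcpPort {
    param([string]$Target, [int]$Port, [string]$Check)
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = $Check
        Target = $Target
        Result = if ($r.TcpTestSucceeded) { 'Reachable' } else { 'BLOCKED' }
    }
}

$results = @()
foreach ($n in $Nodes)  { $results += Test-TcpPort -Target $n -Port 445 -Check 'SMB 445 (to node)' }
foreach ($i in $Idracs) { $results += Test-TcpPort -Target $i -Port 443 -Check 'Redfish 443 (to iDRAC)' }

# Node-local items: effective execution policy and presence of an IPMI device/driver.
$results += Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $ipmi = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*IPMI*' }
    [pscustomobject]@{
        Check  = 'Execution Policy'
        Target = $env:COMPUTERNAME
        Result = "$(Get-ExecutionPolicy)"   # reported only; compare against the extension's finding
    }
    [pscustomobject]@{
        Check  = 'IPMI driver'
        Target = $env:COMPUTERNAME
        Result = if ($ipmi) { "$($ipmi[0].FriendlyName): $($ipmi[0].Status)" } else { 'NOT FOUND' }
    }
} | Select-Object Check, Target, Result

$results | Sort-Object Target, Check | Format-Table -AutoSize
```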
Step 5.3: Configure Cluster Settings
- Navigate to View → Compliance → HCP Compliance
- If prompted, configure:
| Setting | Options |
|---|---|
| Network Topology | Fully-Converged / Non-Converged-Physical / Non-Converged-Set |
| Deployment Model | Scalable / Switchless / Stretch |
| RDMA Protocol (Intel E810 only) | iWARP or RoCEv2 |
- Click Save — These settings drive which Dell policies are applied
Step 5.4: Run HCP Compliance Check
- Click Check Compliance (HCP)
- Address any Critical issues:
  - Dell Hardware Symmetry Policy (unsupported drive mix, missing BOSS, HBA mismatch)
- Use Fix Compliance only after symmetry passes:
  - Apply & Reboot Now — Cluster-aware sequencing
  - Apply at Next Reboot — Plan maintenance; disable Infrastructure Lock before reboot
- Re-run compliance to confirm Compliant/Recommended state
If RDMA network adapters show Warning under Dell OS Configuration Policy and you use Network ATC, you can safely ignore that specific check.
Step 5.5: Configure Azure Policy Integration
- Navigate to View → Azure Integration (or Azure tab in OMIMSWAC)
- Sign into Azure (ensure network egress on 443)
- Run Onboarding Checklist — Must pass Microsoft.Authorization permission check
- Onboard Dell policies (HCP/SCP sets) to Azure Arc scope
- Trigger compliance scan from Azure Portal (Policy blade) if immediate visibility needed
Step 5.6: Configure Hardware Alerts to Azure
- Verify on each node in iDRAC:
  - Lifecycle Log replication enabled
  - Alerts enabled
- In OMIMSWAC Alerts/Diagnostics section:
  - Configure Data Collection Rule (DCR)
  - Select Log Analytics Workspace
  - Map all cluster nodes
- Complete the DCR wizard:
| Setting | Value |
|---|---|
| Subscription | {{AZURE_SUBSCRIPTION_NAME}} |
| Resource Group | {{AZURE_RESOURCE_GROUP}} |
| Log Analytics Workspace | {{LOG_ANALYTICS_WORKSPACE_NAME}} |
| Data Collection Endpoint | Create new or select existing in same region |
- Confirm ingestion in Azure Portal → Log Analytics → Logs
Step 5.7: Create Hardware Alert Rules
- Navigate to Azure Portal → Monitor → Alerts → Alert rules
- Create log-based alerts:
```kusto
// Dell hardware alert query (adjust table name based on OMIMSWAC)
// Table name shown in OMIMSWAC Tables blade
CustomTable_CL
| where TimeGenerated > ago(1h)
| where Severity_s in ("Critical", "Warning")
| project TimeGenerated, Computer, Message_s, Severity_s, Category_s
```
- Configure alert rule:
  - Evaluation frequency: 5 minutes
  - Attach Action Group from Step 4
Optional: Secured-Core Enablement
For enhanced security hardening:
- Navigate to View → Security → Secured Core
- Disable Infrastructure Lock if enabled
- Review BIOS + OS feature statuses:
  - Virtualization Technology
  - Kernel DMA Protection
  - Secure Boot
  - TPM
  - DRTM/TXT
- Click Enable BIOS Configurations and choose reboot method
CredSSP is temporarily enabled for cluster-aware operations. Disable it post-operation for security.
- Re-enable Infrastructure Lock once stable
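After the reboot, the OS-side state can be confirmed per node, including that CredSSP has been turned off again. This is an added example, not taken from the OMIMSWAC documentation; the node names are placeholders, and it assumes an elevated session on the WAC gateway with WinRM access to the nodes.

```powershell
# Added example: post-change check of Secured-core features and CredSSP state.
# $Nodes holds placeholder hostnames (assumption); replace with your cluster nodes.
$Nodes = @('azl-dal-node-01', 'azl-dal-node-02')

$report = Invoke-Command -ComputerName $Nodes -ScriptBlock {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $tpm = Get-Tpm
    # Confirm-SecureBootUEFI throws on non-UEFI systems; treat that as "not enabled".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    [pscustomobject]@{
        SecureBoot      = $secureBoot
        TpmReady        = ($tpm.TpmPresent -and $tpm.TpmReady)
        TpmFirmware     = $tpm.ManufacturerVersion            # compare with the 7.2.2.0 minimum
        HypervisorReady = $dg.AvailableSecurityProperties -contains 1
        KernelDmaProt   = $dg.AvailableSecurityProperties -contains 3
        VbsRunning      = $dg.VirtualizationBasedSecurityStatus -eq 2
        SecureLaunch    = $dg.SecurityServicesRunning -contains 3   # System Guard Secure Launch (DRTM)
        # Node side of CredSSP: should read 'false' once the operation has finished.
        CredSspServer   = (Get-Item WSMan:\localhost\Service\Auth\CredSSP).Value
    }
}

$report |
    Select-Object PSComputerName, SecureBoot, TpmReady, TpmFirmware, HypervisorReady,
                  KernelDmaProt, VbsRunning, SecureLaunch, CredSspServer |
    Format-Table -AutoSize

# Gateway side of CredSSP (the client role): should also read 'false' after the operation.
"Gateway CredSSP client auth: $((Get-Item WSMan:\localhost\Client\Auth\CredSSP).Value)"

# Flag any node where CredSSP is still accepting delegated credentials.
$report | Where-Object { $_.CredSspServer -eq 'true' } |
    ForEach-Object { Write-Warning "CredSSP still enabled on $($_.PSComputerName)" }
```

If a node is flagged, `Disable-WSManCredSSP -Role Server` on that node (and `-Role Client` on the gateway) turns it off.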
Validation
Verify Compliance Status
| Layer | How to Verify | Pass Criteria |
|---|---|---|
| HCP Compliance | Re-run Check Compliance | No Critical; Warnings understood |
| Secured-core | Security page & msinfo32 | All BIOS features Enabled |
| Azure Policies | Azure Portal → Policy → Compliance | Dell definitions present |
| Alerts | Log Analytics query returns rows | Recent hardware events visible |
| Lock State | Overview page shows lock icon | Locked post-change |
Sample Validation Query
```kusto
// Verify the cluster nodes are reporting to the workspace (last heartbeat per node)
Heartbeat
| where TimeGenerated > ago(1h)
| where Computer in ("{{CLUSTER_NODE_01_NAME}}", "{{CLUSTER_NODE_02_NAME}}")
| summarize LastHeartbeat = max(TimeGenerated) by Computer
```
iDRAC/iSM Verification
On each cluster node:
```powershell
# Verify iDRAC Service Module is running
Get-Service -Name "iDRAC Service Module" |
    Select-Object Name, Status, StartType

# Check for recent hardware events
Get-WinEvent -LogName "Dell" -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| Policy onboarding fails | Missing Microsoft.Authorization/* | Assign Owner or custom role; retry |
| Symmetry Critical | Mixed drive sizes/model mismatch | Align hardware; re-run HCP |
| Alerts absent in Azure | iSM missing or DCR deleted | Install iSM; recreate DCR |
| Inventory hanging | SMB 445 blocked or USB NIC conflict | Open port; add proxy bypass |
| Secured-core partial | TPM firmware below 7.2.2.0 | Update TPM/server firmware |
Ongoing Maintenance
| Frequency | Task |
|---|---|
| Daily | Review Azure alerts dashboard |
| Weekly | Re-run HCP Compliance after changes |
| Monthly | Confirm lock state; verify Secured-core |
| Quarterly | Firmware/BIOS drift check (Azure portal if LCM-enabled) |
Limitations
- Hardware Updates (CAU): Not supported for freshly deployed Azure Local 23H2/24H2 clusters with LCM component. Use Azure portal lifecycle management instead.
- Infrastructure Lock: Must be disabled for BIOS/iDRAC/NIC remediation and Secured-core enablement.
- Proxy: Add USB NIC (169.254.*) IPs to proxy bypass or Redfish/iDRAC inventory may fail.
Variables Reference
| Variable | Description | Example |
|---|---|---|
| {{CLUSTER_NODE_01_NAME}} | First node hostname | azl-dal-n01 |
| {{LOG_ANALYTICS_WORKSPACE_NAME}} | Workspace name | law-azl-dal-prod-01 |
Next Steps
After deploying OMIMSWAC monitoring:
- ➡️ Task 6: Configure Network Device Logging — Syslog from switches/firewalls
- Set up regular compliance check schedule
- Document firmware update procedures for maintenance windows
- Create operational runbooks for common hardware alerts
- Manual
  - When to use: Use this option for manual step-by-step execution.
  - See procedure steps above for manual execution guidance.
- Orchestrated Script
  - When to use: Use this option when deploying across multiple nodes from a management server using variables.yml.
  - Script: See azurelocal-toolkit for the orchestrated script for this task.
  - Orchestrated script content references the toolkit repository.
- Standalone Script
  - When to use: Use this option for a self-contained deployment without a shared configuration file.
  - Script: See azurelocal-toolkit for the standalone script for this task.
  - Standalone script content references the toolkit repository.
Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.
Alternatives
The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.
| Method | Description |
|---|---|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2025-03-25 | Azure Local Cloud | Initial release |