Windows agent-based monitoring
By far the most time-consuming and difficult part of onboarding a customer into our managed services is getting servers onboarded.
We advise customers use Group Policy to push out settings for Windows Firewall and add the monitoring users to some groups. We also advise using it to run a PowerShell script on each server to implement least priv access. This is based largely on the same code LM uses in the Non-Admin script with a bunch of extra features we've added ourselves. Getting this GPO implemented though often requires jumping through a lot of change control and security related questions. In larger organisations, it often requires several levels of approval before it can be implemented. Then we have the non-domain joined machines, which need this all run manually.
It's often not practical to install collectors in each subnet, so we also need to get a whole host of firewall rules opened up across the network to allow the collectors to reach each server to be monitored. Again, it's time-consuming to explain the requirements, get approval and get them implemented.
In cases where we need to monitor applications, like SQL Server, this requires more ports being opened - sometimes custom ports depending on how it's been set up - and additional permissions for user accounts, which again we always try to do with 'least priv' in mind.
I know LM is all about "agentless" but it would be great if we could have a lightweight agent for Windows (and maybe Linux) that could collect data for a machine then forward it to a local collector for onward transmission to LM. It would reduce requirements for a lot of network changes. I'm not sure if this could also reduce the need for running scripts etc for "least priv" access. Possibly not as I guess running this agent thing as system wouldn't be ideal either.
I'm talking out loud here a little, but wondering if others have similar frustrations with getting servers into monitoring.