Orchestrator 2012: Patch a server with SCCM 2012

You may be asking yourself, “Why initiate patching with Orchestrator?”

We had a request to restart and patch servers in groups on a recurring schedule, with pre- and post-tasks to check. You can do all of that in SCCM 2012 through task sequences, but can you also make SCCM stop when one of the servers in the group fails, and get a status report at the end? Orchestrator can do that. It can run general tasks for all servers or special tasks for single servers, so you have more control there.

I will describe the reboot runbooks in another blog post. Here I want to focus on the patching part, which can also be initiated separately, outside of the reboot process.

For our reboot scenario we only wanted to check which patches are available, install them, reboot, and after the reboot check which patches were installed successfully and whether additional patches are missing. We did not install those additional patches. You could extend that as you need it.

We use System Center Orchestrator 2012 SP1. My runbook does not use the System Center Configuration Manager 2012 SP1 integration pack; I only use WMI queries to check which patches are available. But you still need SCCM 2012 to deploy the patches!

I use the following WMI classes:

CCM_SoftwareUpdate (http://msdn.microsoft.com/en-us/library/jj155451.aspx)
CCM_SoftwareUpdatesManager (http://msdn.microsoft.com/en-us/library/jj155384.aspx)
Win32_QuickFixEngineering (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394391(v=vs.85).aspx)

We have one additional database in the same database instance as our Orchestrator database for logging. It is called OrchestratorTemp.

For this runbook we use a table called SoftwareUpdate to log the patch status.

[screenshot: SoftwareUpdate table]

In the reboot runbooks we have another table that logs the general server status; it also has the columns Servername and RBInstance. With these two columns we can later link both tables and clean up the rows at the end of the process.

I use three runbooks to patch the server.

  1. SCCM Dev – Check updates
  2. SCCM Dev – Install updates
  3. SCCM Dev – Check previous updates

SCCM Dev – Check updates

[screenshot: SCCM Dev – Check updates runbook]

It has the following initialize data parameters:

  • Servername
  • Patch (in the reboot runbook you can decide if you want to patch or not, Values: “True/False”)
  • Previous Found (needed for the second run after the reboot, should be “False” at the beginning)
  • RBInstance (reference to the main reboot runbook, can be any number if called outside)

I will focus on the interesting details of the main activities.

  • Get Updates/Check for additional updates (Run .Net Activity):
    Runs the following PowerShell script:
    [screenshot: getupdates]
    and publishes the following data:
    [screenshot: getupdates-published]
  • Write Updates/Write additional Update Status (Write To Database Activity):
    Writes into the OrchestratorTemp database:
    [screenshot: WriteUpdates]
  • Install Update (Invoke Runbook): Initializes the “SCCM Dev – Install Update” runbook and waits for its completion. Loops until Finished=True. Given parameters: Servername, RBInstance.
  • Check previous updates (Invoke Runbook): Initializes the “SCCM Dev – Check previous updates” runbook and waits for its completion. Given parameters: Servername, RBInstance.
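
As an added example (not the post's own getupdates script), this is the kind of query the Get Updates activity runs: it reads the updates the SCCM client reports as missing from CCM_SoftwareUpdate and shapes them as rows for the SoftwareUpdate logging table. The parameter names, the server name and the PreviousFound column are assumptions.

```powershell
# Added example, not the script from the post. Reads the updates the SCCM client
# reports as missing and returns one row per update for the logging table.
param(
    [string]$ServerName   = "SERVER01",  # assumed: Initialize Data parameter Servername (placeholder)
    [int]$RBInstance      = 1,           # assumed: reference to the calling reboot runbook
    [bool]$PreviousFound  = $false       # assumed: True on the second run after the reboot
)

$ns = "root\ccm\ClientSDK"

# ComplianceState 0 = the client considers the update missing (1 = installed).
# Only updates that SCCM has deployed to this client (at least "Available") appear here,
# which is why SCCM 2012 is still needed to deploy the patches.
$missing = Get-WmiObject -ComputerName $ServerName -Namespace $ns `
             -Class CCM_SoftwareUpdate -Filter "ComplianceState = 0"

$rows = foreach ($u in @($missing)) {
    [pscustomobject]@{
        Servername      = $ServerName
        RBInstance      = $RBInstance
        ArticleID       = $u.ArticleID
        Name            = $u.Name
        ComplianceState = [int]$u.ComplianceState
        EvaluationState = [int]$u.EvaluationState
        PreviousFound   = $PreviousFound   # assumed column: marks updates found only after the reboot
    }
}

# Values the activity would publish: the number of missing updates and the rows themselves.
"UpdateCount: $(@($rows).Count)"
$rows | Format-Table -AutoSize
```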

SCCM Dev – Install updates

[screenshot: SCCM Dev – Install updates runbook]

The Install updates runbook is invoked once for each update that needs to be installed.

  • Get first missing update (Query Database Activity): Runs the following query:
    [screenshot: get first update]
  • Install update (Run .Net Activity):
    Runs the following PowerShell script:
    [screenshot: install update]
  • Check update (Run .Net Activity):
    Runs the following PowerShell script:
    [screenshot: check update]
    and publishes the following data:
    [screenshot: check update - published]
    Loops with a delay of 10 seconds and exits the loop when these conditions occur:
    [screenshot: check update - loop]
    (pattern: 8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23)
    => waits 2 minutes for the patch to install. This can be extended by increasing the number of attempts!
  • Cancel Update (Run .Net Activity):
    Runs the following PowerShell script:
    [screenshot: cancel update]
  • The Write Update activities set “ComplianceState” to 1 and “EvaluationState” to the output status when the update was installed successfully. Otherwise they set different “ComplianceStates” depending on the update status.
SCCM Dev – Check previous updates

[screenshot: SCCM Dev – Check previous updates runbook]

This runbook checks whether the update appears in the installed updates after the reboot.

  • Get Compliance State (Query Database Activity): Runs the following query:
    [screenshot: get compliance state]
  • Get ArticleID (Query Database Activity): Runs the following query:
    [screenshot: get articleID]
  • Check install status (Run .Net Activity):
    Runs the following PowerShell script:
    [screenshot: Check install status]
    and publishes the following data:
    [screenshot: Check install status - published]
  • Write Update Compliance (Query Database Activity): Runs the following query:
    [screenshot: Write update compliance]
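
As an added example (not the post's Check install status script), the after-reboot check: it looks the ArticleID up in Win32_QuickFixEngineering and returns the ComplianceState value to store with the Write Update Compliance query. The server name and ArticleID are placeholders.

```powershell
# Added example, not the post's own script. Verifies after the reboot whether an update
# that the Install updates runbook installed is now present on the server.
param(
    [string]$ServerName = "SERVER01",   # assumed Initialize Data parameter (placeholder)
    [string]$ArticleID  = "0000000"     # placeholder: ArticleID returned by the Get ArticleID query
)

# Win32_QuickFixEngineering reports HotFixID as "KB<ArticleID>".
# Caveat: it only lists updates serviced through the OS, so updates for other products
# (Office, for example) do not show up here even when they installed fine; such updates
# would need CCM_SoftwareUpdate (ComplianceState = 1) as the source of truth instead.
$hotfix = Get-WmiObject -ComputerName $ServerName -Class Win32_QuickFixEngineering `
            -Filter "HotFixID = 'KB$ArticleID'"

if ($hotfix) {
    $compliance  = 1    # 1 = installed, the same meaning ComplianceState has in CCM_SoftwareUpdate
    $installedOn = ($hotfix | Select-Object -First 1).InstalledOn
} else {
    $compliance  = 0    # still missing after the reboot
    $installedOn = $null
}

# Published data for the Write Update Compliance query.
[pscustomobject]@{
    Servername      = $ServerName
    ArticleID       = $ArticleID
    ComplianceState = $compliance
    InstalledOn     = $installedOn
}
```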

Here is the link to the exported runbooks.

That’s it. Have fun!


Comments

  • Graham Davis  On June 19, 2013 at 6:42 pm

    Hi Natascia, very nice! Can I ask why you decided to go without the integration pack? Does using WMI come out more reliable?

    • opsmgrtipps  On June 20, 2013 at 7:46 am

      Hi Graham,

with the SCCM 2012 SP1 integration pack you only have the activity “Perform Client Action”, which has the standard client actions. So you can initiate the installation, but you cannot really control it. We had, for example, an update which had problems with the download. It prevented other patches from being installed. With WMI I can control each update – so I can cancel it if it takes too long, or even exclude it if necessary. I can see what was installed successfully and see the status code of the failed ones directly. I can log that locally and create a report at the end, and do not need to wait until SCCM updates its information.

That was the reason why I used WMI. If you see other options, I would be glad to hear about them.

      Natascia

      • Graham Davis  On June 20, 2013 at 1:37 pm

        No, I’ve got nothing better, just curious if the integration pack was worth messing with. Thanks!

  • Cem BOZDAG  On August 25, 2013 at 10:54 am

Hi Natascia,
Is it possible that you can export the runbook and send it by mail?
Thanks a lot..

    • opsmgrtipps  On August 26, 2013 at 9:00 am

      Cem,

      I have updated the blog and added the link to the runbooks.

      Kind regards,
      Natascia

      • Cem BOZDAG  On August 26, 2013 at 5:45 pm

Hi Natascia,
You are my best..
Thanks a lot

  • Cem BOZDAG  On August 27, 2013 at 12:24 pm

Hi again Natascia,

On the SCCM Dev – Check previous updates runbook I clicked on Get Compliance State properties; under the Connection tab it asks for Server and Initial Catalog. What must I write in the two fields?
Thanks a lot.

    • opsmgrtipps  On August 29, 2013 at 7:16 am

      Hi Cem,

it is all the same for the database query/write actions. I use a database to log all the information. I have called it OrchestratorTemp, and it is created in the same instance as the Orchestrator database. So you would also need to create a database and the necessary table (see blog) for it.
Fill in the fields like this:
Server: Servername\Instancename
InitialCatalog: OrchestratorTemp (or the name of your database, if it is different)
I used variables here, which is why there is only a reference in it.

      Kind regards,
      Natascia

      • Cem BOZDAG  On August 29, 2013 at 7:42 am

Hi Natascia,
I have changed the field and run the runbook again; it failed on the get update script and returned the error Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)). Let me explain a little, please. I start the Check updates runbook; it asks for RBInstance: 1, servername: abc, PreviousFound: False, Patch: True. I enter these parameters. abc is my server name. I have tested three different servers and get the same error, Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
What can I do?
One more question please: is it possible that I can only install security patches with your structure?

Many thanks for your help.
Kind regards
Cem

  • marcdieters  On September 16, 2014 at 7:26 am

    Hi,

I have implemented your runbook with success and it’s providing us with much more control over updates than SCCM does.

    I have one question about patching Server 2003 systems.
    In the CCMSKDProvider.log, the client logs the following error ‘The caller is not allowed and/or supported to initiate the update installation.’

Do you know how to fix this?

    Thanks !

    • opsmgrtipps  On September 16, 2014 at 9:18 am

      Hi,

I am glad that the runbook helps you.
No, I have not seen this problem before.
Can you send me more details of the log?

      Kind regards,
      Natascia

      • William Jenkins  On October 14, 2014 at 8:13 pm

        I’m actually having the same issue as well. Runs great targeting 2008 servers, but fails when targeting 2003 servers (which is crucial for my project to succeed).

        When I isolate the Powershell script and run it remotely in Powershell (elevated or not elevated doesn’t change behavior) I get an error.

        ———————————————–
        Invoke-WmiMethod :
        At C:\temp\invoketest.ps1:17 char:1
        + Invoke-WmiMethod -computername $ServerName -Class CCM_SoftwareUpdatesManager -Na …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Invoke-WmiMethod], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.InvokeWmiMethod
        ———————————————–

        And I see the same error as “marcdieters” in the CCMSKDProvider.log of the targeted 2003 server:

        <![LOG[Session [0] does not belong to the calling user CORP\, not supported.]LOG]!>

    • justenh33  On October 30, 2014 at 5:14 pm

Have you had any luck resolving this error? I am having this exact same issue on Server 2003 machines.

      Any advice is appreciated.

    • William Jenkins  On November 11, 2014 at 6:44 pm

Apparently the 2003 issue “The caller is not allowed and/or supported to initiate the update installation.” is a by-design “feature” when executing this particular invoke-wmimethod remotely. I can’t verify, but I was told by Microsoft that installing R2 for Server 2003 corrects this. If R2 isn’t possible, then the only workaround is executing the powershell command “locally” using something like PSEXEC in your runbook script.

  • kadumata  On June 30, 2015 at 6:24 pm

    Hi Natascia
    The download link to reboot runbooks is broken. Could you take a look at it?
    Thanks

  • Emilio Monegro  On February 17, 2016 at 11:04 pm

Hi,

I want to thank you for writing this blog, it is awesome. I am new to Orchestrator and was hoping you could tell me how I can do this with multiple servers.

Thank you for your time and help

    • SystemCentertipps  On May 2, 2016 at 1:23 pm

Hi Emilio,
thanks. You only need a top runbook that calls the patch runbook and provides the server name and the other parameters.
You can read a text file in the top runbook or use the Get Collection Members activity from the SCCM Integration Pack.

      Kind regards,

      Natascia

      • Emilio Monegro  On May 11, 2016 at 5:50 pm

Thank you!!! I use the Get Collection Members activity from the SCCM IP.

        thank you

  • chame  On August 3, 2016 at 10:22 am

Hi, many thanks for the solution. Can you please tell me how to bind your runbook export file to Runbook Designer? The import doesn’t work. Thanks in advance

    • SystemCentertipps  On September 2, 2016 at 7:28 am

      Hi, this is super easy. Right click on a Folder in the Runbook tree and click Import. That should work.
      Regards,
      Natascia

  • Naren Kher  On October 14, 2016 at 3:20 am

Hi Natascia, thanks for this excellent post and runbooks. We are currently testing them in our environment to use with your other (Server Reboot) post. They have been working really well!

  • Alex Marsh  On February 8, 2017 at 9:26 am

    Hi Natascia

I’m assuming that in order to have control over the updates which are deployed you set the update deployment as ‘available’ to the collection and then use the above runbooks to deploy the patches? I’m experimenting with a couple of different methods of deploying updates via Orchestrator and keen to know your thoughts.

    Thanks

    Alex

  • Cory  On March 21, 2017 at 4:10 pm

    Can’t download the runbook can you check the link?
