Orchestrator 2012: Patch a server with SCCM 2012

You will perhaps have the question in your mind “Why initialize patching with Orchestrator?”.

We had the request to restart and patch servers on a reoccuring schedule in groups and with pre and post tasks to check. You can do that all in SCCM 2012 through tasks sequences, but Can you also control that SCCM should stop when one of the servers in the group fails and that you get a status at the end? Orchestrator can do that. It can run some general tasks for all servers or special tasks for single servers, so you can control more in there.

I will also create another blog post to describe the reboot runbooks. Here I want to focus on the patching part. This can also separately be initialized outside of the reboot process.

For our reboot szenario we only wanted to check which patches are available. Install them, reboot and after the reboot check which patches are installed successfully and if there are additional missing patches. We did not install those then. You could extend that as you need it.

We use System Center Orchestrator 2012 SP1. For my runbook I do not use the System Center Configuration Manager 2012 SP1 integration pack. I only use WMI queries to check which patches are available. But you still need SCCM 2012 to deploy the patches!

I use the following WMI classes:

CCM_SoftwareUpdate (http://msdn.microsoft.com/en-us/library/jj155451.aspx)
CCM_SoftwareUpdatesManager (http://msdn.microsoft.com/en-us/library/jj155384.aspx)
Win32_QuickFixEngineering (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394391(v=vs.85).aspx)

We have one additional database in the same database instance as our Orchestrator database for logging. It is called OrchestratorTemp.

For this runbook we use a table called SoftwareUpdate to log the patch status.


In the reboot runbooks we have another table which logs the general server status which also has columns Servername and RBInstance. With these both columns we later can link both tables and clean up the columns at the end of the process.

I use three runbooks to patch the server.

  1. SCCM Dev – Check updates
  2. SCCM Dev – Install updates
  3. SCCM Dev – Check previous updates

SCCM Dev – Check updates

sccm dev - check updates

It has the following initialize data parameters:

  • Servername
  • Patch (in the reboot runbook you can decide if you want to patch or not, Values: “True/False”)
  • Previous Found (needed for the second run after the reboot, should be “False” at the beginning)
  • RBInstance (reference to the main reboot runbook, can be any number if called outside)

I will focus on the interesting details of the main activies.

  • Get Updates/Check for additional updates (Run .Net Activity):
    Runs the following PowerShell script:
    and publishes the following data:
  • Write Updates/Write additional Update Status (Write To Database Activity):
    Writes into the OrchestratorTemp database:
  • Install Update (Invoke Runbook): Initializes the “SCCM Dev – Install Update” runbook and waits for its completion. Loops until Finished=True. Given Parameters: Servername, RBinstance.
  • Check previous updates (Invoke Runbook): Initializes the “SCCM Dev – Check previous updates” runbook and waits for its completion. Given Parameters: Servername, RBinstance.

SCCM Dev – Install updates

sccm dev - install updates

The install updates will be initialized for each update which needs to be installed.

  • Get first missing update (Query Database Activity): Runs the following query:
    get first update
  • Install update (Run .Net Activity):
    Runs the following PowerShell script:
    install update
  • Check update (Run .Net Activity):
    Runs the following PowerShell script:
    check update
    and publishes the following data:
    check update - published
    Loops with a delay of 10 seconds and exits loop when these conditions occur:
    check update - loop
    (pattern: 8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23)
    => waits 2 minutes for the patch to install. Can be extended by increasing the number of attempts!
  • Cancel Update (Run .Net Activity):
    Runs the following PowerShell script:
    cancel update
  • The Write Update activities sets “ComplianceState” to 1 and the “EvaluationState” to the output status when the update was installed successfully. Otherwise it sets different “ComplianceStates” depending on the update status.

SCCM Dev – Check previous updates

sccm dev - check previous updates

This runbook should check if the update is listed in the installed updates after the reboot.

  • Get Compliance State (Query Database Activity): Runs the following query:
    get compliance state
  • Get ArticleID (Query Database Activity): Runs the following query:
    get articleID
  • Check install status (Run .Net Activity):
    Runs the following PowerShell script:
    Check install status
    and publishes the following data:
    Check install status - published
  • Write Update Compliance (Query Database Activity): Runs the following query:
    Write update compliance

Here is the link to the exported runbooks.

That’s it. Have fun!


Published by


* 1974, female, working as a IT Senior System Analyst in a chemical company. Main topics: System Center Operations Manager 2012, System Center Orchestrator 2012, System Center Configuration Manager 2012. Monitoring servers since 2002, started with NetIQ Appmanager. Twitter: @NatasciaHeil

29 thoughts on “Orchestrator 2012: Patch a server with SCCM 2012”

  1. Hi Natascia, very nice! Can I ask why you decided to go without the integration pack? Does using WMI come out more reliable?

    1. Hi Graham,

      with the SCCM 2012 SP1 integration pack you only have the activity “Perform Client Action” which has the standard client actions. So you can initiate the installation, but you cannot really control it. We had for example an update, which had problems with the download. It avoided that other patches got installed. With WMI I can control each update – so I can cancel it, if it takes too long or even exclude it, if necessary. I can see what was installed successfully and see the status code of the failed ones directly. I can log that locally and create a report at the end and do not need to wait until SCCM updates its information.

      That was the reason why I used WMI. If you see other options, then I would be glad to hear about it.


      1. No, I’ve got nothing better, just curious if the integration pack was worth messing with. Thanks!

  2. Hi again Natascia

    On the SCCM Dev – Check previous updates runbook i clicket on Get Compliance State porperties, under Connection tab it ask Server and Initial Catalog.. what must i write on the 2 field ?
    thx a lot.

    1. Hi Cem,

      it is all the same for the database query/write actions. I use a database to log all the information. I have called it OrchestratorTemp, which is created in the same instance as the Orchestrator database. So you would also need to create a database and the necessary table (see blog) for it.
      Fill the fields like this:
      Server: Servername\Instancename
      InitialCatalog: OrchestratorTemp (or the name of your database, if it is different)
      I used variables here, that is why there is only a reference in it.

      Kind regards,

      1. Hi, Natascia
        I have change the field and run thr runbook again, its failed on get update script and return with Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) error. let me explain a lil pls.. I start the Check updates runbook, it ask for RBInstance : 1 servername : abc , PreviousFound : False , Patch: True . I write this parameter. abc is my server name. Iahve tested 3 different server and its get the same error, Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
        wht can i do ?
        One more question pls, its possible the can i only install security patches with your stracture ?

        Many Thx for your helping.
        Kind regards

  3. Hi,

    I have implemented your runbook with succes and it’s providing us with much more control over updates then SCCM does.

    I have one question about patching Server 2003 systems.
    In the CCMSKDProvider.log, the client logs the following error ‘The caller is not allowed and/or supported to initiate the update installation.’

    Do you know you to fix this ?

    Thanks !

      1. I’m actually having the same issue as well. Runs great targeting 2008 servers, but fails when targeting 2003 servers (which is crucial for my project to succeed).

        When I isolate the Powershell script and run it remotely in Powershell (elevated or not elevated doesn’t change behavior) I get an error.

        Invoke-WmiMethod :
        At C:\temp\invoketest.ps1:17 char:1
        + Invoke-WmiMethod -computername $ServerName -Class CCM_SoftwareUpdatesManager -Na …
        + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (:) [Invoke-WmiMethod], UnauthorizedAccessException
        + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.InvokeWmiMethod

        And I see the same error as “marcdieters” in the CCMSKDProvider.log of the targeted 2003 server:

        <![LOG[Session [0] does not belong to the calling user CORP\, not supported.]LOG]!>

    1. Apparently the 2003 issue “The caller is not allowed and/or supported to initiate the update installation.” Is a by-design “feature” when executing this particular invoke-wmimethod remotely. I can’t verify, but I was told by Microsoft that installing R2 for Server 2003 corrects this. If R2 isn’t possible, then the only work around is executing the powershell command “locally” using something like PSEXEC in you runbook script.

    1. Hi Emilio,ä
      thanks. You only need a top runbook that calls the patch runbook and provides the server name and the other parameters.
      You can read a text file in the top runbook or use Get collection members activity from the Sccm Integration Pack.

      Kind regards,


  4. Hi many Thanks for the solution. can you please tell me how to bind your runnbook export file to runnbook designer ? the import doesnt work. Thanks in Advance

  5. Hi Natascia, thanks for this excellent post and runbooks. We are surrently testing them in our environment to use with your other (Server Reboot) post. They have been working really well!

  6. Hi Natascia

    I’m assuming in order to have control over the updates which are deployed that you set the update deployment as ‘available’ to the collection and then use the above runbooks in order to deploy the patches? I’m experimenting with a couple of different methods of deploying updates via Orchestrator and keen to know your thoughts,



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s