You may be asking yourself: “Why initialize patching with Orchestrator?”
We had the request to restart and patch servers on a recurring schedule, in groups, and with pre and post tasks to check. You can do all of that in SCCM 2012 through task sequences, but can you also make SCCM stop when one of the servers in the group fails, and get a status at the end? Orchestrator can do that. It can run general tasks for all servers or special tasks for single servers, so you have more control there.
I will also create another blog post to describe the reboot runbooks. Here I want to focus on the patching part. It can also be initialized separately, outside of the reboot process.
For our reboot scenario we only wanted to check which patches are available, install them, reboot, and after the reboot check which patches were installed successfully and whether additional patches are missing. We did not install those. You could extend that as you need it.
We use System Center Orchestrator 2012 SP1. For my runbook I do not use the System Center Configuration Manager 2012 SP1 integration pack. I only use WMI queries to check which patches are available. But you still need SCCM 2012 to deploy the patches!
I use the following WMI classes:
- CCM_SoftwareUpdate (http://msdn.microsoft.com/en-us/library/jj155451.aspx)
- CCM_SoftwareUpdatesManager (http://msdn.microsoft.com/en-us/library/jj155384.aspx)
- Win32_QuickFixEngineering (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394391(v=vs.85).aspx)
We have one additional database in the same database instance as our Orchestrator database for logging. It is called OrchestratorTemp.
For this runbook we use a table called SoftwareUpdate to log the patch status.
In the reboot runbooks we have another table which logs the general server status; it also has the columns Servername and RBInstance. With these two columns we can later link both tables and clean them up at the end of the process.
I use three runbooks to patch the server.
- SCCM Dev – Check updates
- SCCM Dev – Install updates
- SCCM Dev – Check previous updates
SCCM Dev – Check updates
It has the following initialize data parameters:
- Servername
- Patch (in the reboot runbook you can decide if you want to patch or not, Values: “True/False”)
- Previous Found (needed for the second run after the reboot, should be “False” at the beginning)
- RBInstance (reference to the main reboot runbook, can be any number if called outside)
I will focus on the interesting details of the main activities.
- Get Updates/Check for additional updates (Run .Net Activity):
Runs the following PowerShell script:
and publishes the following data:
- Write Updates/Write additional Update Status (Write To Database Activity):
Writes into the OrchestratorTemp database:
- Install Update (Invoke Runbook): Initializes the “SCCM Dev – Install Update” runbook and waits for its completion. Loops until Finished=True. Given Parameters: Servername, RBinstance.
- Check previous updates (Invoke Runbook): Initializes the “SCCM Dev – Check previous updates” runbook and waits for its completion. Given Parameters: Servername, RBinstance.
SCCM Dev – Install updates
The Install updates runbook is initialized once for each update that needs to be installed.
- Get first missing update (Query Database Activity): Runs the following query:
- Install update (Run .Net Activity):
Runs the following PowerShell script:
- Check update (Run .Net Activity):
Runs the following PowerShell script:
and publishes the following data:
Loops with a delay of 10 seconds and exits the loop when one of these conditions occurs:
(pattern: 8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23)
=> waits 2 minutes for the patch to install. This can be extended by increasing the number of attempts!
- Cancel Update (Run .Net Activity):
Runs the following PowerShell script:
- The Write Update activities set “ComplianceState” to 1 and “EvaluationState” to the output status when the update was installed successfully. Otherwise they set different “ComplianceStates” depending on the update status.
SCCM Dev – Check previous updates
This runbook checks whether the update is listed among the installed updates after the reboot.
- Get Compliance State (Query Database Activity): Runs the following query:
- Get ArticleID (Query Database Activity): Runs the following query:
- Check install status (Run .Net Activity):
Runs the following PowerShell script:
and publishes the following data:
- Write Update Compliance (Query Database Activity): Runs the following query:
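As an added illustration (this is not the blog's exported runbook script), the following PowerShell puts the three runbook steps side by side with the same WMI classes: list missing updates, trigger and poll one installation with the 10-second/12-attempt loop, and verify after the reboot against Win32_QuickFixEngineering. It assumes the client SDK namespace root\ccm\ClientSDK, that the loop exit pattern 8..23 refers to EvaluationState, and that the caller has WMI admin rights on the target.

```powershell
# Added example, not the blog's runbook scripts. Assumptions: $ServerName is
# reachable over WMI with admin rights and the SCCM client SDK namespace is
# root\ccm\ClientSDK (not stated on the page).
param([string]$ServerName = 'localhost', [int]$MaxAttempts = 12)

$ClientSdk = 'root\ccm\ClientSDK'
# EvaluationState 8..23 (pending reboot, install complete, error, waiting states)
# is taken as "the client is done with this update", i.e. the runbook's exit
# pattern 8|9|...|23. Assumption: the pattern is matched against EvaluationState.
$FinalStates = 8..23

function Get-MissingUpdate {
    # Step 1 (Check updates): ComplianceState 0 = deployed to the client but not installed
    Get-WmiObject -ComputerName $ServerName -Namespace $ClientSdk -Class CCM_SoftwareUpdate `
        -Filter 'ComplianceState = 0' |
        Select-Object ArticleID, Name, ComplianceState, EvaluationState
}

function Install-CcmUpdate {
    param([string]$ArticleID)
    # Step 2 (Install updates): trigger one update and poll until it reaches a final state
    $filter = "ArticleID = '$ArticleID'"
    $update = Get-WmiObject -ComputerName $ServerName -Namespace $ClientSdk -Class CCM_SoftwareUpdate -Filter $filter
    if (-not $update) { throw "KB$ArticleID is not deployed to $ServerName" }
    # InstallUpdates takes an array of CCM_SoftwareUpdate instances; the leading comma keeps it one array argument
    Invoke-WmiMethod -ComputerName $ServerName -Namespace $ClientSdk -Class CCM_SoftwareUpdatesManager `
        -Name InstallUpdates -ArgumentList (,@($update)) | Out-Null
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        Start-Sleep -Seconds 10
        $state = (Get-WmiObject -ComputerName $ServerName -Namespace $ClientSdk -Class CCM_SoftwareUpdate -Filter $filter).EvaluationState
        if ($FinalStates -contains $state) { return $state }
    }
    return $null   # still in progress after MaxAttempts x 10 s; this is where the runbook cancels the update
}

function Test-UpdateInstalled {
    param([string]$ArticleID)
    # Step 3 (Check previous updates, run after the reboot): confirm against the OS hotfix list,
    # not only the client's own compliance state
    [bool](Get-WmiObject -ComputerName $ServerName -Class Win32_QuickFixEngineering -Filter "HotFixID = 'KB$ArticleID'")
}

# Example run for steps 1 and 2; call Test-UpdateInstalled -ArticleID <id> once the server is back up
foreach ($u in Get-MissingUpdate) {
    $state = Install-CcmUpdate -ArticleID $u.ArticleID
    "KB$($u.ArticleID) ($($u.Name)) -> final EvaluationState: $state"
}
```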
Here is the link to the exported runbooks.
That’s it. Have fun!
Hi Natascia, very nice! Can I ask why you decided to go without the integration pack? Does using WMI come out more reliable?
Hi Graham,
with the SCCM 2012 SP1 integration pack you only have the activity “Perform Client Action”, which has the standard client actions. So you can initiate the installation, but you cannot really control it. We had, for example, an update which had problems with the download. It prevented other patches from being installed. With WMI I can control each update – so I can cancel it if it takes too long, or even exclude it if necessary. I can see what was installed successfully and see the status code of the failed ones directly. I can log that locally and create a report at the end, and do not need to wait until SCCM updates its information.
That was the reason why I used WMI. If you see other options, then I would be glad to hear about it.
Natascia
No, I’ve got nothing better, just curious if the integration pack was worth messing with. Thanks!
Hi, Natascia
Is it possible that you can export the runbook and send it by mail?
Thanks a lot..
Cem,
I have updated the blog and added the link to the runbooks.
Kind regards,
Natascia
Hi, Natascia
You are my best..
Thanks a lot
Hi again Natascia
On the SCCM Dev – Check previous updates runbook I clicked on Get Compliance State properties; under the Connection tab it asks for Server and Initial Catalog.. what must I write in the 2 fields?
thx a lot.
Hi Cem,
it is all the same for the database query/write actions. I use a database to log all the information. I have called it OrchestratorTemp, which is created in the same instance as the Orchestrator database. So you would also need to create a database and the necessary table (see blog) for it.
Fill the fields like this:
Server: Servername\Instancename
InitialCatalog: OrchestratorTemp (or the name of your database, if it is different)
I used variables here, that is why there is only a reference in it.
Kind regards,
Natascia
Hi, Natascia
I have changed the field and run the runbook again; it failed on the get update script and returned with the Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) error. Let me explain a little, please.. I start the Check updates runbook, it asks for RBInstance: 1, servername: abc, PreviousFound: False, Patch: True. I write these parameters. abc is my server name. I have tested 3 different servers and get the same error, Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
What can I do?
One more question please, is it possible that I can only install security patches with your structure?
Many thanks for your help.
Kind regards
Cem
Hi,
I have implemented your runbook with success and it’s providing us with much more control over updates than SCCM does.
I have one question about patching Server 2003 systems.
In the CCMSKDProvider.log, the client logs the following error ‘The caller is not allowed and/or supported to initiate the update installation.’
Do you know how to fix this?
Thanks !
Hi,
I am glad, that the runbook helps you.
No, I have not seen this problem before.
Can you send me more details of the log?
Kind regards,
Natascia
I’m actually having the same issue as well. Runs great targeting 2008 servers, but fails when targeting 2003 servers (which is crucial for my project to succeed).
When I isolate the Powershell script and run it remotely in Powershell (elevated or not elevated doesn’t change behavior) I get an error.
———————————————–
Invoke-WmiMethod :
At C:\temp\invoketest.ps1:17 char:1
+ Invoke-WmiMethod -computername $ServerName -Class CCM_SoftwareUpdatesManager -Na …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WmiMethod], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.InvokeWmiMethod
———————————————–
And I see the same error as “marcdieters” in the CCMSKDProvider.log of the targeted 2003 server:
<![LOG[Session [0] does not belong to the calling user CORP\, not supported.]LOG]!>
Have you had any luck resolving this error? I am having this exact same issue on Server 2003 machines.
Any advice is appreciated.
Apparently the 2003 issue “The caller is not allowed and/or supported to initiate the update installation.” is a by-design “feature” when executing this particular invoke-wmimethod remotely. I can’t verify, but I was told by Microsoft that installing R2 for Server 2003 corrects this. If R2 isn’t possible, then the only workaround is executing the powershell command “locally” using something like PSEXEC in your runbook script.
Hi Natascia
The download link to reboot runbooks is broken. Could you take a look at it?
Thanks
Hi, thanks for the information. It should work now.
Kind regards,
Natascia
hi,
I want to thank you for writing this blog, it is awesome. I am new to Orchestrator and was hoping you could tell me how I can do this with multiple servers.
thank you for time and help
Hi Emilio,
thanks. You only need a top runbook that calls the patch runbook and provides the server name and the other parameters.
You can read a text file in the top runbook or use Get collection members activity from the Sccm Integration Pack.
Kind regards,
Natascia
Thank you!!! I use the get collection members from the SCCM IP.
thank you
Hi, many thanks for the solution. Can you please tell me how to bind your runbook export file to the Runbook Designer? The import doesn't work. Thanks in advance
Hi, this is super easy. Right click on a Folder in the Runbook tree and click Import. That should work.
Regards,
Natascia
Hi Natascia, thanks for this excellent post and runbooks. We are currently testing them in our environment to use with your other (Server Reboot) post. They have been working really well!
Hi Natascia
I’m assuming in order to have control over the updates which are deployed that you set the update deployment as ‘available’ to the collection and then use the above runbooks in order to deploy the patches? I’m experimenting with a couple of different methods of deploying updates via Orchestrator and keen to know your thoughts,
Thanks
Alex
Hi,
yes, that is correct.
Regards,
Natascia
Can’t download the runbook can you check the link?