Category Archives: Configuration Manager

Orchestrator 2012: Start server patching from Service Manager

In my MMS 2015 session “Real world Automation with Service Manager and Azure Automation” with Steve Buchanan I showed how you can patch Servers initialized from a Service Manager Change Request.

The idea behind that is that there are systems which cannot be patched (and rebooted) during normal patch windows because the application owners need to control the outage times by themselves. They only know when production can handle a server outage. With Service Manager they can follow the ITIL Standards and create a Change Request, select a SCCM Collection with its Servers and the Software Updates to be applied. The Change Request will then call an Orchestrator Runbook and implement the Patches on all Servers in the given Collection.

Prerequisites:

  • The Software Updates need to be pre-deployed to all effected Servers through SCCM (Deployment Type: Available).
  • System Center Orchestrator 2012 R2, System Center Service Manager 2012 R2, System Center Configuration Manager 2012 R2
  • Log Database on SQL to store process Information
  • Sync SCCM Collections with SCSM

Temp DB Setup:

tempdb

MMSPatch

serverstatus

SoftwareUpdate

SoftwareUpdateInstall

Service Manager:

Select Template: (Patch Server)
template

Enter Title:
CR

Select Config Items to Change – SCCM Collection (Collection Info):
ConfigItems

Select Related Items – Configuration Items: Computers, Services and People (Software Update):
RelatedItems

Runbook Automation Activity:
Activity

Runbooks:

The following screenshots show the runbooks which are used for this solution.

The main runbook:

Install Software Updates (called from SCSM)MMS - Install Software Updates

Sub runbooks:

Get CR Details (writes all necessary CR information to the DB)

MMS - Get CR Details

Get Software Updates (write Software Update Information to the DB)MMS - Get Software Updates

Get Collection IDs (writes SCCM Collection Information to the DB)MMS - Get Collection IDs

Split Patching by Server (gets all Servers within the Collection)
MMS - Split By Server

Split by Patch (reads all updates from the DB)

SCCM - Split By Patch

Check Updates (checks if the Patch is available on the machine)
MMS - Check Updates

Install Update (installs the update on the machine)
SCCM - Install Updates

Update CR (updates the Change Request)
MMS - Update CR

Improvement ideas:

  • Use Service Request instead of CR
  • Import SCCM Software Update Groups into SCSM and select them

This YouTube-Video shows you the process in action.

The complete solution can be downloaded here.

SCCM 2012: Disable Operations Manager Alerts

The integration between Microsoft System Center products is always one of the marketing promises. A lot has been done in that direction within the last years. One topic is still not working as expected, which is related to the interopability between SCCM and SCOM.

Short explanation: If you install software or software updates through Configuration Manager you normally want to disable the monitoring (alert creation) in Operations Manager. The problem is, that it looks like the function is implemented, but it is not fully implemented. See System Center 2012 Operations Manager Unleashed.

Here are the details.

You can set the option to “Disable Operations Manager alerts…” for applications, package or software updates. Here are the screenshots for it:

Application: SCCM-MMApplication

Package (only 2012 SP1): SCCM-MMPackage

Software Update: SCCM-MMUpdates

The question is, what is happening in the background when you select this option?

The real thing, which happens, is that the System Center Management Service gets paused.

HS-paused

This was already the case in ConfigMgr 2007 with SCOM 2007 R2. See.

What is the effect in SCOM?

The Health Service object gets unavailable, but the Health Service Watcher stays active.

SCCM-MMHealthExplorer

We will not see the alert “Health Service Heartbeat Failure” because the monitor is in a warning state and it only creates an alert when it is in a critical state.

Do we have a problem with that?
Yes. The system is not really in maintenance mode. If the system needs to reboot after the installation minimum one alert will be created: Failed to Connect to Computer. See these posts:

https://support.microsoft.com/en-us/kb/942866

http://thoughtsonopsmgr.blogspot.de/2009/04/maintenance-mode.html (this one is for SCOM 2007 R2, but it is still current.)

Also if you implemented my solution for greyed out agents, then you will get an alert listed with these servers which get the System Center Management service paused, because they are greyed out and no Health Service Heartbeat Failure alert is created!

You can use other options to set the maintenance mode in SCOM for installing software or implement software updates until a better integration for setting this functionality is implemented into SCCM 2012 directly:

Microsoft System Center Reporting Cookbook available soon

A new System Center book is on the horizon which covers the very important reporting topic. It will be published Friday 27th. You can find the link to the book and more information about it on the blog of Steve Buchanan, MVP and technical reviewer of the book.

Why is this book special?

Reporting is essential in the System Center world. What is for example Sccm without patch compliance reports? But where can you find good information about how to design System Center reports besides searching the web? This book gives you guidance with easy to follow recipes and a lot of useful information about setup, report design and other options besides SSRS like PowerPivot.

A big thank from me goes to Sam Erskine, one of the authors, who had the idea for the book. He managed the publication from the beginning to the end and it is really his baby. He made it possible that I was a technical reviewer of this book, that I saw how it grew and I am proud as a nurse which helped to bring a baby to live, that I had a small part in it.

So buy it, read it and share it ;-).

SCCM 2012: Install downloaded Software Update through PowerShell

With the last Patch cycle from Microsoft we had a bigger problem with the patch MS15-018, which failed on a lot of servers. The patch also prevented all other following patches to be installed. It was downloaded correctly, but could only be installed manually by running the downloaded exe-file from the SCCM cache folder.

To automate this a bit, my colleague Mihaly Kolozsi created a PowerShell script based on my design ideas. A big thank to him for borrowing me his brain and time ;-).

You can download it here.

SCCM 2012: Get expired Advertisements

There are some clean up tasks a System Center Configuration Manager 2012 Administrator can perform on a regular basis. One should be to check which advertisements are expired.

Yes, I talk about advertisements in SCCM 2012. I know SCCM 2012 talks about deployments, but if you deploy a Package in SCCM (not an Application) then SCCM internally stores this deployment in the WMI class SMS_Advertisement. See also.

There is no PowerShell Cmdlet for SCCM 2012 SP1 which could give me this information directly, so I have created a script, that can be used in two ways:

  1. document which deployments are expired (only does not document the current assigned schedule) in a CSV format.
  2. delete the expired deployments.

So you can call the script with different parameters.

Command line: Getexpiredadvertisements.ps1 -log [String] -sitecode [String] -siteserver [String] -document [Bool] -delete [Bool]

Example: Getexpiredadvertisements.ps1 -log “c:\it\expiredads.csv” -sitecode “ABC:” -siteserver “SCCM01” -document $True -delete $False

Possible Parameters:

  • Log: Defines name and path of the written CSV file
  • Sitecode: SCCM Site Code, Example ABC:
  • Siteserver: SCCM Site Server Name
  • Document:  Defines, if expired Advertisements get documented to the CSV file, possible values: $True/$False
  • Delete: Defines, if expired Advertisements get deleted in SCCM, possible values: $True/$False

Requirements:

  • Run this script in PowerShell x86
  • The script is tested with PowerShell 2.0 and SCCM 2012 SP1
  • SCCM administrator permissions
  • The Configuration Manager PowerShell Modul must be installed on the machine, where you run the script

The script can be downloaded here.

SCCM 2012: Diskspace Report sorted by Freespace Percentage

System Center admins often get asked for disk space reports.
Depending on the discovery settings the data can be more current in SCOM or SCCM.
So you need to decide which datasource you use.

I have created a report for System Center Configuration Manager 2012, which lists Total Disk Space (MB), Total Free Space (MB), Total Used Space (MB), Total Free Space Percent and Total Used Space Percent.

It sorts by Total Free Space Percent and colour codes the output with this rule:

< 20 %: red
< 40 %: orange
Rest: green

You can select any device collection.

diskspacereport

The report can be downloaded here.

Orchestrator 2012: Patch a server with SCCM 2012

You will perhaps have the question in your mind “Why initialize patching with Orchestrator?”.

We had the request to restart and patch servers on a reoccuring schedule in groups and with pre and post tasks to check. You can do that all in SCCM 2012 through tasks sequences, but Can you also control that SCCM should stop when one of the servers in the group fails and that you get a status at the end? Orchestrator can do that. It can run some general tasks for all servers or special tasks for single servers, so you can control more in there.

I will also create another blog post to describe the reboot runbooks. Here I want to focus on the patching part. This can also separately be initialized outside of the reboot process.

For our reboot szenario we only wanted to check which patches are available. Install them, reboot and after the reboot check which patches are installed successfully and if there are additional missing patches. We did not install those then. You could extend that as you need it.

We use System Center Orchestrator 2012 SP1. For my runbook I do not use the System Center Configuration Manager 2012 SP1 integration pack. I only use WMI queries to check which patches are available. But you still need SCCM 2012 to deploy the patches!

I use the following WMI classes:

CCM_SoftwareUpdate (http://msdn.microsoft.com/en-us/library/jj155451.aspx)
CCM_SoftwareUpdatesManager (http://msdn.microsoft.com/en-us/library/jj155384.aspx)
Win32_QuickFixEngineering (http://msdn.microsoft.com/en-us/library/windows/desktop/aa394391(v=vs.85).aspx)

We have one additional database in the same database instance as our Orchestrator database for logging. It is called OrchestratorTemp.

For this runbook we use a table called SoftwareUpdate to log the patch status.

softwareupdate

In the reboot runbooks we have another table which logs the general server status which also has columns Servername and RBInstance. With these both columns we later can link both tables and clean up the columns at the end of the process.

I use three runbooks to patch the server.

  1. SCCM Dev – Check updates
  2. SCCM Dev – Install updates
  3. SCCM Dev – Check previous updates

SCCM Dev – Check updates

sccm dev - check updates

It has the following initialize data parameters:

  • Servername
  • Patch (in the reboot runbook you can decide if you want to patch or not, Values: “True/False”)
  • Previous Found (needed for the second run after the reboot, should be “False” at the beginning)
  • RBInstance (reference to the main reboot runbook, can be any number if called outside)

I will focus on the interesting details of the main activies.

  • Get Updates/Check for additional updates (Run .Net Activity):
    Runs the following PowerShell script:
    getupdates
    and publishes the following data:
    getupdates-published
  • Write Updates/Write additional Update Status (Write To Database Activity):
    Writes into the OrchestratorTemp database:
    WriteUpdates
  • Install Update (Invoke Runbook): Initializes the “SCCM Dev – Install Update” runbook and waits for its completion. Loops until Finished=True. Given Parameters: Servername, RBinstance.
  • Check previous updates (Invoke Runbook): Initializes the “SCCM Dev – Check previous updates” runbook and waits for its completion. Given Parameters: Servername, RBinstance.

SCCM Dev – Install updates

sccm dev - install updates

The install updates will be initialized for each update which needs to be installed.

  • Get first missing update (Query Database Activity): Runs the following query:
    get first update
  • Install update (Run .Net Activity):
    Runs the following PowerShell script:
    install update
  • Check update (Run .Net Activity):
    Runs the following PowerShell script:
    check update
    and publishes the following data:
    check update - published
    Loops with a delay of 10 seconds and exits loop when these conditions occur:
    check update - loop
    (pattern: 8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23)
    => waits 2 minutes for the patch to install. Can be extended by increasing the number of attempts!
  • Cancel Update (Run .Net Activity):
    Runs the following PowerShell script:
    cancel update
  • The Write Update activities sets “ComplianceState” to 1 and the “EvaluationState” to the output status when the update was installed successfully. Otherwise it sets different “ComplianceStates” depending on the update status.

SCCM Dev – Check previous updates

sccm dev - check previous updates

This runbook should check if the update is listed in the installed updates after the reboot.

  • Get Compliance State (Query Database Activity): Runs the following query:
    get compliance state
  • Get ArticleID (Query Database Activity): Runs the following query:
    get articleID
  • Check install status (Run .Net Activity):
    Runs the following PowerShell script:
    Check install status
    and publishes the following data:
    Check install status - published
  • Write Update Compliance (Query Database Activity): Runs the following query:
    Write update compliance

Here is the link to the exported runbooks.

That’s it. Have fun!

Orchestrator 2012: Check SCCM maintenance window and set SCOM maintenance mode

Everyone who uses System Center Configuration Manager 2012 and System Center Operations Manager 2012 knows the problem of setting the server into maintenance mode when patching or software deployment needs to take place.

With System Center Orchestrator 2012 you get the integration packs for both systems and the option to create a workflow for this task. My intetion for this was to use the maintenance windows which are defined on the collections. During this timeframe software updates and deployments can be performed on the servers incl. reboots. So it would be good to set the servers into maintenance mode in SCOM. I only focussed on general maintenance mode windows not OSD ones and non recurring windows.

Here is the summary of the workflow I have created:
The workflow runs every 2 minutes. It reads a text file on the runbook server with all collection ids it should check, then checks if the collection has a maintenance window defined, that will start within the next 10-15 minutes. If yes, then it gets the collection members in SCCM, gets the FQDN for the server and starts the maintenance mode in SCOM. If successful it writes a log file otherwise it tries again to set the maintenance mode with the Netbios name.

Diagram:

set sccm maintenance window

Most of the parts are standard activities, so I only describe the “Get Maintenance Window” activity, which runs a PowerShell script on the Runbook server. This activity needs to run with a user that has SCCM permissions, otherwise it will provide no result. It only will have output data, if the maintenance window will occur within the next 10-15 minutes. So the link to the Get Collection Members activity should have the following include entry: Pure Output from Get Maintenance Window matches pattern .+

Here is the command line for the Get Maintenance Window activity:

cmd.exe /c | c:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe –c “function WMI-DateStringToDate($time) {  [System.Management.ManagementDateTimeconverter]::ToDateTime($time);};$collsettings = ([WMIClass] ‘\\SCCM Server FQDN\root\SMS\site_SCCMSiteCode:SMS_CollectionSettings’).CreateInstance();if($collsettings -is [Object]){$collsettings.CollectionID = ‘Link to Line Text of previous activity’;$collsettings.get();$windows=$collsettings.ServiceWindows;if ($windows -is [Object]){$now=Get-Date;Foreach ($window in $windows){$Time=WMI-DateStringToDate($window.StartTime);if (($window.IsEnabled -eq $True) -and ($window.ServiceWindowType -eq ‘1’) -and ($window.RecurrenceType -eq ‘1’)){if (($now.AddMinutes(15).compareto($Time) -eq ‘1’) -and ($now.AddMinutes(10).compareto($Time) -eq ‘-1’)){$Duration=$window.Duration+15;write-host ($Time.ToString(),$Duration) -separator ‘;’}}}}};”

Attention! The command line should not have line breaks! Otherwise it will not work within this activity.
For better readability I post the script here also with line breaks and comments:

param($SMSSiteCode, $SMSManagementServer, $COLLECTION_ID)
# convert WMI date to DateTime format
function WMI-DateStringToDate($time)
{ [System.Management.ManagementDateTimeconverter]::ToDateTime($time)}
# get collection settings (incl. Maintenance Windows)
$collsettings= ([WMIClass] \\$SMSManagementServer\root\SMS\site_$($SmsSiteCode):SMS_CollectionSettings).CreateInstance()
if($collsettings -is [Object])
{
$collsettings.CollectionID =$COLLECTION_ID
$collsettings.get()
$windows=$collsettings.ServiceWindows
if ($windows -is [Object])
{
$now=Get-Date
Foreach ($window in $windows)
{
$Time=WMI-DateStringToDate($window.StartTime)
# only check general maintenance and non recurring windows
if (($window.IsEnabled -eq$True) -and ($window.ServiceWindowType -eq‘1’) -and ($window.RecurrenceType -eq‘1’))
{
# check if starttime is within the next 10-15 min.
if (($now.AddMinutes(15).compareto($Time) -eq‘1’) -and ($now.AddMinutes(10).compareto($Time) -eq‘-1’))
{
# add 15 min to duration as buffer
$duration=$window.Duration+15;
write-host ($Time.ToString(),$Duration) -Separator ‘;’
}
}
}
}
}

Another thing to mention: Please add an exclude to the link between “Get Collection Member” and “Get FQDN” for your Management Servers: Member Name from Get Collection Member equals SCOMMGServerName.
Then they will not be set into maintenance mode if they are members of the checked collections.

Update

I found some problems with the daylight saving settings on the runbook server. We use UTC maintenance windows in SCCM. With daylight saving the local time of the runbook server gets adjusted but the maintenance window stays in standard UTC. The script compares the local time with the maintenance window. With the old version it sets the maintenance window at the wrong time when daylight saving is enabled.

Therefore I had to adjust the script. Here is the new version. The italic entries are new.

cmd.exe /c | c:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe –c “function WMI-DateStringToDate($time) {  [System.Management.ManagementDateTimeconverter]::ToDateTime($time);};$collsettings = ([WMIClass] ‘\\SCCM Server FQDN\root\SMS\site_SCCMSiteCode:SMS_CollectionSettings’).CreateInstance();if($collsettings -is [Object]){$collsettings.CollectionID = ‘Link to Line Text of previous activity’;$collsettings.get();$windows=$collsettings.ServiceWindows;if ($windows -is [Object]){$now=Get-Date;$universal=$now.ToUniversalTime().AddHours(([System.TimeZoneInfo]::Local).baseutcoffset.hours);$diff=($now.subtract($universal)).Hours;Foreach ($window in $windows){$Time=WMI-DateStringToDate($window.StartTime);if (($window.IsEnabled -eq $True) -and ($window.ServiceWindowType -eq ‘1’) -and ($window.RecurrenceType -eq ‘1’)){if (($now.AddMinutes(15).compareto($Time.AddHours($diff)) -eq ‘1’) -and ($now.AddMinutes(10).compareto($Time.AddHours($diff)) -eq ‘-1’)){$Duration=$window.Duration+15;write-host ($Time.ToString(),$Duration) -separator ‘;’}}}}}”

Here is the link to the runbook.