SCCM Automation using Azure Runbook Hybrid Worker

Let’s look at SCCM automation using an Azure Automation runbook and a Hybrid Runbook Worker. This is the next level of automation that the SCCM team is looking for. I hope we all remember the HTMD virtual conference hosted on 20th November 2021.

I delivered a session there about SCCM Automation with Azure Hybrid Worker. In this post, we will do a deep dive into the same automation and go over those topics as a refresher.

You can build several kinds of SCCM automation with Hybrid Runbook Workers and Azure runbooks: SCCM collection creation and maintenance, SCCM application creation through the ConfigurationManager PowerShell module, and so on.

The possibilities are broad: any PowerShell script you can run on the SCCM site server today can be wrapped in a runbook and executed through the hybrid worker. You can watch the full video recording at the bottom of the post.

SCCM Automation using Azure Runbook with hybrid worker

Who should read this Article?

This article is for IT and Configuration Manager administrators who manage a mostly on-premises server infrastructure alongside Azure (or another cloud platform). It shows how to automate cluster patching and Azure VM patching, and how to integrate Azure Automation with SCCM.

So without further delay, let’s begin.

How To Extend Automation To On-Premises Or Other Cloud Providers

This architecture shows how to extend Azure Automation to on-premises machines or to other cloud providers. It describes the services that must be deployed in Azure to provide automated management and configuration across those environments.

The same architecture applies to Azure virtual machines (VMs) that sit behind a firewall: the hybrid worker needs only outbound connectivity to Azure on TCP port 443, and no inbound ports have to be opened.

SCCM Automation using Azure Run Book Hybrid Worker

This high-level architecture diagram shows how the Hybrid Runbook Worker fits together with the other components.

Architecture – SCCM Automation using Azure Runbook with hybrid worker

The architecture consists of the following components:

  • Log Analytics Workspace: A Log Analytics workspace is the data repository for log data collected from resources that run in Azure, on-premises, or at another cloud provider.
  • Automation Hybrid Worker solution: Adds the components that let you create Hybrid Runbook Workers to run Azure Automation runbooks on your Azure and non-Azure computers.
  • Automation Account: A cloud service that automates configuration and management across your Azure and non-Azure environments.
  • Hybrid Runbook Worker: A computer with the Hybrid Runbook Worker feature installed; it executes runbooks directly on that computer and against resources in the local environment.
  • Hybrid Runbook Worker Group: Groups multiple Hybrid Runbook Workers for higher availability and scale when running a set of runbooks.
  • Runbook: A collection of one or more linked activities that together automate a process or operation.
  • On-premises machines and VMs: Windows or Linux computers and VMs hosted in a private local-area network.
SCCM Automation using Azure Runbook Hybrid Worker 2

Recommendations

The following recommendations apply to most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.

The following steps outline the implementation:

  • Create a Log Analytics Workspace
  • Add an Automation Hybrid Worker Solution
  • Create an Automation Account (with a system-assigned managed identity if runbooks also need to reach Azure resources)
  • Link an Automation Account with Log Analytics Workspace
  • Deploy a Log Analytics agent and connect to a Log Analytics Workspace
  • Deploy a Hybrid Runbook Worker Group and Hybrid Runbook Worker on an on-premises Windows computer (optional Linux VM)
  • Create a Runbook in Azure Automation
  • Create a Run As account for authentication (if applicable)
  • Deploy a Runbook on a Hybrid Runbook Worker Group

Create a Log Analytics Workspace

Before you create a Log Analytics workspace, make sure you hold at least the Log Analytics Contributor role on the target resource group or subscription. An Azure subscription can contain more than one Log Analytics workspace, for data isolation or to choose the geographic location where data is stored, but in this design each Log Analytics agent is configured to report to a single workspace.

For more details, see Microsoft’s documentation on creating a Log Analytics workspace, and review the Azure Monitor Logs design guidance before you create it. Use the following steps to create a Log Analytics workspace:

  • Sign in to the Azure portal at https://portal.azure.com.
  • Select Create a resource. In Search the Marketplace, enter Log Analytics; the list filters as you type. Select Log Analytics Workspace.
  • Select Create, and then fill in the following:
    • Subscription: choose from the drop-down list if the default is not appropriate.
    • Resource Group: use an existing resource group or create a new one.
    • Name: a unique name for the new workspace, such as HybridWorkspace-yourname.
    • Location: the region for your deployment.
    • Pricing Tier: select it to proceed to further customization.

A workspace created in a subscription that was itself created after April 2, 2018, automatically uses the Per GB pricing plan, and the pricing-tier selector is not shown.

If you are creating a workspace in a subscription created before April 2, 2018, or in a subscription tied to a current Enterprise Agreement enrollment, select your preferred pricing tier.

For details of the individual tiers, see Log Analytics pricing details.

  • Select Tags and optionally provide name/value for categorization of the resources.
  • Select Review + Create.
  • After providing the required information on the Log Analytics Workspace pane, select Create.
SCCM Automation with Azure Hybrid Worker 2

Add an Automation Hybrid Worker Solution

Next, prepare the Log Analytics workspace with the components the Hybrid Runbook Worker needs. Use the following steps to add the Automation Hybrid Worker solution:

  • In the Azure portal, select Create a Resource.
  • In Search the Marketplace, enter Automation Hybrid Worker; the list filters as you type. Select Automation Hybrid Worker.
  • Select Create, and then select the Log Analytics Workspace that you created in the previous step. For example, HybridWorkspace-htmd.
  • After providing the required information on the Automation Hybrid Worker pane, select Create.

Create an Automation Account

You must create the Automation account in the same region and preferably in the same resource group as the Log Analytics workspace.

Use the following steps to create the Automation Account:

  • In the Azure portal, select Create a Resource.
  • In Search the Marketplace, enter Automation; the list filters as you type. Select Automation, and then select Create.
SCCM Automation using Azure Runbook Hybrid Worker 3

Select Create, and then fill in the following:

  • Name: the name for the Automation account, such as hybrid-auto.
  • Subscription: choose from the drop-down list if the default is not appropriate.
SCCM Automation using Azure Runbook Hybrid Worker 4

  • Resource Group: choose the same resource group in which you created the Log Analytics workspace.
  • Location: the same region as the Log Analytics workspace.
  • Create Azure Run As account: optional. It only provides authentication to Azure for managing Azure resources from runbooks; it is not needed to run scripts on the hybrid worker against SCCM. Microsoft has since retired Run As accounts in favor of managed identities, so prefer the system-assigned managed identity option for any Azure access.
  • After providing the required information on the Add Automation Account pane, select Create.
Hybrid Worker Solution SCCM Automation using Azure Runbook Hybrid Worker 5

Automation Account Blade in Azure

Automation Account Blade in Azure – SCCM Automation using Azure Runbook Hybrid Worker 6

Link an Automation Account with Log Analytics Workspace

Automation accounts use the Hybrid Runbook Worker components deployed into the Log Analytics workspace, so link the two before you deploy the Log Analytics agent on an on-premises machine.

If you plan to use the same Automation account for Update Management and Change Tracking, you must link the Log Analytics workspace and the Automation account. This linking is one of the key steps in building SCCM automation with Azure runbooks and hybrid workers.

Linking a Log Analytics workspace to an Automation account is supported only in certain region pairs. For details, see Supported regions for linked Log Analytics workspace.

  • In the Azure portal, select All services, and then enter automation. As you begin entering, the list filters based on your input.
  • Select Automation Account, and then select your automation account created in the previous step.
  • In the Automation Account pane, in the Update Management section, select Update Management.

In the Update Management pane, select choices for the following items:

  • Select a Subscription to link to by selecting from the drop-down list if the default selected is not appropriate.
  • For the Log Analytics workspace, select the Log Analytics Workspace that you created. For example, HybridWorkspace-htmd.
  • After providing the required information in the Update Management pane, select Enable.

Deploy a Log Analytics agent and connect to a Log Analytics Workspace

Install the Log Analytics agent and enroll the machine into the existing Log Analytics workspace. For Azure VMs (Windows and Linux), use the VM extension, deployed through Azure Automation State Configuration (DSC), a PowerShell script, or a Resource Manager template. For more information, see Connect Windows computers to Azure Monitor.

For non-Azure machines, physical or virtual, deploy the agent on Windows and Linux using a manual or automated process.

On Windows, configure the agent to communicate with the workspace over TLS 1.2. The deployment procedure is explained in detail in Connect Windows computers to Azure Monitor.

The agent is pointed at the workspace using the workspace ID and the workspace key. Treat the workspace key as a credential: anyone holding it can enroll an arbitrary machine into your workspace and feed it data, so do not embed it in scripts or images that are widely readable, and regenerate it if it leaks.

Deploy a Hybrid Runbook Worker Group and Hybrid Runbook Worker on an on-premises Windows machine (optional Linux VM)

The Hybrid Runbook Worker role requires the Log Analytics agent for the supported operating system. For Windows, refer to the Hybrid Runbook Worker prerequisites.

Deploy a Hybrid Worker role on a Windows machine using automated and manual deployment

For automated deployment, Microsoft provides the New-OnPremiseHybridWorker.ps1 script on the PowerShell Gallery. Note that everything in this section describes the agent-based (V1) Hybrid Runbook Worker, which depends on the Log Analytics agent; Microsoft has since retired both the agent-based worker and the Log Analytics agent in favor of the extension-based (V2) worker, which is deployed as a VM extension and does not need a linked workspace.

For manual deployment: Use the following procedure to manually deploy Hybrid Runbook Worker Group and Hybrid Runbook Worker on an on-premises Windows machine:

  • In the Azure portal, search for and select Automation Accounts.
  • In the list, select the Automation account that the worker should register with.
  • In the Account Settings section, select Keys.
  • Record the Primary access key and the URL. Treat the key as a secret: together with the URL it lets anyone register a machine as a hybrid worker in your account, and a rogue worker in a group receives and executes whatever runbooks are sent to that group. Keep it out of shared editors and chat, and regenerate it after onboarding if it has been exposed.
  • On the Windows machine, open an elevated PowerShell session and import the registration module that the Log Analytics agent installed (replace <version> with the folder that exists on your machine):
PowerShell
cd "C:\Program Files\Microsoft Monitoring Agent\Agent\AzureAutomation\<version>\HybridRegistration"
Import-Module .\HybridRegistration.psd1
Now run the Add-HybridRunbookWorker cmdlet with the following syntax:
PowerShell
Add-HybridRunbookWorker -GroupName <String> -Url <Url> -Key <String>
Note: for -Url use the URL you recorded, and for -Key the Primary access key. If the group name does not exist yet, it is created and this machine becomes its first member.
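Putting the agent check from the previous section and the registration above together, here is the script I would run on the worker instead of pasting the key into an editor. It is an added example, not code from the original post or from Microsoft: the group name, Automation URL and workspace ID are inputs you supply, the registry path used for the final check is an assumption taken from the V1 troubleshooting guidance, and the COM object it queries is the Log Analytics agent’s own configuration interface.

```powershell
# Added example (not from the original post): verify the Log Analytics agent and register this
# machine as an agent-based (V1) Hybrid Runbook Worker without pasting the key into a script.
# Run in an elevated PowerShell session on the worker. All three parameters are values you supply.
param(
    [Parameter(Mandatory)] [string] $GroupName,           # hybrid worker group, e.g. 'SCCM-HybridWorkers' (assumed name)
    [Parameter(Mandatory)] [string] $AutomationUrl,       # URL shown under Account Settings > Keys
    [Parameter(Mandatory)] [string] $ExpectedWorkspaceId  # Log Analytics workspace ID the agent must use
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. The Microsoft Monitoring Agent runs as the HealthService service; nothing works without it.
$svc = Get-Service -Name HealthService
if ($svc.Status -ne 'Running') {
    throw "HealthService (Log Analytics agent) is $($svc.Status); start it before registering."
}

# 2. Ask the agent's COM configuration object (AgentConfigManager.MgmtSvcCfg) which workspaces it
#    reports to. ConnectionStatus 0 is 'connected' in the agent's documentation.
$agentCfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$ws = @($agentCfg.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $ExpectedWorkspaceId }
if (-not $ws) { throw "Agent is not enrolled in workspace $ExpectedWorkspaceId." }
if ($ws.ConnectionStatus -ne 0) {
    throw "Agent is enrolled in $ExpectedWorkspaceId but not connected (status $($ws.ConnectionStatus))."
}

# 3. Find the HybridRegistration module the agent installs. The <version> folder changes with
#    agent updates, so pick the newest folder that actually contains the module.
$agentRoot  = Join-Path $env:ProgramFiles 'Microsoft Monitoring Agent\Agent\AzureAutomation'
$modulePath = Get-ChildItem -Path $agentRoot -Directory |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Join-Path $_.FullName 'HybridRegistration\HybridRegistration.psd1' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $modulePath) {
    throw "HybridRegistration module not found under $agentRoot. Is the Automation Hybrid Worker solution added to the workspace?"
}
Import-Module $modulePath

# 4. Take the primary access key from a masked prompt so it is not left in the script, the
#    shell history or a transcript, and release the clear-text copy as soon as the cmdlet returns.
$secureKey = Read-Host -Prompt 'Automation account primary access key' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureKey)
try {
    $plainKey = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    Add-HybridRunbookWorker -GroupName $GroupName -Url $AutomationUrl -Key $plainKey
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plainKey -ErrorAction SilentlyContinue
}

# 5. Confirm something was recorded. Assumption: the V1 worker keeps its registration under
#    HKLM:\SOFTWARE\Microsoft\HybridRunbookWorker (the key Microsoft's troubleshooting guidance
#    says to delete when re-registering a worker).
$regRoot = 'HKLM:\SOFTWARE\Microsoft\HybridRunbookWorker'
if (Test-Path $regRoot) {
    Write-Output "Registered '$env:COMPUTERNAME' into group '$GroupName'."
    Get-ChildItem $regRoot -Recurse | Get-ItemProperty | Format-List
}
else {
    Write-Warning "Add-HybridRunbookWorker returned but $regRoot was not created; check the Microsoft-SMA event log."
}
```

Save it as, for example, Register-SccmHybridWorker.ps1 (a name I made up) and run it as `.\Register-SccmHybridWorker.ps1 -GroupName SCCM-HybridWorkers -AutomationUrl <url> -ExpectedWorkspaceId <guid>`. Checking the agent’s workspace connection first saves a round of troubleshooting, because Add-HybridRunbookWorker succeeds against the Automation account even when the agent itself cannot reach the workspace, and the worker then never shows up as online in the portal.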

Create a Runbook in Azure Automation

To manage resources on a local computer or against resources in the local environment where the hybrid worker is deployed, you must create a Runbook. Add a Runbook to Azure Automation by either creating a new one or importing an existing one from a file or the Runbook Gallery.

Note: When the hybrid worker host machine reboots, any running runbook job restarts from the beginning, or from the last checkpoint for PowerShell Workflow runbooks. This happens a maximum of three times, after which the job is suspended. Write runbooks so that a re-run does no harm.

Use the following steps to create or import Runbook in Azure Automation:

  • In the Azure portal, search for and then select Automation Accounts.
  • In your list of Automation accounts, select the account you configured the worker to report to.
  • In the Process Automation section, select Runbooks.
  • Select Create a runbook or Import a runbook to define the automation task that will run on the on-premises machines.

Create a Run As Account for Authentication (as applicable)

By default, a runbook job on a Hybrid Runbook Worker runs under the Local System account on Windows (or the nxautomation service account on Linux). To access local resources such as the SCCM site under a different identity, specify a Run As credential on the Hybrid Runbook Worker group; every runbook dispatched to that group then runs as that account. Keep the account scoped to what the runbooks actually need (for example a Configuration Manager security role limited to collections) rather than a site or domain administrator, because anyone who can edit or start runbooks in the Automation account effectively gets that account’s rights on the worker. Use the following steps to create a Run As credential:

  • In the Azure portal, search for and then select Automation Account.
  • In your list of Automation Accounts, select the Automation Account you created previously.
  • In the Shared Resources section, select Credentials.
  • Select Add a credential to create a credential asset with access to local resources.
  • In the Automation account pane in the Process Automation section, select Hybrid Worker Groups, then select the specific group.
  • In the Hybrid Worker group settings, select Hybrid worker group settings.
  • Change the value of Run As from Default to Custom. Select the Run As credential created before, and then choose Save.
How The Runbook Blade Looks SCCM Automation using Azure Runbook Hybrid Worker 7
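As an added example (not the post’s or the conference session’s code) of the kind of runbook this setup is built for, the following runbook creates an SCCM device collection from the hybrid worker and is written to run under the group’s Run As credential described above. The site code, SMS Provider name, limiting collection and query are assumptions; the ConfigurationManager cmdlets are the ones shipped with the Configuration Manager console, which must be installed on the worker.

```powershell
<#
  Added example runbook (not the original post's or Microsoft's code). Creates an SCCM device
  collection with a query rule, or reuses it if it already exists, from a Hybrid Runbook Worker
  that has the Configuration Manager console installed. It expects to run under the hybrid worker
  group's Run As credential. Assumed values: site code P01, SMS Provider cm01.contoso.local,
  limiting collection 'All Systems' and the Windows 10 workstation query.
#>
param(
    [Parameter(Mandatory)] [string] $CollectionName,
    [string] $LimitingCollectionName = 'All Systems',
    [string] $SiteCode = 'P01',
    [string] $ProviderMachineName = 'cm01.contoso.local',
    [string] $QueryExpression = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"'
)
$ErrorActionPreference = 'Stop'

# Guard: the hybrid worker's default identity is Local System. If the group's Run As credential is
# not set, fail here with a clear message instead of an obscure SMS Provider access-denied error.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($identity -eq 'NT AUTHORITY\SYSTEM') {
    throw 'Runbook is running as Local System; set a Run As credential on the hybrid worker group.'
}
Write-Verbose "Running as $identity on $env:COMPUTERNAME"

# The ConfigurationManager module ships with the console; SMS_ADMIN_UI_PATH points at its bin folder.
if (-not $env:SMS_ADMIN_UI_PATH) {
    throw 'Configuration Manager console is not installed on this hybrid worker.'
}
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')

# Connect to the site via the SMS Provider. Out-Null keeps the drive object out of the job's
# output stream, where it would otherwise appear next to your own messages in the Azure job view.
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderMachineName | Out-Null
}
Set-Location "$($SiteCode):\"

# Idempotent: a re-run (or a job retried after a worker reboot) must not create a duplicate.
$existing = Get-CMDeviceCollection -Name $CollectionName
if ($existing) {
    Write-Output "Collection '$CollectionName' already exists as $($existing.CollectionID); nothing to do."
    return
}

$collection = New-CMDeviceCollection -Name $CollectionName `
    -LimitingCollectionName $LimitingCollectionName -RefreshType Periodic
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
    -RuleName "$CollectionName - query" -QueryExpression $QueryExpression

# Only the Output stream is shown by default in the job view; keep it to the result that matters.
Write-Output "Created collection '$CollectionName' as $($collection.CollectionID), limited to '$LimitingCollectionName'."
```

Import this as a PowerShell runbook, start it on the hybrid worker group with a CollectionName parameter, and it will report either the new CollectionID or that the collection already existed. Because the page says interrupted jobs are restarted, the existence check at the top is what keeps a retry from creating a second collection with the same name.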

Test Your Runbook with the following:

Test Result Screenshot -> SCCM Automation using Azure Runbook Hybrid Worker 8

Deploy a Runbook on a Hybrid Runbook Worker Group

The final step is to deploy the runbook so that it executes on a Hybrid Runbook Worker Group. The runbook must be published and then started by one of the following methods:

  • Azure portal, PowerShell, the Azure Automation API, a webhook, a schedule, an Azure alert action, or another runbook.
  • See the article Start a runbook in Azure Automation to choose the method that fits your scenario.
  • You can test a draft of the runbook from the Test pane, but a test run is a real run: it executes the runbook on the selected worker and changes any resources it touches.

To test and deploy the runbook on a Hybrid Runbook Worker Group, use the following steps:

  • In the Azure portal, search for and select Automation Accounts. In your list of Automation accounts, select the account you created previously.
  • In the Automation account pane, in the Process Automation section, select Runbooks. Select the runbook you created, and then select Edit.
  • In the runbook editor, open the Test pane. In the Test pane, change the value of Run on from Azure to Hybrid Worker.

In the Choose Hybrid Worker group, select your group created in the previous step. Start the test to observe the result of the runbook.

  • Close the Test Pane to return to the Edit section. Select Publish to save the final version of the runbook.
  • In the Runbooks pane, select Link to schedule. Create a new schedule or link an existing one to define when the runbook starts.
  • In the Schedule Runbook pane, select Parameters and Run Settings, and then change the value of Run On from Azure to Hybrid Worker.
  • In the Choose Hybrid Worker group, select your group created in the previous step.
  • Confirm the choices by selecting OK to finish publishing the runbook on the Hybrid Runbook Worker.
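The same publish-and-start sequence driven from Az PowerShell rather than the portal, as an added example that is not part of the original post. The resource group, runbook and worker group names are assumptions; the Automation account name is the one used earlier in the post.

```powershell
# Added example (not the original post's code): publish a runbook, start it on a hybrid worker
# group with Az.Automation, wait for the job and collect its output. Names marked 'assumed' are mine.
$rg      = 'rg-htmd-automation'   # assumed resource group
$account = 'hybrid-auto'          # Automation account name from the post
$runbook = 'New-SccmCollection'   # assumed runbook name
$group   = 'SCCM-HybridWorkers'   # assumed hybrid worker group name

Connect-AzAccount | Out-Null      # interactive; use a managed identity or service principal in pipelines

# Publish the current draft so the job runs the reviewed version, not whatever is in the editor.
# Publishing needs Automation Contributor; starting and reading jobs needs only Automation Operator,
# which is all a scheduling or monitoring identity should hold.
Publish-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account -Name $runbook

# -RunOn targets the hybrid worker group. Without it the job runs in the Azure sandbox, which
# cannot reach the SCCM site at all.
$job = Start-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $account `
           -Name $runbook -RunOn $group `
           -Parameters @{ CollectionName = 'HTMD - Windows 10 Workstations' }   # assumed parameter

# Poll until the job reaches a terminal state. A job that never leaves 'Queued' usually means no
# worker in the group is online, which is worth alerting on rather than waiting forever.
$terminal = 'Completed', 'Failed', 'Stopped', 'Suspended'
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 10
    $job = Get-AzAutomationJob -ResourceGroupName $rg -AutomationAccountName $account -Id $job.JobId
    if ((Get-Date) -gt $deadline) { throw "Job $($job.JobId) still '$($job.Status)' after 15 minutes." }
} until ($job.Status -in $terminal)

# Record which worker actually ran it, then pull every stream so errors are not hidden.
"Job {0} finished with status {1} on worker '{2}'" -f $job.JobId, $job.Status, $job.HybridWorker
Get-AzAutomationJobOutput -ResourceGroupName $rg -AutomationAccountName $account -Id $job.JobId -Stream Any |
    Sort-Object Time | Format-Table Time, Type, Summary -AutoSize

if ($job.Status -ne 'Completed') { throw "Runbook '$runbook' did not complete: $($job.Status)" }
```

The HybridWorker property on the job tells you which machine in the group picked it up, which is the first thing to check when a collection shows up on the wrong site or a job fails with a module-not-found error: the group is a pool, and only workers with the Configuration Manager console installed can run SCCM runbooks.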
Where to select hybrid worker – SCCM Automation using Azure Runbook Hybrid Worker 9

Azure blade showing the hybrid worker groups:

Blade How the Worker Groups Look – SCCM Automation using Azure Runbook Hybrid Worker 10

Azure portal, starting your runbook:

Starting your runbook – SCCM Automation using Azure Runbook Hybrid Worker 10

The final screenshot shows the runbook after publishing:

Publish screenshot – SCCM Automation using Azure Runbook Hybrid Worker

Video – SCCM Automation using Azure Runbook Hybrid Worker

A full video walkthrough of SCCM Automation using Azure Runbook with Hybrid Worker is available below.

SCCM Automation using Azure Runbook Hybrid Worker

Author

My name is Deepak Rai, and I am a Technical Lead on SCCM and Intune with more than 14 years of experience in IT. My main domain is SCCM (AKA ConfigMgr, CB, MECM, etc.), Intune, and Azure (Runbooks). I have worked on several platforms (Active Directory, Exchange, Veritas NetBackup, Symantec Backup Exec, NDMP devices like NetApp, EMC Data Domain, Quantum using Backup Exec 2010 and 2012, HP StorageWorks 4048 MSL G3, and data deduplication troubleshooting) in these 13 years, but in the end I came back to the technology I started with as an IT engineer (SCCM).

1 thought on “SCCM Automation using Azure Runbook Hybrid Worker”

  1. In my output I get information about the hybrid worker and the results of what I’m trying to execute on my SCCM hybrid worker. So how do I suppress the SCCM status from my output? When I run the same script locally on the SCCM hybrid worker I only get the output of what I’m trying to do, like get the BitLocker key from the SCCM database.
