Microsoft recently released SCCM 1909 version of technical preview. Let’s check what SCCM Orchestration Group (controlled patching) setup guide is. This feature is part of a technical preview version of SCCM and subject to change.
NOTE! – I feel SCCM orchestration groups for server patching is made up of some of the logic from Phased Deployments and Automatic Deployment Rules. But I could be totally wrong.
SCCM Technical Preview LAB
If you don’t have a technical preview lab, I would strongly recommend creating one. The baseline version of SCCM technical preview is 1907. You can download this from Microsoft eval center.
Latest SCCM Preview Baseline version download and install the latest preview baseline version SCCM 1907.
SCCM 1909 Features Walk Through https://howtomanagedevices.com/sccm/ (Coming Soon)
What is SCCM Orchestration Groups
SCCM Orchestration Groups are the evolution of SCCM Server groups. The orchestration groups are for more controlled patching of servers.
Update: What is the difference between SCCM Orchestration groups and Server Groups? As per David James director of SCCM engineering team in Microsoft. There are changes in client side and as well as server side. Also, admin UI is also changes. More details ⏬⏬
I Quote ▶▶ “The server side backend is different. The server side front end is a much better UI. The client side is the same in the tp, but will be changed in the next tp to be different, more realtime controlled from the primary.”
SCCM orchestration groups are the advanced version of server groups in SCCM. I don’t know how many of you are using server groups to Patch the cluster servers and exchange servers domain controllers etc.. if you are using server groups you know there are some issues with those server groups.
With the release of orchestration, groups are the SCCM trying to eliminate those pain points while doing the server patching. So as I mentioned above today installing SCCM 1906 technical preview version and play around orchestration groups for SCCM server patching.
NOTE! – When you enable Orchestration Groups, the site disables the Server Groups feature. This behavior avoids any conflicts between the two features.
Step by Step Orchestration Group Setup
- In the SCCM console, go to the Assets and Compliance workspace, and select the Orchestration Group node.
- Select Create Orchestration Group to open the Create Orchestration Group Wizard.
- On the General page, give your orchestration group a Name and optionally a Description.
New Server Patching Orchestration
NOTE! – Create an Orchestration group to coordinate operations to optimize downtime for your group.
- On the Member Selection page, first, specify the current Site code. Then select Browse to add device resources as members of this SCCM orchestration group.
- Search for devices by name, or you can search by
- Search with Resource Type
- Search in Collection use can use the BROWSE button to check the collections (exciting!)
- Advanced search options to select Orchestration Members/resources
- Once you select the resource, click Add them to SCCM Orchestration Group to perform server patching. Select OK when you finish adding devices to the Selected resources list.
- Click Next to continue once you selected the resources
NOTE! – It seems REMOVE button is not able to remove the resources.
- SCCM Orchestration Group Rules Selection Page gives you an option to set the logic for the orchestration for patching cluster or domain controllers.
- Allow a Percentage of the machines to be updated at the same time
- (Default option) Allow a number of the machines to be updated at the same time (Maximum Supported number is 2000000)
- Specify the maintenance sequence
The above granularity to select the logic of orchestration is amazing to cater to complex environments and requirements of server patching.
- SCCM Orchestration Group PreScript Page – Specify the PowerShell script before running the orchestration on the selected devices.
- Script timeout (in seconds) – Maximum Timeout in second possible is 2000000, and minimum timeout is 1.
NOTE! – The script should return a value of 0 for success or 3010 for success with a restart. You can also specify a Script timeout value, which fails the script if it doesn’t complete in the specified time.
- SCCM Orchestration Group PostScript Page – Specify the PowerShell script After running the orchestration on the selected devices.
- Script timeout (in seconds) – Maximum Timeout in second possible is 2000000, and minimum timeout is 1.
NOTE! – The script should return a value of 0 for success or 3010 for success with a restart. You can also specify a Script timeout value, which fails the script if it doesn’t complete in the specified time.
- Click Next, Next and Finish to complete the creation of SCCM Orchestration Group for server patching.
How to Test Orchestration Group
Now you have to the behavior of the SCCM orchestration group for server patching. This testing of orchestration groups can be performed by Software Update deployment or standard SCCM patching methods.
More details – SCCM Patching Software Update Process Guide
Once you create a software update group, deploy the same to a collection that contains the members of the orchestration group.
SCCM Orchestration Group Logs
Use the following log files on the SCCM site server to help monitor and troubleshoot SCCM Orchestration Group:
- Policypv.log: shows that the site targets the orchestration group to the clients
~Begin processing MachineOrchestrationGroup policy $$<09-28-2019 18:16:27.374-330>
Notifying policy provider about changes in policy content/targeting~ $$<09-28-2019 18:16:27.425-330>
~Policy or Policy Target Change Event triggered. $$<09-28-2019 18:16:27.426-330>
~CPolicyProvider::HandleMachineOrchestrationGroupPolicy: Successfully created Policy for F891D320-AAA6-47DD-A43E-D873368F1382 $$<09-28-2019 18:16:27.426-330>
CPolicyProvider::HandleMachineOrchestrationGroupMembersPolicy:nSuccessfully updated Policy Targeting for Machine (ID:2097152004)
Completed processing HandleMachineOrchestrationGroupMembers Policy Assignments policy
- SMS_OrchestrationGroup.log: shows the behaviors of the orchestration group
Results
Navigate \Assets and Compliance\Overview\Orchestration Group\ to check the members of Orchestration Group and Start Orchestration and verify the log files. Also, verify the end to end Server patching orchestration process.
