Monthly server patching is currently a manual process because of the number of clusters and very application-specific servers that are patched, and because of an issue with failed updates caused by Trend OfficeScan. It has been done manually for months.

It was time to automate this process, and without Orchestrator or SMA I had to use what I already had: an SCCM 2012 R2 infrastructure, with a Task Sequence and PowerShell.

The Windows Update Task Sequence process goes like this (updates are deployed to the servers as Available): it sets the Trend OfficeScan services' Startup Type to Disabled; runs a Scheduled Task on the server (this could email a business user to notify them that their server is going down for patching, or shut down an application; it is intended to be server-specific so the task sequence doesn't need to be modified for every new server being patched); restarts the computer (to make sure OfficeScan is not running and the server is in a clean state for patching); and begins the patching process (see more information on the steps below).

Task Sequence Patching Steps are as follows:

Disable – Trend Office scan Services



This calls a PowerShell script which changes the Startup Type of the Office Scan NT Real-time Scan and Office Scan NT Listener services to Disabled. This prevents the Trend antivirus solution from interfering with the download and installation of Software Updates. Note: some servers encountered issues stopping the Trend service; with the Startup Type set to Disabled, the restart step after this one stops the Trend service from starting.

Get-Service tmlisten, ntrtscan | Set-Service -StartupType disabled

Run SCHTask



This step starts a Scheduled Task “PreShutdown” that has been set up on the deployed server. This scheduled task allows for server-based automation (application shutdown, business communication, etc.) and is specific to the server. This is a Command Line step.

schtasks /run /TN "\WinUpdate\PreShutdown"

Restart Computer



This step counts down for 60 seconds and notifies the user “This server is undergoing Windows patching. Please save your work and log off” before restarting the computer.

This step does a WMI call to do a Software Update re-evaluation to determine if there are any new Windows Updates that are required by the system

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

Wait for the Scan to Finish I



This step is a PowerShell command to sleep the system for 30 seconds. This step is set to allow the Software Update re-evaluation cycle from the previous step to complete

Powershell.exe -command start-sleep 30

Installs all required and available Windows Updates on the Windows server

Restart Computer



This step restarts the computer after the first batch of patches has been installed.

This step does a WMI call to do a Software Update re-evaluation to determine if there are any new Windows Updates that are required by the system

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

Wait for the Scan to Finish II



This step is a PowerShell command to sleep the system for 30 seconds. This step is set to allow the Software Update re-evaluation cycle from the previous step to complete

Powershell.exe -command start-sleep 30

Installs all required and available Windows Updates on the Windows server

Restart Computer



This step restarts the computer after the first batch of patches has been installed.

This step does a WMI call to do a Software Update re-evaluation to determine if there are any new Windows Updates that are required by the system

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

Wait for the Scan to Finish III



This step is a PowerShell command to sleep the system for 30 seconds. This step is set to allow the Software Update re-evaluation cycle from the previous step to complete

Powershell.exe -command start-sleep 30

Installs all required and available Windows Updates on the Windows server

Restart Computer



This step restarts the computer after the first batch of patches has been installed.

This step does a WMI call to do a Software Update re-evaluation to determine if there are any new Windows Updates that are required by the system

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" /NOINTERACTIVE

Wait for the Scan to Finish IV



This step is a PowerShell command to sleep the system for 30 seconds. This step is set to allow the Software Update re-evaluation cycle from the previous step to complete

Powershell.exe -command start-sleep 30

Installs all required and available Windows Updates on the Windows server

Restart Computer



This step restarts the computer after the first batch of patches has been installed.

This step forces the SCCM agent to “check in” and run a Compliance check on the Software Update deployment, so that SCCM has accurate Compliance data at the end of the Task Sequence.

WMIC /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000114}" /NOINTERACTIVE

Enable – Trend Office scan Services



This calls a PowerShell script which changes the Startup Type of the Office Scan NT Real-time Scan and Office Scan NT Listener services back to Automatic, re-enabling them. This PowerShell script also starts the services.

Get-Service tmlisten, ntrtscan | Set-Service -StartupType automatic -PassThru | Start-Service
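
The sequence above leaves real-time scanning disabled across several reboots, so a task sequence that fails part-way can leave a server unprotected without anyone noticing. The script below is an added example, not the author's own script: it records the services' original state before disabling them, restores that state at the end, and fails the step if the services did not come back. The `-Action` parameter and the state-file path are assumptions made for the example.

```powershell
# Added example, not the author's script. The state-file path and the
# -Action parameter are assumptions; service names are the ones in the post.
param([ValidateSet('Disable', 'Restore')][string]$Action = 'Restore')

$ErrorActionPreference = 'Stop'   # a missing state file or service fails the step
$Services  = 'tmlisten', 'ntrtscan'
$StateFile = Join-Path $env:windir 'Temp\WinUpdate-AvState.csv'  # hypothetical

function Get-StartState($Name) {
    # Win32_Service works on older Windows PowerShell, where Get-Service
    # has no StartType property.
    Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, StartMode, State
}

if ($Action -eq 'Disable') {
    # Keep an existing state file: if a previous run failed half-way, the
    # services are already Disabled and that must not become the "original".
    if (-not (Test-Path $StateFile)) {
        $Services | ForEach-Object { Get-StartState $_ } |
            Export-Csv -Path $StateFile -NoTypeInformation
    }
    Get-Service -Name $Services | Set-Service -StartupType Disabled
    exit 0
}

# Restore: Win32_Service reports 'Auto', Set-Service expects 'Automatic'.
$map    = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }
$failed = @()
foreach ($row in Import-Csv -Path $StateFile) {
    Set-Service -Name $row.Name -StartupType $map[$row.StartMode]
    if ($row.State -eq 'Running') {
        Start-Service -Name $row.Name -ErrorAction SilentlyContinue
    }
    $now = Get-StartState $row.Name
    if ($now.StartMode -ne $row.StartMode -or $now.State -ne $row.State) {
        $failed += "$($row.Name): StartMode=$($now.StartMode), State=$($now.State)"
    }
}

if ($failed) {
    # Non-zero exit marks the task sequence step as failed, so a server
    # left without real-time scanning is visible in the deployment status.
    $failed | ForEach-Object { Write-Output "AV not restored - $_" }
    exit 1
}
Remove-Item -Path $StateFile   # clean up only after a verified restore
exit 0
```

Run it with `-Action Disable` in place of the first step and `-Action Restore` in place of the last; the restore step should not be set to continue on error.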