I developed a PowerShell module that will scan for update compliance or launch a task sequence to install required security updates (or any advertised task sequence) on either a single machine, or multiple machines using multithreading.
The OnDemand module is a supplemental tool for our automated patching service. Our automated patching solution of enrolling a server in a monthly maintenance window and having ConfigMgr patch it works for most of our servers but there are times when a server owner needs more control over when a server is patched. For example, a critical business process may require a server to be patched outside of the scheduled maintenance window. Likewise, there are servers that can’t us a routine monthly maintenance window because they require downtime approvals from their customers. The OnDemand Patch Management module fills this gap.
I have blogged about individual components that are the foundation of module in previous posts:
PowerShell Script to Check ConfigMgr Agent Software Update Compliance
PowerShell Script to Run ConfigMgr Task Sequence On-Demand
I’ve wrapped updated versions of the code in these posts (and some new code) into a pipeline-friendly module with a function that controls the processing options.
To get started you’ll need to us the PowerShell command [Import-Module ConfigMgr-OnDemandPatchManagement.psm1].
The function [Invoke-OnDemandPatchManagement] is the main method of interacting with the module; it has parameters and switches available to process an input list of machines (ComputerName), launch selected actions (Scan | Patch | Test) and switch options for enabling multithreading (Fast) , which uses a slightly modified version of Split-Job. There are also filters (Compliant | NonCompliant) available to further limit the processing. Additionally, the module can be used to launch any advertised task sequence by name via the (CustomTaskSequenceName) parameter.
Use the Get-Help function on the module to view options, parameters and syntax examples
Things you’ll need to configure in Configuration Manager:
- Inside the ConfigMgr console you will need to create a task sequence to handle the security update patching. The task sequence names I chose in the module are “OnDemand Security Update Patching” for the patch action and “OnDemand Test Package” for the test action. The download link below contains xml exports of example task sequences that can be imported. Else you can update the package name specified in the global variables to match what you already have deployed or use the CustomTaskSequence parameter.
- In order for client’s to access the task sequence they will need to have an advertisement targeted at them; the least impactful way to accomplish this is to create an advertisement that has a mandatory date that client’s will never hit, like some random date in the year 2020.
- Software Update Deployment Policy
- Client’s will need to be targeted with one or more software update deployment policies that contain required security updates (assume you already have this in place…).
A couple of notes about the actions performed by this module:
- The module uses a slightly modified version of Get-WMICustom to interact with WMI.
- The Patch action will always perform the Scan action first and only initiate the patching task sequence if a machine is found NonCompliant.
- If no ComputerName value is passed in the selected action will happen on the local machine running the module.
- If the ComputerName input only contains a single machine name Split-Job is skipped; likewise, multithreading is not used by default so the list of machines is processed serially. Split-Job will be used if the count of machines is greater than one but it will be limited to a single thread. The Fast switch will enable multithreading and uses ten threads by default.
- By default the module will monitor the task sequence execution until it finishes, even if the machine being monitored reboots; will not work on local machine executions cause the process will be terminated on reboot (future design change). The NoWaitForFinish switch will override this behavior and the module will only wait for the task sequence to start before returning; useful to blast out task sequence executions on a list of machines as fast as possible.
- If the Patch action launches the task sequence after the execution finishes another Scan action is performed and the object will return a state message of “Patched” if the machine is found compliant after patching.
OnDemand Patch Management Module v1.95 - Link
I hope you find this module useful; happy patching OnDemand!