Hi Paul_Ivey,
Thanks for the overview of the function and for raising your voice to improve this option.
Since the server groups were announced, I believe we all are expecting this function to be heavily utilised to simplify the patching workload; however, it is still in the same place, although it has changed its name 😃
Hi FrankMan,
For the moment there is no way to mitigate this kind of behaviour, where the endpoint protection definition updates trigger the pre and post scripts, as the orchestration is triggered by any update. However, the workaround is to modify the pre and post scripts to check whether the machine is in a scheduled maintenance window or the script was initiated by an update installation such as SCEP definitions.
The logic used to identify that the scheduled MW has started and is active: look through servicewindowmanager.log for lines where '*The Service Window={*' is present, because only manually created MWs have their SIDs reported in curly brackets in the log (to be more accurate you can use the exact SID of the MW, but for my use cases it was enough). Then there is the filter for the MW date, comparing with today, and the next step is to look whether there is already a record of the MW start and MW finish.
An example of the Pre script:
    # Log file written by this Pre script on every run
    $log = "c:\windows\startSccmMW.txt"
    $InMW = 0
    if (Test-Path -Path $log) { Remove-Item -Path $log }
    $error.Clear()
    "Script running time is" >> $log
    Get-Date >> $log
    $error >> $log
    # Today's date in the format compared against the log lines
    $today = Get-Date -Format "MM-dd-yyyy"
    # Keep only the lines that report a service window ID in curly brackets
    $ServiceWindowlog = Get-Content -Path C:\Windows\ccm\logs\servicewindowmanager.log |
        Where-Object { $_ -like '*The Service Window={*' }
    foreach ($line in $ServiceWindowlog)
    {
        # Only consider records from today
        if ($line.Contains($today))
        {
            if ($line.Contains('has started at'))
            {
                $InMW = 1
                $line >> $log
            }
            elseif ($line.Contains('has ended at'))
            {
                $InMW = 0
                $line >> $log
            }
            else
            {
                # Any other record from today resets the flag
                $InMW = 0
            }
        }
    }
    "" >> $log
    if ($InMW -eq 1)
    {
        "Machine is in scheduled MW now" >> $log
        # you should put the code to be executed in the MW only time here
    }
    else { "There is no active scheduled MW now" >> $log }
    $error >> $log
So the Pre script would actually be triggered every time there is a daily definition update, but the required action would only run during a scheduled Maintenance Window.
Hope this may help somebody or put some more interesting idea into somebody's head.
BR
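
The post mentions that the check can be made more accurate by matching the exact ID of the maintenance window. The following is an added example, not part of the original post, that wraps that variant in a function and, unlike the script above, leaves the state unchanged on lines that are neither a start nor an end record. The function name, the window ID and the sample log lines are constructed for illustration; only the substrings quoted in the post are taken from the page.

```powershell
# Added example (not the poster's script). Test-InScheduledMW is a hypothetical name.
function Test-InScheduledMW {
    param(
        [string[]]$LogLines,   # content of servicewindowmanager.log
        [string]$WindowId,     # ID of the manually created MW, without braces
        [string]$Today = (Get-Date -Format 'MM-dd-yyyy')
    )
    # Match only the one window we care about, braces included
    $marker = 'The Service Window={' + $WindowId + '}'
    $inMW = $false
    foreach ($line in $LogLines) {
        if (-not $line.Contains($marker)) { continue }   # other windows, other records
        if (-not $line.Contains($Today))  { continue }   # records from other days
        if ($line.Contains('has started at'))   { $inMW = $true }
        elseif ($line.Contains('has ended at')) { $inMW = $false }
        # any other record for this window leaves the state as it was
    }
    return $inMW
}

# Constructed sample input: two windows on the same day, one still open.
$scheduled = '11111111-2222-3333-4444-555555555555'   # placeholder ID
$other     = '99999999-8888-7777-6666-555555555555'   # placeholder ID
$sample = @(
    "The Service Window={$other} has started at ... date=`"01-15-2024`"",
    "The Service Window={$other} has ended at ... date=`"01-15-2024`"",
    "The Service Window={$scheduled} has started at ... date=`"01-15-2024`"",
    "The Service Window={$scheduled} some other record ... date=`"01-15-2024`"",
    "The Service Window={$scheduled} has ended at ... date=`"01-14-2024`""
)

if (Test-InScheduledMW -LogLines $sample -WindowId $scheduled -Today '01-15-2024') {
    'Machine is in scheduled MW now'
    # MW-only actions go here
} else {
    'There is no active scheduled MW now'
}

# On a real client, read the log instead of the sample:
# $lines = Get-Content -Path C:\Windows\ccm\logs\servicewindowmanager.log
# Test-InScheduledMW -LogLines $lines -WindowId '<your MW ID>'
```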