Patch Automation Comparison: SCCM Orchestration Groups vs. Beekeeper
In version 1909 of Configuration Manager, Microsoft implemented Orchestration Groups as a Pre-Release feature.
Orchestration Groups enable a few basic patching automation features, such as setting the patch installation order and specifying scripts to run before or after the patch is installed. These are very basic options that our Beekeeper Patching Automation software for System Center has been doing for years.
How does Beekeeper stack up in comparison to these pre-release features introduced in the newer versions of SCCM? Let's compare apples to apples.
PATCH ORDER AND SCHEDULING
In native Configuration Manager, Orchestration Groups allow some options for patching order, including the percentage of nodes to patch simultaneously, a hard number of machines that may be patched simultaneously, or a specific patching order to sequentially patch machines as desired.
Beekeeper offers the same features, with full configuration of patching order and the ability to decide between parallel or sequential patching of your custom groups -- not just individual machines.
When it comes to scheduling your patches, Configuration Manager Resource Groups require you to launch your patch cycle manually:
Beekeeper patch automation allows you to schedule the patching cycle for a future date and time, naming your batch for reporting purposes. You can also choose to execute immediately.
You can even configure a schedule in Beekeeper to run at a relative offset from Patch Tuesday. By setting the day offset to four, you have a schedule that runs on the Saturday after Patch Tuesday!
Pre- and Post- Patching Scripts
Configuration Manager Orchestration Groups have Pre-Scripts and Post-Scripts, but no out-of-the-box validation funcationality. You'll have to build that into your script if you want to check a specific port or confirm an SQL backup.
You are also limited to only running the script immediately before or after the patch installation. You can't trigger a script at a specific event during the patch, such as a reboot.
In contrast, Beekeeper allows a full range of validation tasks. It can even run PowerShell scripts, as well as DSC, Check a Port, Check a Process, Check a Service, Check last SQL Backup, Check a URL, Run IISReset, Run an Orchestrator Runbook, Run a Program, and Run a SQL Query.
Beekeeper also allows you to run the various Validation Tasks at various phases during the patching process:
You can choose to run a Validation Task during any of these phases, or even sequence multiple Validation Tasks during a single phase.
As you can see, Beekeeper Patch Automation offers a much wider range of capabilities when it comes to scheduling and validation compared to Orchestration Groups. Patching Exchange DAGs, Windows Failover Clusters, and SQL Availability Groups is seamless and easy with Beekeeper.