Skip to content

Upgrading the Host OS

This runbook covers applying Windows Server updates and rebooting the Application Server (and, when in scope, the SQL Server) in a self-hosted GRC-ITSM deployment. The goal is to patch and reboot cleanly without data loss, without leaving the Halo WebApp down, and without the DB Integrator throwing a "Decryption check failed" error on the way back up.

Overview

Patching the host means taking Halo offline for the reboot. The safe sequence is: drain users, stop the Halo IIS site and app pool, end and disable the integrator scheduled task(s), patch and reboot, then bring everything back and verify. The same shutdown choreography is reused by the Upgrading Halo runbook.

Applies to

Windows Server 2016 / 2019 / 2022 / 2025 hosts running either the Halo Application Server (IIS + DB Integrator) or the SQL Server. See the topology overview for which component lives on which host.

Scope and prerequisites

Prerequisite Detail
Rollback point A VM snapshot (or equivalent) of the host being patched, plus a current database backup if the SQL Server is in scope. «CONFIRM: backup / snapshot location + owner»
Maintenance window An approved window with sign-off. «CONFIRM: maintenance window + change-approval owner»
Access Administrator access to the host, IIS Manager, Task Scheduler, and (for SQL patching) SSMS
Environment values WebApp folder, IIS site/app pool names, integrator task name(s), service account, API certificate status -- see environment variables

Capture a rollback point before touching anything

Take the snapshot/backup before draining users. If the patch wedges the host, reverting the snapshot is the fastest path back to a known-good state.

Pre-flight checklist

Work through this before stopping any services:

  • Change request approved and inside the agreed maintenance window
  • VM snapshot taken of the host(s) being patched
  • Current SQL backup taken (if the SQL Server is in scope)
  • WebApp folder path confirmed: «CONFIRM: WebApp path -- e.g. C:\Halo\Production or C:\Halo\WebApp»
  • IIS site name and app pool name confirmed: «CONFIRM: IIS site + app pool names»
  • Integrator scheduled task name(s) and exe folder confirmed: «CONFIRM: integrator Scheduled Task name(s) + exe folder -- may be more than one»
  • Whether the API certificate is installed on the Application Server confirmed: «CONFIRM: API certificate installed on the Application Server»
  • Users notified of the outage window

Procedure

1. Announce and drain users

Notify your agents and end users that GRC-ITSM will be unavailable for the window. Confirm no critical interactive work is in progress before proceeding.

2. Stop the Halo IIS site and app pool

Remember there is no Halo Windows service -- stopping Halo means stopping the IIS site and its application pool.

  1. Open IIS Manager.
  2. Select the Halo site («CONFIRM: IIS site name») and click Stop under Manage Website.
  3. Select Application Pools, select the Halo pool («CONFIRM: app pool name»), and click Stop.
Import-Module WebAdministration

# «CONFIRM» these names against the deployment
$siteName    = 'CONFIRM-HaloSiteName'
$appPoolName = 'CONFIRM-HaloAppPool'

Stop-Website     -Name $siteName
Stop-WebAppPool  -Name $appPoolName

Get-Website         -Name $siteName    | Select-Object Name, State
Get-WebAppPoolState -Name $appPoolName | Select-Object Value

3. End and disable the integrator scheduled task(s)

The DB Integrator is not a Windows service. It is an executable run on a Windows Scheduled Task on the Application Server (and it can also run interactively as a GUI app via its Processing / Integrations tabs). There may be more than one integrator task. End any running instance, then disable the task(s) so they do not fire during the reboot. If the DB Integrator GUI is open, close it.

The integrator executable is often relocated, so the reliable way to locate the task(s) is to match on the Action's execute path. Adjust the match pattern if the deployment uses a different executable name.

# Find scheduled tasks whose action runs an *Integrator* executable.
# «CONFIRM»: adjust the -like pattern if the exe name differs in this deployment.
$integratorTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like '*Integrator*'
}

$integratorTasks | Select-Object TaskName, TaskPath, State

# End any currently running instance, then disable each task.
foreach ($task in $integratorTasks) {
    Stop-ScheduledTask    -TaskName $task.TaskName -TaskPath $task.TaskPath
    Disable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
}

If PowerShell matching finds nothing

Locate the task manually instead: open Task Scheduler > Task Scheduler Library, find the integrator task, and read the executable path from its Actions tab. This is the same lookup used to check the integrator version (per Checking your DB Integrator Version, s5). Note the path so you can re-enable the correct task(s) later.

'Decryption check failed' and the API certificate

Briefly stopping the integrator for a reboot is safe provided the API certificate is installed on the Application Server. The "Decryption check failed" condition is avoided by either the API certificate being installed or the DB Integrator running -- so with the certificate installed, taking the integrator down for the reboot will not trigger it (this reflects the on-prem deployment topology; the HaloITSM DB Integrator guides, s4, are the canonical reference). If the certificate is not installed, the integrator must remain running, which means it cannot be cleanly stopped for the reboot -- escalate before proceeding. «CONFIRM: API certificate installed on the Application Server»

4. If the SQL Server is also being patched, mind the ordering

When both hosts are patched in the same window, bring the Halo WebApp down (steps 2-3) before the SQL Server is taken offline, and bring SQL back before restarting the WebApp. Halo cannot start cleanly against an unavailable database.

SQL compatibility level is unaffected by OS patching

Patching the SQL host does not change the database compatibility level. It must remain >= 130 (>= 140 for Halo v2.220+) -- see the Upgrading Halo runbook if you need to verify or raise it.

5. Apply updates and reboot

Apply the approved Windows updates to the host and reboot. If both hosts are in scope, complete the SQL Server first (or per your agreed ordering), confirm SQL is back, then proceed with the Application Server.

6. After reboot: confirm Halo is back up

  1. Confirm the IIS site and app pool started. The Halo site normally auto-starts with the W3SVC service after a reboot. If it did not, start it manually (reverse of step 2):

    Import-Module WebAdministration
Start-WebAppPool -Name 'CONFIRM-HaloAppPool'
Start-Website    -Name 'CONFIRM-HaloSiteName'

Get-Website -Name 'CONFIRM-HaloSiteName' | Select-Object Name, State

  2. Confirm Backend Services are enabled. In the application, go to Configuration > Advanced Settings > Backend Services and confirm the Event, Incoming, Outgoing, and Scheduling services are enabled. These are application toggles, not services.msc entries.

  3. Re-enable the integrator scheduled task(s) disabled in step 3:

    # Re-enable the same tasks disabled before the reboot.
$integratorTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like '*Integrator*'
}

foreach ($task in $integratorTasks) {
    Enable-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath
}

$integratorTasks | Select-Object TaskName, TaskPath, State

Verification

Confirm the platform is fully healthy before closing the change:

  1. Load the application URL and confirm the login screen renders.

  2. Hit the API info endpoint to confirm the WebApp and API are responding:

    «CONFIRM: base URL»/api/instanceinfo

  3. Clear the cache with Ctrl+F5 after logging in. Unlike an ordinary browser refresh, Ctrl+F5 also clears the server-side cache (per On-Prem Upgrade -- Troubleshooting, s3), so prefer it here.

  4. Confirm the integrator runs on its next scheduled fire (or trigger it manually via Task Scheduler > select the task > Run, or via the DB Integrator GUI's Processing tab). Confirm it completes without a "Decryption check failed" error. If that error appears, the API certificate is likely missing -- see the note in step 3.
  5. Confirm Backend Services processing -- e.g. that incoming mail is being processed and scheduled tickets fire.

Verification checklist

  • Login screen loads
  • /api/instanceinfo returns instance details
  • Ctrl+F5 performed (server-side cache cleared)
  • Integrator runs with no "Decryption check failed"
  • Backend Services processing confirmed

Rollback

If the host fails to come back cleanly, or Halo will not start after the reboot:

  1. Revert the VM snapshot taken in the pre-flight checklist. This is the primary rollback for a host-OS change.
  2. If the SQL Server was patched and the database is suspect, restore from the backup taken in pre-flight.
  3. After reverting, repeat the verification section to confirm the rolled-back state is healthy.
  4. Re-enable the integrator task(s) if the revert left them disabled.

Snapshot age

Reverting a snapshot discards everything written since the snapshot was taken. Because users were drained before the snapshot in this procedure, that window should contain no ticket data -- but confirm before reverting.

Escalation

If you cannot resolve an issue within the maintenance window, escalate to the role/queue owners rather than attempting open-ended fixes inside the outage:

Situation Escalate to
Host will not boot / patch wedged the OS «CONFIRM: infrastructure / platform on-call queue»
Halo WebApp will not start after reboot «CONFIRM: Halo application owner / platform queue»
Integrator "Decryption check failed" and API certificate status unknown «CONFIRM: Halo application owner»
Database unavailable / SQL Server issue «CONFIRM: database administration queue»
Suspected Halo application defect (not specific to your environment) Halo support — support.haloservicedesk.com

Halo vendor support

For problems that point at the Halo application itself rather than your hosts -- the WebApp failing to start with no host-side cause, or unexplained application errors -- raise a ticket with Halo's support team at support.haloservicedesk.com in parallel with your internal escalation.

  • Upgrading Halo -- reuses the IIS-stop and integrator-disable steps from this page before swapping in new application files.
  • On-Prem Maintenance overview -- topology and the full list of «CONFIRM» environment values.