INTRODUCTION

Many organizations use Maintenance Windows as part of their Software Update deployment strategy. Maintenance Windows in SCCM are commonly used for controlling when updates are allowed to be deployed to servers.

As of SCCM 1802, the evaluation schedule of an Automatic Deployment Rule can be offset by a defined number of days from Patch Tuesday (the 2nd Tuesday of the month). Read more about it here:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

(Screenshot: Automatic Deployment Rules Patch Tuesday offset)

Unfortunately, this feature is not available for Maintenance Windows, which causes an issue that I describe in this blog post.

WHAT ARE MAINTENANCE WINDOWS?

Maintenance Windows are used to control when deployments are allowed, and can be compared to traditional service windows where you would manually patch servers during the weekend.

Maintenance Windows in SCCM can be configured for the following objects:

  • Software Updates
  • Software
  • Compliance Settings and Evaluation
  • Operating Systems
  • Task Sequences

Why deploy Maintenance Windows at all, you might ask? Yes, you can create separate Software Update deployments with different deadlines. Maintenance Windows, however, add a safety net against a deployment whose deadline is set wrongly: whatever the deadline says, nothing installs on the servers outside the window. In theory you can deploy all software updates to all devices and control when they are installed purely with Maintenance Windows.

Some facts about Maintenance Windows:

  • Maintenance Windows are configured on collections and apply to every device in the collection.
  • A Maintenance Window takes precedence over a deployment's deadline: a deployment that reaches its deadline waits for the next window, unless the deployment is explicitly allowed to install (or restart) outside the window in its User Experience settings.
  • When a device is a member of several collections with Maintenance Windows, all of those windows apply to it, and a deployment may run in any of them, provided its maximum run time fits inside the remaining window.

THE ISSUE

When deploying Software Updates to servers, you most likely want to install them outside office hours and during low-load periods.

Microsoft releases updates on the second Tuesday of every month, commonly known as Patch Tuesday. Out-of-band updates for critical issues are released during the month as required.

If I want to install the patches on the weekend one week after Patch Tuesday, it seems reasonable to make the Maintenance Window available on the 3rd Saturday and 3rd Sunday of the month.

As the calendar below shows, that does not line up with Patch Tuesday (the 2nd Tuesday of the month) in every month.

(Screenshot: SCCM Patch Tuesday calendar offset)

Whether I configure every 2nd Saturday or every 3rd Saturday, the distance to Patch Tuesday changes from month to month, because the 2nd Tuesday falls anywhere between the 8th and the 14th while the 3rd Saturday falls between the 15th and the 21st.
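To see how often the two rules disagree, here is an added PowerShell example (not part of the original post) that lists, for every month of a year, Patch Tuesday, the Saturday a chosen number of days after it (11 days by default, i.e. the Saturday of the following week) and the 3rd Saturday, and flags the months where they differ. The function names and the default offset are this example's own.

```powershell
# Added example: compare the fixed "Nth Saturday" rule with "Patch Tuesday + N days".
function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    $first = [datetime]::new($Year, $Month, 1)
    # days from the 1st to the first Tuesday, plus one week to the second Tuesday
    $toTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($toTuesday + 7)
}

function Get-NthWeekday {
    param([int]$Year, [int]$Month, [int]$N, [DayOfWeek]$Weekday)
    $first = [datetime]::new($Year, $Month, 1)
    $toWeekday = ([int]$Weekday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($toWeekday + 7 * ($N - 1))
}

function Compare-PatchWeekend {
    param(
        [int]$Year        = (Get-Date).Year,
        [int]$DayOffset   = 11,   # Patch Tuesday + 11 = Saturday of the following week
        [int]$NthSaturday = 3     # the fixed rule the post tried first
    )
    foreach ($month in 1..12) {
        $pt     = Get-PatchTuesday -Year $Year -Month $month
        $wanted = $pt.AddDays($DayOffset)
        $fixed  = Get-NthWeekday -Year $Year -Month $month -N $NthSaturday -Weekday Saturday
        [pscustomobject]@{
            Month        = $pt.ToString('MMM')
            PatchTuesday = $pt.ToString('yyyy-MM-dd')
            Wanted       = $wanted.ToString('yyyy-MM-dd')
            NthSaturday  = $fixed.ToString('yyyy-MM-dd')
            Match        = ($wanted -eq $fixed)
        }
    }
}

Compare-PatchWeekend -Year 2018 | Format-Table -AutoSize
```

Running it for any year shows the two dates agree only in months whose 1st falls on a Sunday, Monday or Tuesday; in every other month the fixed 3rd Saturday is a full week early, so the window would open before the patches have been released to the collection.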

To get around this, I have created a PowerShell script that creates Maintenance Windows based on the calculated Patch Tuesday instead of a fixed weekday of the month.

I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77

SOLUTION

OVERVIEW

There are a few components to my Maintenance Window solution:

  • The scripts
  • A service account
  • Role Based Access in SCCM
  • A Scheduled Task

THE SCRIPTS

The solution uses the following scripts:

  • Invoke-MaintenanceWindows.ps1
  • Set-MaintenanceWindows.ps1

The scripts are located in the TechNet Gallery.

Invoke-MaintenanceWindows.ps1
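The Gallery scripts themselves are not reproduced here. As an added example (not the post's Invoke-/Set-MaintenanceWindows.ps1), the script below does the same job with the ConfigurationManager module: it calculates Patch Tuesday for the current month, derives the Saturday and Sunday a configurable number of days later, removes the windows it created on an earlier run and creates the new ones as Software Updates-only windows. The parameter names (-SiteCode, -CollectionId, -DayOffset, -StartHour, -DurationHours) and the "MW-SU-" name prefix are this example's own choices.

```powershell
<#
  Added example, not the scripts from the post. Builds Software-Updates-only
  Maintenance Windows on the Saturday and Sunday a chosen number of days after
  Patch Tuesday, for each collection given. Parameter names and the "MW-SU-"
  prefix are assumptions of this example.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]   $SiteCode,       # e.g. P01
    [Parameter(Mandatory)] [string[]] $CollectionId,   # e.g. P01000AB, P01000AC
    [int]      $DayOffset     = 11,                    # Patch Tuesday + 11 = Saturday of the following week
    [int]      $StartHour     = 22,                    # window start, local time
    [int]      $DurationHours = 6,
    [datetime] $ReferenceDate = (Get-Date)             # any date in the month to build windows for
)

function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    $first = [datetime]::new($Year, $Month, 1)
    # days from the 1st to the first Tuesday, plus one week to the second Tuesday
    $toTuesday = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($toTuesday + 7)
}

function Get-WeekendWindow {
    param([datetime]$PatchTuesday, [int]$DayOffset, [int]$StartHour, [int]$DurationHours)
    $saturday = $PatchTuesday.AddDays($DayOffset)
    # refuse an offset that does not land on a Saturday rather than silently opening a weekday window
    if ($saturday.DayOfWeek -ne [DayOfWeek]::Saturday) {
        throw "Offset $DayOffset from Patch Tuesday lands on a $($saturday.DayOfWeek), not a Saturday"
    }
    foreach ($day in @($saturday, $saturday.AddDays(1))) {
        $start = $day.Date.AddHours($StartHour)
        [pscustomobject]@{
            Name  = 'MW-SU-{0:yyyy-MM-dd}' -f $day   # fixed prefix lets the cleanup below touch only our windows
            Start = $start
            End   = $start.AddHours($DurationHours)
        }
    }
}

# The ConfigurationManager module ships with the console; the site code becomes a PSDrive.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Push-Location "$($SiteCode):"
try {
    $patchTuesday = Get-PatchTuesday -Year $ReferenceDate.Year -Month $ReferenceDate.Month
    $windows = Get-WeekendWindow -PatchTuesday $patchTuesday -DayOffset $DayOffset `
                                 -StartHour $StartHour -DurationHours $DurationHours

    foreach ($id in $CollectionId) {
        # remove the windows this script created on an earlier run, and only those
        Get-CMMaintenanceWindow -CollectionId $id |
            Where-Object { $_.Name -like 'MW-SU-*' } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$id / $($_.Name)", 'Remove-CMMaintenanceWindow')) {
                    Remove-CMMaintenanceWindow -CollectionId $id -MaintenanceWindowName $_.Name -Force
                }
            }

        foreach ($w in $windows) {
            $target = '{0} / {1} ({2:yyyy-MM-dd HH:mm} to {3:HH:mm})' -f $id, $w.Name, $w.Start, $w.End
            if ($PSCmdlet.ShouldProcess($target, 'New-CMMaintenanceWindow')) {
                $schedule = New-CMSchedule -Nonrecurring -Start $w.Start -End $w.End
                New-CMMaintenanceWindow -CollectionId $id -Name $w.Name -Schedule $schedule `
                                        -ApplyTo SoftwareUpdatesOnly | Out-Null
            }
        }
    }
}
finally {
    Pop-Location
}
```

Run it with -WhatIf first (for example `-SiteCode P01 -CollectionId P01000AB, P01000AC -WhatIf`) to see which windows it would remove and create without changing the site. The cleanup matches on the name prefix on purpose: windows created by hand on the same collections are left alone, and a bad run can be undone by deleting only the MW-SU- windows.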

SERVICE ACCOUNT

The Scheduled Task should not run in a regular user context, but as a dedicated service account.

This is a general recommendation for many scenarios, since a service account is managed differently from a standard user account:

  • Its password is not subject to the regular user expiry policy, so it must be long and random, and any rotation is done deliberately together with the task definition.
  • It must not be caught by the processes that disable or clean up user accounts.

Because the password is long-lived, the account should only be able to log on as a batch job on the server that runs the task, and it should hold no rights beyond the SCCM role described next.

SCCM ROLE

The service account needs enough access in SCCM to create and remove Maintenance Windows, and no more. Follow the principle of least privilege: a custom security role limited to those operations, scoped to the collections the script manages, rather than Full Administrator.

I have created a role that I have exported that you can import in your environment to simplify things: <link to role>

IMPLEMENTATION

DOWNLOAD THE SOLUTION

You can find the solution here: https://gallery.technet.microsoft.com/Create-Maintenance-Windows-19518ec7

SERVICE ACCOUNT

CREATE ACCOUNT

Create a standard user account in Active Directory, set a long random password and mark the password as never expiring. Since that password will be long-lived, restrict where the account can be used: deny interactive and remote interactive logon, and grant it only the "Log on as a batch job" right on the server that runs the scheduled task.

ADD ACCESS IN SCCM

Import the role. You can find information on how to do this here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration

Add the service account to the imported Maintenance Window role, scoped to the collections the script will manage.

SCHEDULED TASK

Open Task Scheduler and go to the Configuration Manager folder.

Right-click and select Create Basic Task.

(Screenshot: SCCM Maintenance Windows - Create Basic Task)

Give the Basic Task a Name.


Select which Months the Schedule Task should run.


Define which Days the Scheduled Task should run.


Select Start a program.

  Program/script:  Powershell.exe
  Add arguments:   -ExecutionPolicy Bypass -File "E:\_TMP\Set Maintenance Window\Invoke-MaintenanceWindows.ps1" -CollID1 P01000AB -CollID2 P01000AC
  Start in:        (Empty)

Enter the information from the table above. Make sure the folder holding the script is writable only by administrators: anyone who can modify the script file runs code as the service account, with its SCCM role, the next time the task fires.

Finish the wizard.


Open the properties of the task and configure it to run as the service account, whether the user is logged on or not. Do not tick "Run with highest privileges"; the script needs the SCCM role, not local administrator rights.
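The same task can be registered from PowerShell instead of the wizard. The following is an added example (not the post's own procedure): it checks that the script folder is not writable by broad groups, then registers the task under the Configuration Manager folder to run as the service account with limited privileges, using the argument line from the table above. The script path, the account name, the task name and the weekly Wednesday trigger are assumptions of this example; New-ScheduledTaskTrigger has no monthly option, so the task runs weekly and relies on the script being safe to re-run.

```powershell
# Added example: register the Maintenance Window task from PowerShell.
# Path, account, task name and trigger are this example's assumptions.
param(
    [string] $ScriptPath     = 'D:\Scripts\Invoke-MaintenanceWindows.ps1',
    [string] $ServiceAccount = 'CONTOSO\svc-sccm-mw',
    [string] $TaskName       = 'Set SCCM Maintenance Windows',
    [string] $TaskPath       = '\Configuration Manager\'
)

function Test-ScriptFolderAcl {
    # Whoever can modify the script runs code as the service account, so the
    # folder must not be writable by broad groups. Returns the offending ACEs.
    param([string]$Path)
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $write) -ne 0)
    }
}

$folder = Split-Path -Path $ScriptPath -Parent
$loose  = Test-ScriptFolderAcl -Path $folder
if ($loose) {
    $loose | Format-Table IdentityReference, FileSystemRights -AutoSize | Out-String | Write-Warning
    throw "Script folder '$folder' is writable by a broad group; fix the ACL before registering the task"
}

# Argument line as in the post's table, with -NoProfile/-NonInteractive added for unattended runs.
$arguments = '-NoProfile -NonInteractive -ExecutionPolicy Bypass -File "{0}" -CollID1 P01000AB -CollID2 P01000AC' -f $ScriptPath
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments

# Every Patch Tuesday is followed by a Wednesday, so a weekly Wednesday run recalculates
# the windows within a day of each release; re-runs in the same month are harmless.
$trigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At '06:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
                                         -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
                                         -MultipleInstances IgnoreNew

# Register-ScheduledTask needs the password in clear text; take it from a credential prompt
# rather than hard-coding it in the script.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Password for the Maintenance Window service account'

Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited -Force
```

Registering with -User and -Password stores the credential in the task, which is what "run whether user is logged on or not" needs; the account therefore must hold the "Log on as a batch job" right on this server, and -RunLevel Limited keeps it from being elevated even if it were ever made a local administrator by mistake.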

SUMMARY

In summary, Maintenance Windows are a powerful way of controlling when Software Updates are allowed to be installed. It is just important to understand how they work, and in particular that a fixed weekday of the month does not follow Patch Tuesday.
