Many organizations use Maintenance Windows as part of their Software Update deployment strategy. Maintenance Windows in SCCM are commonly used for controlling when updates are allowed to be deployed to servers.
As of SCCM 1802, it is possible to configure the deployment of Automatic Deployment Rules with a defined day offset from Patch Tuesday. Read more about it here:
Unfortunately, this feature is not available for Maintenance Windows, which causes an issue that I describe in this blog post.
WHAT ARE MAINTENANCE WINDOWS?
Maintenance Windows are used to control when deployments are allowed, and can be compared to traditional service windows where you would manually patch servers during the weekend.
Maintenance Windows in SCCM can be configured for the following objects:
- Software Updates
- Compliance Settings and Evaluation
- Operating Systems
- Task Sequences
Why would you deploy Maintenance Windows you might ask? Yes, you can configure different deployments with different deadlines for Software Updates. Maintenance Windows however allow you to add an additional layer of security, preventing accidental deployments. Theoretically, you should be able to deploy all software updates to all devices and then configure when they are installed using Maintenance Windows.
Some information facts about Maintenance Windows:
- Maintenance Windows are configured on collections.
- Maintenance Windows will have precedence over Deadline times.
- When several Maintenance Windows are deployed for a device, all Maintenance Windows will be used.
When deploying Software Updates to servers you most likely want to do this during non-office and/or low-production hours.
On the 2nd Tuesday of every month, Microsoft releases updates, which in other words is called Patch Tuesday. Out of band, or Critical Patches are deployed during the month as required.
If I want to deploy the patches on the weekend, one week after Patch Tuesday, it would be reasonable to configure the Maintenance Window to be available on the 3rd Saturday and 3rd Sunday.
As you can see in the below calendar, Patch Tuesday (2nd Tuesday of the month) will be wrong.
If I configure that it should be available every 2nd Saturday or 3rd Saturday, it will not be the same for every month.
In order to alleviate this, I have created a Powershell script for creating Maintenance Windows based on Patch Tuesday.
I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77
There are a few components to my Maintenance Window solution:
- The scripts
- A service account
- Role Based Access in SCCM
- A Scheduled Task
The solution uses the following scripts:
The scripts are located in the TechNet Gallery.
When creating the Scheduled Task, it should not be run in a regular user context, but as a service account.
This is a general recommendation for many different scenarios, as service accounts should not be configured in the same way as standard accounts:
- Password should not change
- Account should not be disabled
The service account will need to have access in SCCM to be able to create and remove Maintenance Windows. The “law” of minimum permissions should be followed.
I have created a role that I have exported that you can import in your environment to simplify things: <link to role>
Giving minimum permissions should always be top of mind when implementing a successful Role Based Access Control strategy.
DOWNLOAD THE SOLUTION
You can find the solution here: https://gallery.technet.microsoft.com/Create-Maintenance-Windows-19518ec7
Create a standard account in Active Directory and make sure that the password doesn’t expire.
ADD ACCESS IN SCCM
Import the role. You can find information on how to do this here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration
Add the service account to the pre-defined Maintenance Window role.
Open Task Scheduler and go to the folder Configuration Manager
Right-Click and press Create Basic Task.
Give the Basic Task a Name.
Select which Months the Schedule Task should run.
Define which Days the Scheduled Task should run.
Select Start a program.
|Add arguments||-ExecutionPolicy Bypass -File “E:_TMP\Set Maintenance Window\Invoke-MaintenanceWindows.ps1” -CollID1 P01000AB -CollID2 P01000AC|
Enter the information from the table above.
Configure the Scheduled Task to run with a service account.
In summary, using Maintenance Windows are a powerful way of controlling when Software Updates are allowed to be installed. It is just important to understand how they work.
- Microsoft Docs – Automatically deploy Software Updates
- Microsoft Docs – What’s new in SCCM 1802
- Microsoft Docs – About the Task Scheduler – Windows applications
- Microsoft Docs – Use Maintenance Windows – Configuration Manager
- Microsoft Docs – Configure role-based administration for Configuration Manager
- How To Install .NET Framework 3.5 on Windows Server 2012-2016 and Windows 10 971,575 views
- Issue with mounting new ISO files from TechNet in Windows 8 and Windows 8.1 Preview 64,140 views
- Solve SCCM Error “sending with winhttp failed; 80072ee7” in Windows PE 32,466 views
- How To Enable PXE on Gen2 Hyper-V VMs for Legacy Boot 110,907 views
- Force Specific Sites to Always Run in Compatibility Mode Using GPO 146,238 views
- How to change between a Full Installation (GUI) and Server Core in Windows Server 2012 64,562 views
- Issue With DHCP and WDS on the Same Server 12,578 views
- Issue Starting Virtual Machine from ISO in Hyper-V 7,677 views
- BitLocker Status Check Using Powershell or the Command Line 121,273 views
- Use Diskpart to Create a Bootable Windows 10 USB 30,592 views
About the author
Daniel Classon works as a Senior Consultant at Mansoft, focusing on Microsoft Configuration Manager, Windows 10 and Powershell
OMG, how did I not know this?!?! https://t.co/EjKcxI9nkB
Are you working with Enterprise Mobility + Security? One stop shop for all the documentation right here. Bookmark now! :-) https://t.co/bf3C1fhoQk #sccm #configmgr #msintune #azuread #MFA #WDATP #AIP #ATA
Check out the new Console Connections node! That's a lot of #ConfigMgr console versions connecting to our site right there!
New Blog Post: Detect Strings in Text Files using Powershell Detection Methods in SCCM: https://t.co/IZNk0Q8tOi #ConfigMgr #SCCM