Create SCCM Maintenance Windows Based on Patch Tuesday
Many organizations use Maintenance Windows as part of their Software Update deployment strategy. Maintenance Windows in SCCM are commonly used for controlling when updates are allowed to be deployed to servers.
As of SCCM 1802, it is possible to configure the deployment of Automatic Deployment Rules with a defined day offset from Patch Tuesday. Read more about it here:
Unfortunately, this feature is not available for Maintenance Windows, which causes an issue that I describe in this blog post.
WHAT ARE MAINTENANCE WINDOWS?
Maintenance Windows are used to control when deployments are allowed, and can be compared to traditional service windows where you would manually patch servers during the weekend.
Maintenance Windows in SCCM can be configured for the following objects:
- Software Updates
- Compliance Settings and Evaluation
- Operating Systems
- Task Sequences
Why would you use Maintenance Windows, you might ask? Yes, you can configure different deployments with different deadlines for Software Updates. Maintenance Windows, however, add another layer of safety that prevents accidental deployments. In theory, you should be able to deploy all software updates to all devices and then control when they are installed using Maintenance Windows.
Some facts about Maintenance Windows:
- Maintenance Windows are configured on collections.
- Maintenance Windows take precedence over deployment deadlines.
- When several Maintenance Windows apply to a device, all of them are used.
When deploying Software Updates to servers you most likely want to do this during non-office and/or low-production hours.
On the 2nd Tuesday of every month, Microsoft releases updates; this is commonly known as Patch Tuesday. Out-of-band or critical patches are released during the month as required.
If I want to deploy the patches on the weekend one week after Patch Tuesday, it would seem reasonable to configure the Maintenance Window to be available on the 3rd Saturday and 3rd Sunday.
As you can see in the calendar below, the 3rd Saturday and Sunday do not always fall on the weekend after Patch Tuesday (the 2nd Tuesday of the month).
If I configure the window to be available every 2nd Saturday or every 3rd Saturday, it will not line up with Patch Tuesday in every month.
To work around this, I have created a PowerShell script that creates Maintenance Windows based on Patch Tuesday.
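The following is an added example (not the author's Invoke-MaintenanceWindows.ps1 from the gallery) showing the core of such a script: it calculates Patch Tuesday for the current month, derives the Saturday and Sunday one week later, and replaces the previous month's windows on each collection using the ConfigurationManager module cmdlets. The parameter names, the window name prefix, the 22:00 start time, the 6-hour duration and the P01 site code are assumptions; the module path follows the usual SMS_ADMIN_UI_PATH convention.

```powershell
# Added example, not the author's script. Assumes the Configuration Manager console
# (and its PowerShell module) is installed on the machine running the scheduled task.
param(
    [Parameter(Mandatory)][string[]]$CollectionId,   # e.g. -CollectionId P01000AB,P01000AC
    [string]$SiteCode = 'P01',                       # assumption: your site code
    [int]$StartHour = 22,                            # assumption: window opens 22:00
    [int]$DurationHours = 6                          # assumption: window length
)

function Get-PatchTuesday {
    # Returns the 2nd Tuesday of the given month (midnight).
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    $first = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0
    # Days from the 1st to the first Tuesday, then one more week to the 2nd Tuesday
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-PatchWeekend {
    # Saturday (+11 days) and Sunday (+12 days) one week after Patch Tuesday.
    # Depending on the month this is the 3rd or the 4th weekend, which is why a
    # fixed "3rd Saturday" schedule does not work.
    param([datetime]$PatchTuesday = (Get-PatchTuesday))
    return @($PatchTuesday.AddDays(11), $PatchTuesday.AddDays(12))
}

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"   # CM cmdlets must run from the site drive

foreach ($id in $CollectionId) {
    # Remove the windows this script created last month so they do not accumulate
    Get-CMMaintenanceWindow -CollectionId $id |
        Where-Object { $_.Name -like 'MW-PatchTuesday-*' } |
        ForEach-Object {
            Remove-CMMaintenanceWindow -CollectionId $id -MaintenanceWindowName $_.Name -Force
        }

    foreach ($day in (Get-PatchWeekend)) {
        $start = $day.AddHours($StartHour)
        # Non-recurring schedule: one window per calculated day
        $schedule = New-CMSchedule -Nonrecurring -Start $start -End $start.AddHours($DurationHours)
        New-CMMaintenanceWindow -CollectionId $id `
            -Name ('MW-PatchTuesday-{0:yyyy-MM-dd}' -f $day) `
            -Schedule $schedule -ApplyTo SoftwareUpdatesOnly | Out-Null
    }
}
Pop-Location
```

Run it once a month from the Scheduled Task described later in the post, under the service account that holds the Maintenance Window role; because it only recreates windows named with its own prefix, it leaves any manually created windows on the collection untouched.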
I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77
There are a few components to my Maintenance Window solution:
- The scripts
- A service account
- Role Based Access in SCCM
- A Scheduled Task
The solution uses the following scripts:
The scripts are located in the TechNet Gallery.
When creating the Scheduled Task, it should not be run in a regular user context, but as a service account.
This is a general recommendation for many different scenarios, as service accounts should not be configured in the same way as standard accounts:
- Password should not change
- Account should not be disabled
The service account will need access in SCCM to create and remove Maintenance Windows. The principle of least privilege should be followed.
I have created a role that I have exported that you can import in your environment to simplify things: <link to role>
Giving minimum permissions should always be top of mind when implementing a successful Role Based Access Control strategy.
DOWNLOAD THE SOLUTION
You can find the solution here: https://gallery.technet.microsoft.com/Create-Maintenance-Windows-19518ec7
Create a standard account in Active Directory and make sure that the password doesn’t expire.
ADD ACCESS IN SCCM
Import the role. You can find information on how to do this here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration
Add the service account to the pre-defined Maintenance Window role.
Open Task Scheduler and go to the folder Configuration Manager.
Right-Click and press Create Basic Task.
Give the Basic Task a Name.
Select which Months the Scheduled Task should run.
Define which Days the Scheduled Task should run.
Select Start a program.
| Setting | Value |
|---|---|
| Add arguments | -ExecutionPolicy Bypass -File "E:\_TMP\Set Maintenance Window\Invoke-MaintenanceWindows.ps1" -CollID1 P01000AB -CollID2 P01000AC |
Enter the information from the table above.
Configure the Scheduled Task to run with a service account.
In summary, Maintenance Windows are a powerful way of controlling when Software Updates are allowed to be installed. It is just important to understand how they work.
- Microsoft Docs – Automatically deploy Software Updates
- Microsoft Docs – What’s new in SCCM 1802
- Microsoft Docs – About the Task Scheduler – Windows applications
- Microsoft Docs – Use Maintenance Windows – Configuration Manager
- Microsoft Docs – Configure role-based administration for Configuration Manager
- How to configure deadlines for Automatic Deployment Rules
- Considerations when deploying Office 365 updates using Automatic Deployment Rules
- Create SCCM ADR with multiple deployments
- SCCM Automatic Deadline Configuration
- How to import the SCCM Powershell Module
- Powershell script to export all SCCM Task Sequence dependencies
About the author
Daniel Classon works as a Senior Consultant at Mansoft, focusing on Microsoft Configuration Manager, Windows 10 and Powershell