What Are Maintenance Windows in SCCM and How Should They Be Configured?

Introduction

Many organizations use maintenance windows in SCCM as part of their Software Update deployment strategy. The most common usage of maintenance windows is to control how servers are allowed to be patched using software updates.

As of SCCM 1802, it is possible to configure Automatic Deployment Rules’ deployment with a defined day offset from Patch Tuesday. 
Read more about it here:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

SCCM Maintenance Windows Explained

Maintenance windows are used to control when deployments may occur. Maintenance windows in SCCM are often compared to traditional service windows where you manually patch servers during the weekend. The service window should be the only time when software updates are applied.

Maintenance windows are often used for maintenance tasks such as server patching when you want to patch the servers within a specific period outside of business hours.

It is possible to configure maintenance windows on the following objects:

• Software Updates
• Software (applications and packages)
• Compliance Settings and Evaluation
• Operating Systems
• Task Sequences

Why would you deploy maintenance windows, you might ask?

Yes, you can configure different deployments with different deadlines for Software Updates. Maintenance windows, however, allow you to add a layer of security, preventing accidental deployments.

Theoretically, you could deploy all software updates to all devices and then configure installation time using maintenance windows.

However, deploying software updates to all clients in one go is not something that many organizations do.

Some facts about maintenance windows:

• Maintenance windows target device collections.
• Maintenance windows have precedence over deadline times.
• If a device is a member of a device collection with an active maintenance window, all installations will only happen during this time.
• When several maintenance windows exist, all maintenance windows take effect.

What is the difference between business hours and maintenance windows?

To summarize, business hours is controlled by the user from Software Center and defines when the user wants to receive a deployment ahead of the deadline, to minimize impact to the user’s work.

Maintenance windows are used to prevent deployments from installing.

How to find out which maintenance windows are applied on a device

As far as I am aware, there is no built-in way of finding out which maintenance windows are applied to a device.

Maintenance windows are configured on SCCM collections. If you want to see which maintenance windows are applied to a collection, right-click the collection and press the maintenance windows tab.

All machines in this collection will receive the above maintenance window.

I recommend checking out Nickolaj Andersen’s tool if you want to find all maintenance windows applied on a machine.

Can I see in the logs if a maintenance window is applied?

Yes! Check in the log file UpdateDeployment.log on an SCCM client, and you will see the following if the machine has maintenance windows configured:

No current service window available to run updates assignment with time required = 1800

Best practices for SCCM Maintenance Windows

Make sure to abide by the following best practices for SCCM maintenance windows:

• Always make the maintenance windows period longer than the run time of the installation.

How to configure maintenance window Patch Tuesday offset

When deploying Software Updates to servers, you most likely want to do this during non-office or low-production hours. Sometimes, this may also apply to Windows clients.

On the 2nd Tuesday of every month, Microsoft releases updates, generally referred to as Patch Tuesday. Out of band, or Critical Patches are deployed during the month as required.

If I want to deploy the patches on the weekend, one week after Patch Tuesday, it would be reasonable to configure the Maintenance Window to be available on the 3rd Saturday and 3rd Sunday.

As you can see in the below calendar, the Patch Tuesday (2nd Tuesday of the month) date does not match the expected time.

If I configure that it should be available every 2nd Saturday or 3rd Saturday, it is not the same every month.

I have created a Powershell script for creating SCCM maintenance windows with an offset from Patch Tuesday to ease this.

I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77.

How to configure SCCM maintenance windows

The components of the maintenance windows solution

There are a few components to my SCCM maintenance window solution:

• The Powershell scripts
• A Windows service account
• Role-Based Access in SCCM
• A Scheduled Task

The Powershell scripts

The solution uses the following Powershell scripts:

• Invoke-MaintenanceWindows.ps1
• Set-MaintenanceWindows.ps1

Download the Powershell scripts here.

Invoke-MaintenanceWindows.ps1

The service account

When creating the Windows scheduled task, a regular user should not run the Windows scheduled task.

Running the Windows scheduled task as a service account is a general recommendation for many scenarios, as you should not configure Windows service accounts in the same way as standard accounts:

• The password should not change.
• The account needs the rights to “logon as batch account” on the server.

The administrative role in SCCM

The Windows service account requires access to SCCM to be able to create and remove SCCM maintenance windows. IT administrators should follow the “law” of minimum permissions.

I have created a role named Maintenance Window Admin.xml that I have exported that you can import in your environment to simplify things.

Giving minimum permissions should always be top of mind when implementing a successful Role-Based Access Control strategy.

Implementation of the maintenance window solution

Download the SCCM maintenance window solution

You can find the solution here.

The Powershell script

The Powershell scripts come with two maintenance windows defined as examples. If you want to configure more or less, you will need to modify the script.

Requirements

The Powershell script requires local access on the server where it runs.

The service account

Requirements

Create a new account in Active Directory, and follow the below requirements:

• Set password never to expire.
• Give permissions in SCCM to the service account. The easiest way is to import the role provided in the solution called Maintenance Window Admin.xml. You may need to log in to the SCCM console once and connect with Powershell to make a successful Powershell connection.
• It requires the “log on as batch account” permission on the server.

You can find more information about how to import an SCCM role here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration.

Add the Windows service account to the pre-defined SCCM maintenance window role.

The scheduled task

Open Task Scheduler in Windows and go to the Configuration Manager folder:

Right-Click on the folder where you want to create the Windows scheduled task. Press Create Basic Task.

Give the Basic Task a Name.

Select which Months the Windows scheduled task should run.

Define which Days the Windows scheduled task should run.

Select Start a program.

Enter the information from the table above.

Finalize the wizard.

Configure the Windows scheduled task to run with a Windows service account.

Common issues with maintenance windows in SCCM

Some common issues with maintenance windows in SCCM include:

• Maintenance windows are too short.
• A mismatch between maintenance window time and deadline time for software updates
• SCCM clients showing as Unknown for software update deployments

Maintenance windows are too short

When configuring maintenance windows in SCCM, you need to configure them to be long enough to finalize. If not, you will see the following in the Monitoring pane in the SCCM console:

No current or future service window exists to install software updates

A mismatch between maintenance window time and deadline time for software updates

This happens if you configure the deadline time for software updates after the time of the maintenance window. I have seen this many times at different customers.

SCCM clients showing as Unknown for software update deployments

If you suddenly see many clients as Unknown as part of your software update reporting, it might be due to the devices being targeted by a maintenance window, which blocks the installation of updates.

Conclusion

In summary, using SCCM maintenance windows is a powerful way of controlling when software updates may install. It is just essential to understand how SCCM maintenance windows work.

References

• Microsoft Docs – Automatically deploy Software Updates
• Microsoft Docs – What’s new in SCCM 1802
• Microsoft Docs – About the Task Scheduler – Windows applications
• Microsoft Docs – Use Maintenance Windows – Configuration Manager
• Microsoft Docs – Configure role-based administration for Configuration Manager
• Maintenance Windows vs. Usiness Hours – Tech Community

Related posts

• How to configure deadlines for Automatic Deployment Rules
• How to import the SCCM Powershell Module
• Powershell script to export all SCCM Task Sequence dependencies
• Check for model-specific settings using SCCM configuration baselines
• Manage Software Update Groups in SCCM using Powershell