Many organizations use maintenance windows in SCCM as part of their Software Update deployment strategy. One common usage of maintenance windows is to control at what times servers are allowed to be patched using software updates.
As of SCCM 1802, it is possible to configure the deployment of Automatic Deployment Rules with a defined day offset from Patch Tuesday.
Read more about it here:
Unfortunately, the ability to offset the date from Patch Tuesday is not available for maintenance windows, which causes an issue that I describe in this blog post.
SCCM Maintenance Windows Explained
Maintenance windows are used to control when deployments may occur. Maintenance windows in SCCM are often compared to traditional service windows where you would manually patch servers during the weekend. The service window should be the only time when software updates are applied.
It is possible to configure maintenance windows on the following objects:
- Software Updates
- Software (applications and packages)
- Compliance Settings and Evaluation
- Operating Systems
- Task Sequences
Why would you deploy maintenance windows, you might ask?
Yes, you can configure different deployments with different deadlines for Software Updates. Maintenance windows, however, allow you to add a layer of security, preventing accidental deployments.
Theoretically, you should be able to deploy all software updates to all devices and then configure when they are installed using maintenance windows.
Deploying software updates to all clients in one go is not something that many organizations do though.
Some facts about maintenance windows:
- Maintenance windows target device collections.
- Maintenance windows have precedence over deadline times.
- When several maintenance windows exist, all maintenance windows take effect.
How to configure Patch Tuesday offset
When deploying Software Updates to servers, you most likely want to do this during non-office or low-production hours. Sometimes, this may also apply to Windows clients.
On the 2nd Tuesday of every month, Microsoft releases updates, generally referred to as Patch Tuesday. Out-of-band or critical patches are released during the month as required.
If I want to deploy the patches on the weekend, one week after Patch Tuesday, it would be reasonable to configure the Maintenance Window to be available on the 3rd Saturday and 3rd Sunday.
As you can see in the below calendar, the Patch Tuesday (2nd Tuesday of the month) date does not fall in the same week of the month every time.
If I configure the window to be available every 2nd Saturday or every 3rd Saturday, the offset from Patch Tuesday is not the same every month.
To ease this, I have created a Powershell script for creating SCCM maintenance windows with an offset from Patch Tuesday.
I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77
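As an added example (not the author's TechNet script), the following PowerShell computes Patch Tuesday for a month, derives the weekend one week later (Patch Tuesday + 11 days), and creates a non-recurring software-update maintenance window for it on each target collection, replacing the previous month's window. The site code, collection IDs, window name and the Saturday-to-Sunday window times are assumptions.

```powershell
# Added example, not the script from the TechNet Gallery. Site code, collection
# IDs and window times below are assumed values for illustration.
param(
    [string]$SiteCode = 'P01',
    [string[]]$CollectionId = @('P01000AB', 'P01000AC'),
    [int]$Year  = (Get-Date).Year,
    [int]$Month = (Get-Date).Month
)

function Get-PatchTuesday {
    param([int]$Year, [int]$Month)
    # Walk from the 1st to the first Tuesday, then add a week for the 2nd Tuesday.
    $day = [datetime]::new($Year, $Month, 1)
    while ($day.DayOfWeek -ne [DayOfWeek]::Tuesday) { $day = $day.AddDays(1) }
    return $day.AddDays(7)
}

$patchTuesday = Get-PatchTuesday -Year $Year -Month $Month
# Saturday of the following week is always Patch Tuesday + 11 days, regardless
# of which week of the month Patch Tuesday fell in.
$windowStart = $patchTuesday.AddDays(11)                 # Saturday 00:00
$windowEnd   = $windowStart.AddDays(2).AddMinutes(-1)    # Sunday 23:59
$name        = 'Patch Tuesday +11 days {0:yyyy-MM}' -f $patchTuesday

# Connect to the site; the ConfigurationManager module ships with the console.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"

$schedule = New-CMSchedule -Nonrecurring -Start $windowStart -End $windowEnd

foreach ($id in $CollectionId) {
    # Remove last month's window of the same kind so windows do not pile up.
    Get-CMMaintenanceWindow -CollectionId $id |
        Where-Object { $_.Name -like 'Patch Tuesday +11 days *' } |
        ForEach-Object { Remove-CMMaintenanceWindow -CollectionId $id -Name $_.Name -Force }

    # Restrict the window to software updates only, so nothing else piggybacks on it.
    New-CMMaintenanceWindow -CollectionId $id -Name $name -Schedule $schedule `
        -ApplyTo SoftwareUpdatesOnly | Out-Null
    Write-Output "$id : $name ($windowStart -> $windowEnd)"
}

Pop-Location
```

Run it from a scheduled task shortly after Patch Tuesday each month, under an account that holds only the maintenance-window rights described below.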
How to configure SCCM maintenance windows
The components of the maintenance windows solution
There are a few components to my SCCM maintenance window solution:
- The Powershell scripts
- A Windows service account
- Role-Based Access in SCCM
- A Scheduled Task
The Powershell scripts
The solution uses the following Powershell scripts:
The Powershell scripts are located in the TechNet Gallery.
The service account
The Windows scheduled task should not run in a regular user context, but as a service account.
Running the Windows scheduled task as a service account is a general recommendation for many scenarios, as Windows service accounts should not be configured in the same way as standard accounts:
- The password should not change
- The account needs the rights to “logon as batch account” on the server
The administrative role in SCCM
The Windows service account requires access to SCCM to be able to create and remove SCCM maintenance windows. The principle of least privilege should be followed.
To simplify things, I have created and exported a role, Maintenance Window Admin.xml, that you can import into your environment.
Giving minimum permissions should always be top of mind when implementing a successful Role-Based Access Control strategy.
Implementation of the maintenance window solution
Download the SCCM maintenance window solution
You can find the solution here: https://gallery.technet.microsoft.com/Create-Maintenance-Windows-19518ec7
The Powershell script
The Powershell script comes with two maintenance windows defined as examples. If you want to configure more or fewer, you will need to modify the script.
The Powershell script requires local access on the server where it runs.
The service account
Create a new account in Active Directory, and follow the below requirements:
- Set password to never expire
- Give permissions in SCCM to the service account. The easiest way is to import the role provided in the solution, called Maintenance Window Admin.xml. You may need to log in to the SCCM console once and connect with Powershell before a Powershell connection will succeed.
- It requires the “log on as batch account” permission on the server
You can find more information about how to import an SCCM role here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration
Add the Windows service account to the pre-defined SCCM maintenance window role.
The scheduled task
Open Task Scheduler in Windows and go to the Configuration Manager folder:
Right-Click on the folder where you want to create the Windows scheduled task. Press Create Basic Task.
Give the Basic Task a Name.
Select which Months the Windows scheduled task should run.
Define which Days the Windows scheduled task should run.
Select Start a program.
Add arguments: -ExecutionPolicy Bypass -File "E:\_TMP\Set Maintenance Window\Invoke-MaintenanceWindows.ps1" -CollID1 P01000AB -CollID2 P01000AC
Enter the information from the table above.
Finalize the wizard.
Configure the Windows scheduled task to run with a Windows service account.
In summary, using SCCM maintenance windows is a powerful way of controlling when software updates may install. It is just important to understand how SCCM maintenance windows work.
- Microsoft Docs – Automatically deploy Software Updates
- Microsoft Docs – What’s new in SCCM 1802
- Microsoft Docs – About the Task Scheduler – Windows applications
- Microsoft Docs – Use Maintenance Windows – Configuration Manager
- Microsoft Docs – Configure role-based administration for Configuration Manager