Table of Contents
Introduction
Many organizations use maintenance windows in SCCM as part of their Software Update deployment strategy. The most common usage of maintenance windows is to control how servers are allowed to be patched using software updates.
As of SCCM 1802, it is possible to configure Automatic Deployment Rules’ deployment with a defined day offset from Patch Tuesday.Â
Read more about it here:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
SCCM Maintenance Windows Explained
Maintenance windows are used to control when deployments may occur. Maintenance windows in SCCM are often compared to traditional service windows where you manually patch servers during the weekend. The service window should be the only time when software updates are applied.
Maintenance windows are often used for maintenance tasks such as server patching when you want to patch the servers within a specific period outside of business hours.
It is possible to configure maintenance windows on the following objects:
- Software Updates
- Software (applications and packages)
- Compliance Settings and Evaluation
- Operating Systems
- Task Sequences
Why would you deploy maintenance windows, you might ask?
Yes, you can configure different deployments with different deadlines for Software Updates. Maintenance windows, however, allow you to add a layer of security, preventing accidental deployments.
Theoretically, you could deploy all software updates to all devices and then configure installation time using maintenance windows.
However, deploying software updates to all clients in one go is not something that many organizations do.
Some facts about maintenance windows:
- Maintenance windows target device collections.
- Maintenance windows have precedence over deadline times.
- If a device is a member of a device collection with an active maintenance window, all installations will only happen during this time.
- When several maintenance windows exist, all maintenance windows take effect.
What is the difference between business hours and maintenance windows?
To summarize, business hours is controlled by the user from Software Center and defines when the user wants to receive a deployment ahead of the deadline, to minimize impact to the user’s work.
Maintenance windows are used to prevent deployments from installing.
How to find out which maintenance windows are applied on a device
As far as I am aware, there is no built-in way of finding out which maintenance windows are applied to a device.
Maintenance windows are configured on SCCM collections. If you want to see which maintenance windows are applied to a collection, right-click the collection and press the maintenance windows tab.
All machines in this collection will receive the above maintenance window.
I recommend checking out Nickolaj Andersen’s tool if you want to find all maintenance windows applied on a machine.
Can I see in the logs if a maintenance window is applied?
Yes! Check in the log file UpdateDeployment.log on an SCCM client, and you will see the following if the machine has maintenance windows configured:
No current service window available to run updates assignment with time required = 1800
Best practices for SCCM Maintenance Windows
Make sure to abide by the following best practices for SCCM maintenance windows:
- Always make the maintenance windows period longer than the run time of the installation.
How to configure maintenance window Patch Tuesday offset
When deploying Software Updates to servers, you most likely want to do this during non-office or low-production hours. Sometimes, this may also apply to Windows clients.
On the 2nd Tuesday of every month, Microsoft releases updates, generally referred to as Patch Tuesday. Out of band, or Critical Patches are deployed during the month as required.
If I want to deploy the patches on the weekend, one week after Patch Tuesday, it would be reasonable to configure the Maintenance Window to be available on the 3rd Saturday and 3rd Sunday.
As you can see in the below calendar, the Patch Tuesday (2nd Tuesday of the month) date does not match the expected time.
If I configure that it should be available every 2nd Saturday or 3rd Saturday, it is not the same every month.
I have created a Powershell script for creating SCCM maintenance windows with an offset from Patch Tuesday to ease this.
I took inspiration from Octavian Cordos’ script created in 2015: https://gallery.technet.microsoft.com/scriptcenter/Setting-Maintenance-71f47c77.
How to configure SCCM maintenance windows
The components of the maintenance windows solution
There are a few components to my SCCM maintenance window solution:
- The Powershell scripts
- A Windows service account
- Role-Based Access in SCCM
- A Scheduled Task
The Powershell scripts
The solution uses the following Powershell scripts:
- Invoke-MaintenanceWindows.ps1
- Set-MaintenanceWindows.ps1
Download the Powershell scripts here.
Invoke-MaintenanceWindows.ps1
The service account
When creating the Windows scheduled task, a regular user should not run the Windows scheduled task.
Running the Windows scheduled task as a service account is a general recommendation for many scenarios, as you should not configure Windows service accounts in the same way as standard accounts:
- The password should not change.
- The account needs the rights to “logon as batch account” on the server.
The administrative role in SCCM
The Windows service account requires access to SCCM to be able to create and remove SCCM maintenance windows. IT administrators should follow the “law” of minimum permissions.
I have created a role named Maintenance Window Admin.xml that I have exported that you can import in your environment to simplify things.
Giving minimum permissions should always be top of mind when implementing a successful Role-Based Access Control strategy.
Implementation of the maintenance window solution
Download the SCCM maintenance window solution
You can find the solution here.
The Powershell script
The Powershell scripts come with two maintenance windows defined as examples. If you want to configure more or less, you will need to modify the script.
Requirements
The Powershell script requires local access on the server where it runs.
The service account
Requirements
Create a new account in Active Directory, and follow the below requirements:
- Set password never to expire.
- Give permissions in SCCM to the service account. The easiest way is to import the role provided in the solution called Maintenance Window Admin.xml. You may need to log in to the SCCM console once and connect with Powershell to make a successful Powershell connection.
- It requires the “log on as batch account” permission on the server.
You can find more information about how to import an SCCM role here: https://docs.microsoft.com/en-us/sccm/core/servers/deploy/configure/configure-role-based-administration.
Add the Windows service account to the pre-defined SCCM maintenance window role.
The scheduled task
Open Task Scheduler in Windows and go to the Configuration Manager folder:
Right-Click on the folder where you want to create the Windows scheduled task. Press Create Basic Task.
Give the Basic Task a Name.
Select which Months the Windows scheduled task should run.
Define which Days the Windows scheduled task should run.
Select Start a program.
| Program/script | Powershell.exe |
| Add arguments | -ExecutionPolicy Bypass -File “E:_TMPSet Maintenance WindowInvoke-MaintenanceWindows.ps1” -CollID1 P01000AB -CollID2 P01000AC |
| Start in | (Empty) |
Enter the information from the table above.
Finalize the wizard.
Configure the Windows scheduled task to run with a Windows service account.
Common issues with maintenance windows in SCCM
Some common issues with maintenance windows in SCCM include:
- Maintenance windows are too short.
- A mismatch between maintenance window time and deadline time for software updates
- SCCM clients showing as Unknown for software update deployments
Maintenance windows are too short
When configuring maintenance windows in SCCM, you need to configure them to be long enough to finalize. If not, you will see the following in the Monitoring pane in the SCCM console:
No current or future service window exists to install software updates
A mismatch between maintenance window time and deadline time for software updates
This happens if you configure the deadline time for software updates after the time of the maintenance window. I have seen this many times at different customers.
SCCM clients showing as Unknown for software update deployments
If you suddenly see many clients as Unknown as part of your software update reporting, it might be due to the devices being targeted by a maintenance window, which blocks the installation of updates.
Conclusion
In summary, using SCCM maintenance windows is a powerful way of controlling when software updates may install. It is just essential to understand how SCCM maintenance windows work.
References
- Microsoft Docs – Automatically deploy Software Updates
- Microsoft Docs – What’s new in SCCM 1802
- Microsoft Docs – About the Task Scheduler – Windows applications
- Microsoft Docs – Use Maintenance Windows – Configuration Manager
- Microsoft Docs – Configure role-based administration for Configuration Manager
- Maintenance Windows vs. Usiness Hours – Tech Community
Related posts
- How to configure deadlines for Automatic Deployment Rules
- How to import the SCCM Powershell Module
- Powershell script to export all SCCM Task Sequence dependencies
- Check for model-specific settings using SCCM configuration baselines
- Manage Software Update Groups in SCCM using Powershell
Thanks Daniel this is great. The only thing that doesn’t seem to work is the deleting of the old Maintenance Windows, is there something I need to change to get that to work? Also the script calls Set-MaintenanceWindow.ps1 and not Set-MaintenanceWindows.ps1, I removed the s from the PS1 name and it worked fine.
Hi Edwin,
Thanks for your feedback! I will look into this and update the post :). You should not need to make any changes to the script for the deleting of the old Maintenance Windows.
/Daniel
Hi Daniel,
Do you have a copy of the https://gallery.technet.microsoft.com/Create-Maintenance-Windows-19518ec7, the page seems to be gone! It was just there a month ago.
Please help.
Thank you,
Eric
Hi Eric,
Thanks for the comment! I have updated the post and placed the scripts here: https://www.danielengberg.com/wp-content/uploads/2021/02/Set-MaintenanceWindows.zip
/Daniel
Hello, Absolutely fantastic article Daniel! Can i ask a question/advise?
My environment is pretty big so our windows updates collections are split into 4 depending on severity of servers. i.e The first test collection is the weekend after patch Tuesday and then a further 3 collections the following 3 weekends. Can your script help me for creating the 4 collections? Thank you 😀
For this item “As far as I am aware, there is no built-in way of finding out which maintenance windows are applied to a device.”
there is a built-in report “Maintenance windows available to a specified client” which will show all maintenance windows. It is under “Software Distribution – Collections”
We use this if asked for server patch windows, or to confirm changes for example if a line of business asks to exclude their server from patching, to verify the maintenance window has been removed.
Sorry, I meant from the console. Thanks for the information!