Using Maintenance Windows While Patching
I got a really good question today on maintenance windows and patching and how they can or cannot work together. Specifically if you had a maintenance window defined, but told the patches to install ignoring the maintenance window but suppress the reboots until the maintenance window will it install the updates and hold off on rebooting the clients until the maintenance window?
First let's go over defining maintenance windows.
Assuming you already have a collection of computers built that you will apply the maintenance window to right click on that collection of computers (never users for maintenance windows).
Select Modify collection settings from the context menu.
On the Maintenance Windows tab click the starburst icon to create a new maintenance window.
Give it a name, and set the reoccurrence pattern, I set mine to daily and left the default time from 1 - 4 AM. Then click OK.
You should now see the maintenance window defined, click OK again and now we have set the maintenance window for these clients from 1 - 4 AM each day, or however you defined yours.
OK now for software updates.
The machine I am going to test on is an XP box that is one of my test machines in my home lab, it has been off for quite some time so it is not fully patched and makes an excellent client.
I have also created a search folder under software updates for critical XP patches in previous testing. This makes deployment much easier and if you don't use search folders I highly recommended it.
Let's look at the different settings for this package of XP Critical updates I have defined.
In the Deployment Management folder there is already the XP Critical Updates package, I am going to right click on the package itself and select properties and then look at the Schedule tab. I want to check the bottom box that tells it to ignore the maintenance windows and install as soon as the deadline comes.
And then on the Restart Settings tab, make sure that the checkbox telling ConfigMgr to restart outside of the maintenance window is not checked. I also have the box to suppress reboots on workstations unchecked.
Now I am going to add the new patches to this package by going to my search folder selecting my search for Critical XP Patches, selecting the new patches
and in the Actions pane clicking Download Software Update under the selected items section which start the Download Updates Wizard and I tell it to add these patches to my XP Critical Patches package.
I finish going through the wizard and wait for the patches to download and about a minute later I get a success telling me that the patches have been downloaded and added to my package.
Meanwhile, back at the ranch or on our client, once the client notices that there are patches to be installed and the deadline for install has passed the patches do get installed on the computer. You can completely hide this from the user now, or you can give them a balloon notification and allow them to watch the progress.
If the user does watch the progress, assuming you allowed this through your configuration, they also have the option to reboot now or close the window. If the users selects the close option we see in the %System32%\CCM\logs\RebootCoordinator.log file that our maintenance window is preventing the client from being rebooted until the maintenance window.
I have adjusted the maintenance window settings for this client to put us inside a maintenance window to see if it will actually reboot the computer. And after I force the client to do a policy refresh a couple seconds later up comes the dialog box telling the user they have five minutes before their computer is restarted.
To answer the original question, yes you can use maintenance windows to only delay the reboots and have the patches install ASAP.
Anthony Clendenen | Solutions Engineer | 1E
Microsoft MVP System Center Configuration Manager
© Anthony Clendenen