Setting maintenance windows for Windows and Linux endpoints
Maintenance windows control when Windows and Linux patches can be applied to a computer group. A maintenance window is separate from the deployment start and end time. After a maintenance window is applied to an endpoint, that endpoint does not install patches or restart to complete patch installation, unless it is currently in an open maintenance window. To install a patch, the maintenance window must be open during the configured deployment time.
A maintenance window is different from a scan window. For more information about limiting scan activity to a designated scan window, see Scan windows.
If endpoints do not have a maintenance window assigned, you might unintentionally install patches on those endpoints when there is an active deployment. To prevent endpoints from being patched accidentally, you can set a blocking maintenance window that never occurs for the computer group that contains the endpoints. To set a blocking maintenance window, create a maintenance window that does not repeat, with start and end dates in the past. With the blocking maintenance window in place, the endpoint computer group will be patched only during active maintenance windows. This type of setup is useful if you want to prevent servers from being patched on the same schedule as end-user machines. For more information about the different options available to prevent server patching, see Improve Your Automated Patch Workflow: Preventing Server Patching.
Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
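The gating rule and the sizing guidance above can be checked against a planned schedule before it is enforced. The following is an added example, not Tanium code and not a Tanium API: `Window`, `patch_allowed` and `lint` are hypothetical names. It assumes repetition at a fixed interval (the Monthly and Yearly options are not modelled) and treats "at least once each month" as an interval of 31 days or less.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Window:  # hypothetical model of one enforced maintenance window
    name: str
    start: datetime
    duration: timedelta
    repeat_every: Optional[timedelta] = None  # None models "Does Not Repeat"

    def occurrences(self, lo, hi):
        """Yield (open, close) for every occurrence that intersects [lo, hi)."""
        s = self.start
        while s < hi:
            if s + self.duration > lo:
                yield s, s + self.duration
            if self.repeat_every is None:
                return
            s += self.repeat_every

def patch_allowed(now, deploy_start, deploy_end, windows):
    """Deployment must be active AND, if any window is enforced, one must be open."""
    if not deploy_start <= now < deploy_end:
        return False
    if not windows:  # nothing enforced: the active deployment alone decides
        return True
    return any(o <= now < c for w in windows
               for o, c in w.occurrences(now, now + timedelta(seconds=1)))

def lint(windows, deploy_start, deploy_end):
    """Return findings for the windows enforced against one computer group."""
    if not windows:
        return ["no window enforced: any active deployment can patch this group"]
    findings, overlap = [], False
    for w in windows:
        if w.repeat_every is None and w.start + w.duration <= deploy_start:
            continue  # non-repeating and already closed: a blocking window
        if w.duration < timedelta(hours=4):
            findings.append(f"{w.name}: shorter than four hours")
        if w.repeat_every is None or w.repeat_every > timedelta(days=31):
            findings.append(f"{w.name}: does not repeat at least once a month")
        overlap |= any(True for _ in w.occurrences(deploy_start, deploy_end))
    if not overlap:
        findings.append("no window opens during the deployment: nothing installs")
    return findings

if __name__ == "__main__":  # constructed sample: a group with only a blocking window
    block = Window("block", datetime(2020, 1, 1), timedelta(hours=1))
    print(lint([block], datetime(2024, 3, 1), datetime(2024, 3, 8)))
```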
Maintenance window options
You can configure maintenance windows for the times that are best for your environment. Apply maintenance windows by enforcing them against computer groups. Multiple maintenance windows can affect a computer group, creating several times that activity is permitted.
If you want . . . | After the date and time, select . . . |
---|---|
A one-time window | Does Not Repeat |
A window that repeats every few days | Daily and the number of days between windows |
A window that repeats on the same days of the week | Weekly, the number of weeks between windows, and which days of the week it opens on |
A window that repeats on the same date each month | Monthly, the number of months between windows, and Day of the Month |
A window that repeats on the same day each month | Monthly, the number of months between windows, and Day of the Week |
A window that repeats on the same day of the year | Yearly and the number of years between windows |
If a maintenance window does not repeat and it is the only one enforced against a computer group, after the window closes.
Create a maintenance window
You can open multiple maintenance windows to customize when your endpoints. For example, you can create windows that allow deployments during periods of low network activity or outside of core working hours.
- From the Client Management menu, go to Maintenance Windows and then click Create Window.
- Name the window.
- Configure the window options.
Choose from the local time on the endpoint or UTC time.
(Optional) Select the recurrence time frame.
If you chose to repeat the window, set additional options, such as how often the window repeats, day of the week, or day of the month.
If you chose to repeat the window, set the duration of the window.
- Click Create Window. Review any informational messages that appear and perform any updates that are necessary to the maintenance window. Click Create Window. Click Yes to confirm that you want to create a maintenance window.
- Add one or more target computer groups. Maintenance windows can only target management-rights enabled computer groups. Filter groups and targeting filters are not supported. Click Save. Click Yes to confirm that you want to create a maintenance window.
Maintenance window computer groups must be assigned RBAC permissions for the user or group to appear in the list. For more information, see Tanium Console User Guide: RBAC overview.
Edit a maintenance window
- From the Client Management menu, go to Maintenance Windows.
- Click the name of a window and click Edit.
- Make your changes and click Update Window.
Override a maintenance window
Delete a maintenance window
After the enforcements have been removed, you can delete a maintenance window.
- From the Client Management menu, go to Maintenance Windows.
- Click the name of a window.
- If the window is enforced against computer groups, remove all groups.
- Click Delete.
Last updated: 9/20/2023 1:48 PM