Setting maintenance windows for Windows and Linux endpoints

Maintenance windows control when Windows and Linux patches can be applied to a computer group. A maintenance window is separate from the deployment start and end time. After a maintenance window is applied to an endpoint, that endpoint does not install patches or restart to complete patch installation, unless it is currently in an open maintenance window. To install a patch, the maintenance window must be open during the configured deployment time.

A maintenance window is different from a scan window. For more information about limiting scan activity to a designated scan window, see Scan windows.

If endpoints do not have a maintenance window assigned, you might unintentionally install patches on those endpoints when there is an active deployment. To prevent endpoints from being patched accidentally, you can set a blocking maintenance window that never occurs for the computer group that contains the endpoints. To set a blocking maintenance window, create a maintenance window that does not repeat, with start and end dates in the past. With the blocking maintenance window in place, the endpoint computer group will be patched only during active maintenance windows. This type of setup is useful if you want to prevent servers from being patched on the same schedule as end-user machines. For more information about the different options available to prevent server patching, see Improve Your Automated Patch Workflow: Preventing Server Patching.

Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
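The gating rules described above can be modeled as a pre-deployment check. This is an added example, not Tanium code: the function names and sample dates are hypothetical, and all times are assumed to be in one time zone.

```python
from datetime import datetime, timedelta

MIN_LENGTH = timedelta(hours=4)  # minimum window length recommended on this page

def install_intervals(deployment, windows, override=False):
    """Intervals in which a deployment may install patches on one computer group.

    deployment: (start, end). windows: list of (start, end) occurrences of the
    enforced maintenance windows, or None when no window is assigned.
    """
    dep_start, dep_end = deployment
    if windows is None or override:
        # No window assigned, or Override Maintenance Windows set on the deployment.
        return [(dep_start, dep_end)]
    allowed = []
    for w_start, w_end in sorted(windows):
        start, end = max(dep_start, w_start), min(dep_end, w_end)
        if start >= end:
            continue  # this window never opens during the deployment
        if allowed and start <= allowed[-1][1]:
            allowed[-1] = (allowed[-1][0], max(allowed[-1][1], end))  # merge overlap
        else:
            allowed.append((start, end))
    return allowed

def review(deployment, windows):
    """Findings a change reviewer would raise before the deployment starts."""
    if windows is None:
        return ["no maintenance window assigned: patches install while the deployment is active"]
    findings = []
    for w_start, w_end in windows:
        if w_end - w_start < MIN_LENGTH:
            findings.append(f"window starting {w_start:%Y-%m-%d %H:%M} is shorter than 4 hours")
    if not install_intervals(deployment, windows):
        findings.append("no window is open during the deployment: nothing installs")
    return findings

# Constructed sample data, not taken from any real environment.
DEPLOYMENT = (datetime(2024, 6, 19, 0, 0), datetime(2024, 6, 21, 0, 0))
SERVERS = [(datetime(2024, 6, 19, 22, 0), datetime(2024, 6, 20, 2, 0))]  # 4-hour window
BLOCKED = [(datetime(2000, 1, 1, 0, 0), datetime(2000, 1, 1, 4, 0))]     # blocking window in the past
SHORT = [(datetime(2024, 6, 20, 23, 0), datetime(2024, 6, 21, 1, 0))]    # 2 hours, runs past deployment end

if __name__ == "__main__":
    for name, wins in [("unassigned", None), ("servers", SERVERS), ("blocked", BLOCKED), ("short", SHORT)]:
        print(name, install_intervals(DEPLOYMENT, wins), review(DEPLOYMENT, wins))
```

For the blocking window, the "nothing installs" finding is the intended outcome; for any other group it means the window and the deployment time do not overlap.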

Maintenance window options

You can configure maintenance windows for the times that are best for your environment. Apply maintenance windows by enforcing them against computer groups. Multiple maintenance windows can affect a computer group, creating several periods during which patch activity is permitted.

| If you want . . . | After the date and time, select . . . |
| --- | --- |
| A one-time window | Does Not Repeat |
| A window that repeats every few days | Daily and the number of days between windows |
| A window that repeats on the same days of the week | Weekly, the number of weeks between windows, and which days of the week it opens on |
| A window that repeats on the same date each month | Monthly, the number of months between windows, and Day of the Month |
| A window that repeats on the same day each month | Monthly, the number of months between windows, and Day of the Week |
| A window that repeats on the same day of the year | Yearly and the number of years between windows |

If a maintenance window does not repeat and it is the only one enforced against a computer group, patches cannot be applied after the window closes. However, if endpoints do not have a maintenance window assigned, you might unintentionally install patches on those endpoints when there is an active deployment. To prevent accidental patching, you can apply a blocking maintenance window to a computer group.

Create a maintenance window

You can open multiple maintenance windows to customize when patches are applied to your endpoints. For example, you can create windows that allow deployments to install patches during periods of low network activity or outside of core working hours.

  1. From the Patch menu, go to Maintenance Windows and then click Create Window.
  2. Name the window, add an optional description, select an operating system, and select a content set.
  3. Configure the window options.
    1. (Optional) Select the recurrence time frame.
      If you chose to repeat the window, set additional options, such as how often the window repeats, day of the week, or day of the month.
    2. Choose from the local time on the endpoint or UTC time.

    3. Use the date and time pickers to set the start and end time of the window.

      If a maintenance window repeats, it does not have an end date. You must remove the enforcement against the target computer groups to stop the maintenance window.

    4. If you chose to repeat the window, set the duration of the window.

    For example, to account for Patch Tuesday, you could use these settings for the Wednesday a week after patch updates are typically released by Microsoft.

  4. Click Create Window. Review any informational messages that appear and perform any updates that are necessary to the maintenance window. Click Create Window. Click Yes to confirm that you want to create a maintenance window.
  5. Add one or more target computer groups. Maintenance windows can only target management-rights enabled computer groups. Filter groups and targeting filters are not supported. Click Save. Click Yes to confirm that you want to create a maintenance window.

    Maintenance window computer groups must be assigned RBAC permissions for the user or group to appear in the list. For more information, see Tanium Console User Guide: RBAC overview.
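The Patch Tuesday example in the procedure above depends on date arithmetic that is easy to get wrong, so the following added example (not Tanium code) computes the Wednesday a week after Patch Tuesday for each month and reports which Wednesday of the month it is. It assumes Patch Tuesday is the second Tuesday of the month; the function names are hypothetical.

```python
import calendar
from datetime import date, timedelta

def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (calendar.MONDAY == 0) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))

def patch_tuesday(year, month):
    """Second Tuesday of the month (assumed Microsoft release day)."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)

def window_day(year, month):
    """The Wednesday a week after Patch Tuesday, that is Patch Tuesday + 8 days."""
    return patch_tuesday(year, month) + timedelta(days=8)

def wednesday_ordinal(d):
    """Which occurrence of its weekday a date is within its month (3 = third)."""
    return (d.day - 1) // 7 + 1

def plan(year):
    """Per month: (Patch Tuesday, target Wednesday, ordinal of that Wednesday)."""
    rows = []
    for month in range(1, 13):
        target = window_day(year, month)
        rows.append((patch_tuesday(year, month), target, wednesday_ordinal(target)))
    return rows

if __name__ == "__main__":
    for tuesday, target, ordinal in plan(2024):
        note = "" if ordinal == 3 else "  <- fourth Wednesday, not the third"
        print(f"Patch Tuesday {tuesday}  window day {target}{note}")
```

When a month begins on a Wednesday, the target day is the fourth Wednesday rather than the third, so a recurrence fixed to one ordinal weekday should be checked against the release calendar for those months.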

Edit a maintenance window

  1. From the Patch menu, go to Maintenance Windows.
  2. Click the name of a window and click Edit.
  3. Make your changes and click Update Window.

Override a maintenance window

You can apply a patch outside of a maintenance window by configuring the Override Maintenance Windows option during a patch deployment. For more information, see Deploying patches for Windows and Linux endpoints. Note that if you also choose to restart the endpoint in the deployment options, the endpoint restarts immediately after the patch is installed.

Delete a maintenance window

After the enforcements have been removed, you can delete a maintenance window.

  1. From the Patch menu, go to Maintenance Windows.
  2. Click the name of a window.
  3. If the window is enforced against computer groups, remove all groups.
  4. Click Delete.