Setting maintenance windows for Windows and Linux endpoints
Maintenance windows control when Windows and Linux patches can be applied to a computer group. A maintenance window is separate from the deployment start and end time. After a maintenance window is applied to an endpoint, that endpoint does not install patches or restart to complete patch installation, unless it is currently in an open maintenance window. To install a patch, the maintenance window must be open during the configured deployment time.
A maintenance window is different from a scan window. For more information about limiting scan activity to a designated scan window, see Scan windows.
If endpoints do not have a maintenance window assigned, you might unintentionally install patches on those endpoints when there is an active deployment. To prevent endpoints from being patched accidentally, you can set a blocking maintenance window that never occurs for the computer group that contains the endpoints. To set a blocking maintenance window, create a maintenance window that does not repeat, with start and end dates in the past. With the blocking maintenance window in place, the endpoint computer group will be patched only during active maintenance windows. This type of setup is useful if you want to prevent servers from being patched on the same schedule as end-user machines. For more information about the different options available to prevent server patching, see Improve Your Automated Patch Workflow: Preventing Server Patching.
Ensure that maintenance windows are at least four hours long, repeat at least once each month, and properly overlap with deployment times and change control process timelines.
Maintenance window options
You can configure maintenance windows for the times that are best for your environment. Apply maintenance windows by enforcing them against computer groups. Multiple maintenance windows can affect a computer group, creating several times that
| If you want . . . | After the date and time, select . . . |
|---|---|
| A one-time window | Does Not Repeat |
| A window that repeats every few days | Daily and the number of days between windows |
| A window that repeats on the same days of the week | Weekly, the number of weeks between windows, and which days of the week it opens on |
| A window that repeats on the same date each month | Monthly, the number of months between windows, and Day of the Month |
| A window that repeats on the same day each month | Monthly, the number of months between windows, and Day of the Week |
| A window that repeats on the same day of the year | Yearly and the number of years between windows |
If a maintenance window does not repeat and it is the only one enforced against a computer group,
Create a maintenance window
You can open multiple maintenance windows to customize when
- From the Patch menu, go to Maintenance Windows and then click Create Window.
- Name the window
- Configure the window options.
- (Optional) Select the recurrence time frame.
If you chose to repeat the window, set additional options, such as how often the window repeats, day of the week, or day of the month. Choose from the local time on the endpoint or UTC time.
Use the date and time pickers to set the start and end time of the window.
If a maintenance window repeats, it does not have an end date. You must remove the enforcement against the target computer groups to stop the maintenance window.
- If you chose to repeat the window, set the duration of the window.
For example, to account for Patch Tuesday, you could use these settings for the Wednesday a week after patch updates are typically released by Microsoft.
- (Optional) Select the recurrence time frame.
- Configure the window options.
(Optional) Select the recurrence time frame.
If you chose to repeat the window, set additional options, such as how often the window repeats, day of the week, or day of the month.Choose from the local time on the endpoint or UTC time.
Use the date and time pickers to set the start and end time of the window.
If a maintenance window repeats, it does not have an end date. You must remove the enforcement against the target computer groups to stop the maintenance window.
If you chose to repeat the window, set the duration of the window.
For example, to account for Patch Tuesday, you could use these settings for the Wednesday a week after patch updates are typically released by Microsoft.
- Click Create Window. Review any informational messages that appear and perform any updates that are necessary to the maintenance window. Click Create Window. Click Yes to confirm that you want to create a maintenance window.
- Add one or more target computer groups. Maintenance windows can only target management-rights enabled computer groups. Filter groups and targeting filters are not supported. Click Save. Click Yes to confirm that you want to create a maintenance window.
Maintenance window computer groups must be assigned RBAC permissions for the user or group to appear in the list. For more information, see Tanium Console User Guide: RBAC overview.
Edit a maintenance window
- From the Patch menu, go to Maintenance Windows.
- Click the name of a window and click Edit.
- Make your changes and click Update Window.
Override a maintenance window
You can apply a patch outside of a maintenance window by configuring the Override Maintenance Windows option during a patch deployment. For more information, see Deploying patches for Windows and Linux endpoints. Note that if you also choose to restart the endpoint in the deployment options, the endpoint restarts immediately after the patch is installed.
Delete a maintenance window
After the enforcements have been removed, you can delete a maintenance window.
- From the Patch menu, go to Maintenance Windows.
- Click the name of a window.
- If the window is enforced against computer groups, remove all groups.
- Click Delete
.
Last updated: 9/11/2023 9:28 AM | Feedback