Hi All,
I have been working on a new process for maintenance windows on Windows and thought I would share.
How this started was by trying to mimic the old process that the company was using with WSUS. This process worked by assigning systems to an AD group which was used to schedule the deployment of patches along with the reboot.
At a high level, this process works by doing the following:
- Add the server to an AD group
- BigFix action runs every 12 hours to set a client setting (PCM_BigFix_Group)
- BigFix action runs every 15 minutes to evaluate the client setting and set a client setting (Change_Window) to either “Open” or “Closed”. Based on our rules, the window stays open for 3 hours.
- A managed property was created (Change Window Status) to return the value of “Change_Window”.
- Patch and/or reboot action uses the constraint “Run only when” with the “Change Windows Status” matches “Open”
For the AD group, we set it up so that we could define the day of the week and the time of the day that the window was open. We also added a field to define which week of the month that the window would open.
As an example, the group “PCM_BigFix_Saturday_A_2300” would translate to:
- PCM_BigFix - This was just a standard name to use at the start of the AD group
- Saturday - Well…means it opens on Saturday
- A - This means “All” or every Saturday of the month. Other values would be “1, 2, 3, 4”. Now I did not get to the point of validating this number as the current requirement for me was to see if we could run it every first or second instance of the day of the month. This could be enhanced more.
- 2300 - this would be 11:00pm of the desired day.
So for the above the window would open from 23:00 on Saturday to 02:00 on Sunday. Just a note though, this is not exact, but so far the window seems to open and close within 15 minutes of the start and end time. This has been okay for our environment.
I have attached the following files
- Change Window Status.bes - This is the managed property file
- Deploy_ Set Change Window v1.4.bes - This is the fixlet for the action to open and close the windows
- Deploy_ Set PCM_BigFix_Group Setting v1.4.bes - This is the fixlet for the action to retrieve the value from AD and populate the “Change_Window” client setting.
At first we were using this setting with the deployment of the patch baselines to say when the baseline would execute and the action would restart the server. We were then asked by the clients to try to narrow down the time the server was being rebooted, so now we have the baseline executing on Thursday/Friday evening and a policy action that runs to reboot the server. The reboot uses the “Change_Window” as the constraint.
We have been using this process for about 6 months and it has been meeting our requirements.
I hope this helps someone.
Change Window Status.bes (333 Bytes)
Deploy_ Set PCM_BigFix_Group Setting v1.4.bes (5.1 KB)
Deploy_ Set Change Window v1.4.bes (13.0 KB)
