Endpoint Services, MECM, Software Updates

How to use MECM to manage Windows Updates on your endpoints.


Microsoft Endpoint Configuration Manager (MECM), formerly SCCM

Affected Customers

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

General Information

MECM can be used to deploy Windows Updates to endpoints as an alternative to Campus WSUS. IT Pros can request which updates get deployed to which device collections, the schedule on which they run, and their installation behavior. 

Some considerations:

  • As deployments will be configured according to provided criteria, IT Pros will be responsible for monitoring compliance and notifying EPS of any issues. As such, it is recommended that additional deployments to test collections with their own configurations also be requested.
  • While deployed updates can be canceled, they cannot be uninstalled via this feature. When requesting a deployment schedule, consider offsetting update availability/deadlines from the release date. 
  • Any changes to active deployments need to be requested through EPS. You may still view the deployment configurations in your console.

In order to leverage this service the following steps must be taken:

  • The MECM client must be installed on targeted endpoints
  • Maintenance windows must be configured on the targeted endpoints.
  • Client Policy must be configured to allow MECM to manage updates. Under "\Administration\Overview\Client Settings", either create or modify an existing policy and ensure that "Enable software updates on clients" under "Software Updates" is set to "Yes". Configure other settings as desired, then deploy this policy to the target collection/s. 
  • Targeted endpoints must not be receiving any Group Policy that governs Windows Updates, such as Campus WSUS, as Group Policy supersedes MECM policy. Please ensure that any conflicting Group Policy is removed or disinherited prior to using this feature.
    • This includes Windows Update GPO settings that are "Disabled." Relevant GPOs must be set to "Not configured"
  • Local Group Policy must be enabled for MECM Software Updates to work
The following updates are currently available as ADRs

Windows 10 Cumulative Update
Windows Server 2012 Monthly Quality Rollup
Windows Server 2012 Security-Only Quality Update
Windows Server 2012 R2 Monthly Quality Rollup
Windows Server 2012 R2 Security-Only Quality Update
Windows Server 2016 Cumulative Update
Windows Server 2019 Cumulative Update
.NET Framework Cumulative Updates for Workstations
Office 365 Updates - Monthly Channel
Office 2016 Updates
Windows Malicious Software Removal Tool

Windows 10 Feature Updates (e.g. 20H2) can be delivered via ADRs but require additional considerations. Please contact EPS using the EPS Support Request Form.

Setting up Deployments

Once ready, please fill out a MECM support request for Microsoft/Windows Updates and EPS will work with you on the final steps.


Reporting ("\Monitoring\Overview\Reporting\Reports\Useful Reports") and Monitoring ("\Monitoring\Overview\Deployments") are available for update deployments.

Certain updates that are not applicable to any endpoints in your targeted collections, such as non-English feature updates, will show as 100% compliant in the Software Updates Status for Specific Update report. Upon clicking on the article, an additional state of "Update is not required" will be displayed.

Contact the EPS team

Keywords:EPS, SCCM, Updates, WSUS, SUP, ADR, automatic deployment rule, MECM   Doc ID:91859
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2019-05-20 12:25 CDTUpdated:2021-06-01 07:47 CDT
Sites:University of Illinois Technology Services
Feedback:  0   0