Endpoint Services, MECM, Software Updates

Overview

How to use MECM to manage Windows Updates on your endpoints.

Systems

Microsoft Endpoint Configuration Manager (MECM)

Affected Customers

University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team

General Information

MECM can be used to deploy Windows Updates to endpoints as an alternative to Campus WSUS. IT Pros can request which updates get deployed to which device collections, the schedule on which they run, and their installation behavior. 

Some considerations:

  • As deployments will be configured according to provided criteria, IT Pros will be responsible for monitoring compliance and notifying EPS of any issues. As such, it is recommended that additional deployments to test collections with their own configurations also be requested.

  • While deployed updates can be canceled, they cannot be uninstalled via this feature. When requesting a deployment schedule, consider offsetting update availability/deadlines from the release date. 

  • Any changes to active deployments need to be requested through EPS. You may still view the deployment configurations in your console.

In order to leverage this service the following steps must be taken:

  • The MECM client must be installed on targeted endpoints

  • Maintenance windows must be configured on the targeted endpoints.

  • Client Policy must be configured to allow MECM to manage updates. Under "\Administration\Overview\Client Settings", either create or modify an existing policy and ensure that "Enable software updates on clients" under "Software Updates" is set to "Yes". Configure other settings as desired, then deploy this policy to the target collection(s). 

  • Targeted endpoints must not be receiving any Group Policy that governs Windows Updates, such as Campus WSUS, as Group Policy supersedes MECM policy. Please ensure that any conflicting Group Policy is removed or disinherited prior to using this feature.
    • This includes Windows Update GPO settings that are set to "Disabled." Instead, relevant GPOs must be set to "Not configured."

  • Local Group Policy should not be set to "Disabled", as it may interfere with MECM Software Updates.
The following updates are currently available as ADRs
Windows 11 Cumulative Update
Windows 10 Cumulative Update
Windows Server 2012 Monthly Quality Rollup
Windows Server 2012 Security-Only Quality Update
Windows Server 2012 R2 Monthly Quality Rollup
Windows Server 2012 R2 Security-Only Quality Update
Windows Server 2016 Cumulative Update
Windows Server 2019 Cumulative Update
Windows Server 2022 Cumulative Update
SQL Server Cumulative Updates
.NET Framework Cumulative Updates for Workstations
Office 365 Updates
Office 2016 Updates
Windows Malicious Software Removal Tool

Windows Feature Updates (i.e. 23H2) can be delivered via ADRs but require additional considerations. Please contact EPS using the EPS Support Request Form.

Setting up Deployments

Once ready, please fill out a MECM support request for Microsoft/Windows Updates and EPS will work with you on the final steps.

Reporting

Reporting ("\Monitoring\Overview\Reporting\Reports\Useful Reports") and Monitoring ("\Monitoring\Overview\Deployments") are available for update deployments.
To view monitoring data:
  • Navigate to \Monitoring\Overview\Deployments in the MECM console
  • Select the 'Add Criteria' dropdown to the right of 'Search' button and select 'Feature Type'
  • Select the dropdown next to 'AND Feature Type' below the search bar and select 'Software Update'
  • Click empty space in the search bar and press Enter
  • Select the relevant software update from the results, then select 'View Status' under the completion pie chart in the bottom-right
  • The Error tab provides an error description for the respective error codes
Certain updates that are not applicable to any endpoints in your targeted collections, such as non-English feature updates, will show as 100% compliant in the Software Updates Status for Specific Update report. Upon clicking on the article, an additional state of "Update is not required" will be displayed.


Contact the EPS team



Keywords:
EPS, SCCM, Updates, WSUS, SUP, ADR, "automatic deployment rule", MECM TechS-EPS-SCCM "windows updates" "cumulative update" "feature update" "365 update" "office update" 
Doc ID:
91859
Owned by:
EPS Distribution List in University of Illinois Technology Services
Created:
2019-05-20
Updated:
2024-10-07
Sites:
University of Illinois Technology Services