Endpoint Services, MECM, Software Updates
Overview
How to use MECM to manage Windows Updates on your endpoints.Systems
Microsoft Endpoint Configuration Manager (MECM)
Affected Customers
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
General Information
MECM can be used to deploy Windows Updates to endpoints as an alternative to Campus WSUS. IT Pros can request which updates get deployed to which device collections, the schedule on which they run, and their installation behavior.
Some considerations:
- As deployments will be configured according to provided criteria, IT Pros will be responsible for monitoring compliance and notifying EPS of any issues. As such, it is recommended that additional deployments to test collections with their own configurations also be requested.
- While deployed updates can be canceled, they cannot be uninstalled via this feature. When requesting a deployment schedule, consider offsetting update availability/deadlines from the release date.
- Any changes to active deployments need to be requested through EPS. You may still view the deployment configurations in your console.
In order to leverage this service the following steps must be taken:
- The MECM client must be installed on targeted endpoints
- Maintenance windows must be configured on the targeted endpoints.
- Client Policy must be configured to allow MECM to manage updates. Under "\Administration\Overview\Client Settings", either create or modify an existing policy and ensure that "Enable software updates on clients" under "Software Updates" is set to "Yes". Configure other settings as desired, then deploy this policy to the target collection(s).
- Targeted endpoints must not be receiving any Group Policy that governs Windows Updates, such as Campus WSUS, as Group Policy supersedes MECM policy. Please ensure that any conflicting Group Policy is removed or disinherited prior to using this feature.
- This includes Windows Update GPO settings that are set to "Disabled." Instead, relevant GPOs must be set to "Not configured."
- This includes Windows Update GPO settings that are set to "Disabled." Instead, relevant GPOs must be set to "Not configured."
- Local Group Policy should not be set to "Disabled", as it may interfere with MECM Software Updates.
The following updates are currently available as ADRs
Windows 11 Cumulative Update |
Windows 10 Cumulative Update |
Windows Server 2012 Monthly Quality Rollup |
Windows Server 2012 Security-Only Quality Update |
Windows Server 2012 R2 Monthly Quality Rollup |
Windows Server 2012 R2 Security-Only Quality Update |
Windows Server 2016 Cumulative Update |
Windows Server 2019 Cumulative Update |
Windows Server 2022 Cumulative Update |
SQL Server Cumulative Updates |
.NET Framework Cumulative Updates for Workstations |
Office 365 Updates |
Office 2016 Updates |
Windows Malicious Software Removal Tool |
Windows Feature Updates (i.e. 23H2) can be delivered via ADRs but require additional considerations. Please contact EPS using the EPS Support Request Form.
Setting up Deployments
Once ready, please fill out a MECM support request for Microsoft/Windows Updates and EPS will work with you on the final steps.
Reporting
Reporting ("\Monitoring\Overview\Reporting\Reports\Useful Reports") and Monitoring ("\Monitoring\Overview\Deployments") are available for update deployments.
To view monitoring data:
- Navigate to \Monitoring\Overview\Deployments in the MECM console
- Select the 'Add Criteria' dropdown to the right of 'Search' button and select 'Feature Type'
- Select the dropdown next to 'AND Feature Type' below the search bar and select 'Software Update'
- Click empty space in the search bar and press Enter
- Select the relevant software update from the results, then select 'View Status' under the completion pie chart in the bottom-right
- The Error tab provides an error description for the respective error codes
Certain updates that are not applicable to any endpoints in your targeted collections, such as non-English feature updates, will show as 100% compliant in the Software Updates Status for Specific Update report. Upon clicking on the article, an additional state of "Update is not required" will be displayed.