Microsoft Endpoint Configuration Manager (MECM) also formerly knows as SCCM, is a software management suite made by Microsoft that is being implemented throughout the university and will be rolled out to the School of Medicine in October 2019. Initially, MECM will primarily be used to ensure that Windows updates are being applied to SOMTech-managed Windows computers. Unpatched systems open the school and university to unnecessary risks, so MECM is a great way to help protect the Windows computers in the environment. MECM has already been tested and implemented in other schools and departments and is being centrally managed by the VCU Technology Services Endpoint Computing team. Besides ensuring that patches are being applied swiftly, MECM will also allow VCU to prevent patches from being applied that have caused issues or otherwise conflicts with computers at the university.
As SOMTech is deploying MECM through a background process that requires an active connection to the VCU servers, some computers may be enrolled later than others and may not be affected during the initial deployment stage in October 2019. To determine if your Windows computer is enrolled, look for the Software Center application in the Start Menu under the Microsoft Endpoint Manager folder. If you do not see the application, then you are not enrolled yet. In this situation, it would be helpful to reboot the computer while connected to the VCU wired network. Please submit a ticket to SOMTech at http://go.vcu.edu/SOMTicket or email SOMTech@vcuhealth.org if you need assistance or have any questions.
In order to ensure patches are being applied, MECM requires that computers be rebooted each month. If a reboot does not occur within a specific time frame, then the computer will be rebooted automatically (after providing a 90-minute warning). SOMTech has been testing the patching process internally for a couple months and we do not expect there to be a negative impact for most faculty and staff, but we realize that there are areas of SOM that will be more impacted more by this requirement.
VCU and SOMTech understand that having computers rebooted without user initiation has the potential to cause problems. In order to help minimize impact, a strict testing and deployment schedule is in place. The specific dates that will affect users are listed in the Schedule section below. If you are concerned that a specific task may need to be running during the scheduled reboot time, it is important that you install the updates and reboot before. To do this, open the Software Center application and verify that all of the updates are installed.
Patch Tuesday is the day that Microsoft releases the Windows Updates for that month.
Patches Deployed represents the day that these updates are released to standard Windows computers in the environment after testing has been done.
Computers Rebooted if Necessary is the day that the computers in the environment will reboot if there hasn't been a reboot since the Patches Deployed date. In rare situations, a second (or multiple) reboots may be required. In those situations, you will receive separate notifications from the MECM software icon in the system tray (near the clock). Computers will only be rebooted on this day if necessary. The default time is 10PM, but is based on the configured Business Hours which can be changed on each PC.
Manually Installing Updates
To manually install the updates, please look for the Update Now icon in the system tray after the patches have been deployed (see schedule below). Click on the icon and then choose View Required Software. You will then get a window where you can apply the updates and reboot when done. After you start the process, you can open Software Center (see below) to see the status. There will likely be a delay while the updates are downloaded and installed. You can safely continue to use your computer during this time. When the computer is ready to be rebooted, you will receive a new prompt to actually reboot the computer. To be on the safe side, look for the icon after the computer reboots to make sure that there are not any more required reboots. If you click on the icon after rebooting, you should see a notification indicating that the "Changes required by your IT department have been made."
SOMTech has developed a notification system to help make people aware of these changes as well as to notify users of the specific dates for the upcoming update reboots. These notifications will look like the window below and are official notifications from SOMTech.
There are some situations where patching using this methodology may not be feasible within SOM. If you would like to talk with SOMTech about requesting an exemption, please email SOMTech@vcuhealth.org.
One way to verify that MECM is configured on your computer is to look for the Software Center application. Within Software Center, you will see all pending Windows Updates (Publisher = Microsoft) and available 3rd-party application updates. Currently, only Adobe and Google application updates are applied automatically, but this may change in the future. It's a good idea to apply any 3rd-party application updates available in order to make sure that your software is up-to-date and any security vulnerabilities have been patched. You can install the Windows Updates through Software Center if you would prefer to see the specific updates being applied. If you only see application updates, then you are up-to-date with your Windows updates.