Microsoft Endpoint Management – Patch Management Strategies – Part 1: MECM – Health and Clean-up of Software Update Points


Here we are again with a brand new series. I have written articles and blogs around this area in the past, but they were in several pieces, so I am going to consolidate that information and also lay out the basis of an end-to-end strategy that covers everything discussed in this series.

As we all know, patching is a fundamental element in keeping our environments healthy. But demands can push us into developing a strategy on impulse, into quick-fix solutions, and into ignoring many other areas. One of those areas, in my honest opinion, is the foundational state of your WSUS servers. This first part covers the basics of keeping these areas healthy and regularly maintained, because their condition has a guaranteed knock-on effect on everything within MECM.

Worth noting that this series will cover both MECM and Intune across all patching areas, so that we get things right.

Database Configuration: SQL Database over WID

With the push for Intune and Modern Management, you will typically find either a small, consolidated MECM setup kept in place to extend capabilities for co-management, or one kept simply for more control over patching. In either scenario, in my opinion, you should never go for a WID (Windows Internal Database) install for WSUS under any circumstances.

The reason is the performance issues you will face. Cleaning and maintaining a WID database is much harder than it is for a SQL database, and the more patching you do, the more problematic it gets. Using a SQL database is of course the recommended best practice, but I will go as far as to say it should be mandatory. Taking your backup and disaster recovery strategies into account, a SQL database is absolutely the best choice, and it gives better overall security as well.

Product Synchronization: Wise Configuration and Sync Schedules

Another area of great importance is to select ONLY the products you are actually planning to patch. Automatic Deployment Rules will filter whatever you bring into the catalogue anyway, but it is far better to have this settled beforehand.

Adding more granularity, we can look at the current, actively updated products:

  • Windows 10
  • Windows 11
  • Windows Server 2019
  • Windows Server 2022

The mix of Windows 10 builds you have determines which categories you select. If your estate is at a minimum baseline of 1809 or 1903, you are better off selecting the Windows 10 products that fetch updates only for those builds, as seen below.

Figure 1.1 – Products selection for Software Update Point

The same can be done for Windows 11. However, if you have a wide mix of build versions, you can select just the top-level “Windows 10” and “Windows 11” products where necessary.

Another case is where you want to bring in Windows Server 2022 updates; the product to select is shown in Figure 1.2.

Figure 1.2 – Product selection for Software Update Point

Also worth noting that the majority of these products will not appear until you have performed the very first synchronization from MECM. That first sync is best done with nothing selected on either the Classifications or the Products tab.
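To keep the product selection honest over time, the script below audits which products the software update point is actually subscribed to against an approved list and reports anything unexpected or missing. It is an added example, not code from the original post; it assumes the ConfigurationManager PowerShell module is loaded with the site drive as the current location, that the product names in $ApprovedProducts are a constructed list for the kind of estate described above, and that 'PS1' in the commented remediation line is a placeholder site code.

```powershell
# Added example (not from the original post): audit the products a software
# update point is subscribed to against an approved list, so that products
# nobody intends to patch do not quietly bloat the catalogue.
# Assumptions: ConfigurationManager module loaded and the site drive is the
# current location (as from the console's "Connect via Windows PowerShell");
# $ApprovedProducts is a constructed list for the estate described in the post.

# Catalogue product names as they appear on the Products tab. Windows Server
# 2022 updates sit under the "Microsoft Server operating system-21H2" product.
$ApprovedProducts = @(
    'Windows 10, version 1903 and later',
    'Windows 11',
    'Windows Server 2019',
    'Microsoft Server operating system-21H2'
)

function Get-SupProductDrift {
    param([string[]]$Approved)

    # Every product category known to the site; IsSubscribed is $true for
    # the ones ticked on the Products tab of the SUP component.
    $products = Get-CMSoftwareUpdateCategory -TypeName 'Product'
    if (-not $products) {
        throw 'No product categories found: run the first (empty) synchronization before auditing.'
    }
    $subscribed = @($products | Where-Object { $_.IsSubscribed } |
        Select-Object -ExpandProperty LocalizedCategoryInstanceName)

    [pscustomobject]@{
        Subscribed = $subscribed
        # Selected in the SUP but not approved: catalogue bloat and sync time.
        Unexpected = @($subscribed | Where-Object { $_ -notin $Approved })
        # Approved but not selected: those systems will never receive updates.
        Missing    = @($Approved | Where-Object { $_ -notin $subscribed })
    }
}

$drift = Get-SupProductDrift -Approved $ApprovedProducts
"Subscribed products: $($drift.Subscribed.Count)"
if ($drift.Unexpected) { Write-Warning "Unexpected products selected: $($drift.Unexpected -join ', ')" }
if ($drift.Missing)    { Write-Warning "Approved products not selected: $($drift.Missing -join ', ')" }

# Remediation, once the report has been reviewed ('PS1' is a placeholder site code):
# Set-CMSoftwareUpdatePointComponent -SiteCode 'PS1' -RemoveProduct $drift.Unexpected
```

The audit deliberately stops with a warning if no product categories exist yet, which is the state before that first empty synchronization; run the sync, then audit, then tick the products you need.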

Health Analysis and Clean-ups

This is perhaps the more complex part of this guide, although it has been simplified more and more with each newer release of MECM.

So we will break this down into sections, starting with the basic, native options and then going into the advanced areas.


Within your software update points in MECM you now have a few options you can select to help rotate out updates that are no longer required, whether they have expired or become obsolete. These free the WSUS database, as well as the respective catalogues, of the unwanted updates that accumulate over time.

Figure 1.3 – Software Update Point Maintenance Tasks

I will first place this screenshot right here and then explain why it belongs in the advanced section 😊

Below are the clean-up wizard options that you will find within your WSUS.


Why, you ask, is this in the advanced section? Because if you have seriously congested WSUS servers, these options will not work at all; in fact they will most likely hang and may need to be brutally killed from Task Manager.

Figure 1.4 – WSUS Server Clean-up Wizard Options

A while back I made a guide on how you can interrogate the WSUS database with stored procedures to find out how congested it is, along with a semi-automatic way of clearing it out; it can be found here on TechNet.

There are other guides out there that simply drop these tables and get it done faster, but the aim of that guide was to understand what was responsible for the congestion.

If you have more than 1000 updates clogging the unused updates and revisions section, the very first step in Figure 1.3 will take a long time to finish, if it ever finishes at all. So it is extremely important to keep up the maintenance of your database and WSUS/SUP servers to avoid these issues.
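The following script ties the two points above together: it reports whether the WSUS/SUP server is on WID or SQL (the Database Configuration section), counts how many obsolete updates the clean-up wizard would have to work through, and, once you have reviewed that count and taken a SUSDB backup, removes them one at a time so that nothing is left hanging. It is an added example, not the TechNet guide referenced above or any code from the original post; it assumes it is run elevated on the WSUS/SUP server (Windows Server 2012 or later for the WID pipe name), and it uses the WSUS setup registry key and the SUSDB stored procedures spGetObsoleteUpdatesToCleanup and spDeleteUpdate as shipped with WSUS.

```powershell
# Added example (not from the original post): report the SUSDB backend, count
# obsolete updates waiting for clean-up and, once reviewed, delete them in
# short transactions rather than leaving the clean-up wizard to hang.
# Assumptions: run elevated on the WSUS/SUP server (Server 2012+ WID pipe
# name); WSUS setup registry values and the stock SUSDB stored procedures
# spGetObsoleteUpdatesToCleanup / spDeleteUpdate are used as shipped.

function Get-WsusDatabaseInfo {
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    # A WID install reports MICROSOFT##WID as its "server"; SQL reports the instance.
    $isWid = $setup.SqlServerName -like '*MICROSOFT##WID*'
    $connection = if ($isWid) {
        # WID only listens on its local named pipe, which is why remote
        # tooling, backups and clean-ups are so much harder against it.
        'Server=np:\\.\pipe\MICROSOFT##WID\tsql\query;Database=SUSDB;Integrated Security=True'
    } else {
        "Server=$($setup.SqlServerName);Database=$($setup.SqlDatabaseName);Integrated Security=True"
    }
    [pscustomobject]@{
        SqlServerName    = $setup.SqlServerName
        IsWid            = $isWid
        ConnectionString = $connection
    }
}

function Get-WsusObsoleteUpdateIds {
    param([string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # The same list the clean-up wizard works through; this only reads it.
        $cmd.CommandText    = 'EXEC spGetObsoleteUpdatesToCleanup'
        $cmd.CommandTimeout = 0   # this query is itself slow on a congested SUSDB
        $ids = [System.Collections.Generic.List[int]]::new()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $ids.Add($reader.GetInt32(0)) }   # LocalUpdateID
        $reader.Close()
        return $ids.ToArray()
    } finally { $conn.Close() }
}

function Remove-WsusObsoleteUpdates {
    param([string]$ConnectionString, [int[]]$LocalUpdateIds, [int]$BatchSize = 100)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $done = 0
        foreach ($id in $LocalUpdateIds) {
            $cmd = $conn.CreateCommand()
            $cmd.CommandText    = 'EXEC spDeleteUpdate @localUpdateID = @id'
            $cmd.CommandTimeout = 0
            [void]$cmd.Parameters.AddWithValue('@id', $id)
            [void]$cmd.ExecuteNonQuery()
            $done++
            # One update per call keeps each transaction short, so a stuck run
            # can be stopped without a long rollback (unlike the wizard).
            if ($done % $BatchSize -eq 0) {
                Write-Host ("Deleted {0} of {1} obsolete updates" -f $done, $LocalUpdateIds.Count)
            }
        }
        return $done
    } finally { $conn.Close() }
}

$db = Get-WsusDatabaseInfo
Write-Host ("SUSDB backend: {0} (WID: {1})" -f $db.SqlServerName, $db.IsWid)
$obsolete = @(Get-WsusObsoleteUpdateIds -ConnectionString $db.ConnectionString)
Write-Host "Obsolete updates waiting for clean-up: $($obsolete.Count)"
if ($obsolete.Count -gt 1000) {
    Write-Warning 'Over 1000 obsolete updates: expect the clean-up wizard to hang; clear them in batches first.'
}
# Run only after reviewing the count above and taking a SUSDB backup:
# Remove-WsusObsoleteUpdates -ConnectionString $db.ConnectionString -LocalUpdateIds $obsolete
```

The count is the health signal worth tracking: once it stays below a few hundred between syncs, the native SUP maintenance tasks and the wizard can take over, which is the steady state the rest of this guide assumes.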

Maintenance and Monitoring

When we speak of maintenance and monitoring here, it is more from a reporting perspective. Once we have run many patching schedules, we may not be able to keep track of all the ones done in the past.

Perhaps you use a Power BI dashboard, or you have custom or native MECM reports with historical snapshots configured in your SSRS. These are of course handy.

But what may be the most beneficial is to utilize the MECM Data Warehouse role, which can retain historical data for various areas of your MECM, especially software update patching.

Figure 1.6 – Database Tables selection for Data Warehouse in MECM filtered by Software Update related tables

My advice would be to choose very carefully not only the tables you want to retain but also the retention duration: for much bigger MECM sites, with more frequent and, dare I say, brutal amounts of updates to roll out, this can be very costly to your SQL database and storage.

Next on Part 2

Part 2 will be based around collection structuring for patch rollouts, so that we know how to create areas for testing, staggered testing and then overall deployment.
