Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

What are the differences Between WSUS Vs WUfB Intune Vs SCCM Patching Methods? Let’s find out more details about Windows Patch Management using Intune vs ConfigMgr. We shall try to check the differences between Windows software updates using Intune vs SCCM.

Windows Update Management solution with Windows Update for Business and WSUS are explained in this post. As per Microsoft (Ignite presentation by Aria Carley), there are three primary ways to manage Windows Updates.

  • Media
  • Windows Server Update Service (WSUS)
  • Windows Update for Business.

Let’s look at how WSUS works. Let’s look at how WSUS works. You have the WSUS server, and you’ve got a management tool (SCCM, etc.), Microsoft Endpoint Manager Configuration Manager, WSUS standalone console, or any third-party tool.

The WSUS server is next to Microsoft’s endpoint (WSUS is getting Windows Updates from Microsoft’s endpoint?)and gets the updates that it wants to sync from there. I thought WSUS is receiving the updates from the Windows Update service, the same as WUfB.

It seems WSUS is getting updates from some service called Microsoft Endpoint. Later in the session, she confirmed that:

Microsoft Endpoint = Microsoft’s Endpoint in the cloud or Windows Update or WU

This is the high-level design diagram of Windows patch management using Intune and Configuration Manager. The following diagram is not up to date, but it will give you a quick and dirty overview of Intune Patch Management Vs. SCCM Patch Management.

Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

This section will get more details about the difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods. Let’s check out the very high-level differences between Windows Updates or Windows patch management using Intune vs. Configuration Manager (a.k.a SCCM).

Intune | WUfBSCCM | ConfigMgr | WSUS
Windows Update for Business (WUfB) Microsoft Endpoint – Windows Update
No WSUSWSUS
Client Scans against Windows Update in the cloudClient Scan against WSUS
Intune talks to WU to provide the Device ID and Target Feature UpdateDon’t send any Device ID to Microsoft Endpoint or Windows Update
The client sends Quality Update deferral, OS version, Revision (LCU and optional updates), App compatibility information, and Device ID to Windows Updates.The client doesn’t send any information to Windows Update.
Safeguards protecting the client device from Windows Updates | Safeguard HoldsNo Safeguards available
No Content Stored Client Directly download the content from Windows Update or PeersContent is stored with SCCM DP*
Policies are configuredPolicies are configured
Easy to Use & SetupMore Granularity
Uninstall Options – Software UpdateNo Out of Box Solution
Pause Options – Software UpdateNo Out of Box Solution
Can’t select & Deploy Individual KBsIndividual KB selection option is there
Settings – Windows UpdatesSoftware Center
*You can also get the content from the internet if you configure SCCM to do that.

The following WSUS Vs WUfB schema diagram gives a bit more details and clarity. I have not used the correct terminologies in this diagram. However, I think you will get the difference between WSUS Vs WUfB Intune Vs SCCM Patching Methods.

Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

WSUS SCCM Process

The WSUS server syncs with Microsoft’s endpoint and gets the updates that are configured to obtain from products and categories. The metadata of all these updates is stored in WSUS and then later downloaded using the SCCM update process. SCCM is going to tell the WSUS server which updates are approved for each of those devices. The client will download the content approved by the admin in this scenario and try to install those updates.

The following are the high-level prerequisites that should be in place before you start creating the Software Update Patch Package using SCCM.

More details – How To Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr HTMD Blog (anoopcnair.com)

Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

Intune WUfB Experience

The first difference between WSUS Vs WUfB is the client scanning process. In Windows Update for Business (aka WUfB) scenario, the clients scan against Windows Update in the cloud. However, in the WSUS scenario, all the clients scan against the updates available in WSUS.

Management tools like Endpoint Manager Intune help configure the Windows Update policies on Windows 10 or Windows 11 client devices. Endpoint Manager Intune talks to WU to provide the Device ID and Target Feature Update to which the device should be targeted.

The client sends the details like Quality Update federal, OS version, Revision (LCU and optional updates), App compatibility information, and Device ID to Windows Update in the cloud. And this client will get Safeguards protecting from Windows Updates. The Safeguard Holds are applicable only for Windows Update for Business(WUfB). The built-in protection you get from using the cloud using WUfB.

Intune Monthly Patching Guide Software Update Patching Options with Intune WUfB

Windows 11 Monthly Patch Deployment using Intune

Upgrade to Windows 11 using Intune Feature Update Deployment Policy

Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

Offering Logic of Updates Highest Rank Update for Windows Update Server

Let’s look at the Offering Logic of Updates which Windows update will get offered to the client as the first update. The WU server will look at the highest rank update left, and it will offer that to the device. The feature updates are always going to be higher ranking updates than quality updates. The more recently released update is another ranking criteria of updates.

  • Most Recenly Released Feature Updates
    • Feature Updates
  • Most Recently Released Quality Updates
    • Quality Updates
  • ??

End-User Experience

There are certain differences in End-user experience also in terms of Windows patch management using Intune vs SCCM. The main difference is:

  • Intune Patch Management (WUfB) – Uses Default Windows 10 framework to show the patch details.
    • Settings – Update & Security – Windows Update.
  • SCCM Patch Management – Uses Software Center to show which are patched deployed to the devices.
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods

Video Recording

Watch this video on YouTube.
Windows Patch Management

Resources

Author

About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual DesktopWindows 10, and Windows 11.

2 thoughts on “Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods”

  1. You list SCCM/WSUS as not having a solution to Pause updates, but in fact it does because if you want to “pause” updates you just don’t deploy them!
    Also your description “SCCM is going to tell the WSUS server which updates are approved for each of those devices” is not accurate. The SCCM client determines which updates are applicable to it and downloads them from the DP. No update content is ever acquired by clients from the WSUS server itself.

Leave a Comment

Your email address will not be published. Required fields are marked *