What are the differences between WSUS, WUfB/Intune, and SCCM patching methods? Let's find out more about Windows patch management using Intune vs. ConfigMgr and check the differences between Windows software updates delivered through Intune and through SCCM.
Windows Update management with Windows Update for Business and WSUS is explained in this post. As per Microsoft (an Ignite presentation by Aria Carley), there are three primary ways to manage Windows updates:
- Windows Server Update Service (WSUS)
- Windows Update for Business.
Let's look at how WSUS works. You have the WSUS server, and you have a management tool on top of it: Microsoft Endpoint Manager Configuration Manager (SCCM), the standalone WSUS console, or any third-party tool.
The WSUS server sits next to Microsoft's endpoint (so WSUS is getting Windows updates from Microsoft's endpoint?) and syncs the updates it is configured to obtain from there. I thought WSUS received its updates from the Windows Update service, the same as WUfB.
It seems WSUS is getting updates from something called "Microsoft Endpoint". Later in the session, she confirmed that:
Microsoft Endpoint = Microsoft's endpoint in the cloud, i.e. Windows Update (WU)
This is the high-level design diagram of Windows patch management using Intune and Configuration Manager. The diagram is not fully up to date, but it gives a quick and dirty overview of Intune patch management vs. SCCM patch management.
Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods
This section goes into more detail on the differences between WSUS, WUfB/Intune, and SCCM patching methods. Let's check out the very high-level differences between Windows patch management using Intune and using Configuration Manager (a.k.a. SCCM).
| Intune / WUfB | SCCM / ConfigMgr / WSUS |
|---|---|
| Windows Update for Business (WUfB) | Microsoft Endpoint – Windows Update |
| Client scans against Windows Update in the cloud | Client scans against WSUS |
| Intune talks to WU to provide the Device ID and target feature update | Doesn't send any Device ID to Microsoft Endpoint or Windows Update |
| The client sends quality update deferral, OS version, revision (LCU and optional updates), app compatibility information, and Device ID to Windows Update | The client doesn't send any information to Windows Update |
| Safeguards (Safeguard Holds) protect the client device from Windows Updates | No Safeguards available |
| No content stored; the client downloads content directly from Windows Update or from peers | Content is stored on SCCM DPs* |
| Policies are configured | Policies are configured |
| Easy to use and set up | More granularity |
| Uninstall options – Software Update | No out-of-box solution |
| Pause options – Software Update | No out-of-box solution |
| Can't select and deploy individual KBs | Individual KB selection option is available |
| Settings – Windows Update | Software Center |
The following WSUS vs. WUfB schema diagram gives a bit more detail and clarity. I have not used the exact terminology in this diagram, but I think it conveys the difference between the WSUS, WUfB/Intune, and SCCM patching methods.
WSUS SCCM Process
The WSUS server syncs with Microsoft's endpoint and gets the updates it is configured to obtain for the selected products and categories. The metadata of all these updates is stored in WSUS, and the content is later downloaded through the SCCM software update process. SCCM tells the WSUS server which updates are approved for each of those devices. In this scenario the client downloads the content approved by the admin and tries to install those updates.
The following high-level prerequisites should be in place before you start creating a software update patch package with SCCM.
- ConfigMgr infrastructure and healthy clients (both the Windows Update Agent and the SCCM client).
- WSUS installed for SCCM's use.
- SCCM Software Update Point (SUP) configured and synced with Microsoft's Windows Update service.
- The appropriate products selected from the WSUS products list. More details – Do Not Setup SUP With Default WSUS Product Selection ConfigMgr SCCM.
- Appropriate access rights to create and deploy software update patch packages. More details – about RBAC roles.
- Group Policy settings for software updates on the Windows clients.
Intune WUfB Experience
The first difference between WSUS and WUfB is the client scanning process. In the Windows Update for Business (aka WUfB) scenario, the clients scan against Windows Update in the cloud. In the WSUS scenario, all clients scan against the updates available in WSUS.
Management tools like Endpoint Manager Intune help configure the Windows Update policies on Windows 10 or Windows 11 client devices. Endpoint Manager Intune talks to WU to provide the Device ID and the target feature update the device should be moved to.
The client sends details such as the quality update deferral, OS version, revision (LCU and optional updates), app compatibility information, and Device ID to Windows Update in the cloud. In return, this client gets Safeguards protecting it from problematic Windows Updates. Safeguard Holds apply only to Windows Update for Business (WUfB); they are the built-in protection you get from using the cloud service through WUfB.
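The scan source described above (Windows Update in the cloud for WUfB, the WSUS server for SCCM) is set on the client through policy, either Group Policy for WSUS/ConfigMgr or the Intune Update CSP for WUfB. The script below is an added example, not code from the original post or from Microsoft: it reads the documented Windows Update policy registry values on a Windows 10/11 client and reports which scan source the device is configured for. The registry paths and value names are the documented policy locations; the classification rules and the `Get-UpdateScanSource` helper are this example's own assumptions.

```powershell
# Added example (not from the original post or from Microsoft): report whether a
# client is configured to scan WSUS/ConfigMgr, Windows Update for Business, or
# plain Windows Update, based on the policy registry values present.
# Assumes it is run in an elevated PowerShell session on a Windows 10/11 client.

$gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'   # Group Policy values
$auPath  = "$gpoPath\AU"                                                # Automatic Updates values
# Intune-delivered Update CSP settings are read from the PolicyManager location (assumed path).
$mdmPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# WUfB settings can come from Group Policy or from Intune; check GPO first, then MDM.
function Get-WufbValue {
    param([string]$Name)
    $value = Get-PolicyValue -Path $gpoPath -Name $Name
    if ($null -eq $value) { $value = Get-PolicyValue -Path $mdmPath -Name $Name }
    return $value
}

function Get-UpdateScanSource {
    $useWuServer = Get-PolicyValue -Path $auPath  -Name 'UseWUServer'
    $wuServer    = Get-PolicyValue -Path $gpoPath -Name 'WUServer'

    # The WUfB-specific values the post describes the client acting on (deferral, pause, target version).
    $wufb = [ordered]@{
        DeferQualityUpdatesPeriodInDays = Get-WufbValue -Name 'DeferQualityUpdatesPeriodInDays'
        DeferFeatureUpdatesPeriodInDays = Get-WufbValue -Name 'DeferFeatureUpdatesPeriodInDays'
        PauseQualityUpdatesStartTime    = Get-WufbValue -Name 'PauseQualityUpdatesStartTime'
        PauseFeatureUpdatesStartTime    = Get-WufbValue -Name 'PauseFeatureUpdatesStartTime'
        TargetReleaseVersionInfo        = Get-WufbValue -Name 'TargetReleaseVersionInfo'
    }
    $wufbConfigured = @($wufb.Values | Where-Object { $null -ne $_ }).Count -gt 0
    $note = ''

    if ($useWuServer -eq 1 -and -not [string]::IsNullOrWhiteSpace($wuServer)) {
        $mode   = 'WSUS / ConfigMgr'
        $source = $wuServer
        if ($wufbConfigured) {
            # Both WSUS and WUfB policies present: confirm the intended behaviour (see DisableDualScan).
            $note = 'WUfB deferral/pause values are also set; verify DisableDualScan matches your design.'
        }
    } elseif ($useWuServer -eq 1) {
        $mode   = 'Misconfigured WSUS'
        $source = $null
        $note   = 'UseWUServer=1 but WUServer is empty; the client has no WSUS URL to scan.'
    } elseif ($wufbConfigured) {
        $mode   = 'Windows Update for Business'
        $source = 'Windows Update (cloud)'
    } else {
        $mode   = 'No update management policy'
        $source = 'Windows Update (cloud, default behaviour)'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Mode         = $mode
        ScanSource   = $source
        Note         = $note
        WufbSettings = $wufb
    }
}

Get-UpdateScanSource | Format-List
```

Run it on a ConfigMgr-managed client and `ScanSource` should be your Software Update Point URL; on an Intune/WUfB client it should report the cloud with the deferral values Intune assigned. A client that reports the cloud when you expected WSUS (or the reverse) is the first thing to check when patches are "not showing up".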
Offering Logic of Updates: Highest Rank Update from the Windows Update Service
Let's look at the offering logic, i.e. which Windows update gets offered to the client first. The WU service looks at the highest-ranked update still remaining and offers that to the device. Feature updates always rank higher than quality updates, and within each type, the more recently released update ranks higher.
- Most Recently Released Feature Updates
- Feature Updates
- Most Recently Released Quality Updates
- Quality Updates
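To make the ranking above concrete, here is an added example (not Microsoft's implementation and not code from the original post) that models it: every applicable update is ranked feature-before-quality and then newest-release-first, and the top entry is what gets offered. Because the post says the client also sends its deferral settings to WU, the example treats the deferral days as a filter applied before ranking; that filtering step, the function names, and all update records are this example's own constructed assumptions, not real KB data.

```powershell
# Added example (not from the original post or from Microsoft): model the offering
# logic described above. Feature updates outrank quality updates; within a type the
# most recently released update ranks highest. Deferral is modelled as a filter
# applied before ranking (an assumption for illustration). Update records are
# constructed samples, not real release data.

function Get-ApplicableUpdates {
    param(
        [object[]]$Updates,
        [int]$DeferFeatureDays,
        [int]$DeferQualityDays,
        [datetime]$Now
    )
    $Updates | Where-Object {
        $deferDays = if ($_.Type -eq 'Feature') { $DeferFeatureDays } else { $DeferQualityDays }
        # An update deferred by N days is only applicable once it is at least N days old.
        $_.Released.AddDays($deferDays) -le $Now
    }
}

function Get-OfferOrder {
    param([object[]]$Updates)
    # Sort key 1: feature (0) before quality (1). Sort key 2: release date, newest first.
    $rankKeys = @(
        @{ Expression = { if ($_.Type -eq 'Feature') { 0 } else { 1 } } },
        @{ Expression = 'Released'; Descending = $true }
    )
    $Updates | Sort-Object -Property $rankKeys
}

# Constructed sample catalogue: two feature updates and two quality updates.
$sample = @(
    [pscustomobject]@{ Name = 'Quality update (sample, Oct 2021)'; Type = 'Quality'; Released = [datetime]'2021-10-12' }
    [pscustomobject]@{ Name = 'Quality update (sample, Nov 2021)'; Type = 'Quality'; Released = [datetime]'2021-11-09' }
    [pscustomobject]@{ Name = 'Feature update (sample, 21H1)';     Type = 'Feature'; Released = [datetime]'2021-05-18' }
    [pscustomobject]@{ Name = 'Feature update (sample, 21H2)';     Type = 'Feature'; Released = [datetime]'2021-11-16' }
)

$now = [datetime]'2021-11-20'

# Without deferrals the newest feature update is offered first.
$noDeferral = @(Get-OfferOrder -Updates (Get-ApplicableUpdates -Updates $sample -DeferFeatureDays 0 -DeferQualityDays 0 -Now $now))
"No deferral: offered first -> $($noDeferral[0].Name)"

# With a 30-day feature / 7-day quality deferral, the newest feature update is not yet
# applicable, so the older feature update still outranks every quality update.
$deferred = @(Get-OfferOrder -Updates (Get-ApplicableUpdates -Updates $sample -DeferFeatureDays 30 -DeferQualityDays 7 -Now $now))
"30/7-day deferral: offered first -> $($deferred[0].Name)"
$deferred | Format-Table Name, Type, Released -AutoSize
```

The two runs show the point the ranking list makes: the deferral changes which updates are in the pool, but among whatever is applicable a feature update is always offered ahead of a quality update, and newer releases ahead of older ones.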
There are also differences in the end-user experience between Windows patch management using Intune and using SCCM. The main differences are:
- Intune patch management (WUfB) – uses the default Windows 10 framework to show the patch details:
  - Settings – Update & Security – Windows Update.
- SCCM patch management – uses Software Center to show which patches are deployed to the device.
- Custom OMA-URI Policy to Disable Windows Updates UX for End-Users Using Intune Custom Policy
- Video Ignite 2021 Nov Edition – Managing Windows updates in the cloud (The Blueprint Files) (microsoft.com)
About Author -> Anoop has been a Microsoft Most Valuable Professional (MVP) award winner since 2015 for these technologies. He is a Solution Architect for enterprise device management solutions with more than 20 years of experience in IT (as of 2021). He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies such as Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.