In a previous post, I answered the question, "What is Patch Management?" In that post, I noted that Windows environments generally use one of two Microsoft tools to handle their patching needs: Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM or ConfigMgr). In this post, I address the major differences between these two solutions.


The biggest difference (at least in my eyes) is that WSUS is free and ConfigMgr isn't. That raises the question of why any IT operation would choose ConfigMgr over WSUS. The short (and somewhat cheeky) answer is that there is nothing you can do with ConfigMgr that you can't also do with some combination of WSUS and other free tools. That said, the following highlights the top three use cases ConfigMgr supports natively that WSUS doesn't.


Operating System Deployment

ConfigMgr supports deploying a new or clean operating system to managed computers already running the ConfigMgr agent. This is great when you need to upgrade or re-image a managed computer, but it doesn't do much for fresh hard drives or VMs. The free tool for this use case is Windows Deployment Services (WDS), which Microsoft added with Windows Server 2008. The cool thing here is that WDS also supports OS deployment to computers not already running Windows.


Software Packaging

ConfigMgr supports software packaging, which includes packaging non-Microsoft updates to deploy to managed computers. To get support for third-party updates in WSUS, you need some kind of WSUS extension. However, the downside of ConfigMgr's software packaging is that after you package the updates, you have to create a separate deployment package to get them to the appropriate computers. The deployment package is loosely comparable to a WSUS approval, except that approvals are update-specific, while deployment packages can contain multiple updates.


Asset Management

ConfigMgr supports asset management (that is, collecting and reporting managed computers' hardware and software information) through automated discovery tasks. WSUS supports this too, but the functionality is only available in the WSUS API, so you need a WSUS add-on or some extensive developer skills to implement it. I discuss how SolarWinds Patch Manager can supplement WSUS reports in this way in another post, but when it comes to patch management, Patch Manager's managed computer inventory task is more on par with what ConfigMgr offers and is the right patch management solution.


For those of you interested in implementing ConfigMgr in your environment, I'll address some of these features, along with others, in more detail in another post. So stay tuned. Otherwise, while comparing patch management tools, you might also want to check out how Patch Manager supplements Microsoft SCCM patch management.