Patching has certainly gained a lot of momentum ever since research has proven that ‘unattended’ apps and software can quickly lead to a data leak.  Patching is the new ‘kid’ on the block and already has it shown great potential in averting what can only be described as a corporate nightmare; surely, it’s not an accolade to see confidential data flaunted around the dark web, screaming for users with open pockets.

From a sysadmin’s standpoint, the patching process is the very embodiment of a thankless job – even now, there are companies (mostly startups) out there that are still relying on manual patching/updating. That shouldn’t be too much of a hassle if your organization operates a small network, but it becomes a tad problematic when you’re dealing with hundreds of endpoints.

Automation is the key to solving this sysadmin Catch-22. Which brings us to the topic “WSUS or Intune?”; yay or nay? If you’re new to the patching automation game, then I encourage you to read on. Seasoned sysadmins may also find something of value in my digression, beyond the PTSD-inducing title (no disrespect intended).

What is WSUS? An overview

First, let’s talk about the elephant in the room which, in this case, is WSUS; short for Windows Server Update Services, it’s Microsoft’s answer to automatic patching and deployment process. Built upon SUS (Software Update Service), WSUS can enable corporate system administrators to quickly unroll and install updates, patches, hotfixes, drivers, and service packs.

An interesting thing about WSUS is that this service works in tandem with SCCM (System Center Configuration Manager) to deploy, import, and install third-party security updates. In WSUS, the software downloads the latest patches and/or updates from the Microsoft-owned Update Server before distributing them throughout your network of endpoints. Besides, clients can always hook up to the server hosting WSUS to download updates and patches.

However, in most scenarios, the system admin would have put into place an approval and denial flow, which effectively limits users’ interaction with the patch and updating process. For instance, using the Group Policies, the administrator can force-update certain critical apps and even bar said apps from updating above a certain version ‘threshold’ (i.e. video card driver updates which can be notoriously unstable if the GPU does not support newer technologies such as Vulkan, Ray Tracing or DirectX 12).

Although WSUS requires an active Internet connection to deploy patches and updates, the same result can be achieved even if the machine or group is offline. Offline patching and updating can be performed by establishing a connection to an Internet-facing WSUS server, exporting the patches to thumb driver or portable hard-disk, and importing them to the WSUS server that manages the disconnected network.

As far as the client-side configurations are concerned, WSUS doesn’t need A.D. (Active Directory) to manage permissions and access to resources located on the corporate network. Instead, WSUS makes use of Local Group Policies and even Windows registry to curate the client-facing rights and permissions.

WSUS employs some basic ‘anti-tampering’ mechanism which prevents users from making modifications to the corporate updates policies.

WSUS features

  1. WSUS covers the following types of updates: critical updates, definition updates, features packs, security updates, service packs, tools, update roll-ups, firmware drivers (only for Microsoft apps), firmware updates, and upgrades.
  2. Multi-action support for system administrators. Once the approval/denial flow is in place, sysadmins will be able to perform several client-oriented actions: install (rather force-install a chosen update or patch), remove (you can only remove updates or patches if they support uninstall), detect-only (scans machines for software to determine the versioning), and decline (self-explanatory).
  3. Auto-determine patching/updating applicability. The detect-only action allows the system administrator to measure the impact a patch or update will have on the targeted machine or group. This feature is extremely useful when dealing with untested patches and/or updates.
  4. “Targeting-enabled tasks”. This function allows the system administrator to analyze the network environment to determine which machines should receive updates or patches. Configuration can be done on the client-side by making modifications to the Windows registry or on the WSUS server directly. “Targeting-enabled tasks” enables system administrators to perform the following tasks: deploy & eval new updates on test-machines or group, ‘encapsulating’ or protecting machines against patching incompatibilities, and scheduling updates/ patches.
  5. With WSUS, sysadmins can gather info regarding the following aspects: update/patching status, endpoint status, computer compliance status, update compliance status, sync & download statues, general WSU configuration settings.
  6. Microsoft has made an SDK (Software Development Kit) available for system administrators. The kit can be used to create WSUS-integrated management apps and write custom code for WSUS servers and auto-updates management.

WSUS integration – pros and cons

Microsoft’s WSUS is designed to accommodate a high number of patching and updating requests. Coupled with the fact that it is free of charge – provided that you own a Windows Server license – it would seem to be the appropriate choice for sysadmins curating a corporate network spanning hundreds of endpoints. WSUS does have its share of advantages but twice the same disadvantage.


  • Free of charge.
  • Multi-OS support. WSUS is compatible with Service Pack 3, later versions of Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, Windows Server 2003 Family, Windows Server Datacenter Editions, Windows XP family (64-bit).
  • Multi-app support. WSUS supports Microsoft Exchange 2003, Microsoft Exchange 2000, Microsoft Office 2003, Office XP Service Pack 2.
  • Manual and auto-downloads of new content (updates and patches from Microsoft).
  • Advanced scheduling (days, weeks).
  • Filtering for patches and updates. The admin can instruct WSUS which products should receive the latest patches and/or updates.
  • Multi-patch type support. The list includes security updates, non-security updates, feature packs, critical driver updates, connectors, drivers, and more.
  • Generate reports on settings summary, sync results, or updating/patching status.


  • Setup is time-consuming. The infrastructure takes very long to set up. A WSUS manual is available, but only for the Beta version. Also, the user must browser through 84 pages of technical documentation to find the answer to any WSUS-related issue.
  • Long-winded list of requirements. To set up WSUS, you must meet many demands, both on the Client and Server side.
  • Resource intensive. WSUS needs at least 8GB of free space on the server and an additional 30 GB to store the downloaded patches.
  • To populate the Server with machines, the user needs to go through the whole documentation.
  • Pre-requisites are not automatically installed. WSUS requires IIS, .Net, and Bits 2.0 to run on the Server machine. These are not installed automatically on the WSUS setup.
  • The Admin console can run on machines with Internet Explorer version 6.0 or later.
  • Limited app coverage. According to the tech documentation, WSUS covers 50% less compared to other automatic patching and updating software such as HFNetchkPro.
  • Limited format support. WSUS does not support Microsoft XML Services, Office 200, MSDE, Commerce Server 2003 and 200, BizTalk Server, Content Management Server, MDAC, Java Virtual Machine, ISA Server, Host Integrations Server, IE, IIS, NT 4.0 SP4 and below.
  • Poor patch/update flow management. Patches need to be manually approved before they can be downloaded and installed by the target machine. Also, the machine is required to scan and request the necessary patch.
  • No reboots support.
  • Limited reporting tools. WSUS cannot export to different formats. No GUI, meaning that all the reports are printed directly on the screen.
  • Poor scanning accuracy.

WSUS is not the only patch and endpoint management solution offered by Microsoft. Since WSUS is an on-premises solution, it does not offer cover for corporate policies such as BYODs (Bring Your Device). Microsoft’s answer for this, was Intune.

What is Intune? An overview

Intune is a cloud-based endpoint management tool that was specifically designed for BYODs and mobile devices. Intune builds upon Microsoft’s System Center Configuration Manager (SCCM), effectively extending its patch management capabilities by migrating every functionality to the Windows Azure cloud.

Intune can be distributed via a web-based portal, being fully compatible with Windows 8 (Professional & Enterprise), Windows 7 (Professional, Enterprise, and all Ultimate editions), Windows Vista, and Windows XP Professional (only supports Service Pack 3).

Concerning functionality, Microsoft’s Intune has facilitated the administrative flow by introducing the more visual Web console tool. In a review posted on Business Computing World Alan Stevens called out Intune for its “deceptively simple management interface”.

Disambiguation: Mr. Stevens’ slightly salty remark was in regards to the way Intune has been positioned in the market.

He goes on saying that “despite being easy to navigate, proved less than intuitive, requiring us to search around to work out how to perform even quite simple management tasks.”  As compared to WSUS, working with Intune is a breeze, but not even Microsoft’s wunder product could not stack up with the critics.

Indeed, there have been instances where Intune’s ‘highly intuitive’ interface was anything but intuitive. For instance, adding a new endpoint to the admin-curated network, one of the most basic tasks, created tons of confusion. In some regards, Intune can be (become) just as problematic as WSUS.

As I’ve already mentioned, the main difference between WSUS and Intune is the cloud component. Intune is cloud-native, which means fewer resources are allocated towards setting up and maintaining an Intune network. Since everything’s cloud-hosted you needn’t keep anything on the machine (i.e. patches, updates). Interestingly enough, according to the product’s manual, Intune tends to ramp up your RAMs. For instance, Intune’s second Beta version requires at least 2GB of RAM to work properly.

The good news is that, compared to WSUS’s list of prerequisites, Intune’s ‘list seems like a fortune cookie note. In fact, the list’s so short that I’m going to include it in my article. So, to set up (integrate) Intune, you will need to check all of the items on this list:

  1. The administrator requires permission. For Intune integration, your admin needs access to the Azure A.D. Furthermore, he or she also requires permission to include enterprise apps. Be sure your admin also has Group.ReadWrite.All and Group. Read. All permissions. Keep in mind that the Azure Multi-Factor Authentication has to be disabled.
  2. Adding the AirWatch by VMWare. You will need to the AirWatch by VMware into your Azure A.D. Now, for those of you wondering about OOB enrollment, the answer’s “yes”. You can still add AirWatch, but don’t mess around with the configurations, lest you risk messing up the enrollment process.
  3. Use the licenses for the Intune Protection App Protection and the Enterprise Mobility and Security E3 and/or E5.

That’s all – conveniently easy and, in Mr. Stevens’ words, “deceptively simple.” Up next, we’re going to take a closer look at Intune’s features.

Intune features

  1. MDM cross-compatibility. Despite being a Mobile Device Management platform, Intune is also compatible with non-mobile formats. The complete list of supported devices includes Mac, ISO, Android, and Microsoft Windows. Moreover, Intune also covers both company-owned devices and BYODs.
  2. Data protection compliance. Intune enforces encryption, MFA, antivirus, and can force-remote all organization-related data if the device (company-owned or BYOD) is lost, stolen, or not used in a while. As far as BYODs are concerned, employee-owned devices are preconfigured before being allowed to access company data.
  3. Deploy software, updates, and patches. From Intune’s Admin console you can deploy software packages, updates, and patches. The tool also allows for push-update scheduling, define update/patch deploy strategies, and much more. Microsoft boasts silent patching and updating, meaning that the user should not experience any interruption while these processes are performed. Supported software package formats: .msp, .msi, and .exe.
  4. Data loss prevention. Intune has several safeguards in place to prevent data loss or theft. The admin can force-retire or force-wipe company-critical data should the device get lost, stolen, or not used in a while. These commands can be remotely-issued directly from Intune’s Company Portal.
  5. Office mobile apps management. You can set custom policies to control or log Office 365 applications. Intune permits you to approve or deny access to documents stored on OneDrive or to a specific email address. Optionally, you can enforce various policies for Skype, Exchange, and SharePoint.

Intune Integration – Pros and Cons

Intune should have been the more refined sibling of WSUS. Microsoft’s MDM solution is stunning, as far as visuals are concerned. And seeing how it has been positioned, operating Intune should be pretty straightforward. Coupled Intune’s full support for mobile devices and BYODs, it should be the best thing that has happened to sysadmins. Or is it? Let’s take a look at the pros and cons of integrating Intune into your network environment.


  • Covers mobile devices, BYODs, and company-owned machines.
  • Powerful pre-defined policies to manage your security settings.
  • EMS integration (available on demand).
  • Malware defense. Intune has integrated MTD (3rd party Mobile Threat Defense) into its unified endpoint management platform for malware detection. Intune’s malware detection engine is supported by MSE (Microsoft Security Essentials).
  • Off-premises ‘gatekeeping’. Device enrollment, management, and control can is achieved via a centralized portal.
  • Integration with other patching and endpoint management tools such as WSUS and SCCM.


  • Device location not applicable. Although wipe and retire commands are available, there’s no option to effectively track the device. This would have been useful in case of theft.
  • Fixed dashboard. There’s no way to customize or reconfigure the dashboard’s setup.
  • License issues. If the sysadmin misses on assigning an Intune license to the user, activity logging will not be possible.
  • Limited support. Microsoft’s Intune support team will not help you troubleshoot issues related to Gmail or 3rd party apps, although they offer some support in Outlook-related issues.
  • Missing security features. Some seasoned Intune users pointed out that Intune left out some very basic (and vital) security features such as auto-quarantine for all devices harboring malicious apps, security countermeasures for parasitic applications, or safety measures for tunneling.

What is SCCM? An overview

Microsoft’s System Center Configuration Manager (SCCM) was an asset-oriented solution used for patch and update deployment across a larger digital ecosystem. SCCM would lose its standalone status in Windows 10 build 1960, now becoming a part of Microsoft Endpoint Manager. Functionality-wise, SCCM extends WSUS’s patch deployment capabilities, especially in the area of third-party software and BYOD management. The solution does indeed provide increased flexibility for third-party software patching and updating, but not to the full extent. In some cases, manual package deployment is necessary to sort out compatibility, versioning, and (infrastructure) upscaling issues.

SCCM does not actively replace WSUS, being designed to work on top or in tandem with it. In a nutshell, the System Center Configuration Manager unlocks additional patch management and deployment options. Despite being more expensive compared to WSUS, SCCM is still used in organizations spanning thousands of devices which, preponderantly run Microsoft software or environments, alongside third-party software.

SCCM Features

  1. Integration with Microsoft 365 Cloud. Co-Management, as Microsoft has coined the feature, allows the user to ‘attach’ SCCM (i.e., Configuration Manager) to the 365 cloud. The integration further grants the admin access to Intune features for increased device control.
  2. Business Intelligence. SCCM’s Desktop Analytics feeds various info about device availability, update status, compatibility issues, mitigations, and Microsoft pilot programs.
  3. Operating System deployment services. SCCM can mediate OS deployment via PXE (Pre-boot Execution Environment), bootable media or multicast approaches. The process allows for further configuration – image capturing, redeployment, OS repairing and maintenance.
  4. Endpoint security. SCCM’s integrability with Windows Endpoint Security grants access to security features such as Windows Defender Antivirus, Window Defender Firewall, Window Defender Application Control, Windows Defender Exploit Guard, and Windows Defender Application Guard.
  5. Remote location access to company resources and assets. Leverages VPN, Wi-Fi, and certificate profiles for remote access to the company’s applications, digital assets, and server-hosted data.

SCCM Integration – Pros and Cons

Configuration Manager aka SCCM enriches WSUS’s third-party patch/update deployment functionalities, making it ideal for companies looking for 3rd party support. On top of that, the solution brings numerous additions to the table such as PXE OS deployment, desktop analytics, integrations to similar Microsoft products, endpoint security via Windows defender, and remote access through Wi-Fi, certificate profiles, and VPN. Below, you will find a short list of prost and cons associated with SCCM deployment.


  • Microsoft Windows integration. Can work in tandem with all Microsoft Windows’ applications and systems. Better BYOD support compared to Intune.
  • Unlocks more patch management features. SCCM provides various patch management improvement such logging and reporting, remote access from a server-hosted console, and more.
  • Comprehensive GUI. Simple to understand and use interface. Community support available.


  • SCCM implies higher costs compared to Intune and WSUS, especially in the operation and maintenance areas. Since SCCM requires on-premises SQL server(s) to operate, maintenance costs are added to the ones associated with licensing.
  • Limited to no support for non-Windows native systems. SCCM can, in extremis, support non-Windows systems (e.g. Linux or Macintosh), but with limited results due to cross-compatibility issues.
  • Partial 3rd party coverage. Although SCCM was designed to counter WSUS’s 3rd party limitations, the solution is not all-encompassing, user reporting patch deployment issues or no support for certain third-party apps.


WSUS vs. SCCM vs. Intune – The Outline





Positioning On-premises On-premises Cloud
Cost Free* Subscription-based Subscription-based
Software Patching and Updating Supports patches, updates, drivers, proprietary software, and 3rd (only if you SCCM) Supports updates, patches, and software. Additional support for 3rd party updates and patches. Supports updates, patches, and software. Cannot deploy drivers.
Internet-facing server Updates, patches, software, and drivers can be downloaded locally. Does not require an Internet-facing server to apply packages.  

Local SQL server required to operate SCCM



Web-based tool. Requires access to an Internet-facing server.
Additional features Limited feature in areas other than patching, updating, and endpoint management Local SQL server required to operate SCCM  

Boast of hosts of other facilities such as volume license management, remote assistance, and malware protection.

Interaction Accessible via the Admin console. Steep learning curve. Browser-based dashboard. Highly interactive and somewhat intuitive. Browser-based dashboard. Highly interactive and somewhat intuitive
Resources Needs at least 40 GB of free space to store patches, updates, and drivers. See Documentation Cloud-native. Requires at least 2GB of RAM to function properly.
Remote features Remote patch, upgrading, updating deployment is available VPN, Wi-Fi, certificate profiles. Remote deployment is available. Intune allows remote actions such as wipe. No tracking available.

(*) Per the product’s technical documentation, WSUS should be free of charge, provided that the user has a valid Windows Server license. However, it does mention anything about the man-hours involved. According to a Tolly whitepaper published in 2019, the owners of the WSUS license have to shell out a considerable sum each year.

The paper, which compares WSUS with Lumension’s VMS from a cost of ownership standpoint, concludes that WSUS is anything but free – Tolly’s estimates show that the average cost of using WSUS amounts to over $100,000. How did Tolly ‘conjure up’ these figures?

The math’s pretty straightforward: if we assume that an IT employee earns about $50 per hour and that a WSUS network takes about $2,400 hours per year to maintain, then we arrive at the figure of $120,000 per year paid for WSUS maintenance.

Any alternatives to WSUS, SCCM and Intune?

WSUS and Intune, despite their caveats, are some very valuable client and asset management tools. Still, that doesn’t necessarily mean that they are irreplaceable. There are various other tools out there that can help you streamline the network administration process.

For instance, Heimdal’s patch management software will allow your system administrators to roll out updates, patches, drivers, and critical security packages without the need to use another tool. Remember when we talked about WSUS? Microsoft’s WSUS can also cover 3rd party updates, patches, or drivers if it’s associated with SCCM.

Heimdal™ Patch & Asset Management moves beyond WSUS, SCCM, and even Intune.  With Infinity Management, you will be able to gain a granular view of what happens on your machines.

Heimdal Official Logo
Automate your patch management routine.

Heimdal® Patch & Asset Management Software

Remotely and automatically install Windows, Linux and 3rd party application updates and manage your software inventory.
  • Schedule updates at your convenience;
  • See any software assets in inventory;
  • Global deployment and LAN P2P;
  • And much more than we can fit in here...
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Use the interface to inventory your assets, deploy updates and patches, remove users from A.D, create new groups, enforce custom security policies, set updating/patching delays, and more. You can also use our dashboard to create stunning reports and see how much the product has helped you save in terms of funds and man-hours.

Compared to WSUS, SCCM, and even Intune which only cover a limited number of venues, Heimdal’s Patch Management expands on all the available patching and updating technologies. Going beyond SCCM and WSUS means automated (and silent) updates/patches deployment, on-the-fly updating, version management, 3rd party and proprietary software, and A.D. integration. Furthermore, all of the updates and patches are encrypted prior to distribution (uses a Global Deployment and LAN P2P system).  And with the Infinity Management dashboard in place, you will gain granular control over your digital inventory. MDM is also available via our Mobile Security Agent. Other features include:

  • Scheduling and force-rebooting.
  • HTTPS Micro-downloads from the Heimdal™ CDN with LAN P2P.
  • Vulnerability inventory and CVSS scoring system.
  • Short TTM (time-to-market) <4 hours.
  • Uninstalling supported software.
  • Full compliance and CVE\CVSS audit trail.


WSUS Frequently Asked Questions (FAQ)

Q: No clients show up in the WSUS Console after creating several Group Policies. What should I do?

A:  On the client-side, the A.D. Group Policy updates every 90 minutes. If the allotted time has passed and the clients still haven’t shown up, paste or type in the following line:

Gpupdate.exe /force - Windows XP and Windows Server 2003 Secedit.exe 
/refreshpolicy machine_policy /enforce for Windows 2000

Q: How can your force-install a critical update?

A: Start by modifying the deadline option. After that, you will need to force the client’s machine to detect the changes. To do that, paste or type in the following command line:

wuauclt.exe /detectnow

Q: Some clients show up in the console, while others disappear. What should I do?

A:Please follow this procedure:

  1. Go to RegEditand delete these registry keys:

HKLM\SOFTWARE\Mkrosoft\Windows\CurrentVerswn\WindowsUpdate\ AccountDomainSid

HKLM\SOFTWARE\Mkrosoft\Windows\CurrentVerswn\WindowsUpdate\ SusClientID

HKLM\SOFTWARE\Mkrosoft\Windows\CurrentVerswn\WindowsUpdate\ PingID

  1. Reset the local client cookie by using this command:
exe /resetauthorization /detectnow

Intune Frequently Asked Questions (FAQ)

Q: Is there any way to detect jailbroken devices?

A: Yes, Intune can detect jailbroken devices for most operating systems.

Q: Can I switch to another MDM authority?

A: You can switch at any time from Intune to O365 or Configuration Manager. Contact support to change your MDM. Note: you can only change from Intune to Config Manager, O365 to Intune, or from Intune to O365. You cannot change from Config Manager to Intune.


WSUS, SCCM or Intune? From where I stand, all have some share of ups and downs. However, in terms of costs, neither seem should be considered prime choices. Has your company used WSUS, SCCM, or Intune? If so, head to the comments section and tell me about your experiences.

What Is Patch Management? Definition, Importance, Key Steps, and Best Practices

8 Free and Open Source Patch Management Tools for Your Company [Updated 2023]

Patch Management Policy: A Practical Guide

Patch Management vs Vulnerability Management: A Comparison

Windows Patch Management: Definition, How It Works and Why It Helps

Understanding the Automated Patch Management Process

What Is a Software Patch?

Leave a Reply

Your email address will not be published. Required fields are marked *