Intune vs. WSUS – Costs, Benefits, Ease of Use, and Deployment
Patching & Updating Feasibility with WSUS and Intune
Patching has certainly gained a lot of momentum ever since research has proven that ‘unattended’ apps and software can quickly lead to a data leak. Patching is the new ‘kid’ on the block and already has it shown great potential in averting what can only be described as a corporate nightmare; surely, it’s not an accolade to see confidential data flaunted around the dark web, screaming for users with open pockets.
From a sysadmin’s standpoint, the patching process is the very embodiment of a thankless job – even now, there are companies (mostly startups) out there that are still relying on manual patching/updating. That shouldn’t be too much of a hassle if your organization operates a small network, but it becomes a tad problematic when you’re dealing with hundreds of endpoints.
Automation is the key to solving this sysadmin Catch-22. Which brings us to the topic “WSUS or Intune?”; yay or nay? If you’re new to the patching automation game, then I encourage you to read on. Seasoned sysadmins may also find something of value in my digression, beyond the PTSD-inducing title (no disrespect intended).
What is WSUS? An overview
First, let’s talk about the elephant in the room which, in this case, is WSUS; short for Windows Server Update Services, it’s Microsoft’s answer to automatic patching and deployment process. Built upon SUS (Software Update Service), WSUS can enable corporate system administrators to quickly unroll and install updates, patches, hotfixes, drivers, and service packs.
An interesting thing about WSUS is that this service works in tandem with SCCM (System Center Configuration Manager) to deploy, import, and install third-party security updates. In WSUS, the software downloads the latest patches and/or updates from the Microsoft-owned Update Server before distributing them throughout your network of endpoints. Besides, clients can always hook up to the server hosting WSUS to download updates and patches.
However, in most scenarios, the system admin would have put into place an approval and denial flow, which effectively limits users’ interaction with the patch and updating process. For instance, using the Group Policies, the administrator can force-update certain critical apps and even bar said apps from updating above a certain version ‘threshold’ (i.e. video card driver updates which can be notoriously unstable if the GPU does not support newer technologies such as Vulkan, Ray Tracing or DirectX 12).
Although WSUS requires an active Internet connection to deploy patches and updates, the same result can be achieved even if the machine or group is offline. Offline patching and updating can be performed by establishing a connection to an Internet-facing WSUS server, exporting the patches to thumb driver or portable hard-disk, and importing them to the WSUS server that manages the disconnected network.
As far as the client-side configurations are concerned, WSUS doesn’t need A.D. (Active Directory) to manage permissions and access to resources located on the corporate network. Instead, WSUS makes use of Local Group Policies and even Windows registry to curate the client-facing rights and permissions.
WSUS employs some basic ‘anti-tampering’ mechanism which prevents users from making modifications to the corporate updates policies.
- WSUS covers the following types of updates: critical updates, definition updates, features packs, security updates, service packs, tools, update roll-ups, firmware drivers (only for Microsoft apps), firmware updates, and upgrades.
- Multi-action support for system administrators. Once the approval/denial flow is in place, sysadmins will be able to perform several client-oriented actions: install (rather force-install a chosen update or patch), remove (you can only remove updates or patches if they support uninstall), detect-only (scans machines for software to determine the versioning), and decline (self-explanatory).
- Auto-determine patching/updating applicability. The detect-only action allows the system administrator to measure the impact a patch or update will have on the targeted machine or group. This feature is extremely useful when dealing with untested patches and/or updates.
- “Targeting-enabled tasks”. This function allows the system administrator to analyze the network environment to determine which machines should receive updates or patches. Configuration can be done on the client-side by making modifications to the Windows registry or on the WSUS server directly. “Targeting-enabled tasks” enables system administrators to perform the following tasks: deploy & eval new updates on test-machines or group, ‘encapsulating’ or protecting machines against patching incompatibilities, and scheduling updates/ patches.
- With WSUS, sysadmins can gather info regarding the following aspects: update/patching status, endpoint status, computer compliance status, update compliance status, sync & download statues, general WSU configuration settings.
- Microsoft has made an SDK (Software Development Kit) available for system administrators. The kit can be used to create WSUS-integrated management apps and write custom code for WSUS servers and auto-updates management.
WSUS integration – pros and cons
Microsoft’s WSUS is designed to accommodate a high number of patching and updating requests. Coupled with the fact that it is free of charge – provided that you own a Windows Server license – it would seem to be the appropriate choice for sysadmins curating a corporate network spanning hundreds of endpoints. WSUS does have its share of advantages but twice the same disadvantage.
- Free of charge.
- Multi-OS support. WSUS is compatible with Service Pack 3, later versions of Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, Windows Server 2003 Family, Windows Server Datacenter Editions, Windows XP family (64-bit).
- Multi-app support. WSUS supports Microsoft Exchange 2003, Microsoft Exchange 2000, Microsoft Office 2003, Office XP Service Pack 2.
- Manual and auto-downloads of new content (updates and patches from Microsoft).
- Advanced scheduling (days, weeks).
- Filtering for patches and updates. The admin can instruct WSUS which products should receive the latest patches and/or updates.
- Multi-patch type support. The list includes security updates, non-security updates, feature packs, critical driver updates, connectors, drivers, and more.
- Generate reports on settings summary, sync results, or updating/patching status.
- Setup is time-consuming. The infrastructure takes very long to set up. A WSUS manual is available, but only for the Beta version. Also, the user must browser through 84 pages of technical documentation to find the answer to any WSUS-related issue.
- Long-winded list of requirements. To set up WSUS, you must meet many demands, both on the Client and Server side.
- Resource intensive. WSUS needs at least 8GB of free space on the server and an additional 30 GB to store the downloaded patches.
- To populate the Server with machines, the user needs to go through the whole documentation.
- Pre-requisites are not automatically installed. WSUS requires IIS, .Net, and Bits 2.0 to run on the Server machine. These are not installed automatically on the WSUS setup.
- The Admin console can run on machines with Internet Explorer version 6.0 or later.
- Limited app coverage. According to the tech documentation, WSUS covers 50% less compared to other automatic patching and updating software such as HFNetchkPro.
- Limited format support. WSUS does not support Microsoft XML Services, Office 200, MSDE, Commerce Server 2003 and 200, BizTalk Server, Content Management Server, MDAC, Java Virtual Machine, ISA Server, Host Integrations Server, IE, IIS, NT 4.0 SP4 and below.
- Poor patch/update flow management. Patches need to be manually approved before they can be downloaded and installed by the target machine. Also, the machine is required to scan and request the necessary patch.
- No reboots support.
- Limited reporting tools. WSUS cannot export to different formats. No GUI, meaning that all the reports are printed directly on the screen.
- Poor scanning accuracy.
What is Intune? An overview
WSUS is not the only patch and endpoint management solution offered by Microsoft. Since WSUS is an on-premises solution, it does not offer cover for corporate policies such as BYODs (Bring Your Device). Microsoft’s answer was Intune, a cloud-based endpoint management tool that was specifically designed for BYODs and mobile devices. Intune builds upon Microsoft’s System Center Configuration Manager (SCCM), effectively extending its patch management capabilities by migrating every functionality to the Windows Azure cloud.
Intune can be distributed via a web-based portal, being fully compatible with Windows 8 (Professional & Enterprise), Windows 7 (Professional, Enterprise, and all Ultimate editions), Windows Vista, and Windows XP Professional (only supports Service Pack 3).
Concerning functionality, Microsoft’s Intune has facilitated the administrative flow by introducing the more visual Web console tool. In a review posted on Business Computing World Alan Stevens called out Intune for its “deceptively simple management interface”.
Disambiguation: Mr. Stevens’ slightly salty remark was in regards to the way Intune has been positioned in the market.
He goes on saying that “despite being easy to navigate, proved less than intuitive, requiring us to search around to work out how to perform even quite simple management tasks.” As compared to WSUS, working with Intune is a breeze, but not even Microsoft’s wunder product could not stack up with the critics.
Indeed, there have been instances where Intune’s ‘highly intuitive’ interface was anything but intuitive. For instance, adding a new endpoint to the admin-curated network, one of the most basic tasks, created tons of confusion. In some regards, Intune can be (become) just as problematic as WSUS.
As I’ve already mentioned, the main difference between WSUS and Intune is the cloud component. Intune is cloud-native, which means fewer resources are allocated towards setting up and maintaining an Intune network. Since everything’s cloud-hosted you needn’t keep anything on the machine (i.e. patches, updates). Interestingly enough, according to the product’s manual, Intune tends to ramp up your RAMs. For instance, Intune’s second Beta version requires at least 2GB of RAM to work properly.
The good news is that, compared to WSUS’s list of prerequisites, Intune’s ‘list seems like a fortune cookie note. In fact, the list’s so short that I’m going to include it in my article. So, to set up (integrate) Intune, you will need to check all of the items on this list:
- The administrator requires permission. For Intune integration, your admin needs access to the Azure A.D. Furthermore, he or she also requires permission to include enterprise apps. Be sure your admin also has Group.ReadWrite.All and Group. Read. All permissions. Keep in mind that the Azure Multi-Factor Authentication has to be disabled.
- Adding the AirWatch by VMWare. You will need to the AirWatch by VMware into your Azure A.D. Now, for those of you wondering about OOB enrollment, the answer’s “yes”. You can still add AirWatch, but don’t mess around with the configurations, lest you risk messing up the enrollment process.
- Use the licenses for the Intune Protection App Protection and the Enterprise Mobility and Security E3 and/or E5.
That’s all – conveniently easy and, in Mr. Stevens’ words, “deceptively simple.” Up next, we’re going to take a closer look at Intune’s features.
- MDM cross-compatibility. Despite being a Mobile Device Management platform, Intune is also compatible with non-mobile formats. The complete list of supported devices includes Mac, ISO, Android, and Microsoft Windows. Moreover, Intune also covers both company-owned devices and BYODs.
- Data protection compliance. Intune enforces encryption, MFA, antivirus, and can force-remote all organization-related data if the device (company-owned or BYOD) is lost, stolen, or not used in a while. As far as BYODs are concerned, employee-owned devices are preconfigured before being allowed to access company data.
- Deploy software, updates, and patches. From Intune’s Admin console you can deploy software packages, updates, and patches. The tool also allows for push-update scheduling, define update/patch deploy strategies, and much more. Microsoft boasts silent patching and updating, meaning that the user should not experience any interruption while these processes are performed. Supported software package formats: .msp, .msi, and .exe.
- Data loss prevention. Intune has several safeguards in place to prevent data loss or theft. The admin can force-retire or force-wipe company-critical data should the device get lost, stolen, or not used in a while. These commands can be remotely-issued directly from Intune’s Company Portal.
- Office mobile apps management. You can set custom policies to control or log Office 365 applications. Intune permits you to approve or deny access to documents stored on OneDrive or to a specific email address. Optionally, you can enforce various policies for Skype, Exchange, and SharePoint.
Intune Integration – Pros and Cons
Intune should have been the more refined sibling of WSUS. Microsoft’s MDM solution is stunning, as far as visuals are concerned. And seeing how it has been positioned, operating Intune should be pretty straightforward. Coupled Intune’s full support for mobile devices and BYODs, it should be the best thing that has happened to sysadmins. Or is it? Let’s take a look at the pros and cons of integrating Intune into your network environment.
- Covers mobile devices, BYODs, and company-owned machines.
- Powerful pre-defined policies to manage your security settings.
- EMS integration (available on demand).
- Malware defense. Intune has integrated MTD (3rd party Mobile Threat Defense) into its unified endpoint management platform for malware detection. Intune’s malware detection engine is supported by MSE (Microsoft Security Essentials).
- Off-premises ‘gatekeeping’. Device enrollment, management, and control can is achieved via a centralized portal.
- Integration with other patching and endpoint management tools such as WSUS and SCCM.
- Device location not applicable. Although wipe and retire commands are available, there’s no option to effectively track the device. This would have been useful in case of theft.
- Fixed dashboard. There’s no way to customize or reconfigure the dashboard’s setup.
- License issues. If the sysadmin misses on assigning an Intune license to the user, activity logging will not be possible.
- Limited support. Microsoft’s Intune support team will not help you troubleshoot issues related to Gmail or 3rd party apps, although they offer some support in Outlook-related issues.
- Missing security features. Some seasoned Intune users pointed out that Intune left out some very basic (and vital) security features such as auto-quarantine for all devices harboring malicious apps, security countermeasures for parasitic applications, or safety measures for tunneling.
WSUS vs. Intune – The Outline
|Software, Patching, and Updating||Supports patches, updates, drivers, proprietary software, and 3rd (only if you SCCM)||Supports updates, patches, and software. Cannot deploy drivers.|
|Internet-facing server||Updates, patches, software, and drivers can be downloaded locally. Does not require an Internet-facing server to apply packages.||Web-based tool. Requires access to an Internet-facing server.|
|Additional features||Limited feature in areas other than patching, updating, and endpoint management||Boast of hosts of other facilities such as volume license management, remote assistance, and malware protection.|
|Interaction||Accessible via the Admin console. Steep learning curve.||Browser-based dashboard. Highly interactive and somewhat intuitive.|
|Resources||Needs at least 40 GB of free space to store patches, updates, and drivers.||Cloud-native. Requires at least 2GB of RAM to function properly.|
|Remote features||Remote patch, upgrading, updating deployment is available.||Remote deployment is available. Intune allows remote actions such as wipe. No tracking available.|
(*) Per the product’s technical documentation, WSUS should be free of charge, provided that the user has a valid Windows Server license. However, it does mention anything about the man-hours involved. According to a Tolly whitepaper published in 2019, the owners of the WSUS license have to shell out a considerable sum each year.
The paper, which compares WSUS with Lumension’s VMS from a cost of ownership standpoint, concludes that WSUS is anything but free – Tolly’s estimates show that the average cost of using WSUS amounts to over $100,000. How did Tolly ‘conjure up’ these figures?
The math’s pretty straightforward: if we assume that an IT employee earns about $50 per hour and that a WSUS network takes about $2,400 hours per year to maintain, then we arrive at the figure of $120,000 per year paid for WSUS maintenance.
Any alternatives to WSUS and Intune?
WSUS and Intune, despite their caveats, are some very valuable client and asset management tools. Still, that doesn’t necessarily mean that they are irreplaceable. There are various other tools out there that can help you streamline the network administration process.
For instance, Heimdal’s patch management software will allow your system administrators to roll out updates, patches, drivers, and critical security packages without the need to use another tool. Remember when we talked about WSUS? Microsoft’s WSUS can also cover 3rd party updates, patches, or drivers if it’s associated with SCCM.
Heimdal™ Patch & Asset Management moves beyond WSUS, SCCM, and even Intune. With Infinity Management, you will be able to gain a granular view of what happens on your machines.
HEIMDAL™ ENDPOINT PREVENTION - DETECTION AND CONTROL
- Next-gen Antivirus & Firewall which stops known threats;
- DNS traffic filter which stops unknown threats;
- Automatic patches for your software and apps with no interruptions;
- Privileged Access Management and Application Control, all in one unified dashboard
Use the interface to inventory your assets, deploy updates and patches, remove users from A.D, create new groups, enforce custom security policies, set updating/patching delays, and more. You can also use our dashboard to create stunning reports and see how much the product has helped you save in terms of funds and man-hours.
Compared to WSUS, SCCM, and even Intune which only cover a limited number of venues, Heimdal’s Patch Management expands on all the available patching and updating technologies. Going beyond SCCM and WSUS means automated (and silent) updates/patches deployment, on-the-fly updating, version management, 3rd party and proprietary software, and A.D. integration. Furthermore, all of the updates and patches are encrypted prior to distribution (uses a Global Deployment and LAN P2P system). And with the Infinity Management dashboard in place, you will gain granular control over your digital inventory. MDM is also available via our Mobile Security Agent. Other features include:
- Scheduling and force-rebooting.
- HTTPS Micro-downloads from the Heimdal™ CDN with LAN P2P.
- Vulnerability inventory and CVSS scoring system.
- Short TTM (time-to-market) <4 hours.
- Uninstalling supported software.
- Full compliance and CVE\CVSS audit trail.
If you’re looking for an in-between solution, you can check out these open-source tools. Keep in mind that integrating them into your network may raise some compatibility issues. Some tweaking may be in order.
- Oracle IT Management Suite
- Goverlan Reach
- IBM Service Management Suite
- BMC Truesight Capacity Optimization
- Kaseya VSA
- Cireson Asset Management
- vRealize Operations
WSUS and Intune Frequently Asked Questions (FAQ)
Q: No clients show up in the WSUS Console after creating several Group Policies. What should I do?
A: On the client-side, the A.D. Group Policy updates every 90 minutes. If the allotted time has passed and the clients still haven’t shown up, paste or type in the following line:
Gpupdate.exe /force - Windows XP and Windows Server 2003 Secedit.exe /refreshpolicy machine_policy /enforce for Windows 2000
Q: How can your force-install a critical update?
A: Start by modifying the deadline option. After that, you will need to force the client’s machine to detect the changes. To do that, paste or type in the following command line:
Q: Some clients show up in the console, while others disappear. What should I do?
A:Please follow this procedure:
- Go to RegEditand delete these registry keys:
- Reset the local client cookie by using this command:
exe /resetauthorization /detectnow
Q: Is there any way to detect jailbroken devices?
A: Yes, Intune can detect jailbroken devices for most operating systems.
Q: Can I switch to another MDM authority?
A: You can switch at any time from Intune to O365 or Configuration Manager. Contact support to change your MDM. Note: you can only change from Intune to Config Manager, O365 to Intune, or from Intune to O365. You cannot change from Config Manager to Intune.
WSUS or Intune? From where I stand, both have some share of ups and downs. However, in terms of costs, neither seem should be considered prime choices. Has your company used WSUS, SCCM, or Intune? If so, head to the comments section and tell me about your experiences.