Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM) are both patch management solutions that help IT teams keep systems up to date. Though both can manage operating system, software, and system updates, they are not the same thing, and there are situations in which one solution is much more appropriate than the other. Knowing when each should be used will help your organization put the best management solution in place to protect against a variety of attacks.
Windows Server Update Services (WSUS)
WSUS is a software application provided by Microsoft that enables administrators to manage the distribution of updates and patches for Microsoft software products to the computers in their network. WSUS analyses the current system, determines the required updates, and helps users manage the downloads in a corporate environment. It is supported by a wide range of Microsoft products, and in Microsoft Windows Server 2012 it is integrated with the operating system as a server role. It is particularly useful for SMBs, as it acts as an intermediate between the simpler Windows Update used on individual PCs and the more robust Systems Management Server used in larger enterprises. Some of the features provided by WSUS are:
- Bandwidth management and network resource optimization
- Automatic download of updates and category-wise downloads
- Targeted download of updates to specific computer or sets of computers
- Enhanced reporting capabilities
- Multiple language support
Updates provided by WSUS include critical updates, definition updates, drivers, feature packs, security updates, service packs, tools, update rollups and regular enhancements. Group Policy settings for WSUS allow admins to direct the workstations connected to their network to the WSUS server and restrict end users' access to Windows Update, thus giving the administrators full control over the network. Automatic downloads are enabled with the help of BITS, which helps optimize bandwidth usage. WSUS uses .NET Framework, Microsoft Management Console and Internet Information Services for its operations.
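
The Group Policy settings described above end up as registry values on each workstation, so they can be audited there. The following is an added example, not code from the original page or from Microsoft: the function names and the sample host name are hypothetical, and the HTTPS check goes beyond what the page states.

```powershell
# Registry location where Group Policy writes the Windows Update client policy.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the policy values; a missing key or value comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                   = $wu.WUServer
        WUStatusServer             = $wu.WUStatusServer
        UseWUServer                = $au.UseWUServer
        DisableWindowsUpdateAccess = $wu.DisableWindowsUpdateAccess
    }
}

function Test-WsusClientPolicy {
    param([Parameter(Mandatory)] $Policy)
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: client is not directed to a WSUS server'
    }
    if ([string]::IsNullOrWhiteSpace($Policy.WUServer)) {
        $findings += 'WUServer is not set'
    } else {
        $uri = $null
        if (-not [uri]::TryCreate($Policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "WUServer is not a valid URL: $($Policy.WUServer)"
        } elseif ($uri.Scheme -ne 'https') {
            $findings += "WUServer uses $($uri.Scheme) instead of https"
        }
        if ($Policy.WUStatusServer -ne $Policy.WUServer) {
            $findings += 'WUStatusServer does not match WUServer'
        }
    }
    if ($Policy.DisableWindowsUpdateAccess -ne 1) {
        $findings += 'DisableWindowsUpdateAccess is not 1: users can still reach Windows Update'
    }
    $findings
}

# Constructed sample policy (not from a real host), then the local machine.
$sample = [pscustomobject]@{
    WUServer = 'http://wsus.example.internal:8530'; WUStatusServer = 'http://wsus.example.internal:8530'
    UseWUServer = 1; DisableWindowsUpdateAccess = 0
}
Test-WsusClientPolicy -Policy $sample
Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```

An empty result means every check passed; each returned string names one setting that does not match the configuration the paragraph describes.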
System Center Configuration Manager (SCCM)
System Center Configuration Manager (SCCM) is a software management suite provided by Microsoft that allows users to manage a large number of Windows-based computers. SCCM features remote control, patch management, operating system deployment, network protection, and various other services. Users of SCCM can integrate with Microsoft Intune, allowing them to manage computers connected to a business, or corporate, network. SCCM allows users to manage computers running Windows or macOS, servers running Linux or Unix, and even mobile devices running the Windows, iOS, and Android operating systems. SCCM is available from Microsoft and can be used on a limited-time trial basis. When the trial period expires, a license needs to be purchased to continue using it.
Packages are created in the SCCM console and contain the executable files and the command lines for the application to be installed. These packages are then replicated to Distribution Points. Distribution Points are essentially file servers that store the content of the packages for a particular region. Therefore, if a group of machines is remotely located, they can download the application from a local Distribution Point rather than connecting all the way to the SCCM Primary Server.
All the machines in an SCCM environment have an SCCM client agent installed, which allows a machine to communicate with the SCCM servers. The SCCM admin creates a deployment that targets an application at a group of machines. The SCCM client agent installed on the end user's machine keeps checking for new policies or deployments. Once a policy has reached the end machine, it is evaluated and the client reaches out to its respective regional Distribution Point to download the content of the package. Once the executable files are downloaded to a temp folder (C:\Windows\ccmcache), they are installed locally and the status is sent back to the SCCM server to be updated in the database.
This is a very brief set of steps, and a lot more is involved in the background. Not every infrastructure is the same, so some require many additional steps. But the core components used in Software Distribution (Packages/Applications, Programs, Distribution Points, Client Machine) remain the same.