Intune Vs SCCM and WSUS Vs WUfB Patching Method Differences

What are the differences between WSUS Vs WUfB and Intune Vs SCCM Patching Methods? Let’s find out more details about Windows Patch Management using Intune vs ConfigMgr.

What are the main differences between modern and traditional patching solutions for Microsoft applications and operating systems? Third-party application patching is another beast that you might need to consider.

There are four pillars of patching or Software Updates solutions. Those four (4) pillars are Vendors, Patching services, Management tools that help configure policies, content, etc., and the client components that do the actual work of patching.

I have covered the Windows 11 Software Update Troubleshooting scenarios and some fixes. Windows Update Management solutions with Windows Update for Business (WUfB) and WSUS are also explained in the sections below.


Read More -> Microsoft is planning to release the preview version of WSUS with enhanced features for Windows client operating systems that are not managed by SCCM.

Figure: 4 Pillars of Software Update Mechanism – Credits to Microsoft

What is Windows Update?

Windows Update is a free service provided by Microsoft for Windows operating systems to download and install Windows software updates over the Internet automatically. Windows Update covers various updates to make your Windows device secure and safe with the latest features.


Windows Update delivers the latest updates of Windows 10 and Windows 11 operating systems (Security or critical or emergency updates), along with the updates of Microsoft applications such as Defender (antivirus), Dot Net, etc. It also provides Driver and firmware updates.


Three Methods to Manage Windows Updates

Windows Update Service is a service that delivers various types of updates to Windows 10 or Windows 11 devices. You don’t have options (or have very limited options) to manage Windows Updates for Windows 10 or Windows 11 non-premium editions such as the HOME edition.

As per Microsoft (Ignite presentation by Aria Carley), there are three primary ways to manage Windows Updates for premium SKUs of Windows 10 and 11. This applies to the WSUS Vs WUfB and Intune Vs SCCM Patching Methods.

  • Media
  • Windows Server Update Service (WSUS)
  • Windows Update for Business

What is Windows Update for Business (WUfB) Deployment Service

The Windows Update for Business deployment service is a cloud service within the WUfB product family. WUfB deployment Service provides control over:

  • Approval
  • Scheduling
  • Safeguarding

WUfB Deployment Service is a free service from Microsoft available to enterprise and education customers to manage and control the delivery and behavior of Windows Update.

This free WUfB deployment service is available for all premium editions, including Windows 10 and Windows 11 Enterprise, Pro for Workstation, and Education editions. The following are the updates that can be managed and controlled through WUfB.

  • Feature updates
  • Quality updates
  • Driver updates
  • Microsoft product updates
  • Firmware Updates (coming soon)

Read More: Windows Update for Business (WUfB) Policy configuration (server-side) guide using Intune.


4 Pillars of Modern Patch Deployment with WUfB

As mentioned in the first few paragraphs of this post, let’s check the 4 Pillars of Modern Patch Deployment with WUfB, using the following schema where Microsoft explains the very high-level workflow of WUfB-based patch deployment.

As per the below schema shared by Microsoft, Windows Update for Business Deployment service is the bridge between Windows Update and MDM (a.k.a server-side solution to configure the policies). The following are the 4 pillars of this WUfB workflow.

  1. MDM (any policy configuration tool such as Intune). It can be Group Policy or SCCM as well.
  2. Windows Update for Business (WUfB) Deployment Service – The WUfB cloud component where all the intelligence is in place.
  3. Windows Update cloud service from Microsoft, where all the Update content is stored.
  4. Windows Update Agent (WUA) takes care of patching on Windows 11 or Windows 10 end-user device side.

More Details: Windows Update for Business (WUfB) Deployment Service Background services are explained using Intune Driver Firmware Update Policies scenario.

Figure: Windows Update for Business Deployment Service Schema – Credits to Microsoft

WSUS

Let’s look at how WSUS works with SCCM and other third-party tools to enhance the patching or Software Updates experience for Microsoft and non-Microsoft products.

You have the WSUS server and other management tools such as Microsoft Endpoint Manager Configuration Manager, WSUS standalone console, or any third-party tool to manage and control patching behavior.

We can’t say Windows Update for Business (WUfB) Deployment Service is the cloud version of WSUS. However, you can think of it that way to better understand the different technologies.


NOTE! – WSUS and SCCM are tightly integrated services for delivering patches or Software Updates, with more granular controls than standalone WSUS or Intune with the WUfB deployment service.

This is the high-level design diagram of Windows patch management using Intune and Configuration Manager.

The following chart is not up to date, but it will give you a quick and dirty overview of Intune Vs. SCCM Patch Management with WUfB.


WSUS Vs. WUfB and Intune Vs SCCM Patching Method Differences

This section gives more details about the differences between WSUS Vs WUfB and Intune Vs SCCM Patching Methods. The following table shows a high-level view of WSUS Vs WUfB and Intune Vs SCCM Patching Method Differences.

Check out the very high-level differences between Windows Updates or Windows patch management using Intune vs. Configuration Manager (a.k.a SCCM).

| Intune / WUfB Deployment Service | SCCM / ConfigMgr / WSUS |
|---|---|
| Windows Update for Business (WUfB) Deployment Service | WSUS |
| Windows Update Service | Windows Update Service |
| Clients Scan against Windows Update service with deployment service | Clients Scan against WSUS (CAB file) |
| Intune talks to WU to provide the Device ID and Target Feature Update | Don’t send any Device ID to Windows Update |
| The client sends Quality Update deferral, OS version, Revision (LCU and optional updates), App compatibility information, and Device ID to Windows Update with deployment service. | The client doesn’t send any information to Windows Update. |
| Safeguards protecting the client device from Windows Updates (Safeguard Holds) | No Safeguards available |
| Client Directly download the content from Windows Update or Peers | Content is downloaded with SCCM DP* |
| Policies are configured | Policies are configured |
| Easy to Use & Setup | More Granularity |
| Uninstall Options – Software Update | No Out of Box Solution |
| Pause Options – Software Update | No Out of Box Solution |
| Can’t select & Deploy Individual KBs | Individual KB selection option is there |
| Settings – Windows Update | Software Center |
| No support for Server Operating Systems | Fully supported for Server operating systems |
WSUS Vs WUfB and Intune Vs SCCM Patching Method Differences 1

*You can also get the software update content from the internet if you configure SCCM to do that.

The following WSUS Vs WUfB schema diagram is a sample one, and it is not 100% accurate (I used this as part of the YouTube video embedded below).

I also have to admit that I have not used the correct terminologies in this diagram (this is to give a very high-level idea). However, I think you will get the difference between WSUS Vs WUfB and Intune Vs SCCM Patching Methods.


WSUS SCCM Patching Process

The WSUS server syncs with Microsoft’s endpoint and gets the updates for the products and categories it is configured to obtain. The metadata of all these updates is stored in WSUS and is later downloaded using the SCCM update process.

SCCM will tell the WSUS server which updates are approved for each device. The client will download the content approved by the admin in this scenario and try to install those updates.

The following are the high-level prerequisites that should be in place before you start creating the Software Update Patch Package using SCCM.

More details – How To Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr HTMD Blog (anoopcnair.com)


Intune WUfB Patching Experience

The first difference between WSUS and WUfB is the client scanning process. In Windows Update for Business (aka WUfB) deployment service scenario, the clients scan against Windows Update in the cloud. However, in the WSUS scenario, all the clients scan against the updates available in WSUS (CAB file).

Management tools like Endpoint Manager Intune help configure the Windows Update policies on Windows 10 or Windows 11 client devices.

Endpoint Manager Intune talks to WU to provide the Device ID and Target Feature Update to which the device should be targeted.

The client sends details like Quality Update deferral, OS version, Revision (LCU and optional updates), App compatibility information, and Device ID to Windows Update in the cloud. This client then gets the Safeguards that protect it from Windows Updates.

The Safeguard Holds are applicable only for Windows Update for Business (WUfB). They are the built-in protection you get from using the cloud with WUfB.
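The scan-source difference described above can be checked on a client. The following PowerShell is an added example, not code from the original post; it assumes Group Policy/ConfigMgr settings are under `Policies\Microsoft\Windows\WindowsUpdate` and that Intune (MDM) Update policies surface under `PolicyManager\current\device\Update` with the same deferral value names.

```powershell
# Added example: report which update service this Windows client scans against.
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'        # GPO / ConfigMgr
$mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # MDM (assumed location)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
}

# WSUS scan source: UseWUServer = 1 together with a WUServer URL.
$useWsus    = Get-PolicyValue "$gpo\AU" 'UseWUServer'
$wuServer   = Get-PolicyValue $gpo 'WUServer'
$wsusPolicy = ($useWsus -eq 1) -and $wuServer

# WUfB deferral settings, taken from whichever policy channel defines them first.
$wufb = [ordered]@{}
foreach ($name in 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays') {
    foreach ($path in $gpo, $mdm) {
        $value = Get-PolicyValue $path $name
        if ($null -ne $value -and -not $wufb.Contains($name)) { $wufb[$name] = $value }
    }
}

# Ask the Windows Update Agent which registered service is its default for automatic updates.
$wsusId  = '3da21691-e39d-4da6-8a4b-b43877bcb1b7'   # well-known WSUS service ID
$default = (New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Where-Object { $_.IsDefaultAUService }

$source = if ($wsusPolicy -and $wufb.Count) {
    'Both WSUS and WUfB deferral policies are configured'
} elseif ($wsusPolicy) {
    "WSUS ($wuServer)"
} elseif ($wufb.Count) {
    'Windows Update with WUfB deferral policies'
} else {
    'Windows Update (no update policy found)'
}

[pscustomobject]@{
    ScanSource       = $source
    DefaultAUService = $default.Name
    DefaultIsWsus    = ($default.ServiceID -eq $wsusId)
    WUfBDeferrals    = ($wufb.GetEnumerator() |
        ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
}
```

A client reporting both WSUS and WUfB deferral policies is worth reviewing, since it is then unclear from policy alone which source each class of update is scanned from.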


Offering Logic of Updates Highest Rank Update for Windows Update Server

Let’s look at the Offering Logic of Updates: which Windows update is provided to the client as the first update? The WU server looks at the highest-ranked update left and shows that to the device.

Feature updates always rank higher than quality updates. How recently an update was released is another ranking criterion.

  • Most Recently Released Feature Updates
    • Feature Updates
  • Most Recently Released Quality Updates
    • Quality Updates
  • ??

End-User Experience

There are certain differences in End-user experience in Windows patch management using Intune Vs SCCM (and WUfB Vs WSUS). The main difference is:

  • Intune Patch Management (WUfB) – Uses Default Windows 10 framework to show the patch details.
    • Settings – Update & Security – Windows Update.
    • Enhanced Notification with company logo options is also coming soon for WUfB deployment services.
  • SCCM Patch Management – Uses Software Center to show which patches are deployed to the devices.

Video Recording WSUS Vs WUfB Patching Methods

WSUS Vs WUfB and Intune Vs SCCM Patching Method Differences

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

11 thoughts on “Intune Vs SCCM and WSUS Vs WUfB Patching Method Differences”

  1. Thx for the info…we have done the setup and on our test devices (20), only half of them get the update really quick…the rest stay in offered state and/or scheduled. Reporting does not have that much info about why a feature update is not installed. Any recommendations? We are upgrading 1809->21h2

  2. From an enterprise point of view, SCCM/MECM is still the superior way to go for any managed patching scenarios with a decent admin.

    I get that the WUfB is less administratively engaging, but you can’t compare a less managed service to a fully managed service if it is only for ‘ease of use’.

    If MS is really going down the less managed path, then they should just own it and have a ‘Standard’ monthly maintenance window for workstations that is carved in granite. Of course, that would just allow idiot hackers and malware a-holes to also schedule events around those times.

    Servers still need to be managed in groups with reboots managed for scheduled maintenance windows.
    To sum this up, patching is a complex/engaging effort that should not be marginalized with ‘ease of use’.

  3. I’m using Microsoft Endpoint Configuration Manager.

    Should I be using WUfB policies, Service Plans, or both?

    At the moment I don’t understand the difference, both only list feature updates to deploy, but the test computers collection did update to the latest build (eventually).

    I currently have both deployed to the test collection which seems redundant. Can you give me any pointers, please?

    -Martin

  4. Looks like Microsoft is abandoning on-prem server patching UNLESS you want to rope them into your SCCM/Intune environment, and oh heck no!!
