What are the differences between WSUS Vs WUfB and Intune Vs SCCM Patching Methods? Let’s find out more details about Windows Patch Management using Intune vs ConfigMgr.
What are the main differences between modern and traditional patching solutions for Microsoft applications and operating systems? Third-party application patching is another beast that you might need to consider.
There are four pillars of patching or Software Updates solutions. Those four (4) pillars are vendors, patching services, management tools that help configure policies, content, etc., and the client components that do the actual work of patching.
I have covered the Windows 11 Software Update Troubleshooting scenarios and some fixes. Windows Update Management solutions with Windows Update for Business (WUfB) and WSUS are also explained in the below sections of this post.
Read More -> Microsoft is planning to release the preview version of WSUS with enhanced features for Windows client operating systems that are not managed by SCCM.
What is Windows Update?
Windows Update is a free service provided by Microsoft for Windows operating systems to download and install Windows software updates over the Internet automatically. Windows Updates covers various updates to make your Windows device secure and safe with the latest features.
Windows Update delivers the latest updates for the Windows 10 and Windows 11 operating systems (security, critical, or emergency updates), along with updates for Microsoft applications such as Defender (antivirus), .NET, etc. It also provides driver and firmware updates.
Three Methods to Manage Windows Updates
The Windows Update service delivers various types of updates to Windows 10 or Windows 11 devices. You have no options (or very limited options) to manage Windows Updates on non-premium editions of Windows 10 or Windows 11, such as the Home edition.
As per Microsoft (Ignite presentation by Aria Carley), there are three primary ways to manage Windows Updates for premium SKUs of Windows 10 and 11. This applies to the WSUS vs WUfB and Intune vs SCCM patching methods discussed here.
- Media
- Windows Server Update Service (WSUS)
- Windows Update for Business
What is Windows Update for Business (WUfB) Deployment Service
The Windows Update for Business deployment service is a cloud service within the WUfB product family. The WUfB deployment service provides control over:
- Approval
- Scheduling
- Safeguarding
WUfB Deployment Service is a free service from Microsoft available to enterprise and education customers to manage and control the delivery and behavior of Windows Update.
This free WUfB deployment service is available for all premium editions, including Windows 10 and Windows 11 Enterprise, Pro for Workstations, and Education. The following update types can be managed and controlled through WUfB.
- Feature updates
- Quality updates
- Driver updates
- Microsoft product updates
- Firmware Updates (coming soon)
Read More – Windows Update for Business (WUfB) Policy configuration (server-side) guide using Intune.
4 Pillars of Modern Patch Deployment with WUfB
As discussed in the first few paragraphs of this post, let’s check the 4 pillars of modern patch deployment with WUfB. The following schema from Microsoft explains the very high-level workflow of WUfB-based patch deployment.
As per the schema shared by Microsoft, the Windows Update for Business deployment service is the bridge between Windows Update and MDM (the server-side solution used to configure the policies). The following are the 4 pillars of this WUfB workflow.
- MDM (any policy configuration tool such as Intune). It can be Group Policy or SCCM as well.
- Windows Update for Business (WUfB) Deployment Service – The WUfB cloud component where all the intelligence is in place.
- Windows Update cloud service from Microsoft, where all the Update content is stored.
- Windows Update Agent (WUA), which takes care of patching on the Windows 10 or Windows 11 end-user device.
WSUS
Let’s look at how WSUS works with SCCM and other third-party tools to enhance the patching or Software Updates experience for Microsoft and non-Microsoft products.
You have the WSUS server and other management tools such as Microsoft Endpoint Manager Configuration Manager, WSUS standalone console, or any third-party tool to manage and control patching behavior.
We can’t say the Windows Update for Business (WUfB) deployment service is the cloud version of WSUS. However, you can think of it that way to better understand the different technologies.
NOTE! – WSUS and SCCM are tightly integrated services for delivering patches or software updates, with more granular controls than standalone WSUS or Intune with the WUfB deployment service.
This is the high-level design diagram of Windows patch management using Intune and Configuration Manager.
The following chart is not up to date, but it will give you a quick and dirty overview of Intune Vs. SCCM Patch Management with WUfB.
WSUS Vs. WUfB and Intune Vs SCCM Patching Method Differences
This section gives more details about the differences between WSUS vs WUfB and Intune vs SCCM patching methods. The following table shows a high-level view of these differences.
Check out the very high-level differences between Windows Updates or Windows patch management using Intune vs. Configuration Manager (a.k.a SCCM).
| Intune + WUfB Deployment Service | SCCM (ConfigMgr) + WSUS |
|---|---|
| Windows Update for Business (WUfB) Deployment Service | WSUS |
| Windows Update Service | Windows Update Service |
| Clients scan against the Windows Update service with the deployment service | Clients scan against WSUS (CAB file) |
| Intune talks to WU to provide the Device ID and target feature update | No Device ID is sent to Windows Update |
| The client sends quality update deferral, OS version, revision (LCU and optional updates), app compatibility information, and Device ID to Windows Update with the deployment service | The client doesn’t send any information to Windows Update |
| Safeguards (safeguard holds) protect the client device from Windows Updates | No safeguards available |
| Clients directly download the content from Windows Update or peers | Content is downloaded from the SCCM DP* |
| Policies are configured | Policies are configured |
| Easy to use and set up | More granularity |
| Uninstall options – software updates | No out-of-box solution |
| Pause options – software updates | No out-of-box solution |
| Can’t select and deploy individual KBs | Individual KB selection is available |
| Settings – Windows Update | Software Center |
| No support for server operating systems | Fully supported for server operating systems |
*You can also get the software update content from the internet if you configure SCCM to do that.
The following WSUS vs WUfB schema diagram is a sample one and is not 100% accurate (I used this as part of the YouTube video embedded below).
I also have to admit that I have not used the correct terminologies in this diagram (it is meant to give a very high-level idea). However, I think you will get the difference between WSUS vs WUfB and Intune vs SCCM patching methods.
WSUS SCCM Patching Process
The WSUS server syncs with Microsoft’s endpoint and gets the updates for the products and categories it is configured to obtain. The metadata of all these updates is stored in WSUS, and the update content is downloaded later using the SCCM software update process.
SCCM tells the WSUS server which updates are approved for each device. In this scenario, the client downloads the content approved by the admin and tries to install those updates.
The following are the high-level prerequisites that should be in place before you start creating the Software Update Patch Package using SCCM.
- ConfigMgr Infrastructure and healthy clients (WUA & SCCM).
- WSUS is installed for SCCM usage.
- SCCM Software Update Point (SUP) is configured and synced with Microsoft Windows Update services.
- Select the appropriate products from the WSUS products list.
- Appropriate access rights to create and deploy the software update patch package.
- Group Policy settings for software updates on Windows clients.
More details – How To Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr HTMD Blog (anoopcnair.com)
Intune WUfB Patching Experience
The first difference between WSUS and WUfB is the client scanning process. In Windows Update for Business (aka WUfB) deployment service scenario, the clients scan against Windows Update in the cloud. However, in the WSUS scenario, all the clients scan against the updates available in WSUS (CAB file).
Management tools like Endpoint Manager Intune help configure the Windows Update policies on Windows 10 or Windows 11 client devices.
Endpoint Manager Intune talks to WU to provide the Device ID and the target feature update the device should be moved to.
The client sends details like the quality update deferral, OS version, revision (LCU and optional updates), app compatibility information, and Device ID to Windows Update in the cloud. In return, the client gets safeguard holds that protect it from Windows updates with known issues.
Safeguard holds apply only to Windows Update for Business (WUfB); they are the built-in protection you get from using the cloud with WUfB.
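The scan-source difference between the WSUS process and the WUfB process above is visible on the device itself, because Group Policy and the SCCM client (which sets the WSUS server as a local policy) write their choice to the Windows Update policy registry values; whether a given Intune Update CSP setting is mirrored to the same key is an assumption to verify on your build. The following PowerShell function is an added example, not code from the original post or from Microsoft: it reads those values (or a hashtable passed in for offline use) and reports whether the device is set up to scan WSUS, Windows Update, or both. The `DisableDualScan` check matters because a WSUS-managed client that also receives WUfB deferral policies will additionally scan Windows Update ("dual scan") unless that policy is set. The server name in the sample hashtable is a constructed placeholder.

```powershell
# Added example (not from the original post or from Microsoft). Reads the Windows
# Update policy values that Group Policy / the SCCM client write and classifies
# the scan source. Pass -PolicyValues to evaluate a constructed set offline.
function Get-WindowsUpdateScanSource {
    [CmdletBinding()]
    param(
        # Optional override for offline evaluation: policy value name -> value.
        [hashtable] $PolicyValues
    )

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPath     = Join-Path $policyPath 'AU'

    if (-not $PolicyValues) {
        # Collect every value under the WindowsUpdate and WindowsUpdate\AU policy keys.
        $PolicyValues = @{}
        foreach ($path in @($policyPath, $auPath)) {
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                foreach ($prop in $item.PSObject.Properties) {
                    # Skip the provider metadata (PSPath, PSParentPath, ...).
                    if ($prop.Name -notlike 'PS*') { $PolicyValues[$prop.Name] = $prop.Value }
                }
            }
        }
    }

    # WSUS is in use only when the AU\UseWUServer flag is set AND a server URL is present.
    $usesWsus = ($PolicyValues['UseWUServer'] -eq 1) -and
                -not [string]::IsNullOrEmpty($PolicyValues['WUServer'])
    $dualScanBlocked = ($PolicyValues['DisableDualScan'] -eq 1)
    # Any WUfB deferral policy on a WSUS client triggers a second scan against Windows Update.
    $hasWufbDeferrals = $PolicyValues.ContainsKey('DeferQualityUpdatesPeriodInDays') -or
                        $PolicyValues.ContainsKey('DeferFeatureUpdatesPeriodInDays')

    $source = if ($usesWsus -and -not $hasWufbDeferrals) { 'WSUS' }
              elseif ($usesWsus -and $dualScanBlocked)    { 'WSUS (dual scan disabled)' }
              elseif ($usesWsus)                          { 'WSUS + Windows Update (dual scan)' }
              else                                        { 'Windows Update (WUfB)' }

    [pscustomobject]@{
        ScanSource             = $source
        WsusServer             = $PolicyValues['WUServer']
        DualScanDisabled       = $dualScanBlocked
        QualityDeferralDays    = $PolicyValues['DeferQualityUpdatesPeriodInDays']
        FeatureDeferralDays    = $PolicyValues['DeferFeatureUpdatesPeriodInDays']
        QualityUpdatesPausedAt = $PolicyValues['PauseQualityUpdatesStartTime']
        FeatureUpdatesPausedAt = $PolicyValues['PauseFeatureUpdatesStartTime']
        TargetReleaseVersion   = $PolicyValues['TargetReleaseVersionInfo']
    }
}

# Live check on the current device (run in an elevated PowerShell session).
Get-WindowsUpdateScanSource | Format-List

# Constructed sample: an SCCM/WSUS client that also received a WUfB quality
# deferral but no DisableDualScan -> reported as 'WSUS + Windows Update (dual scan)'.
Get-WindowsUpdateScanSource -PolicyValues @{
    WUServer                        = 'http://sup01.contoso.example:8530'   # placeholder SUP
    UseWUServer                     = 1
    DeferQualityUpdatesPeriodInDays = 7
} | Format-List
```

The `ScanSource` field maps directly onto the table above: `WSUS` means the client scans the WSUS CAB catalogue and sends nothing to Windows Update, `Windows Update (WUfB)` means it scans the cloud and sends its Device ID and deferral details, and the `dual scan` result is the mixed state to watch for on SCCM-managed devices, since it can pull feature updates the SCCM admin never approved.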
- Intune Monthly Patching Guide Software Update Patching Options with Intune WUfB
- Windows 11 Monthly Patch Deployment using Intune
- Upgrade to Windows 11 using Intune Feature Update Deployment Policy
Offering Logic of Updates: Highest-Ranked Update from the Windows Update Server
Let’s look at the offering logic of updates, i.e., which Windows update is provided to the client first. The WU server looks at the highest-ranked update remaining and offers that to the device.
Feature updates always rank higher than quality updates. Within a type, the more recently released update is the other ranking criterion.
- Most Recently Released Feature Updates
- Feature Updates
- Most Recently Released Quality Updates
- Quality Updates
- ??
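To make the ranking concrete, here is an added PowerShell model of the offering logic described above. It is not Microsoft’s implementation and not code from the original post; it applies the two rules the post lists (feature updates outrank quality updates, newer release wins within a type) and adds the two WUfB controls the post discusses, deferral periods and safeguard holds. The update ids and release dates in the sample catalogue are constructed for the example, and the unspecified lowest tier ("??") in the list is not modelled.

```powershell
# Added example (model only, not Microsoft's implementation): pick the update the
# WU server would offer next, given the ranking rules plus WUfB deferral and
# safeguard-hold filters. Candidate objects need Id, Type ('Feature'|'Quality')
# and Released (datetime).
function Select-NextOfferedUpdate {
    param(
        [Parameter(Mandatory)] [object[]] $Candidates,
        [int]      $FeatureDeferralDays = 0,     # DeferFeatureUpdatesPeriodInDays equivalent
        [int]      $QualityDeferralDays = 0,     # DeferQualityUpdatesPeriodInDays equivalent
        [string[]] $SafeguardHeldIds    = @(),   # updates WU withholds from this device
        [string[]] $InstalledIds        = @(),   # already installed, never re-offered
        [datetime] $Now                 = (Get-Date)
    )

    $eligible = foreach ($u in $Candidates) {
        if ($InstalledIds -contains $u.Id)     { continue }  # already on the device
        if ($SafeguardHeldIds -contains $u.Id) { continue }  # held back by a safeguard hold
        $deferral = if ($u.Type -eq 'Feature') { $FeatureDeferralDays } else { $QualityDeferralDays }
        if ($u.Released.AddDays($deferral) -gt $Now) { continue }  # still inside the deferral window
        $u
    }

    # Rank: feature before quality, then most recently released first; offer the top one.
    $eligible |
        Sort-Object -Property @{ Expression = { if ($_.Type -eq 'Feature') { 0 } else { 1 } } },
                              @{ Expression = 'Released'; Descending = $true } |
        Select-Object -First 1
}

# Constructed sample catalogue (ids and dates are made up for this example).
$now = Get-Date '2022-05-10'
$catalogue = @(
    [pscustomobject]@{ Id = 'FU-2021-11'; Type = 'Feature'; Released = Get-Date '2021-11-16' }
    [pscustomobject]@{ Id = 'FU-2022-05'; Type = 'Feature'; Released = Get-Date '2022-05-03' }
    [pscustomobject]@{ Id = 'QU-2022-04'; Type = 'Quality'; Released = Get-Date '2022-04-12' }
    [pscustomobject]@{ Id = 'QU-2022-05'; Type = 'Quality'; Released = Get-Date '2022-05-10' }
)

# No deferrals, no holds: the newest feature update (FU-2022-05) is offered.
Select-NextOfferedUpdate -Candidates $catalogue -Now $now

# A 30-day feature deferral keeps FU-2022-05 out of the window; FU-2021-11 is offered instead.
Select-NextOfferedUpdate -Candidates $catalogue -FeatureDeferralDays 30 -Now $now

# FU-2021-11 installed and FU-2022-05 under a safeguard hold: the newest quality update wins.
Select-NextOfferedUpdate -Candidates $catalogue -InstalledIds 'FU-2021-11' -SafeguardHeldIds 'FU-2022-05' -Now $now
```

The three calls show why the Intune/WUfB column of the table emphasises deferral, pause and safeguard holds: they do not change the ranking, they only remove candidates from it, so a device that appears "stuck" on an older build is usually one where every higher-ranked update has been filtered out by one of these controls.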
End-User Experience
There are certain differences in end-user experience between Windows patch management using Intune vs SCCM (and WUfB vs WSUS). The main differences are:
- Intune patch management (WUfB) – uses the default Windows 10 framework (Settings – Update & Security – Windows Update) to show the patch details.
- Enhanced notifications with company logo options are also coming soon for the WUfB deployment service.
- SCCM patch management – uses Software Center to show which patches are deployed to the devices.
Video Recording WSUS Vs WUfB Patching Methods
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Very informative.
Nice article
Thx for the info… we have done the setup, and on our test devices (20), only half of them get the update really quickly… the rest stay in the offered and/or scheduled state. Reporting does not have that much info about why a feature update is not installed. Any recommendations? We are upgrading 1809->21h2
I think the best method most folks use is the reporting features such as Update Compliance to track and fix if there are any safeguard or other issues. More details – https://www.anoopcnair.com/configure-update-compliance-using-intune-patch/
From an enterprise point of view, SCCM/MECM is still the superior way to go for any managed patching scenarios with a decent admin.
I get that the WUfB is less administratively engaging, but you can’t compare a less managed service to a fully managed service if it is only for ‘ease of use’.
If MS is really going down the less managed path, then they should just own it and have a ‘Standard’ monthly maintenance window for workstations that is carved in granite. Of course, that would just allow idiot hackers and malware a-holes to also schedule events around those times.
Servers still need to be managed in groups with reboots managed for scheduled maintenance windows.
To sum this up, patching is a complex/engaging effort that should not be marginalized with ‘ease of use’.
Great Summary. Server patching is another point I have to add to the table.
How about the recently announced autopatch?
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopatch-faq/ba-p/3272081
You should add a section for Windows Autopatch.
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839
I’m using Microsoft Endpoint Configuration Manager.
Should I be using WUfB policies, Service Plans, or both?
At the moment I don’t understand the difference; both only list feature updates to deploy, but the test computers collection did update to the latest build (eventually).
I currently have both deployed to the test collection which seems redundant. Can you give me any pointers, please?
-Martin
You are fabulous …
Looks like Microsoft is abandoning on-prem server patching UNLESS you want to rope them into your SCCM/Intune environment, and oh heck no!!