Microsoft’s SCCM (System Center Configuration Manager) is a paid lifecycle management solution that keeps track of a network’s inventory, assists in application installation, and deploys updates and security patches across a network. Mid- to large-enterprise organizations use SCCM because of its tight integration with Windows-based services and operating systems and its tried-and-true workflows for companies of this size.
SCCM includes a wide range of functions that provide flexibility over how patches are applied, generate system-wide reports, and allow control over any Windows machine in the network from one central console. SCCM provides a suite of endpoint protection tools and, with the correct configuration, can be a full lifecycle management system for IT departments with a high percentage of Windows systems.
What is WSUS in SCCM?
As a standalone offering, WSUS (Windows Server Update Services) is an easy and inexpensive solution for centralized patching, with some device grouping and basic patch approval options. WSUS is a free service provided with a Windows Server license. This service introduces smaller organizations to patching and is limited to Windows-only or Windows-centric shops.
The advantages of WSUS are control and caching. Users have greater control to approve the patches they want in their environment rather than relying solely on Windows Update. WSUS acts like a local file caching server: it connects to the internet to pull the Windows patches you need down to one system in your environment once, and that system can then distribute the patches internally across your network. In this way, WSUS can help organizations manage the bandwidth impact of patching.
SCCM uses Microsoft’s WSUS patching system to check for and install updates, but SCCM offers additional patch management control over when and how patches are applied. SCCM includes many more features that make it an attractive option for large enterprise networks, such as asset inventory, the ability to deploy operating systems or gold images, some third-party application patching, and scripting.
However, Microsoft SCCM can be a bear to deal with, which is why it is a better fit for larger organizations with more mature programs and dedicated resources to manage SCCM implementation and deployment. SCCM presents several challenges for organizations looking for one solution to provide patch management across all devices, operating systems, and third-party applications, so it is important to evaluate the pros and cons of patching with SCCM.
Advantages of SCCM
Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft products. It serves geographically dispersed organizations better than WSUS does. In recent years, SCCM has adapted to the trend of BYOD and employee-provided devices connecting to company networks, and now supports “Bring Your Own Device,” meaning that devices added to a network by individual employees can be controlled via SCCM and flagged if they are not updated.
SCCM is controlled via a relatively simple GUI, which makes it easier to learn and implement than self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft service, it also has good support via community channels and Microsoft itself.
Disadvantages of SCCM
Despite the advantages of being an established Microsoft service, SCCM has some disadvantages that you might or might not expect.
Built for Windows-Dominated Systems
SCCM is built first and foremost for Windows systems, and therefore its functionality and updates are focused around Windows. Microsoft has gotten better about keeping up with upgrade cadences for legacy Windows support. That being said, Microsoft is actually letting operating systems retire and go end of life. This includes both legacy Windows operating systems like Windows 7 and early versions of Windows 10.
Non-Windows systems, including Mac and Linux, can be managed in a limited way through SCCM as end clients; however, the process is a kludge, as SCCM still requires a Windows server to run and the functionality for non-Windows systems is reduced. For mixed-OS environments, patching with SCCM still requires some manual work or an additional purchase from a third-party vendor to extend SCCM functionality to these operating systems, which is a major downside for companies that are already paying a large sum for SCCM.
Limited Ability to Patch Third Party Applications
While SCCM adds more support for third-party applications than WSUS, SCCM’s ability to patch third-party applications is very limited and is the source of much frustration among IT managers.
On Microsoft’s SCCM feedback page, improvements to third-party patching are the top request. This is no surprise: third-party software accounts for up to 76% of vulnerabilities on the average PC, so the difficulty of configuring SCCM to patch third-party applications automatically can put your infrastructure at risk.
High Costs to Acquire and Run SCCM
SCCM is usually sold as part of a larger suite of tools from Microsoft and is prohibitively expensive for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for endpoints and servers. SCCM is also an on-premises solution that requires a SQL Server instance to run, resulting in high ongoing operating costs and resource requirements to maintain.
Organizations need to consider the additional licensing requirements of SCCM as well as, for some, the need to hire personnel specialized in SCCM to maintain and manage the service, adding cost to your payroll. These hidden costs add up, bringing considerably more expense over the years to maintain and manage the infrastructure. The total cost of ownership of WSUS and SCCM can look something like this:
Advantages of Cloud-Based Patch Management
To reduce the total cost of ownership of managing your patching servers, you should consider moving your patch management to the cloud. Some advantages of moving to the cloud are:
- Reduce time spent manually deploying patches: Cloud-based patch management solutions let you reduce the time spent deploying updates through fully automated patching and configuration. Automox customers have reduced the overall time burden of patching by up to 90%.
- Eliminate the need to invest in costly on-prem infrastructure: With cloud-based solutions you are not required to purchase, license, or maintain the patch management infrastructure, meaning you can substantially reduce the total cost to purchase and maintain on-prem hardware and software.
- Come up to speed on tools more quickly: Cloud-native patch management solutions, like Automox, can be simpler to use, reducing the time needed to train employees to become certified in operating the systems.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS and third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control of and share visibility into on-prem, remote, and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you are currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.