The Microsoft Windows Security Blog recently made it clear that WannaCrypt ransomware was leaving systems vulnerable to infiltration because of poor patch management. Despite this often-repeated truth, far too many organizations are still leaving vulnerabilities that fall short of preventing malware.

Managing patch updates doesn’t have to be complicated for an enterprise or for an SMB. However, many become confused when making the choice between WSUS (Windows Server Update Service) and Microsoft’s SCCM (System Center Configuration Manager). In order to help make an informed decision, here is a broad comparison of the two solutions and what each brings to the table.

The Bigger Picture of WSUS and SCCM

Windows Server Update Service (WSUS) provides a central management point for Microsoft Update that eliminates the need for server connections in order to download patches and hotfix. The WSUS rules engine for distribution and download encompasses parameters such as classification, languages, or products.

In addition to keeping your OS secure, it does not require its own server and it comes at no cost to the user. Its primary drawback—if it can be considered as such—is that it does not patch third-party products, which can be even more vulnerable to malware.

Microsoft’s SCCM (System Center Configuration Manager) is also a centralized application designed to ostensibly provide patch management, but it is also so much more. SCCM provides true end-to-end lifecycle management for Windows desktop with extensive reporting architecture, to understand vulnerabilities while also going beyond OS malicious attacks.

SCCM also provides the ability to tie into AD groups for discipline-based software while also allowing update installation to nearly limitless numbers of machines from a single dashboard.

By adding Orchestrator, admins can do even more with automation.

SCCM also works with BYOD situations by providing data on any users who have not updated their OS. Clearly this is a far more inclusive suite of solutions that is far from overkill for all but the smallest environments that can (potentially) handle patching everything manually. In a breakdown of its capabilities, SCCM provides greater flexibility and control on patching by enabling:

• Central location patch management and RDP (remote desktop protocol) capability that enables login to any machine in your environment, directly from your SCCM console
• Infinite patch deployment choice in terms of machine and patch scheduling
• Like WSUS, SCCM provides compatibility with Microsoft Windows Servers
• Reports are available to show compliance both overall and by machine
• Virtual desktop image updating
• Prevention of third-party apps from opening your network to vulnerabilities
• Third-party product patching capabilities
• SCCM has been around for a long time so there is a huge community with support and management
• Program flaw discovery (such as in Java or Adobe) that can pinpoint the system running the flawed program

Because this blog post is all about preventing malware, the fact that SCCM can also detect executables (such as malware, running software that shouldn’t exist) is a very big deal among many big deals. This positions it as a solution that is of high value to SMBs as well as enterprises.

The Bottom Line on Preventing Malware

Endpoint Protection, which is part of the SCCM software, is the heart of its ability to prevent malware via management of antimalware policies and Windows Firewall security for client computers in your Configuration Manager hierarchy. This also provides a host of other benefits including:

• Malware and spyware detection and remediation
• Rootkit detection and remediation
• Critical vulnerability assessment and automatic definition and engine updates
• Network vulnerability detection through Network Inspection System
• Cloud Protection Service Integration for malware reporting as well as downloading of the latest definitions from the Malware Protection Center upon malware identification on a system computer
• Endpoint Protection client installation capability on a server that runs Hyper-V and on guest virtual machines with supported operating systems
• Integrated randomized delay to prevent simultaneously running protection services that can strain CPU usage

WSUS vs. SCCM: Which is Right for Your Business?

This breakdown shows how SCCM is the far superior solution for preventing malware as part of a robust, agile, and flexible patch management automation system that is crucial to any business with more than a few servers, desktops, and other endpoints. Much has been made of the financial aspects of WSUS being free, but that is because of its being essentially geared to the smallest organizational systems.

WSUS is a wonderful solution for the smallest environments, in which manual patching is reasonable and there is no need for a highly granular deployment scheduler for updates. While SCCM does come at a price, this is because it provides an entire suite of integrated solutions. It also requires a substantial SQL server (and WSUS does not), which also adds to the costs.

What businesses must realize is that with SCCM they are paying for vital flexibility in terms of patch management as well as robust endpoint security for preventing malware. That flexibility extends to the fact that SCCM leverages WSUS for metadata by scanning the WSUS DB for what patches are applicable; communicates this to the SCCM Agent, which in turn uploads the data back to SCCM; and then you can create your patch deployment to match your requirements. Clearly both solutions play their part, but in all but the smallest environments, SCCM is the better choice.