Hello Mr. Anderson – I bet you are really tired of that joke… We use WSUS along with SMS; we do this for a couple of reasons. The main use is to patch machines immediately after they have been OSD’d or set up from CD. In the building where most of our imaging takes place there is also a private subnet that does not connect to the Internet or the corporate LAN, but our WSUS sits on it as well as the corporate LAN. We use a script to set the WSUS server and force it to check for and install updates. The other reason is number 1 on your list. We are a software development company and I have given up on getting our dev team on SMS; I tried for years and they tell me “Microsoft doesn’t force their developers to have SMS so we won’t use it either.” So we are in the planning stages of forcing their OUs to use WSUS by GP; we currently create a VBS to install the patches and then verify they were installed and send an email with the outcome to a public folder.
I like the hands-off approach of approving updates and distributing them via WSUS. If SCCM went this route I would love it instead of having to update and distribute packages each month, or maybe a choice of how to distribute. The interface is much cleaner and I could easily give others access to the WSUS interface to manage patches. With all the new add-ons for SCCM it will be more difficult to manage all the features, so making the de facto patch management process of SMS/SCCM as simple and easy to manage as possible will get me more time to implement great features like NAP, ZTI, etc.
The Anderson's Blog!
SMS and WSUS - better together??
Hey - we've been seeing a few customers using both WSUS and SMS in the same enterprise. Now, don't get me wrong - I sleep better knowing that your Windows systems are up to date, and I guess as a stock holder I don't mind you buying a few extra Windows Servers, but I also don't want you to tell us that Windows is expensive to manage because you're using a bunch of mgmt tools when 1 may solve all your needs. I'm really curious as to the different reasons you may do this. Here are some to stimulate your comments back:
1. Political - you have some groups that have ownership of certain systems that you don't have permissions to centrally manage through SMS, so they're using WSUS instead so they maintain control.
2. Device types - maybe you use SMS for your servers as it gives you greater control, and WSUS for desktops. Or, maybe you use WSUS for your servers because you need the additional content (Exchange updates, etc) and really only patch them, and SMS for your desktops where you need full asset mgmt, sw dist, and OS deployment. Would love to know if there are device types you prefer managing with WSUS over SMS, and why.
3. Features - There are a few things WSUS does that SMS does not. Byte-level diff'ing on patch downloads, full content from MS Update, and better integrated rollback on certain updates. Is this the reason?
4. Simplicity - is it that you have SMS up/running for inventory/sw dist, but WSUS was so darned easy to deploy and use for patching that you went that direction?
5. Redundancy - maybe you want 2 tools to provide redundancy in case one fails.
6. Other. Once again Anderson, you've missed the mark!
Please - post comments on this. We are not competing with WSUS in any way. In fact, we're doing even more to integrate with it in SCCM 07. But, we want to make sure we're providing the lowest cost solution to manage Windows to our customers, so want to make sure we minimize any redundant tools and infrastructure you may need.
Thanks as always!
Bill Anderson
Lead Program Manager - SCCM
Microsoft Corporation