More in the WSUS Cast of Characters - WSUS and MBSA Part 2 of 5
The excerpted text below was taken from Chapter 8 of Creating the Secured Managed Desktop: Using Group Policy, SoftGrid, Microsoft Deployment Toolkit, and Other Management Tools, written by Jeremy Moskowitz and contributed to by Greg Shields. Get your copy on Amazon here, or from Jeremy's web site here.
...continuing from yesterday's discussion on the components that make up patch management...
WSUS (Windows Server Update Services)
Because WU and MU are primarily meant for "individual" users rather than corporate ones, WSUS was implemented as a tool to centralize and localize the download, storage, and assignment of patches. WSUS addresses two major limitations of WU and MU. First, it provides centralized management of the approval and distribution of patches. This means that you, the administrator, choose which patches to deploy and when. Second, it provides a single place on the local network from which patch code is stored and distributed. If every computer on your network attempted to contact Microsoft Update on a regular basis, the resulting network traffic could be a problem. With WSUS, only one computer needs to download patches from locations off the local network. All other computers can then get their update installations from that server using high-speed LAN connections.
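The second benefit above only holds if each client is actually pointed at the local WSUS server instead of Microsoft Update. The following PowerShell check is an added example, not code from the book or from Microsoft: it reads the registry values that the "Specify intranet Microsoft update service location" Group Policy setting writes (WUServer, WUStatusServer and UseWUServer) and reports whether the client is configured to use the expected intranet server. The server URL in $ExpectedServer is a placeholder you would replace with your own.

```powershell
# Added example: verify that this client is configured to use a local WSUS
# server rather than contacting Microsoft Update directly.
# $ExpectedServer is a placeholder assumption; substitute your WSUS URL.
$ExpectedServer = 'https://wsus.corp.example:8531'

# Policy keys written by the "Specify intranet Microsoft update service location" GPO setting
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath     = Join-Path $policyPath 'AU'

function Get-WsusClientConfig {
    # Collect the three values that decide where the client looks for updates
    $cfg = [ordered]@{
        WUServer       = $null   # URL of the intranet update server
        WUStatusServer = $null   # URL the client reports status to
        UseWUServer    = $null   # 1 = use WUServer, otherwise Microsoft Update
    }
    if (Test-Path $policyPath) {
        $p = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
        $cfg.WUServer       = $p.WUServer
        $cfg.WUStatusServer = $p.WUStatusServer
    }
    if (Test-Path $auPath) {
        $au = Get-ItemProperty -Path $auPath -ErrorAction SilentlyContinue
        $cfg.UseWUServer = $au.UseWUServer
    }
    [pscustomobject]$cfg
}

function Test-WsusClientConfig {
    param([Parameter(Mandatory)][string]$Expected)
    $cfg = Get-WsusClientConfig
    $findings = @()

    if ($cfg.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client will contact Microsoft Update directly.'
    }
    if (-not $cfg.WUServer) {
        $findings += 'WUServer is not set: no intranet update server is configured.'
    }
    else {
        if ($cfg.WUServer.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
            $findings += "WUServer is '$($cfg.WUServer)', expected '$Expected'."
        }
        if ($cfg.WUServer -notmatch '^https://') {
            $findings += 'WUServer is not an HTTPS URL; client-to-WSUS traffic is unencrypted.'
        }
    }
    if ($cfg.WUStatusServer -and $cfg.WUStatusServer -ne $cfg.WUServer) {
        $findings += 'WUStatusServer differs from WUServer: status reports go to a different host.'
    }

    [pscustomobject]@{
        Config    = $cfg
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: run on a domain-joined client after Group Policy has applied
$result = Test-WsusClientConfig -Expected $ExpectedServer
$result.Config | Format-List
if ($result.Compliant) {
    'Client is pointed at the expected WSUS server.'
}
else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

Run it with an account that can read HKLM. A clean result means the client will pull approvals and patch binaries from the LAN server the chapter describes; any finding means that machine is still behaving like a stand-alone WU/MU client, which is exactly the traffic and control problem WSUS is meant to remove.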
SCE and SCCM (System Center Essentials and System Center Configuration Manager)
WSUS alone, however, is only a tool for managing Microsoft patch installation. The only code available for installation via a WSUS instance is that which is provisioned through Microsoft. This means that third-party code and patches not distributed by Microsoft aren't available. For cases like these, other tools are necessary. System Center Essentials and System Center Configuration Manager are two very similar tools that allow richer management of individual systems within the IT environment. SCE is designed for smaller environments with fewer than 30 servers and 500 desktops, while SCCM is designed for larger environments. Though these tools both use the WSUS engine for deploying patches and other code, they also augment WSUS's capabilities with the ability to fully manage essentially all system configurations. This includes the ability to deploy third-party applications, drivers, and patches. I include them here as a counterpoint to WSUS's capabilities. If you expect that you'll need to deploy other types of applications, configuration changes, or non-Microsoft patches to your environment, consider implementing one of these two tools instead of WSUS. One important point is that unlike WSUS, neither of these tools is free.
MBSA (The Microsoft Baseline Security Analyzer)
WSUS alone is an excellent tool for managing the composition of installed and not-installed patches on servers and desktops. But securing these machines involves more than simply ensuring their patches are up to date. Elements like password composition, administrative vulnerabilities, and IIS and SQL configurations are all critical to preventing outside entities from exploiting a machine. MBSA goes a step beyond WSUS in that it provides information about the security configuration on targeted machines. We'll talk more about these elements at the end of this chapter.
Tomorrow, we'll discuss the Windows Update Agent and how Microsoft's unification of patch management under a single agent eases moving between patching utilities...
