Three Different Microsoft Reps, Three Different Answers
Configuration Manager rep: "Keep using SCCM for everything, including Azure."
Azure architect: "Use Azure Update Manager, it's cloud-native and free."
Modern Management rep: "Migrate to Intune. SCCM is legacy."
The Actual Answer
You need all of them. Here's why.
What Each Tool Actually Does
SCCM (Configuration Manager)
Best for: On-prem servers, complex patch orchestration
Use when:
- Managing 500+ on-prem Windows servers
- Need staged deployments with approval workflows
- Require detailed compliance reporting for audits
- Have existing SCCM infrastructure
Don't use for:
- Cloud-only VMs (expensive licensing)
- Simple patch-and-reboot scenarios
- Mobile devices
WSUS
Best for: Simple on-prem patching, tight budgets
Use when:
- Small environment (<100 servers)
- No budget for SCCM
- Just need "apply patches monthly"
- Windows updates only (no 3rd party apps)
Don't use for:
- Anything requiring reporting
- Azure VMs (why manage another server?)
- macOS or Linux
Azure Update Manager
Best for: Azure VMs, hybrid Windows + Linux
Use when:
- Patching Azure VMs (Windows or Linux)
- Want cloud-native management
- Need automatic patching schedules
- No SCCM infrastructure in Azure
Don't use for:
- On-prem servers (requires Arc)
- 3rd party app updates
- Complex orchestration workflows
Intune
Best for: Endpoints (laptops, tablets, phones)
Use when:
- Managing user devices
- Remote/hybrid workforce
- Modern cloud-native management
- Windows 10/11 endpoints
Don't use for:
- Servers
- Legacy Windows Server 2012/2016
- Complex patch orchestration
The Decision Matrix
| Workload Type | Tool | Why |
|---|---|---|
| On-prem servers | SCCM or WSUS | Network access, existing infra |
| Azure Windows VMs | Azure Update Manager | Cloud-native, no agent install |
| Azure Linux VMs | Azure Update Manager | Only option for Azure Linux |
| Hybrid Arc servers | Azure Update Manager + Arc | Unified management |
| User laptops/desktops | Intune | Modern management |
| Legacy endpoints | SCCM | Still need complex deployments |
Real-World Example: Our 850-VM Environment
What we use:
SCCM
- 300 on-prem Windows servers
- Why: Existing infrastructure, complex approval workflows for production
Azure Update Manager
- 400 Azure Windows VMs
- 150 Azure Linux VMs
- Why: Cloud-native, no SCCM licensing cost in Azure
Intune
- 1,200 user endpoints
- Why: Modern management, remote workforce
WSUS
- Nothing (deprecated for us)
- Why: SCCM replaced it years ago
Migration Timeline
Don't migrate everything at once. Do it by workload:
Year 1
- Keep SCCM for on-prem servers
- Deploy Azure Update Manager for Azure VMs
- Pilot Intune for 10% of endpoints
Year 2
- Scale Intune to 100% of endpoints
- Migrate hybrid servers to Arc + Update Manager
- Keep SCCM for legacy servers only
Year 3
- Retire SCCM as on-prem servers migrate to Azure
- Full Azure Update Manager + Intune environment
The Cost Comparison
SCCM:
- $100-$200 per server/year (licensing)
- Plus: Infrastructure costs (servers, SQL, management)
WSUS:
- Free (Windows Server license includes it)
- But: Manual effort, limited reporting
Azure Update Manager:
- Free (included with Azure VMs)
- Pay for Arc agent if managing on-prem ($5/server/month)
Intune:
- $6-$8 per user/month (part of M365 bundles)
- Cloud service, no infrastructure
Common Mistakes
❌ Mistake #1: "We'll use Intune for servers"
No. Intune is for endpoints, not servers. Use Azure Update Manager.
❌ Mistake #2: "We'll keep SCCM in Azure"
Expensive. SCCM licensing in Azure costs more than the VMs themselves. Use Update Manager.
❌ Mistake #3: "We'll migrate everything to Intune"
Won't work. SCCM has orchestration capabilities Intune doesn't.
Full Guide
Complete decision matrix, migration timeline, and cost calculator:
👉 SCCM vs Update Manager Complete Guide
Patching Azure VMs? Azure Update Manager. Patching on-prem? SCCM or WSUS. Patching laptops? Intune. Use the right tool for each workload.
Top comments (0)