Intune and WSUS: Update Management Functionality

After evaluating the update management features in the Windows Intune beta, some of you will be curious to know how Windows Intune’s update management feature compares with the Windows Server Update Services (WSUS) solution.

The short answer is that Windows Intune’s update workload essentially replaces WSUS for all your Microsoft update distribution needs. Just like WSUS, Windows Intune lets you to centrally manage the deployment of Microsoft updates and service packs to all your PCs.

Windows Intune works over the cloud like Windows Update (WU) and Microsoft Update (MU), but you don’t need on-site infrastructure. Updates are delivered directly to any of your managed PCs that have an Internet connection.


There are a lot of similarities in the update management functionality provided by Windows Intune and WSUS. The following core update management tasks are available in both solutions:

Configure server settings

    • Select products and classifications of interest
    • Configure auto-deployment rules

Configure agent policies

    • Scheduled install for clients/test machines
    • Download and notify for servers

Manage Updates

    • Deploy updates for installation to specific target computer groups
    • Check the status of a previously approved update(s)
    • Determine which computers need updates

Resolve Update deployment issues

    • Determine which computers have failed updates
    • Decline an update

Update status summary

    • System wide status of update deployment
    • Update statistics for each group
    • Update status for each computer

Generate update reports


Because Intune is a cloud service, it has some compelling benefits over an on-premise solution such as WSUS.

No need for On-site infrastructure: Intune has no onsite infrastructure requirements while WSUS solution requires on-site infrastructure to be deployed.

This means that unlike WSUS, Windows Intune:

  • Does not need any on-premise infrastructure (e.g. servers, additional software). As a result there are no maintenance costs associated with upgrades, patching, servicing on-premise infrastructure, and you derive cost savings as a result.
  • Allows you to seamlessly do remote management, i.e. view patch status and compliance of all managed PCs whether they are inside or outside of corporate network.
  • Does need to any internet facing server or DMZ to support this scenario.

Some update configuration notes:

  • In WSUS, admins can choose to download update files locally on the server (on-premise) or have managed PCs pick up the files from Microsoft Update (MU). Windows Intune, being a cloud service, only supports the latter.
  • If your company has a caching web-proxy (e.g. SQUID, Microsoft Forefront TMG etc.) you can achieve update file caching benefits for Intune managed PCs.
  • WSUS allows admins to deploy certain driver updates (available from MU) to managed PCs, while Intune does not currently support driver deployment.
  • Also, Intune admin console has a similar layout and terminology usage as WSUS admin and using similar functionality should not require any additional ramp-up. So, transitioning from WSUS to Intune should be very simple and intuitive.

So, for those of you using WSUS for distributing Microsoft updates & service packs, Windows Intune offers a compelling alternative.

In addition, Intune also offers a host of other PC management capabilities such as malware protection, PC inventory, Microsoft volume license management, alerts, and remote assistance…all for a low monthly subscription fee.  The goal of Windows Intune is to provide a solution that lowers the cost and effort of managing your PCs.  We encourage you to sign up for a trial when it becomes available.  To be notified of availability, please visit this site and we’ll advise you when you can sign up.

Written by Bharathan Venkateswaran, Senior Program Manager on the Windows Intune team.

Comments (7)

  1. Damian says:

    One of the main reasons (well the only reason ) for us deploying WSUS was to have a local cache of windows updates. Is there any plan in the future to possibly have Intune manage WSUS or similar, where WSUS would be configured as a down stream replica of Intune? We have sites on very limited bandwidth and downloading 400 copies of the same update inst very appealing.

  2. Hi Damian,

    Thanks for this feedback.  It is one of a large number of features we are exploring for possible inclusion in future releases.  I'll make sure your comments are forwarded on to the engineering team.

  3. It's a nice tool that certainlly improves our network managment; the only detail I think it would be intersting to have on it is … the possibilite to cache updates on a local server.


    Fernando Frontarolli – Brasil

    Suport Analyst

  4. Thanks for your feedback!  We'll take it into consideration.

  5. Kevin says:

    I too would like to see the ability to have an onsite WSUS server and actually came across this page trying to see if Intune and WSUS can be integrated.

  6. Gary says:

    I Agree, until Intune co-insides with WSUS its not really a full solution.

    It would be a huge benifit to have WSUS integration for caching so that on site workstations pull from the cache, and mobile users can pull them down from where they are. thus not munching all our bandwith on multiple downloads. Also means not having to manage 2 applications.

  7. Note what you guys are asking for (on site caching) is in Intune June 2012 release.   Branch cache is used to locally cache updates and software installtations managed by Intune now.  Check it out!

Skip to main content