Should we move to SCCM 2012 (from WSUS)

  • Question

  • A little bit of background first...

    I am still in my first month at my new company. They are centrally located (no WANs to deal with - thank God!), have about 200 Windows servers, and are using Active Directory 2008 R2. They currently have WSUS v3.2 and no SCCM presence. Patching responsibilities between computers and servers are pretty well separated between the desktop group and my group (server group). The server team uses WSUS, and the desktop team uses LANdesk. From my understanding, LANdesk and SCCM are competitors. Right now, the two boundaries do not overlap.

    They are considering moving to SCCM 2012 and want me to look into it since I have some experience with it at my last job. I did not install it but I did use it somewhat heavily. We had remote locations, slow WANs, desktops, and more servers to deal with.

    With a much simpler landscape (only 200 clients), I am wondering if SCCM 2012 might be overkill?

    Concerns/Questions:

    • What real benefits would we gain in moving to SCCM with only 200 clients?
    • SCCM is massive, intricate, and loves to be the center of attention - will it be difficult to keep its scope narrowed down to just 200 servers? (I have no idea how many desktops there are; we also have over 1000 Unix servers that will not be included in the scope)
    • Can I implement/test SCCM patching (via WSUS) in an environment where WSUS is present separately?
    • I would like to add that they do have SCOM 2007 and they are in the middle of moving to SCOM 2012 - how does SCOM 2012 integrate with SCCM 2012?
    • Should we just upgrade to WSUS 4.0 and nix the idea of implementing SCCM 2012?

    Thank you in advance!

    -Adam

    Tuesday, November 5, 2013 3:44 PM

Answers

  • If you are only looking at using it for servers, you can help keep the scope at the servers by only discovering the server OU/containers.

    You can use SCCM patching on test machines alongside WSUS just fine.  You will just have to put your test machines in an OU that does not have the WSUS GPO applied to it.  You will want WUA to be pointed at the SCCM server.  Then, apply your SUG to a collection with those test computers in it.

    Not much integration between SCOM and SCCM other than when you deploy something to the servers, you can put the SCOM agent into Maintenance Mode.

    I much prefer SCCM patching over the WSUS console and the approval process.

    Why 2 separate patching environments?  You can use SCCM for both servers and workstations and use scopes to keep the server and workstation environments and admins separate.


    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx


    • Edited by Mike H Leach Tuesday, November 5, 2013 6:00 PM
    • Marked as answer by atom_acres Tuesday, November 5, 2013 6:26 PM
    Tuesday, November 5, 2013 6:00 PM

All replies

  • Thank you!

    I agree and would prefer to not have 2 separate environments but the lines were drawn before my time - might be an option later down the road after I get settled.

    We are not using a GPO for the WUA settings; they are applied directly to the registry. I assume we just blow those settings away then I am free to use that machine for testing in SCCM? Still might be a good idea to separate them out into a test OU as well.

    I was concerned that SCCM was overkill and might overcomplicate things in such a small environment/scope, but it sounds like it will give us more options than WSUS.

    I assume just a primary server will do us just fine?

    Tuesday, November 5, 2013 6:12 PM
  • GPO is just registry settings.  So, if they are going to point clients at WSUS, they should be using a GPO.  They are doing the GPO's work manually.  Just a suggestion.

    Yes, a single primary.  With only 200 clients, you may be able to get by without even having a separate DP depending on the resources on your primary server.


    Mike Leach | http://blogs.catapultsystems.com/mleach/default.aspx

    Tuesday, November 5, 2013 6:17 PM
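
The registry point raised in the last replies (WUA settings applied by hand rather than by GPO), as an added example that is not part of the original thread: a PowerShell check, run locally on a test server, that reads the standard Windows Update policy values and reports whether WUA points at the expected server. The URL `http://cm01.example.local:8530` and the helper `Get-RegValue` are assumptions made for illustration.

```powershell
# Added example: report where the Windows Update Agent (WUA) on this machine points.
# $ExpectedServer is a constructed placeholder; pass your own SCCM software
# update point URL instead.
param(
    [string]$ExpectedServer = 'http://cm01.example.local:8530'
)

# Policy locations used by both a WSUS GPO and hand-applied registry settings.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-RegValue $wuKey 'WUServer'
$statusServer = Get-RegValue $wuKey 'WUStatusServer'
$useWuServer  = Get-RegValue $auKey 'UseWUServer'

# Classify the configuration so leftover WSUS settings stand out.
$state = if (-not $wuServer) {
    'NoPolicy: no intranet update server is configured'
} elseif ($useWuServer -ne 1) {
    'Ignored: WUServer is set but UseWUServer is not 1'
} elseif ($wuServer.TrimEnd('/') -ieq $ExpectedServer.TrimEnd('/')) {
    'OK: WUA points at the expected server'
} else {
    'Mismatch: WUA points at a different server (leftover WSUS setting?)'
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = $wuServer
    WUStatusServer = $statusServer
    UseWUServer    = $useWuServer
    State          = $state
}
```

A `Mismatch` result on a machine that has been moved to the test OU means the hand-applied WSUS values are still in place and the server will keep scanning against the old WSUS server.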