Otto  background

On-Prem SCCM & WSUS Patch Management Solutions - What Is the True Cost Burden?

Many organizations are caught unaware of the actual cost of their software and solutions. Oftentimes, the sticker price of the software is the assumed cost, but low and behold you get home with your oil-leaking British software to find a host of hidden maintenance costs. Let’s look at Microsoft System Center Configuration Manager and WSUS, for example.

What is SCCM Microsoft patch management?

SCCM, as it is more commonly called, is a complex systems management solution that is often mistaken as free to use due to its inclusion in most enterprise Microsoft license bundles and Enterprise Agreements.

Microsoft’s SCCM is a lifecycle management solution from Microsoft that keeps track of network inventory, assists in application installation, and deploys updates and security patches across a network.

SCCM uses Microsoft’s WSUS patching system as a content caching and distribution tool. WSUS downloads updates from Windows Update, then distributes them to managed endpoints after admin approval, policies in SCCM may help to automated the distribution of patches after admin approval.

However, if you break down the total cost of your “free” SCCM deployment, it quickly shows that SCCM is anything but free – and given WSUS’s clunky nature (more on that in a bit) it’s not entirely effective, either.

SCCM can cost anywhere from $1M over three years for a typical 5,000 endpoint deployment and up to $14M a year for 200,000 endpoints according to IBM. This greatly outweighs the initial cost of an SCCM license, which costs $1,323 or is even included in Microsoft Software Assurance licensing. Where does this additional cost come from?

Microsoft SCCM patch management - hidden costs

There are three main areas where hidden costs arise with SCCM patch management: hardware costs, software costs, and operational costs.

SCCM Patch Management Cost Burden

Hardware costs can include servers, storage space, network infrastructure, data backup, and hardware redundancy. Naturally, if you are using an on-premise solution like SCCM, you will bear the burden of deploying and maintaining the physical servers  (and even virtual servers in Azure) on which it will run. You can’t run a legacy software solution without good old iron to run it on, of course. A typical deployment will require at least one central management server as well as a server at each physical site to distribute patches.

The second major area is software costs. Once you rack your pile of gear, it’s time to get your operating systems, databases, management, performance, reliability, and security software deployed. Each of those components carries its own extra costs. Costs can quickly top $200 per endpoint over three years, even with ideal conditions.

Finally, once you get your hardware and software squared away, it’s time to get busy actually putting it all together and running it. This comes with a host of new costs. Operational costs can quickly become the single largest line item in the TCO for an on-premise SCCM solution. You will need to consider the cost to design the system, deployment, testing, hardware maintenance, software maintenance, rack space, heating, and cooling costs just to maintain the infrastructure needed for your SCCM deployment.

And then, of course, there are the costs and clunkiness associated with Microsoft’s WSUS patching system, WSUS.

WSUS: Clunky and ill-suited to meet today's ITOps needs

WSUS struggles to manage modern working practices, such as working from home. Endpoint management from WSUS is rudimentary at best, and requires a connection to an organization’s network from inside the firewall or a VPN. These limitations are both inefficient and time-consuming.

Finally, WSUS is simply clunky. It’s difficult to set up and properly configure, with multiple system requirements and well-known issues like failing to sync to certain machines. It suffers from update issues, which is not only a hassle but introduces serious vulnerabilities. Lack of reporting and very limited infrastructure visibility make it hard to see and understand what’s been patched, which also opens up vulnerabilities as well as presents compliance challenges.

These drawbacks not only make WSUS an inadequate choice for modern cyber hygiene and patch management, but they also negate its value as a “free” tool. The real costs of WSUS include:

WSUS hardware

Servers, storage space, network infrastructure, data backup, hardware redundancy, and more all add up with an on-premise solution like WSUS.

WSUS software

Software costs for WSUS, including operating systems, databases, management, performance, reliability, VPNs, and security software — including patch management for the OSs and third-party applications WSUS can’t handle — add up fast too. Costs can top $200 per endpoint over three years, which gets expensive quickly in today’s landscape. Microsoft Client Access Licenses (CALs), another not-so-hidden cost in the Microsoft ecosystem, go in this category too and can add thousands of dollars per year.

WSUS Operational Costs

Operational costs are the biggest bucket of add-on WSUS expenses. As an outdated tool that is ill-suited to IT’s current complexities, WSUS requires a tremendous amount of time and manpower to run. Operating costs run the gamut from maintenance and configuration of the on-premise platform to the time required to set up and run other patch management solutions for unsupported systems to troubleshooting the root cause of the tool’s frequent issues — and they can quickly spiral out of control.

In fact, a report from the Sedulo Group (TCO Study of WSUS and SCCM) found that the total cost of ownership for WSUS over five years was $6,658,441.60, a full 50% more expensive than cloud-native IT operations from Automox.

Are SCCM and WSUS built for today’s diverse infrastructure? Nope.

Modern infrastructure is diverse and complex. While SCCM handles non-Windows operating systems marginally better than WSUS, it still requires a Windows server to run and functionality for non-Windows systems is dramatically reduced. Same story for third-party applications: SCCM works better than WSUS, but third-party patching is still very limited and manual. That means organizations must further invest in additional patching solutions to meet all of their requirements.
Where do the extra costs come from? Once again, hardware, software, and most of all, operational costs. System design, deployment, testing, hardware maintenance, software maintenance, rack space, heating, and cooling all play a role in the cost burden of SCCM.

WSUS and SCCM may have made sense ten or fifteen years ago, but the days of mostly-Windows infrastructure and limited endpoints are behind us. Organizations today need efficient, sophisticated, easy-to-use IT operations tools that not only fully protect the business, but cost less too. Cloud-native tools reduce your total cost of ownership by slashing labor costs as well as on-prem requirements. They also deliver greater operational efficiency. With Automox, you dramatically reduce corporate risk to deliver best-in-class security outcomes, faster and with fewer resources.

How cloud-based patch management helps

You can take the sass out of your patch management budget with a SaaS solution.

Automox reduces your total cost of ownership with our cloud-native, easy-to-use patch management and endpoint hardening platform. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.


Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic

loading...