Automated Operating System Patch Management Tools

I am looking into CIS/SANS top 20 security controls, which recommend enterprises "Deploy Automated Operating System Patch Management Tools" (and likewise for applications). When you push out updates via system center/WSUS, what exactly needs to be on the end user devices (workstation/server) to receive the updates? Do specific patch management tools need installing on the machines, if so can detailed be provided? I appreciate such tools may be required for non Microsoft OS and software, but had never heard of such a tool required when WSUS/SCCM is pushing out the updates.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
SCCM/WSUS technically doesn't push updates.  It uses a database that the native windows update client on the workstation already knows how to read and understand.  But instead of talking to a Microsoft server, it talks to your WSUS server and "pulls" approved updates.  So no extra agent is required because it uses the built-in windows update technology.  Other 3rd party management solutions may require an agent to do their job.  That's a situation you'd want to research with any product you are considering.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
With WSUS, nothing needs to be installed. The internal update service will be pointed to your company's wsus, that's all. That is done via GPOs.
Giridhara Raam MDigital Marketing SpecialistCommented:
Try using ManageEngine Desktop Central, which can already satisfy 10/20 CIS critical security controls. You can use Desktop Central completely free for 25 computers.

Works independently, No need for WSUS.

Try now-
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Operating Systems

From novice to tech pro — start learning today.