What is SCCM & How Does it Work?

What is SCCM?

Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration Manager (SCCM), is a Windows-centric endpoint management tool for devices within an Active Directory domain. Historically deployed on prem on a Windows Server, SCCM can now also be deployed as cloud-hosted within Azure.

The paid lifecycle management solution from Microsoft keeps track of a network’s inventory, assists in application installation, and deploys updates and security patches across a network.

How does SCCM work?

At the highest level, SCCM is installed on a Windows Server to help organizations manage endpoints. Generally, it requires an agent on the managed endpoints to work. And typically devices outside the corporate network need to connect back via VPN to receive patches, configuration updates, software, and more (unless the organization has also set up cloud management gateway (CMG) servers to help reduce VPN dependence with SCCM).

Underneath SCCM, WSUS helps cache and distribute patches to managed devices. Also, an SQL database is needed to store information for SCCM. If you want to learn more about WSUS, review our first blog in the tooling series.

Which operation systems are covered under SCCM?

  • Windows 8.1, 10, 11
  • Windows Server 2012-2022 (including core)
  • Windows devices in Azure Virtual Desktop
  • Windows embedded devices (IoT), think point of sales and other types of lightweight devices
  • macOS Mojave, Catalina, and Big Sur – Deprecated in January 2022 in favor of migrating management to Intune.

Pros & Cons of SCCM

While SCCM uses Microsoft’s WSUS patching system to check for and install updates, it gives users additional patch management control over when and how patches are applied and includes many more features that make it an attractive option for large enterprise networks. 

However, Microsoft SCCM presents several challenges for organizations looking for one solution to provide patch management across all devices, operating systems, and third-party applications, so it’s important to evaluate the pros and cons of patching with SCCM.

Pros of SCCM

Part of a full lifecycle management system for Windows 

SCCM includes a wide range of functions that provide flexibility over how patches are applied, generate system-wide reports, and allow for control over any Windows machine in the network from one central console. 

SCCM provides a suite of endpoint protection tools and with the correct configuration can be a full lifecycle management system for IT departments with a high percentage of Windows systems. 

Integrates with Windows systems

Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft products. In recent years, SCCM has tried to adapt to the trend of employee-provided devices connecting to company networks, and now supports Bring Your Own Device (BYOD) policies, meaning that devices added to a network by individual employees can be controlled via SCCM and flagged if they are not updated.

Control via GUI and support via Microsoft

SCCM is controlled via a relatively simple GUI, which means it is easier to learn and implement than self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft service, it also has good support via community channels and Microsoft itself.

There’s no doubt SCCM offers an array of features. But there’s a wide range of cons and hidden risks associated with its use as well. Learning how to avoid the risks will help ITOps managers and admins get effective results in the end. 

Deploy operating systems to bare metal machines

SCCM is capable of deploying a golden image of Windows to devices without an operating system. This commonly is done using PXE. Preboot execution environment (PXE) is a set of standards that allows a computer to install or load an OS over just a network connection.

Hardware and software inventory of devices

SCCM allows you to see the hardware a device has and what software it’s running.

Compliance and device configuration management

With SCCM, you can configure device settings and monitor what devices are in or out of compliance.

Cons of SCCM 

First off, if you care to use SCCM, you’ll need to purchase and load a heap of precursor infrastructure to make it work – and then you’ll need to preinstall databases. The result of having to do all this? Your team will spend a lot of added time installing and maintaining the tools you need to use SCCM. It should go without saying that, depending on your organization, the severity of these hidden hazards will differ: 

High costs to acquire and run

SCCM is usually sold as part of a larger suite of tools from Microsoft and is prohibitively expensive for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for endpoints and servers. SCCM is also an on-premise solution which requires an SQL server to run, resulting in high ongoing operating costs and resource requirements to maintain.

Difficulty patching third-party applications

Microsoft continues to prioritize applications within their ecosystem, and most organizations must purchase other tools to patch non-Microsoft system software. While SCCM offers more support for third-party applications than WSUS does, its ability is still quite limited and the source of much frustration among IT managers. On Microsoft’s SCCM feedback page, improvements to third-party patching are the top request, which is no surprise considering that third-party software accounts for up to 76% of vulnerabilities on the average PC. The difficulty of configuring SCCM to automatically patch third-party applications can put your infrastructure at risk.

Incomplete management of non-Windows system

Organizations with non-Windows systems, such as Linux or macOS, often find themselves purchasing additional products to supplement SCCM’s limited feature set for non-Microsoft products. Furthermore, SCCM systems are costly. So choosing SCCM is like paying for a bus ticket to go south when you’re really trying to go north and east and west, too. (Note that if your enterprise contains more non-Windows systems than Windows ones, you should choose another system manager that works better with an array of platforms.)

To illustrate this point further, Automox recently teamed up with AimPoint Group to conduct a survey of the state of IT operations in 2022. The report offered several useful insights, one of which was that 60% of organizations use ten or more applications to manage endpoints

This sort of tool sprawl creates a lack of visibility and adds complexity that requires extensive training. Moreover, it can increase your company’s administrative overhead.

Inevitably, enterprises adopt emerging technologies, and the use of cloud services, IoT, and mobile devices is growing. The inherent complexity of IT ecosystems is only increasing. Choose a management option that meets the needs of your exceedingly complex environment.

Lack of cloud support 

SCCM typically uses on-premise infrastructure. In other words, you won’t easily get cloud management support with SCCM. Boo. You can get there eventually, but it will require a handful of other tools. Why?

If you host SCCM in Azure, you’ll need a gateway so SCCM can communicate with your devices. It’s yet another tool you’ll need to build, configure, and maintain. Cloud-hosted solutions don't scale easily like cloud-native software. It’s like buying an electric car and knowing you’ll have to mine the lithium for the battery yourself.

Also, as competition increases in the market, you’ll have to be more diligent about protecting your company from a litany of unseen threats. 

VPN requirement for remote workforce management

Finally, SCCM uses an old methodology of software deployment that assumes devices will talk to your domain often. But the truth is, with remote workforces on the rise, devices don’t check in as often as they should. Fewer check-ins with your legacy patching appliance results in more devices on outdated and potentially vulnerable software versions.

Relying on VPNs, as SCCM does, is a risky endeavor in and of itself. Connecting requires human effort. VPNs slow down work and are tedious to use, which means employees often avoid using them. Even if teams have moved past on-prem servers and are using a cloud instance for SCCM, there’s still management overhead that requires human intervention. Because humans are fallible, errors are likely.

The more legacy software you use, the higher the chances of security threats to your system. Using old software not only affects your business but can also tank your market reputation. Breaches and potential incidents represent real risks to your business’ reputation and could damage customer trust in your brand. It’s bad news.

Further Disadvantages to Using SCCM

Unfortunately, SCCM background software installations come with a slew of other drawbacks and hidden risks:

  • It can be impossible to know whether or not you’ve installed certain software. Until you stumble on it, you may not even detect installed SCCM software. 
  • During a software installation failure, you won’t receive pop-up warnings. Moreover, you won’t get immediate notices of failure. 
  • New applications silently pushed into your system signal malware or viruses. 
  • If the SCCM server isn’t responding effectively, no user can install anything. This could damage your operations and affect your business’s bottom line. 
  • When one user’s computer is corrupted, they’ll fail to receive updates or installations.
  • Unless you patch everything in an automated fashion, there’s simply no way to keep up with threat actors.
  • Even if you manually patch vulnerabilities fast, humans are prone to error. Only automation ensures the highest level of security.
  • You can’t patch mobile devices like iOS, Android, etc. Another solution would absolutely be required to effectively provision and manage such devices.
  • There’s no touchless deployment option (e.g. Windows Autopilot). However, touchless deployment is a critical component of a modern, holistic device management approach. 
  • SCCM requires a steep learning curve for the administrator. You’ll need to invest large amounts of time and effort to take full advantage of SCCM’s capabilities.
  • Other dependencies will require substantial additional time and expertise. For instance, you must have team members that can effectively run Active Directory, WSUS, and an SQL Database – at a minimum.

What are SCCM’s requirements?

  • Infrastructure and other software requirements
    • Active Directory (AD) or Azure AD domain
    • SQL database
    • WSUS
    • If you want no VPN requirement, need to create a manage a cloud management gateway (CMG)
  • Licensing
    • Included in Microsoft 365 E3, E5, F5 or Enterprise Mobility and Security (EMS) E3 and E5, or with an Intune user subscription license (USL)

Is SCCM right for you?

Large organizations heavily invested in Windows may already use SCCM to manage their Windows devices and workstations. However, if you aren’t already using SCCM, you may want to look elsewhere. 

Microsoft is modernizing their toolset for device management, and tools like Intune may make more sense for most use cases (look for our next tooling blog to learn more about Intune). That said, managing servers with Intune isn’t possible yet. So, you may need to use a tool like SCCM to manage them. 

If you’re not using 100% Windows in your organization, you’ll need several other tools outside of the Microsoft ecosystem to manage your devices and workstations effectively. A better bet for your org would be an all-in-one endpoint management platform that provides visibility through a single pane of glass. 

Avoid the Risks of SCCM by Choosing Automox

SCCM is a viable solution only for enterprises that can both afford it and have Windows-only infrastructures. However, with mixed operating systems becoming the norm, SCCM is less valuable in terms of patching capabilities and efficiency. Frankly, the risks of relying on SCCM are just too high. As an alternative, Automox helps ensure there are no added threats to your organization. 

With Automox, you’ll gain effective results for remote, on-premise, and virtual endpoints without having to deploy highly-priced infrastructure. Plus, you’ll save time, increase your IT team’s productivity, and automatically fix vulnerabilities fast – across all your endpoints.

In the end, the answer might just be saying goodbye to SCCM and seeking out better management and protection.

Endpoint Management Tooling Series

This series is designed to give you a primer on what tools are available from Microsoft and to help you understand where they work well or where they may fall short.

This series covers the following tools:

Dig in to learn how these tools intertwine, and how they’re used in an enterprise setting.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Demo Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic