Microsoft System Center Configuration Manager (SCCM) is a systems management tool designed for monitoring network devices that was recently updated by a new tool called Microsoft Endpoint Configuration Manager (MECM)
The decision to redesign SCCM surprised many given the number of enterprises that relied on the program.
In this article, our main goal is to look at what SCCM is, and while we’ll briefly take a look at the Microsoft Endpoint Configuration Manager rebrand, the main focus will be on the original SCCM most enterprises are familiar with.
What is SCCM?
Before SCCM was rebranded as Microsoft Endpoint Configuration Manager, it was an application designed for managing Windows and Mac OS computers, Linux/Unix servers, and mobile devices using Windows/iOS/Android.
Some of the features SCCM could be used for include:
- OS deployment Create images of operating systems and deploy them.
- Remote Control An administrator can take control of a remote device to troubleshoot if a device experiences performance issues.
- Maintenance Windows A user can define a time when configuration management can be completed on a collection of devices (i.e. carry out updates when they won’t affect productivity).
- Integration with Microsoft Intune Manage mobile devices for iOS, Android, and Windows with Microsoft Intune.
- Scheduling Schedule updates to make sure that your network infrastructure is periodically updated (useful for minimizing vulnerabilities).
- Reporting Create reports on systems for further information on patch status. For example, you can create a report on systems that have missed patches.
- Endpoint protection Manage anti malware policies and firewall security from one location to protect computers.
For example, you could distribute updates to Windows 10 devices throughout your entire network. SCCM is a staple for many enterprises because it offers an efficient means of updating multiple devices.
SCCM is part of the System Center family of products, which includes tools such as:
- System Center Operations Manager
- System Center Data Protection Manager
- System Center Virtual Machine Manager
- System Center Service Manager
- System Center Capacity Planner
- System Center Mobile Device Manager
- System Center Essentials
SCCM is sometimes mistaken for Microsoft System Center Operations Manager (SCOM), a platform used for monitoring the health and performance of systems. The main difference between the two is that SCCM is used for configuration management and SCOM is used to monitor applications and services.
Why Do I Need to Use SCCM?
Using SCCM is a good idea if you’re in need of a solution for configuring and managing systems in an enterprise network environment. SCCM provides you with a single tool to deploy installations to multiple devices which streamlines the hardware management process.
Overseeing the updates and configurations of devices from a top-down viewpoint saves you from having to manage devices individually on every single device. There’s manual work to do as you can manage everything from one location.
Creating an inventory of hardware and software, updating OS’s, deploying applications, monitoring configurations, and managing endpoint protection (anti-malware) are just some of the things that you can use the software for.
Windows Management / Patch Management
Windows management or patch management is one of the main use cases offered by SCCM. With SCCM you can manage Windows devices and remotely update software. The program uses Microsoft WSUS to check for updates and deploy patches to devices.
Through one console you can maintain multiple Windows devices, and schedule/deploy patches to devices periodically. From a security standpoint, deploying patches is essential for keeping your software updated and reducing the likelihood of a cyber attacker exploiting a vulnerability.
Patches run in the background to minimize disruption. However, it is important to note that the patch management capabilities offered by SCCM do have limitations. One of the most significant is the limited support for third-party patching.
The inability to patch third-party applications leaves open vulnerabilities that can be exploited by attackers. Issues like this can be fixed by using external tools, such as SolarWinds Patch Manager or ManageEngine Connect Plus, which extend SCCM’s patching for third-party applications.
Endpoint protection is another main function of SCCM. SCCM enables you to configure anti-malware policies and firewall settings, set automatic deployment rules for software updates, configure Endpoint Protection client configurations, send notifications, and more.
Essentially you can create anti-malware policies and then deploy them to devices throughout your network. From then onward you can monitor endpoints with activity reports. For example, you can create an Antimalware Activity Report that tells you about the security status of your infrastructure (see the next section for more information on reports).
There are also malware alerts. Alerts notify you about the presence of malicious activity in the network and can be seen through the dashboard or sent to individual users. You can configure your own alert conditions to determine when notifications will be generated and set the severity of the alerts.
Another key function of SCCM is report creation. SCCM comes with out-of-the-box reports for monitoring devices throughout the network. The default reports cover everything from asset management to vulnerability assessments and user data. In order to run reports, you need to have the appropriate permissions. Reports are customizable so you can pick which information to monitor.
You can edit reports with the Report Builder. The Report Builder gives you the option to add visual elements like charts, maps, sparklines, and data bars for greater clarity. It is important to note that the Report Builder must be installed from SSRS or Microsoft websites.
The reporting features offered by SCCM are extremely valuable from a regulatory compliance perspective and display that systems have been updated. Once you’ve completed a report you can export it in a PDF, CSV, or Microsoft Excel format.
Why is SCCM now Microsoft Endpoint Configuration Manager? And What is Microsoft Endpoint Manager?
Recently, Brad Anderson, Corporate Vice President for Microsoft 365 announced the decision to rebrand SCCM and combine it with Microsoft Intune, a mobile management solution to form Microsoft Endpoint Manager.
SCCM has now been renamed to Microsoft Endpoint Configuration Manager and is one of several services that make up Microsoft Endpoint Manager including Device Management Admin Center (DMAC) and Desktop Analytics.
The rebrand took place in an attempt to provide users with a complete endpoint management solution for cloud environments with intelligence features. In other words, the update was designed to give enterprises the features they need to thrive in the modern workplace with all the range of devices making their way into the workplace.
The Benefits of Using SCCM
Using SCCM brings to the table a number of benefits for enterprises managing a network full of devices:
- Unified management of Windows endpoints
- Integration with Windows systems
- Simple to administrate (compare to other tools like Chef and Puppet)
Perhaps the biggest advantage is that SCCM unifies the management of Windows endpoints. An administrator can manage dozens of devices through a single platform, push updates to devices, and update configurations remotely. Having a configuration management tool saves time that would be lost manually updating devices.
Overall administration is also much easier. An administrator has access to an inventory of IT assets without having to create one manually. Having a clear inventory enhances visibility and enables the user to keep systems compliant more easily.
From a security standpoint, being able to identify and fix non-compliant systems reduces cybersecurity risks and helps to ensure compliance with industry regulations. As the WannaCry outbreak showed enterprises in 2017, unpatched devices can have a devastating impact on a company’s operations.
The Limitations of SCCM
While SCCM is a very useful tool it does have some substantial limitations:
- Support is limited for non-Windows devices
- Limited support for third-party application patches
- Pricing is complex and expensive
Given that SCCM was designed for Windows devices there is limited support for Mac and Linux tools. You must have a Windows server to run the platform, which immediately rules out many cross-platform environments. SCCM is recommended to users whose infrastructure is dominated by Windows devices unless you want to do additional manual patching.
As we noted further above, there’s also limited support for third-party application patching. SCCM is largely ineffective at patching third-party applications. This is a substantial weakness given that third-party software still needs to be secured, and can be used as an entry point to a network by cyber attackers.
Finally, the pricing of SCCM can be costly for enterprise users. Individual client licenses range from $41 (£33) for the Client ML to $430 (£353) for the Enterprise ML version. When you can consider the cost alongside the limitations in third-party patching and limited support for non-Windows devices, it’s a lot of money for incomplete coverage.
Microsoft Intune vs SCCM
One solution that’s often compared with SCCM is Microsoft Intune. Before Microsoft Intune was merged into Endpoint Manager alongside SCCM, the former was a cloud-based mobile device management and system management solution. The intention behind the program was to equip customers to manage cloud-based infrastructure.
- Bring Your Own Device (BYOD)
- A central admin portal
- Application Level Management
- Integration with SCCM
- Microsoft Malware Protection Engine
The key difference between SCCM and Intune is that the former was aimed at managing on-premises infrastructure, while the latter was aimed at cloud-based services. SCCM has some key advantages over Intune:
- You can manage systems that aren’t connected to the internet
- You don’t need to use Microsoft Cloud
- You can manage Windows Servers
In contrast, Intune has a number of advantages over SCCM:
- Mobile device management (MDM) for mobile devices
- You don’t need local infrastructure
- You don’t need to maintain the program or infrastructure
It’s important to note that you don’t need to choose between the two, even though it’s useful to have an idea of each solution’s strengths. Combining the two gives users a lot more co-management options to work with. The user can combine both to manage on-premise and cloud-based infrastructure from computers to mobile devices, and applications.
Is SCCM Dead?
SCCM has a long way to go before it’s obsolete. Microsoft still supports the software and while the rebranding to MECM may have changed the nature of endpoint management with a new cloud-based console, the SCCM capabilities enterprises are familiar with are still there. The addition of intelligent features and analytics will only serve to enhance the device management process.
For now, SCCM or MECM still has a significant role to play in managing configurations and OS deployments. As more updates roll out in the foreseeable future we can expect to see configuration management capabilities grow with the needs of enterprises.