What Is SCCM & How Does It Work?
What Is SCCM?
Microsoft’s SCCM (System Center Configuration Manager, now known formally as Configuration Manager and existing as a branch of Microsoft Endpoint Manager) is a paid lifecycle management solution from Microsoft that keeps track of a network’s inventory, assists in application installation, and deploys updates and security patches across a network.
Pros & Cons of SCCM
While SCCM uses Microsoft’s WSUS patching system to check for and install updates, it gives users additional patch management control over when and how patches are applied and includes many more features that make it an attractive option for large enterprise networks.
However, Microsoft SCCM presents several challenges for organizations looking for one solution to provide patch management across all devices, operating systems, and third-party applications, so it’s important to evaluate the pros and cons of patching with SCCM.
- Part of a full lifecycle management system for Windows
SCCM includes a wide range of functions that provide flexibility over how patches are applied, generate system-wide reports, and allow for control over any Windows machine in the network from one central console.
SCCM provides a suite of endpoint protection tools and with the correct configuration can be a full lifecycle management system for IT departments with a high percentage of Windows systems.
- Integrates with Windows systems
Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft products. In recent years, SCCM has tried to adapt to the trend of employee-provided devices connecting to company networks, and now supports Bring Your Own Device (BYOD) policies, meaning that devices added to a network by individual employees can be controlled via SCCM and flagged if they are not updated.
- Control via GUI and support via Microsoft
SCCM is controlled via a relatively simple GUI, which means it is easier to learn and implement than self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft service, it also has good support via community channels and Microsoft itself.
There’s no doubt SCCM offers an array of features. But there’s a wide range of cons and hidden risks associated with its use as well. Learning how to avoid the risks will help ITOps managers and admins get effective results in the end.
First off, if you care to use SCCM, you’ll need to purchase and load a heap of precursor infrastructure to make it work – and then you’ll need to preinstall databases. The result of having to do all this? Your team will spend a lot of added time installing and maintaining the tools you need to use SCCM. It should go without saying that, depending on your organization, the severity of these hidden hazards will differ:
- High costs to acquire and run
SCCM is usually sold as part of a larger suite of tools from Microsoft and is prohibitively expensive for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for endpoints and servers. SCCM is also an on-premise solution which requires an SQL server to run, resulting in high ongoing operating costs and resource requirements to maintain.
- Difficulty patching third-party applications
Microsoft continues to prioritize applications within their ecosystem, and most organizations must purchase other tools to patch non-Microsoft system software. While SCCM offers more support for third-party applications than WSUS does, its ability is still quite limited and the source of much frustration among IT managers. On Microsoft’s SCCM feedback page, improvements to third-party patching are the top request, which is no surprise considering that third-party software accounts for up to 76% of vulnerabilities on the average PC. The difficulty of configuring SCCM to automatically patch third-party applications can put your infrastructure at risk.
- Incomplete management of non-Windows system
Organizations with non-Windows systems, such as Linux or macOS, often find themselves purchasing additional products to supplement SCCM’s limited feature set for non-Microsoft products. Furthermore, SCCM systems are costly. So choosing SCCM is like paying for a bus ticket to go south when you’re really trying to go north and east and west, too. (Note that if your enterprise contains more non-Windows systems than Windows ones, you should choose another system manager that works better with an array of platforms.)
To illustrate this point further, Automox recently teamed up with AimPoint Group to conduct a survey of the state of IT operations in 2022. The report offered several useful insights, one of which was that 60% of organizations use ten or more applications to manage endpoints.
This sort of tool sprawl creates a lack of visibility and adds complexity that requires extensive training. Moreover, it can increase your company’s administrative overhead.
Inevitably, enterprises adopt emerging technologies, and the use of cloud services, IoT, and mobile devices is growing. The inherent complexity of IT ecosystems is only increasing. Choose a management option that meets the needs of your exceedingly complex environment.
- Lack of cloud support
SCCM typically uses on-premise infrastructure. In other words, you won’t easily get cloud management support with SCCM. Boo. You can get there eventually, but it will require a handful of other tools. Why?
If you host SCCM in Azure, you’ll need a gateway so SCCM can communicate with your devices. It’s yet another tool you’ll need to build, configure, and maintain. Cloud-hosted solutions don't scale easily like cloud-native software. It’s like buying an electric car and knowing you’ll have to mine the lithium for the battery yourself.
Also, as competition increases in the market, you’ll have to be more diligent about protecting your company from a litany of unseen threats.
- VPN requirement for remote workforce management
Finally, SCCM uses an old methodology of software deployment that assumes devices will talk to your domain often. But the truth is, with remote workforces on the rise, devices don’t check in as often as they should. Fewer check-ins with your legacy patching appliance results in more devices on outdated and potentially vulnerable software versions.
Relying on VPNs, as SCCM does, is a risky endeavor in and of itself. Connecting requires human effort. VPNs slow down work and are tedious to use, which means employees often avoid using them. Even if teams have moved past on-prem servers and are using a cloud instance for SCCM, there’s still management overhead that requires human intervention. Because humans are fallible, errors are likely.
The more legacy software you use, the higher the chances of security threats to your system. Using old software not only affects your business but can also tank your market reputation. Breaches and potential incidents represent real risks to your business’ reputation and could damage customer trust in your brand. It’s bad news.
Further Disadvantages to Using SCCM
Unfortunately, SCCM background software installations come with a slew of other drawbacks and hidden risks:
- It can be impossible to know whether or not you’ve installed certain software. Until you stumble on it, you may not even detect installed SCCM software.
- During a software installation failure, you won’t receive pop-up warnings. Moreover, you won’t get immediate notices of failure.
- New applications silently pushed into your system signal malware or viruses.
- If the SCCM server isn’t responding effectively, no user can install anything. This could damage your operations and affect your business’s bottom line.
- When one user’s computer is corrupted, they’ll fail to receive updates or installations.
- Unless you patch everything in an automated fashion, there’s simply no way to keep up with threat actors.
- Even if you manually patch vulnerabilities fast, humans are prone to error. Only automation ensures the highest level of security.
Avoid the Risks of SCCM by Choosing Automox
SCCM is a viable solution only for enterprises that can both afford it and have Windows-only infrastructures. However, with mixed operating systems becoming the norm, SCCM is less valuable in terms of patching capabilities and efficiency. Frankly, the risks of relying on SCCM are just too high. As an alternative, Automox helps ensure there are no added threats to your organization.
With Automox, you’ll gain effective results for remote, on-premise, and virtual endpoints without having to deploy highly-priced infrastructure. Plus, you’ll save time, increase your IT team’s productivity, and automatically fix vulnerabilities fast – across all your endpoints.
In the end, the answer might just be saying goodbye to SCCM and seeking out better management and protection.
- What's the difference between SCCM and WSUS?
- What is SCCM/WSUS costing you?
- What is the true cost of "free" patch management?
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.