Sccm Brief
By Peter Pflaster; fact checked by Jon Levenson
What is SCCM?
Microsoft Endpoint Configuration Manager, formerly known as System Center Configuration
Manager (SCCM), is a Windows-centric endpoint management tool for devices within an Active
Directory domain. Historically deployed on prem on a Windows Server, SCCM can now also be
deployed as cloud-hosted within Azure.
The paid lifecycle management solution from Microsoft keeps track of a network’s inventory,
assists in application installation, and deploys updates and security patches across a network.
https://www.automox.com/blog/what-is-sccm 1/11
8/30/24, 1:39 PM
At the highest level, SCCM is installed on a Windows Server to help organizations manage endpoints. Generally, it requires an agent on the managed endpoints to work. And typically devices outside the corporate network need to connect back via VPN to receive patches, configuration updates, software, and more (unless the organization has also set up cloud management gateway (CMG) servers to help reduce VPN dependence with SCCM).
Underneath SCCM, WSUS helps cache and distribute patches to managed devices. Also, an SQL database is needed to store information for SCCM. If you want to learn more about WSUS, review our first blog in the tooling series.
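The agent-based architecture described above can be verified from an endpoint. The following PowerShell health check is an added example, not code from this post or from Microsoft; it assumes it runs with administrator rights on a Windows device and uses the ConfigMgr client's own WMI classes (SMS_Client, SMS_Authority, CCM_UpdateStatus) to report whether the agent is installed, which management point it reports to, when it last scanned for updates, and which updates it considers missing.

```powershell
# Added example (not from the original post): read-only ConfigMgr client
# health check for a single Windows endpoint. Assumes admin rights; the
# root\ccm namespace and CCM_UpdateStatus are only populated once the
# client has been installed and has completed at least one update scan.
function Get-CmClientHealth {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        AgentInstalled     = $false
        ServiceStatus      = 'Not installed'
        ClientVersion      = $null
        SiteCode           = $null
        ManagementPoint    = $null
        LastUpdateScan     = $null
        MissingUpdateCount = $null
        MissingUpdates     = @()
    }

    # The ConfigMgr agent runs as the CcmExec service; if it is absent the
    # device is unmanaged, or the install failed silently as the post warns.
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]$result }
    $result.AgentInstalled = $true
    $result.ServiceStatus  = $svc.Status.ToString()

    # Client version and site assignment live in the root\ccm namespace.
    $client = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue
    if ($client) { $result.ClientVersion = $client.ClientVersion }
    $auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority -ErrorAction SilentlyContinue
    if ($auth) {
        $result.SiteCode        = $auth.Name -replace '^SMS:', ''   # Name is "SMS:<site code>"
        $result.ManagementPoint = $auth.CurrentManagementPoint
    }

    # The agent's update store records what its last scan found. A stale
    # ScanTime is the "device has not checked in" condition the post describes.
    $updates = Get-CimInstance -Namespace root\ccm\SoftwareUpdates\UpdatesStore `
        -ClassName CCM_UpdateStatus -ErrorAction SilentlyContinue
    if ($updates) {
        $result.LastUpdateScan = ($updates | Sort-Object ScanTime -Descending | Select-Object -First 1).ScanTime
        $missing = $updates | Where-Object Status -eq 'Missing'
        $result.MissingUpdateCount = @($missing).Count
        $result.MissingUpdates     = @($missing | Select-Object Article, Title)
    }
    [pscustomobject]$result
}

Get-CmClientHealth | Format-List
```

A LastUpdateScan older than your patch cadence, or a running service with no management point, is the first thing to chase when a device shows up as non-compliant in the console.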
However, Microsoft SCCM presents several challenges for organizations looking for one solution to
provide patch management across all devices, operating systems, and third-party applications, so
it’s important to evaluate the pros and cons of patching with SCCM.
Pros of SCCM
SCCM includes a wide range of functions that provide flexibility over how patches are applied,
generate system-wide reports, and allow for control over any Windows machine in the network
from one central console.
SCCM provides a suite of endpoint protection tools and with the correct configuration can be a full
lifecycle management system for IT departments with a high percentage of Windows systems.
Being a Microsoft product, SCCM integrates very well with Windows systems and other Microsoft
products. In recent years, SCCM has tried to adapt to the trend of employee-provided devices
connecting to company networks, and now supports Bring Your Own Device (BYOD) policies,
meaning that devices added to a network by individual employees can be controlled via SCCM and
flagged if they are not updated.
SCCM is controlled via a relatively simple GUI, which means it is easier to learn and implement than
self-deployed tools such as Chef and Puppet. Because SCCM is an established and paid Microsoft
service, it also has good support via community channels and Microsoft itself.
There’s no doubt SCCM offers an array of features. But there’s a wide range of cons and hidden
risks associated with its use as well. Learning how to avoid the risks will help ITOps managers and
admins get effective results in the end.
SCCM is capable of deploying a golden image of Windows to devices without an operating system.
This commonly is done using PXE. Preboot execution environment (PXE) is a set of standards that
allows a computer to install or load an OS over just a network connection.
SCCM allows you to see the hardware a device has and what software it’s running.
Compliance and device configuration management
With SCCM, you can configure device settings and monitor what devices are in or out of
compliance.
Cons of SCCM
First off, if you care to use SCCM, you’ll need to purchase and load a heap of precursor
infrastructure to make it work – and then you’ll need to preinstall databases. The result of having to
do all this? Your team will spend a lot of added time installing and maintaining the tools you need
to use SCCM. It should go without saying that, depending on your organization, the severity of these
hidden hazards will differ:
SCCM is usually sold as part of a larger suite of tools from Microsoft and is prohibitively expensive
for non-enterprise companies. Pricing for SCCM is opaque and can include separate costs for
endpoints and servers. SCCM is also an on-premise solution which requires an SQL server to run,
resulting in high ongoing operating costs and resource requirements to maintain.
Microsoft continues to prioritize applications within their ecosystem, and most organizations must
purchase other tools to patch non-Microsoft system software. While SCCM offers more support for
third-party applications than WSUS does, its ability is still quite limited and the source of much
frustration among IT managers. On Microsoft’s SCCM feedback page, improvements to third-party
patching are the top request, which is no surprise considering that third-party software accounts for
up to 76% of vulnerabilities on the average PC. The difficulty of configuring SCCM to automatically
patch third-party applications can put your infrastructure at risk.
Organizations with non-Windows systems, such as Linux or macOS, often find themselves
purchasing additional products to supplement SCCM’s limited feature set for non-Microsoft
products. Furthermore, SCCM systems are costly. So choosing SCCM is like paying for a bus ticket
to go south when you’re really trying to go north and east and west, too. (Note that if your enterprise
contains more non-Windows systems than Windows ones, you should choose another system
manager that works better with an array of platforms.)
To illustrate this point further, Automox recently teamed up with AimPoint Group to conduct a
survey of the state of IT operations in 2022. The report offered several useful insights, one of which
was that 60% of organizations use ten or more applications to manage endpoints.
This sort of tool sprawl creates a lack of visibility and adds complexity that requires extensive
training. Moreover, it can increase your company’s administrative overhead.
Inevitably, enterprises adopt emerging technologies, and the use of cloud services, IoT, and mobile
devices is growing. The inherent complexity of IT ecosystems is only increasing. Choose a
management option that meets the needs of your exceedingly complex environment.
SCCM typically uses on-premise infrastructure. In other words, you won’t easily get cloud
management support with SCCM. Boo. You can get there eventually, but it will require a handful of
other tools. Why?
If you host SCCM in Azure, you’ll need a gateway so SCCM can communicate with your devices. It’s
yet another tool you’ll need to build, configure, and maintain. Cloud-hosted solutions don't scale
easily like cloud-native software. It’s like buying an electric car and knowing you’ll have to mine the
lithium for the battery yourself.
Also, as competition increases in the market, you’ll have to be more diligent about protecting your
company from a litany of unseen threats.
Finally, SCCM uses an old methodology of software deployment that assumes devices will talk to
your domain often. But the truth is, with remote workforces on the rise, devices don’t check in as
often as they should. Fewer check-ins with your legacy patching appliance results in more devices
on outdated and potentially vulnerable software versions.
Relying on VPNs, as SCCM does, is a risky endeavor in and of itself. Connecting requires human
effort. VPNs slow down work and are tedious to use, which means employees often avoid using
them. Even if teams have moved past on-prem servers and are using a cloud instance for SCCM,
there’s still management overhead that requires human intervention. Because humans are fallible,
errors are likely.
The more legacy software you use, the higher the chances of security threats to your system. Using
old software not only affects your business but can also tank your market reputation. Breaches and
potential incidents represent real risks to your business’ reputation and could damage customer
trust in your brand. It’s bad news.
It can be impossible to know whether or not you’ve installed certain software. Until you
stumble on it, you may not even detect installed SCCM software.
During a software installation failure, you won’t receive pop-up warnings. Moreover, you won’t
get immediate notices of failure.
New applications silently pushed into your system signal malware or viruses.
If the SCCM server isn’t responding effectively, no user can install anything. This could
damage your operations and affect your business’s bottom line.
When one user’s computer is corrupted, they’ll fail to receive updates or installations.
Unless you patch everything in an automated fashion, there’s simply no way to keep up with
threat actors.
Even if you manually patch vulnerabilities fast, humans are prone to error. Only automation
ensures the highest level of security.
You can’t patch mobile devices like iOS, Android, etc. Another solution would absolutely be
required to effectively provision and manage such devices.
There’s no touchless deployment option (e.g. Windows Autopilot). However, touchless
deployment is a critical component of a modern, holistic device management approach.
SCCM requires a steep learning curve for the administrator. You’ll need to invest large
amounts of time and effort to take full advantage of SCCM’s capabilities.
Other dependencies will require substantial additional time and expertise. For instance, you
must have team members that can effectively run Active Directory, WSUS, and an SQL
Database – at a minimum.
Microsoft is modernizing their toolset for device management, and tools like Intune may make
more sense for most use cases (look for our next tooling blog to learn more about Intune). That
said, managing servers with Intune isn’t possible yet. So, you may need to use a tool like SCCM to
manage them.
If you’re not using 100% Windows in your organization, you’ll need several other tools outside of the
Microsoft ecosystem to manage your devices and workstations effectively. A better bet for your org
would be an all-in-one endpoint management platform that provides visibility through a single pane
of glass.
With Automox, you’ll gain effective results for remote, on-premise, and virtual endpoints without
having to deploy highly-priced infrastructure. Plus, you’ll save time, increase your IT team’s
productivity, and automatically fix vulnerabilities fast – across all your endpoints.
In the end, the answer might just be saying goodbye to SCCM and seeking out better management
and protection.
Dig in to learn how these tools intertwine, and how they’re used in an enterprise setting.
What is WSUS?
What's the difference between SCCM and WSUS?
What is SCCM/WSUS costing you?
Demo Automox and join thousands of companies transforming IT operations into a strategic
business driver.
Copyright © 2024 Automox. AUTOMOX is a registered trademark in the US and other countries.