Microsoft Configuration Manager vs. Intune key comparisons

What is Microsoft Configuration Manager?

Microsoft Configuration Manager has had several name changes. From 1994 to 2006, it was called Systems Management Server. Microsoft switched the name to System Center Configuration Manager (SCCM) in 2007. That was the longstanding name for the product until 2019 when Microsoft changed the name to Microsoft Endpoint Configuration Manager. However, in 2023, Microsoft changed the name once again, this time to Microsoft Configuration Manager. Many admins still use either the old acronym SCCM or ConfigMgr when they refer to the product.

Microsoft designed Configuration Manager for the on-premises management of Windows devices -- both client and server systems -- in enterprise environments.

Configuration Manager includes the following administrative capabilities:

• Co-management with Microsoft Intune.
• Real-time querying of client devices with CMPivot.
• OS deployment with imaging and in-place upgrades.
• Automation via task sequences for OS deployment.
• Software update management.
• Configuring and enforcing compliance settings.
• Resource access management by using Wi-Fi, VPN and certificate profiles.
• Application management.
• Remote control by using built-in functionality.
• Endpoint protection via integration with Microsoft Defender Antivirus and more.
• Inventory insights with hardware inventory and software inventory.
• Device power management.
• Reporting with the advanced capabilities of SQL Server Reporting Services.
• Role-based access control (RBAC) for access to Configuration Manager.

IT administrators can work with devices either via the Configuration Manager console or the Microsoft Intune admin center portal when using the tenant-attached configuration.

What is Intune?

Microsoft released Intune in 2011 as an MDM service, but the company gradually expanded its abilities to also manage Windows systems. Its strengths are its direct integration with Microsoft Entra ID for conditional access policy functionality, and being cloud-based, it does not require on-premises IT infrastructure to operate. Besides that, it provides cross-platform support and introduces new features on a monthly cadence.

In its early days, Intune lacked many features compared to the leading MDM vendors, such as AirWatch and MobileIron. But rapid development by Microsoft has given Intune the edge, and organizations now look at its competitors for specific use cases. Intune's tight integration with the Microsoft ecosystem, including the identity and access management tool Entra ID, is one of the reasons enterprises are attracted to this endpoint management product.

Intune's other key features include the following:

• Co-management with Microsoft Configuration Manager.
• Real-time access to devices via device query.
• Device provisioning via Windows Autopilot.
• Software update management via Windows Update client policies, formerly Windows Update for Business.
• Automatic update management via Windows Autopatch.
• Compliance management.
• Resource access management by using Wi-Fi, VPN and certificate profiles.
• Application management.
• Remote control by using Remote Help -- part of the Intune suite.
• Endpoint security with Microsoft Defender Antivirus and more.
• Mobile application management, including app protection policies.
• Inventory insights via device inventory.
• Endpoint analytics for insights.
• RBAC for access to Intune.

IT administrators can manage enrolled devices from the Microsoft Intune admin center portal.

Configuration Manager vs. Intune: A feature comparison

For several years, rumors spread among IT circles that Microsoft would stop the development of Configuration Manager in favor of Intune. At one point, organizations had to choose which product to use, but in 2017, Microsoft added co-management capabilities to use both products for Windows client management.

Then, at its 2019 Ignite show, Microsoft unveiled Microsoft Endpoint Manager, which made Intune and Configuration Manager part of the same product family. That family is now rebranded to the Microsoft Intune product family. This chart shows how closely the two products match up in terms of their main features.

When to select Microsoft Configuration Manager for your IT needs

Organizations should consider Microsoft Configuration Manager when they require one or more of the following:

• Bare-metal installations with complex installation sequences.
• Complicated application installations.
• Air-gapped environment.
• Detailed reporting.

For organizations that want to minimize their on-premises footprint, migrating the whole Configuration Manager infrastructure to Azure is an option.

When Configuration Manager might not be the best administrative tool

Microsoft Configuration Manager may not be the best endpoint management option for an organization when any of the following are true:

• No plan to employ or contract skilled personnel for regular maintenance of systems.
• Only internet-connected users.
• Most users with no complicated application installations.
• Fewer than 300 devices.
• Directly applying conditional access policies.
• Managing mobile devices.

When to choose Intune for administrative work

When there is a need for the following management features, then organizations should look at using Intune:

• Cloud-based product.
• Direct access to the latest features.
• Managing mobile devices.
• Directly applying conditional access policies.

When Intune might not be the best management choice

Organizations should not consider management with Intune when any of the following statements are true of the organization:

• Advanced deployment and configuration options of Windows systems.
• Software metering to measure application usage.
• Air-gapped environment.
• Managing servers.

Microsoft Configuration Manager vs. Intune: Licensing differences

Configuration Manager can be used in a traditional volume licensing format. It can be included as part of Software Assurance (SA) and License and Software Assurance (L&SA). SA is for renewing customers; L&SA is for customers buying new licenses. Besides that, Microsoft Configuration Manager is also included in the following licensing plans:

• Intune user subscription license (USL).
• Enterprise Mobility + Security (EMS) E3.
• EMS yh E5.
• Microsoft 365 E3.
• Microsoft 365 E5.
• Microsoft 365 F3, formerly Microsoft 365 F1.

The core functionality of Intune is available with different licensing subscriptions, depending on the type of institution: school, small business, enterprise customer and government. Most of the licenses for Microsoft Intune also give organizations the right to use Microsoft Configuration Manager.

Organizations need to have one of the following licenses to use Intune:

• Microsoft 365 E3.
• Microsoft 365 E5.
• EMS E3.
• EMS E5.
• Microsoft 365 Business Premium.
• Microsoft 365 F1.
• Microsoft 365 F3.
• Microsoft 365 Government G3.
• Microsoft 365 Government G5.
• Microsoft Intune for Education.

Intune is also included in the following educational licenses: Microsoft 365 Education A3 or Microsoft 365 Education A5.

Intune can also be licensed via a specific device license or via a standalone product license.

Can an organization use both Microsoft Configuration Manager and Intune?

Organizations can use both Intune and Configuration Manager to manage Windows 10 and later devices using a configuration that Microsoft calls co-management. Those products have some capabilities that overlap, but organizations will most likely use them in a complementary fashion.

With co-management, the IT administrator can select the management tool that handles certain workloads; by default, Microsoft Configuration Manager runs management workloads unless otherwise specified.

Co-management licensing vs. standalone Intune license

Organizations with Microsoft Configuration Manager and SA can opt in for the co-management license that provides PC management with Intune without the need to assign licenses to each user.

This co-management license only applies to devices already managed by Microsoft Configuration Manager; it is not available for machines enrolled in any other way. Windows Autopilot, the deployment and provisioning feature used in conjunction with Intune, is not available because it requires a full Intune license.

When an organization wants to manage mobile devices or macOS devices, a standalone Intune license is required, such as an EMS or Microsoft 365 E5 license.

This chart compares co-management licensing and full Intune licensing.

Organizations can use co-management in two main ways:

1. Existing clients. The IT administrator already configured clients using Microsoft Configuration Manager and registers them with Entra ID and enrolls them into Intune.
2. New clients on the internet. The IT administrator installs the Configuration Manager client when the device is enrolled into Intune.

How to use co-management

The main benefit of enabling co-management is that organizations can benefit from the strengths of both Microsoft Configuration Manager and Intune. With co-management, organizations have access to the most powerful Configuration Manager features, such as OS deployment, advanced application installations and system configuration, and combine that with the strengths of Intune, including MDM and conditional access capabilities.

The IT administrator determines which workloads should be handled by Configuration Manager and which Intune should handle.

What are the co-management requirements?

In addition to the proper licensing, using co-management also requires Configuration Manager 1710 or later, Entra ID, at least one Intune license and the correct setup for permissions and roles based on this documentation.

Which option should your organization consider?

In the end, the choice between Microsoft Configuration Manager or Intune -- or both -- depends on the requirements for managing Windows devices within your organization.

When there are no specific requirements for features that are only available in Configuration Manager, the common advice is to use Intune, which provides cross-platform support and gets new features regularly.

Peter van der Woude works as a mobility consultant and knows the ins and outs of the Configuration Manager and Intune tools. He is a Microsoft MVP and a Windows expert.

Daniel Engberg is principal consultant and partner at Agdiwo, an IT services company based in Gothenburg, Sweden.