In the increasingly complex world of IT, no single management tool does it all. But using two Microsoft products in tandem might bridge most administrative gaps.
Since 1994, System Center Configuration Manager (SCCM) has been the gold standard to manage workstations, servers and mobile devices. Microsoft released Intune in 2011 for mobile device management (MDM), but it has steadily accumulated functionality to make it another viable alternative to administer Windows client devices. Microsoft recently combined both products in the Microsoft Endpoint Manager suite to cover a range of complicated scenarios, including traditional on-premises platforms, such as Active Directory, and more modern arrangements that involve hybrid-joined devices in Azure Active Directory. So, what's the best way to use this management product?
Get back to basics: What is SCCM?
Microsoft released SCCM, also called ConfigMgr in IT circles, in 1994, but its name has changed over time. From 1994 to 2006, it was called Systems Management Server. Microsoft switched the name to System Center Configuration Manager in 2007.
SCCM focuses on the management of Windows devices -- both client and server systems -- in enterprise environments, which some define as sites with more than 300 devices.
SCCM includes the following administrative capabilities:
- operating system deployment;
- task sequences for OS deployment and additional features;
- patch management;
- compliance management;
- Windows 10 servicing;
- application deployment;
- remote control;
- integration with Microsoft Endpoint Protection antivirus; and
- role-based configuration access.
You can work with devices either via the SCCM console or the Microsoft Endpoint Manager admin portal -- endpoint.microsoft.com -- if you use the tenant-attached configuration.
Get back to basics: What is Intune?
Microsoft released Intune in 2011 as an MDM service, but it has gradually expanded its abilities to also manage Windows systems. Its main strengths are its conditional access policy functionality and the fact that, being cloud-based, it does not require on-premises IT infrastructure to operate.
In its early days, Intune lacked many features compared to its MDM competitors, such as AirWatch and MobileIron. But rapid development by Microsoft has given Intune the edge, and organizations now look at its competitors for specific use cases. Intune's tight integration with the Microsoft ecosystem, such as Azure Active Directory, is one of the reasons enterprises are attracted to this management product.
Intune's other key features include:
- patch management via Microsoft Update for Business;
- compliance management;
- application deployment;
- app protection policies; and
- Defender Antivirus (in preview).
You manage enrolled devices from the Microsoft Endpoint Manager portal at the endpoint.microsoft.com URL.
SCCM vs. Intune: A feature comparison
For many years, it was rumored that Microsoft was going to stop development of SCCM in favor of Intune. At one time, you had to choose which product you wanted to use, but in 2017 Microsoft added "co-management" capabilities to use either tool for Windows client management.
Then, at its 2019 Ignite show, Microsoft unveiled Microsoft Endpoint Manager, which packaged Intune with SCCM. In most cases, you do not use one product to replace the other. The chart below shows how closely the two products match up in terms of features.
When you should use SCCM
You should consider SCCM when you require one or more of the following:
- bare-metal installations with complex installation sequences;
- complicated application installations; or
- detailed reporting.
If you want to minimize your on-premises footprint, it is possible to migrate your whole SCCM infrastructure to Azure.
When SCCM might not work for you
SCCM may not be the best management tool for your organization if any of the following are true:
- you do not plan to employ or contract skilled personnel for regular maintenance of your systems;
- you only have internet-connected users;
- most users do not have complicated application installations;
- you have fewer than 300 devices;
- you want to apply conditional access policies; or
- you want to manage mobile devices.
When Intune might be the right administration option
You should look at Intune for your organization if you need the following management features:
- you want to use a cloud-based tool;
- you want to manage mobile devices; and
- you want to use conditional access policies.
When Intune might not be the best management choice
You should not consider management with Intune if any of the following statements are true of your organization:
- you require advanced configuration of Windows systems;
- you require software metering to measure application usage;
- you require role-based configuration access; or
- you want to manage servers.
SCCM vs. Intune: How licensing differs
SCCM uses a traditional volume licensing format. The number of clients managed with the product is not a factor in the cost.
SCCM is included as part of Software Assurance and with any of the Management License Equivalent Licenses: Intune user subscription license, Enterprise Mobility and Security E3, Enterprise Mobility and Security E5, Microsoft 365 E3, Microsoft 365 E5, or Microsoft 365 F3 (formerly Microsoft 365 F1).
Intune is available with different licensing, depending on the type of institution: schools, small businesses and enterprise customers. Most of the licenses for Microsoft Intune also give you rights to use SCCM.
You will need to have one of the following licenses to use Intune: Microsoft 365 E3, Microsoft 365 E5, Enterprise Mobility and Security E3, Enterprise Mobility and Security E5, Microsoft 365 Business Premium, Microsoft 365 F1, Microsoft 365 F3, Microsoft 365 Government G3, or Microsoft 365 Government G5.
Intune is also included in the following educational licenses: Microsoft 365 Education A3 or Microsoft 365 Education A5.
Can I use both SCCM and Intune?
You can use both Intune and SCCM to manage Windows 10 systems using a configuration Microsoft calls co-management. The tools have some capabilities that overlap, but you will most likely use them in a complementary fashion. With co-management, you select the management system that handles certain workloads; by default, ConfigMgr will run management workloads unless otherwise specified.
Co-management licensing vs. a standalone Intune license
Customers with SCCM and Software Assurance can opt in for the co-management license that provides PC management with Intune without the need to assign licenses to each user.
This co-management license only applies to devices already managed by SCCM; it is not available for machines enrolled any other way. Windows Autopilot, the deployment and provisioning feature, is not available because it requires a full Intune license.
If you want to manage mobile devices or macOS systems, you need a standalone Intune license, such as an Enterprise Mobility and Security or Microsoft 365 E5 license.
The following chart compares co-management licensing and full Intune licensing.
You use co-management in two main ways:
- Existing clients. You already configured clients using SCCM, but you register them with Azure AD and enroll them into Intune.
- New clients on the internet. Enroll them in Intune and install the SCCM client.
How to use co-management
The benefit of enabling co-management is that you can draw on the strengths of both SCCM and Intune. With co-management, you can use ConfigMgr features, such as OS deployment, advanced application installations and system configuration, or you can go with the strengths of Intune, including mobile device management and conditional access capabilities.
In SCCM, you can configure which workloads should be handled by ConfigMgr and which Intune should handle.
Requirements for co-management
In addition to the proper licensing, using co-management also requires: Configuration Manager 1710 or later, Azure AD Premium, at least one Intune license, and the correct setup for permissions and roles based on this document.