SCCM Review

Enables us to set up schedules, according to security needs, to automate server and desktop patching


What is our primary use case?

Systems management, inventory, pushing out deployment, and patching. It has multiple purposes.

How has it helped my organization?

It helped our internal IT get ahold of all the applications that we are actually running out there. With the SCCM inventory, we found a lot of rogue applications. We were able to identify them, find out who was running them, and either put them on our application list or remove them.

One of our goals with the patching of systems was to automate it so we wouldn't have to manually push out patches anymore. It gave us the ability to set up schedules, set up all the groups and collections and, according to what our security requirements are, to automate the patching of our servers and desktops. Everybody knows now exactly what days it will happen and what is going to get patched, on a schedule. That was a huge culture shift.

What is most valuable?

What's valuable is the basic management of the systems, being able to control who can access the systems.

You can remote control or RDP. That has been the most valuable because we can go into one console and can get to anything we want. Instead of going to all these different consoles, we centralized everything. That's the big one that we really are enjoying, that we have a central console for everything.

What needs improvement?

We run into little stuff all the time. There is a reboot issue with the patching. Sometimes, if patching runs into any issue whatsoever, it doesn't reboot but it doesn't tell you it errored out. It just sits there and we don't find out until the next day whether it patched or not. That was a big issue for us. We're working through that. They added some stuff in there now where you can actually tell reboot is pending. At least that tells us which ones didn't reboot, but before that got put in the 2018 version, it was really tough because management wanted a report of what patched and what didn't, and we couldn't give it to them.

We went into the feedback site and added our feedback and voted on it. The reboot pending was a big step forward, but we still need some kind of notification that if something fails or is pending, we know. We shouldn't have to go in and look. They don't have anything for that right now.

I would also love to be able to patch Linux servers. I would love that ability to be on one console and patch my environment. I know they're doing it with the Azure piece right. I saw that at Ignite last year, where they're looking to almost have SCCM as part of the cloud, and they will supposedly let you patch your Linux boxes from the cloud. Being a law firm, that is not going to happen for us. We are not cloud-friendly.

Finally, their compliance reporting is not accurate, and they admitted it on the phone when we had a call with them. We were trying to understand why their numbers didn't match on our compliance reports. Our security really liked the idea of being able to get compliance reports themselves, on patching etc. However, it is not accurate and you cannot depend on the compliance reports. The numbers just don't match, and we can't figure out why. We called Microsoft and they said, "Yeah, that's a known issue." But there is no word that they're working on it or anything like that. That's all they said, "It's a known issue."

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We've had no stability problems at all. Things have been running great for a year, we haven't had any real issues with the system itself. We've had to tweak some things like everybody does, some registry keys here and there, but there has not been a stability problem at all.

What do I think about the scalability of the solution?

It scales, but it gets expensive. If you're looking to do - and this is something I hear they're changing in one of the future versions - built-in HA, high-availability, right now you have to use Microsoft clustering. So you have to buy Microsoft clustering to make it highly available. 

As far as load balancing across, they don't have that support yet, so that you can actually build multiple primaries and have it load balance across. They don't have any of that functionality yet. That would be a nice feature, to scale that way. The way they have designed SCCM is to put the load in the offices. You put secondary sites out there where you put DPs on the sites and they pull from the local site, not from across the LAN. That helps with the load, it doesn't really hit the primary server.

How is customer service and technical support?

We had to escalate our issue because you always get that person at first-level support who reads off a script. Then, after a couple hours, you say, "Escalate this." Once we got to the second person, we were able to figure our issues out. I would rate tech support at seven out of 10, based on our experience.

Which solutions did we use previously?

We used ZENworks for years. I used to work for Novell, so I was biased toward it too. We switched because we weren't sure where they were going. With Novell going away, Micro Focus taking over, and somebody taking over the whole umbrella corporation, we had no idea. They couldn't give us a real roadmap out for a long period of time. We were a little worried about being on a product that might not be around in five years.

We had no problems with ZENworks. It was fine, we loved it, but we were worried about the future.

How was the initial setup?

I did a lot of research before I set it up. I watched a lot of YouTube videos, talked to Microsoft, demos, etc. I did enough homework so that when we set it up it was pretty simple. You just have to understand the SCCM infrastructure and how it works. If you don't understand that, it might be confusing when you first install it. You have to understand your primary site, your secondary site, your distribution points and how they work, so you know how to set it up correctly.

After that, installing it was easy. Just understanding what connects to what. What has to go first, what has to go second, what services you need installed and set up, and how to set them up. Once you do your research on that it is pretty simple. But if you go in blind, I can see how it could be rather difficult.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are a downside of SCCM. It's expensive. I'd have to confirm this, but I think they changed the licensing to core-based instead of socket-based. It's not cheap, because you have to buy the software, you have to buy SQL. Another thing we learned from talking to Microsoft is that they provide you a license for SQL if you run it on the same box as the primary server. If you run it outside that box, you have to buy SQL. Microsoft does recommend running it on the same box because of performance. But then, in order to run SQL, SCCM, and everything on the same box, you better have some resources.

It's an expensive solution. There's no doubt about it.

Which other solutions did I evaluate?

We looked at some small-time vendors, third-party stuff. No major names. There was one that we looked at that was really small and it actually seemed pretty powerful. It was called PDQ. But it turned out to be more for small business than enterprise-ready. 

The only enterprise solutions we came across were SCCM, ZENworks, and BigFix from IBM. Even though BigFix did Linux, it did everything, the price point was really expensive. It was something that wasn't even in our ballpark, and they didn't seem to want to deal with us.

We were already on ZENworks and we knew how it worked. We knew everything about it, but again, we didn't know its future. When it came down to having discussions with our team, myself, and other architects, we decided the more we keep with a single solution - we are mainly a Microsoft shop, Windows on the desktop, and mostly Microsoft servers - the more we keep the stack together. That's why we went with SCCM.

What other advice do I have?

Do your homework. Understand the basics of it, how it works between services. When you go to install it's going to ask you specific questions, and you might not know what the question is unless you did your homework ahead of time.

Microsoft offers architectural sessions. Right before we installed it, we went to Microsoft and they sat down with us and did a session with us to understand how to architect it, how to design it. I would definitely advise doing that. I don't know who they offer it to, but that was very helpful. We met with their architects at Microsoft and they helped us understand how to architect it.

I give SCCM an eight out of 10. It's powerful. It's not a 10 because it has little bugs here and there. It has little issues that are annoying. For example, you may want to do something on a maintenance window. There's no way to say, "I want this maintenance window to be on the second Tuesday of the month." It's strict. This window is this and that's it. You can't fluctuate. There are little intricacies that are a little annoying. Sometimes we find the flexibility is not there in certain circumstances.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
1 Comment
Russ Rimmerman (Real User)

SQL standard license is included whether it’s colo’d or remote as long as it is only used for ConfigMgr. https://docs.microsoft.com/en-us/sccm/core/understand/product-and-licensing-faq#product-and-licensing-faq

28 June 19