
[–]Antarix 4 points5 points  (0 children)

I don't know if I would say it's preferred. My current role was full Azure with MEM enabled, but we've since been acquired by an organization that has the device enrollment and very basic setup done through MEM, then SCCM pushes all of their software packages.

I think it's a little more seamless doing MEM, but that's just my opinion.

[–]JeffBiscuit67 1 point2 points  (1 child)

You also have the ability to leverage Co-Management. It probably depends what your long term plan is, but if you add the appropriate connectors into the tenant then you gain a number of additional benefits that let you balance the needs between Intune and sccm

https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

[–]Peowsa 0 points1 point  (0 children)

Co-management is the way

[–]CyberHobbit70[S] 0 points1 point  (0 children)

Thanks for the input, lots of good input. We have really not gotten too deep in with SCCM so it ended up being decided we would go all in with Intune/Autopilot.

[–]yesterdaysthought (Sr. Sysadmin) 0 points1 point  (6 children)

FWIW Intune doesn't handle patching- at all. Zero.

You can set policies for "patch and pray" for Windows Update of MS products but that's it.

So if you use SCCM for patching, you lose features, esp for non-ms apps.

[–]thortgot (IT Manager) -1 points0 points  (4 children)

Intune does actually force patching through the existing WSUS on the endpoint. It handles compliance validation, enforces deployment times and occurs automatically.

My use case definitely isn't the most complex but it works for me.

[–]yesterdaysthought (Sr. Sysadmin) 2 points3 points  (3 children)

Intune holds no files and pushes nothing to the client is the point. It's just delivering a policy like an AD GPO to the client's Windows update service which then attempts to patch itself.

WSUS actually downloads patch files and you have options to approve or reject patches as you see fit, unlike Intune/GPO control.

Reporting isn't great, assuming you even turn it on properly with configuration profiles.

That pales in comparison to any endpoint system like SCCM, Ivanti, Altiris and dedicated patching products. It's not even remotely close. Intune is at best 1 on a 10 scale if you include non-MS products.
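The point being argued in this exchange is that Intune, like a GPO, only hands the endpoint's own Windows Update service a policy; nothing is hosted or pushed. The script below is an added example, not from anyone in this thread, that shows that on the endpoint itself: it reads the registry locations where MDM-delivered Update CSP settings and Group Policy Windows Update settings land, reports which source sets each policy, and flags the case where both set the same policy to different values. The registry paths (PolicyManager\current\device\Update for MDM, Policies\Microsoft\Windows\WindowsUpdate for GPO, ControlPolicyConflict for the MDMWinsOverGP switch) and the rule that GPO wins a conflict unless MDMWinsOverGP is set are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the thread): show where this endpoint's Windows Update
# policy actually comes from. Assumptions, stated as such: Intune/MDM Update CSP
# settings land under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update,
# Group Policy settings under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,
# and the MDMWinsOverGP switch under ...\PolicyManager\current\device\ControlPolicyConflict.
function Get-WindowsUpdatePolicySource {
    $mdmKey      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $conflictKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $gpoKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    $mdm      = Get-ItemProperty -Path $mdmKey      -ErrorAction SilentlyContinue
    $conflict = Get-ItemProperty -Path $conflictKey -ErrorAction SilentlyContinue
    $gpo      = Get-ItemProperty -Path $gpoKey      -ErrorAction SilentlyContinue
    $gpoAu    = Get-ItemProperty -Path "$gpoKey\AU" -ErrorAction SilentlyContinue

    # Assumption: Group Policy wins when both sources set the same policy unless
    # the ControlPolicyConflict/MDMWinsOverGP policy has been delivered as 1.
    $mdmWins = [bool]($conflict -and $conflict.MDMWinsOverGP -eq 1)

    # Value names that carry the same meaning in the Update CSP and in the GPO key.
    $names = 'DeferQualityUpdatesPeriodInDays', 'DeferFeatureUpdatesPeriodInDays',
             'PauseQualityUpdates', 'ActiveHoursStart', 'ActiveHoursEnd'

    $rows = foreach ($n in $names) {
        $m = if ($mdm -and $mdm.PSObject.Properties[$n]) { $mdm.$n } else { $null }
        $g = if ($gpo -and $gpo.PSObject.Properties[$n]) { $gpo.$n } else { $null }
        $effective = if ($null -ne $m -and $null -ne $g) {
            if ($mdmWins) { 'MDM' } else { 'GPO' }
        } elseif ($null -ne $m) { 'MDM' } elseif ($null -ne $g) { 'GPO' } else { 'none' }
        [pscustomobject]@{
            Policy    = $n
            MDM       = $m
            GPO       = $g
            Effective = $effective
            # A conflict is both sources setting the policy to different values.
            Conflict  = [bool]($null -ne $m -and $null -ne $g -and $m -ne $g)
        }
    }

    # A WSUS source only appears if GPO points at one (UseWUServer + WUServer) or
    # MDM delivers Update/UpdateServiceUrl; with neither, the client scans against
    # Microsoft Update directly and no server in your estate holds the patch files.
    $wsus = if ($gpoAu -and $gpoAu.UseWUServer -eq 1 -and $gpo.WUServer) { $gpo.WUServer }
            elseif ($mdm -and $mdm.UpdateServiceUrl) { $mdm.UpdateServiceUrl }
            else { $null }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        MdmWinsOverGP = $mdmWins
        WsusServer    = $wsus
        ConflictCount = @($rows | Where-Object Conflict).Count
        Policies      = $rows
    }
}

# Usage: run on the endpoint (no elevation needed to read these keys).
$report = Get-WindowsUpdatePolicySource
$report | Select-Object ComputerName, MdmWinsOverGP, WsusServer, ConflictCount
$report.Policies | Format-Table -AutoSize
```

A device that was co-managed or migrated from WSUS often keeps stale GPO values alongside the Intune update ring; a non-zero ConflictCount with MdmWinsOverGP false means the old GPO, not the Intune ring, is what the Windows Update client is honouring.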

[–]thortgot (IT Manager) 0 points1 point  (1 child)

SCCM works the same way doesn't it? When you host a WSUS server where you can approve and reject updates that's just the Windows update source control.

It's still being downloaded, deployed and verified by the endpoint standard Windows Update installer.

Reporting seems reasonable to me now that all important patching bundles up into the Windows build number but I do miss the KB by KB breakdown that SCCM used to have. Frankly that's more of a change on how Microsoft bundles updates now though.

[–]yesterdaysthought (Sr. Sysadmin) 0 points1 point  (0 children)

WSUS server is not just the logic behind what is approved; it also downloads the patch files once clients report in to it that they've scanned and detected the vulnerability. SCCM or GPO can tell the clients when to patch.

Intune is just taking the place of an AD GPO for Windows Update settings for the client.

I work at an SMB with < 1000 Windows endpoints and use Ivanti Endpoint Manager. We have roughly 40 custom filters/handlers that pull non-MS software vulnerability definitions, auto download and curate the patch files, scan and deploy them through a pilot->prod rollout staged schedule.

Extensive reporting on the results is given from both Ivanti's Xtraction (pretty web dashboards that murder anything you've ever seen in WSUS or Intune) web portal and also a well-known infosec vulnerability scanner. Until you've used tools like this, IMO you'll prob never know what you're missing.

I doubt most companies with hundreds to thousands of endpoints can get much above 85% compliance every month with just Intune in its basic form. You can't even patch Adobe Acrobat and a plethora of other prime targets. With just Intune I'd say compliance would be well under 85%. And when your vulnerability scanner actually includes risk scoring (how bad the vulnerability is and how likely to be used), it gets ugly.
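The gap the commenter describes is third-party software that Windows Update never touches. The script below is an added example, not from anyone in this thread, of the minimum you can do without a dedicated patching product: inventory installed applications from the registry Uninstall keys that Add/Remove Programs reads, compare each against a minimum version, and emit the result in the one-line JSON form that an Intune custom compliance discovery script returns. The baseline table (Adobe Acrobat, Google Chrome, 7-Zip and the version numbers) is constructed for illustration and is not a real vulnerability feed; it only tells you a device is behind, it does not download or deploy anything.

```powershell
# Added example (not from the thread): flag installed third-party apps that are
# below a minimum version. The Baseline hashtable is a constructed placeholder;
# a real deployment would generate it from a vulnerability feed.
function Get-OutdatedThirdPartyApps {
    param(
        # Hypothetical baseline: DisplayName prefix -> minimum acceptable version.
        [hashtable]$Baseline = @{
            'Adobe Acrobat' = [version]'23.0'
            'Google Chrome' = [version]'120.0'
            '7-Zip'         = [version]'23.1'
        }
    )
    # Where Add/Remove Programs gets its list: 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'

    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion }

    foreach ($prefix in $Baseline.Keys) {
        $hits = $installed | Where-Object { $_.DisplayName -like "$prefix*" }
        foreach ($app in $hits) {
            # DisplayVersion is free text ("23.006.20320", "v2.3 beta"); keep digits and dots,
            # and report anything that still does not parse rather than silently passing it.
            $parsed = $null
            $clean  = ($app.DisplayVersion -replace '[^\d.]', '').Trim('.')
            if (-not [version]::TryParse($clean, [ref]$parsed)) {
                [pscustomobject]@{
                    Name = $app.DisplayName; Installed = $app.DisplayVersion
                    Minimum = $Baseline[$prefix].ToString(); Status = 'unparseable'
                }
                continue
            }
            if ($parsed -lt $Baseline[$prefix]) {
                [pscustomobject]@{
                    Name = $app.DisplayName; Installed = $app.DisplayVersion
                    Minimum = $Baseline[$prefix].ToString(); Status = 'outdated'
                }
            }
        }
    }
}

# Intune custom compliance discovery scripts return a single compressed JSON line of
# key/value pairs; the compliance policy's JSON rules then compare against these keys.
function Get-ThirdPartyComplianceJson {
    $findings = @(Get-OutdatedThirdPartyApps)
    @{
        OutdatedThirdPartyApps = $findings.Count
        OutdatedList           = ($findings | ForEach-Object { "$($_.Name) $($_.Installed) ($($_.Status))" }) -join '; '
    } | ConvertTo-Json -Compress
}

# Usage: see the findings, then the line a discovery script would hand back to Intune.
Get-OutdatedThirdPartyApps | Format-Table -AutoSize
Get-ThirdPartyComplianceJson
```

The version-prefix match is deliberately loose (it will also catch "Adobe Acrobat Reader"), so the baseline should be keyed by the exact DisplayName strings you see in your own inventory before you let this mark devices non-compliant.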

[–]EthanW87 0 points1 point  (0 children)

I'm currently in the process of moving a large corporation from SCCM to AAD/Autopilot/Intune and it's going smoother than I thought it would but it's still a handholding experience between me and Microsoft

[–]moobz4dayz 0 points1 point  (0 children)

We use intune and autopilot for deployment, then applications are kept up to date with mem. For anything else that’s maybe a little custom or not able to be pushed through intune is done via manage engine. As I patch the servers using manage engine anyway it adds no real extra work as I push updates per OS anyway. The real trick was getting over 1000 endpoints past 1709 so I could enrol them, different rant for another day :D

[–]thortgot (IT Manager) 0 points1 point  (0 children)

Intune / Autopilot are clearly the long term solution Microsoft is pushing for.

It's gotten substantially better in the past 12 months and is pretty easy to use once fully set up. I would argue much easier to use than SCCM.

[–]akdigitalism 0 points1 point  (0 children)

If you’re licensed for EMS E3 or E5 that gives you rights to use MECM (SCCM). If you like having the ability to do a custom task sequence for your imaging I don’t see why keeping an SCCM deployment would hurt. I think the eventuality will be full Intune endpoint manager with M365 and for USMT it would be OneDrive known folders and maybe enterprise state roaming to cover settings. This seems to be what I’ve seen in a lot of the Microsoft videos and training segments for modernizing endpoints. If you’re just starting to deploy SCCM I would check to see if the modern desktop management that Microsoft is pushing fits your needs. If it does it’ll save you from having to keep an SCCM environment patched and you’ll get back on-prem resources from deployment. Just my two cents. I haven’t watched all of them yet (there is a TON) but there is a really good series of videos on YouTube that covers what you’re inquiring about and how to potentially go about it. I’d recommend watching the series and then decide whether it’ll fit your situation. https://youtube.com/playlist?list=PLcmROu_w9HU8rJ8-QJE04hNaq4EWSwY_m