How much longer do you think sccm will be around?
Posted by Abject_Serve_1269@reddit | sysadmin | 258 comments
I know in this field there are ancient systems and such, but I'm curious as to how long SCCM will be around in corporations vs flipping to Azure/Intune.
Firerain@reddit
The market for SCCM SMEs used to be enormous. Now it’s tapered back to mainly defense customers in the cleared field. And those jobs are hard to come by unless you know people.
Anyone still administering SCCM that hasn’t started looking at reclassifying their skillset to something else is going to end up cooked.
I say this as one of those remaining SMEs. It’s time to jump ship before it sinks entirely. SCCM may still be around in a few years, but it will get fully folded into the EUC umbrella and a general EUC sysadmin will be expected to manage it with all their other systems.
GoldyTech@reddit
I'd disagree. MECM is still the only answer for bare metal deployments and its feature set is huge. There are options out there to deploy an image, but nothing like task sequences. There are even fewer options out there for servers.
It does more than any other endpoint management platform. When you need absolute control of your environment, nothing else even comes close.
I've had jobs in higher education, Fintech, and the energy sector that still use it.
Intune is solid, and I'm actually the autopilot lead at my company, but it's still not mature enough to replace a 250 step task sequence that covers all your requirements. I'm not even going to mention the lack of reporting in intune/autopilot when compared to mecm.
For small to mid size companies, Intune would probably work fine. When you're dealing with a company that has 8 subsidiaries that all have different requirements on patching, regulatory compliance, app requirements, and you have 200 sites with network speeds ranging from a T3 to 10Gbps, MECM is the only answer.
Firerain@reddit
Agreed. But try telling that to the bean counters that get wowed by sales execs pushing “cheaper cloud” solutions, and the decision makers that listen to them.
Autopilot is useful, but it’s nowhere near a good task sequence. To the decision makers though, Autopilot looks like an all singing, all dancing, all in one solution from 0 to deployed.
GoldyTech@reddit
That leans towards a company culture problem and it's one I'm familiar with.
From the time I started the Autopilot POC to when we launched it (About a year), I had to consistently mention that Autopilot is an alternative to OSD, not a replacement.
The higher ups wanted to cut the spend on MECM hardware, and they really kept trying to push the narrative that autopilot is going to be what we use going forward, and that all techs need to know how to use it.
I got tired of hearing it, so eventually I just told them what they wanted to hear.
During a rollup meeting, I told them that Intune would be a workable replacement for MECM but we'd need a few things to reach parity with MECM. We'd need to upgrade every site with at least 30 users to 100Mbps minimum to support the increased internet usage. We also need to purchase ready image or something similar to replace bare metal imaging. Same issue for servers. We need a replacement for reporting because Intune is limited in its capabilities, and doesn't exist for servers. We also needed a new patching solution, because Intune doesn't allow you to specify exactly what updates you want to deploy to what groups. We also needed to purchase a remote assistance tool to replace MECM's remote assist.
I stopped hearing about it after that, and we now use both systems side by side.
Firerain@reddit
That's the problem though. You're now administering 2 ecosystems that should realistically be managed by 2 individual people. At some point, SCOM and the rest of the System Center stack will get grouped and companies will expect a generalist to manage all of them. And the pay won't increase exponentially despite what is effectively an exponentially multiplied workload. Then things start breaking because one person is wearing far too many hats.
Contrast that to Azure and AI mid-senior roles right now that are niche and paying even more than what SCCM SMEs used to make back in the golden days.
If I was a junior sysadmin, I wouldn't even bother trying to learn SCCM at this point. It's solely the domain of graybeards (that are comfortable at their current company and have no plans to quit) and offshore MSPs. Unfortunately both of those options mean stagnation in the market for anyone else looking to find a job specializing in it.
GoldyTech@reddit
I'm part of a decent sized team and there are 5 of us who manage MECM. There are only 2 engineers who are dedicated to MECM alone. I also handle Intune as well as a few other things. I understand that's not the norm though.
The way I see it, Intune is part of our DR plan for MECM. If something catastrophic does go wrong, we still have the ability to push policies and applications via Intune. We're also migrating away from GPO's where possible to configuration profiles in Intune. Not having to deal with group policy has been great.
We also don't keep our entire stack of applications in Intune for Autopilot. We have our security stack and our productivity stack. The rest of it will come down eventually once the MECM client comes online, or users are expected to self service via Software Center. I honestly spend a few hours at most per month maintaining Autopilot at this point.
As for pay, I can't say much. I've been working with MECM for 8 years now and I've managed to reach mid 6 figures in my current role. I do think it'll be a COBOL type skill at some point though.
I do believe it'd be valuable to learn the skills you mentioned, but I don't think it's either or. I work a good bit with automation via ansible and rundeck. I also work in the AI space building agents for troubleshooting and answering questions from our techs that have already been answered 100 times.
I think it's a mentality thing right? If you're comfy at your job and just want a paycheck, that's fine. If you want to learn more and you have a good boss, you can reach out to new areas.
TaiGlobal@reddit
Could you elaborate more on the agents?
GoldyTech@reddit
It's actually easier than I expected.
Copilot studio has the ability to use teams channels as a tool in a semi knowledge source capacity. My company has a teams channel that all techs and the MECM admins are part of. Questions get asked and answered in this channel.
Create a prompt that directs it properly and tell it to use the teams channel to find similar questions that were asked in the past. Find the replies to those questions and summarize the info, including what the solution ultimately was.
From there, have it post its response to the user who asked the question with a generic "this is an AI response that may not be 100% accurate" disclaimer.
Bam. You've got an AI agent that answers questions before an admin even gets a chance to look at it, and it's usually right, because you disable its ability to check the Internet and tell it not to use its own knowledge, only the Teams channel info.
Another way to do this would be to export all data from a similar teams channel using purview, tell an AI to summarize every unique question and the answer to every question, and feed that new FAQ into copilot studio as a knowledge source.
There are a lot fewer API calls with this approach, and it might be able to be automated, but I haven't tried it because I'd have to work with compliance to get the exports and they're kind of stingy.
Firerain@reddit
Sounds like you're doing things right at your company. I'm on the defense side so I have job security for at least a few more years with airgapped SCCM consulting, but I'm seriously considering reclassing into something else because the writing on the wall is getting clearer every year.
As much as I like how versatile SCCM is, I just don't see it or the System Center stack being a stable career platform anymore. Especially for newbies. If I could go back and do things all over again, I'd have gotten into project management instead.
ErikTheEngineer@reddit
I think I'm one of the only systems engineers out there who likes SCCM/MECM. It gets a horrible reputation because, yes, it's super-complex. But, I haven't run into a better-documented Microsoft product with more comprehensive logging and deterministic behavior than this tool, and it's a shame it's being dumped for Intune. One thing I've seen too much is that it's considered an afterthought product, the admins just do a next next next setup and wonder why everything's so slow/doesn't work. You need a super-solid DNS, AD and PKI infrastructure and MECM needs to be configured to use them appropriately. People get turned off because there are so many standalone components passing messages back and forth...but that componentization makes it very easy to pinpoint issues if you approach it logically.
Intune will likely take over all of the client-side management, especially in organizations that are hybrid or have a ton of remote employees. But, I think MECM will be around for at least a little longer for Microsoft's shrinking base of on-prem customers. It'll probably get as much love as on-prem Windows Server and AD are getting. But, I don't think the on-prem workload is going to zero. I'm in NYC and there are still a ton of finance firms, small and large, who run at least the core of their business in house. These places (well, some of them) are willing to invest the money and time in managing a "big-boy/girl" Windows Server fleet because it runs their business. It's just like the mainframe. There are 3 legitimate "nothing's better yet" use cases left for mainframes - airlines/travel reservations, finance/insurance and government recordkeeping. On prem compute is probably going to distill down to something like that.
randomman87@reddit
Compartmentalization of logs is actually its biggest issue imo. SCCM admins have no problems generally, but most of your L2s are going to struggle to follow the logs. It's been a while for me, but isn't it like 5+ just for patching alone?
ipreferanothername@reddit
Yeah about that many.
The logging is both great and terrible... It's very tedious to follow a process in them, and there are a few things you manage in the console that aren't really represented on the client, like collection membership.
Also change auditing in sccm sucks. You can see something was changed, but not often in detail.... Just that something with 30 properties was updated. And in some cases you can't find out by who iirc
I use it at work and both love and hate it.
ErikTheEngineer@reddit
Agreed...but that's an issue with a lot of pre-IaC concepts (AD can audit everything too, but good luck tracing through a GPO change by following the AD audit logs.) Intune has something interesting I found a while ago - their "multi-admin approval" in the portal actually does a diff of any config change in the graph API when submitting a change for approval. So they're getting there kinda, but I'm actually surprised no one's written a first-party Terraform module or similar.
Unseeablething@reddit
Any younger sys admin is hopefully wise enough to be preferring Intune. I can see deep SCCM experience being like COBOL experience in ten years.
There are plenty of weird niche businesses whose dumb level of apps or infrastructure SCCM has the ability to handle.
ValeoAnt@reddit
Sometimes it's better to be the niche SME though, everyone will know Intune and because it's more accessible, you'll get paid less
Drywesi@reddit
Just look at COBOL. People've been declaring its imminent death since the early 90s.
ValeoAnt@reddit
My uncle has earned a lot of money doing purely COBOL for 30 years
man__i__love__frogs@reddit
My Intune environment has PowerShell scripts to install every app. I do things like stop/restart processes, set reg keys or env variables, check dependencies, I use try and catch with logging, and PowerShell output logging to log files in temp folders, you name it. What can SCCM do that you can't with PowerShell?
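The install-script pattern the comment describes (stop a process, run the installer, set registry keys and an environment variable, check a dependency, try/catch with logging to a file), written out as an added example. This is not the commenter's script or any Microsoft sample; the app name, installer name, vendor registry path and minimum build number are placeholders, and it assumes the script is deployed as an Intune Win32 app running as SYSTEM.

```powershell
# Added example (not the commenter's script): an Intune Win32 app install wrapper.
# Placeholders: ExampleApp, setup.exe, HKLM:\SOFTWARE\ExampleVendor, build 19045.
[CmdletBinding()]
param(
    [string]$AppName       = 'ExampleApp',                 # placeholder app name
    [string]$InstallerExe  = "$PSScriptRoot\setup.exe",    # placeholder installer shipped in the .intunewin
    [string]$InstallerArgs = '/quiet /norestart',
    [string]$ProcessToStop = 'ExampleApp'                  # placeholder process name
)

# Intune runs this as SYSTEM; log to a stable per-app folder so helpdesk can find it later.
$LogDir  = Join-Path $env:ProgramData "IntuneLogs\$AppName"
$LogFile = Join-Path $LogDir ("Install_{0}.log" -f (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Start-Transcript -Path $LogFile -Append | Out-Null

function Write-Log {
    param([string]$Message, [string]$Level = 'INFO')
    # Timestamped lines; the transcript captures these plus any error output.
    Write-Output ("{0} [{1}] {2}" -f (Get-Date -Format 's'), $Level, $Message)
}

$exitCode = 0
try {
    Write-Log "Starting install of $AppName"

    # Dependency check: refuse to run below the build we tested on (placeholder value).
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    if ($build -lt 19045) { throw "Unsupported Windows build $build" }

    # Stop a running instance so the installer can replace locked files.
    Get-Process -Name $ProcessToStop -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Log "Stopping $($_.Name) (PID $($_.Id))"
        $_ | Stop-Process -Force
    }

    if (-not (Test-Path $InstallerExe)) { throw "Installer not found: $InstallerExe" }

    $proc = Start-Process -FilePath $InstallerExe -ArgumentList $InstallerArgs -Wait -PassThru -NoNewWindow
    Write-Log "Installer exited with $($proc.ExitCode)"
    # 3010 means success with reboot required; Intune treats it as a soft-reboot return code.
    if ($proc.ExitCode -notin 0, 3010) { throw "Installer failed with exit code $($proc.ExitCode)" }

    # Post-install configuration: a vendor setting plus a marker the detection rule can read.
    $vendorKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'    # placeholder path
    New-Item -Path $vendorKey -Force | Out-Null
    Set-ItemProperty -Path $vendorKey -Name 'AutoUpdate' -Value 0 -Type DWord
    Set-ItemProperty -Path $vendorKey -Name 'IntuneInstalledOn' -Value (Get-Date -Format 's') -Type String
    # Machine-wide environment variable, visible to processes started after this point.
    [Environment]::SetEnvironmentVariable('EXAMPLEAPP_HOME', "$env:ProgramFiles\ExampleApp", 'Machine')

    Write-Log "Install of $AppName completed"
    $exitCode = $proc.ExitCode
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)" 'ERROR'
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

The install command on the Win32 app would be `powershell.exe -ExecutionPolicy Bypass -File install.ps1`, and the detection rule can point at the `IntuneInstalledOn` registry value the script writes; returning the installer's own exit code (0 or 3010) rather than always 0 is what lets Intune report reboot-pending devices correctly.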
Some-Platypus5271@reddit
SCCM pricing is its worst enemy.
A-New-Creation@reddit
COBOL has entered the chat…
sirachillies@reddit
I would agree, but I know a billion dollar company just started implementing MECM about 2 months ago. And this company is a HUGE global organization. I'm not a part of the team there. But knowing that tells me it probably won't go anywhere for a little while. I hope to retire before it goes away.
Unseeablething@reddit
Hard to say, it's definitely been getting neglected. That said some of its features are still not in Intune in any way.
I would not be surprised if SCCM goes through another rebrand and outlives Intune. But slowly getting more clunky.
JayTechTipsYT@reddit
Oh really? What sort of features does SCCM have that Intune doesn’t?
deonisfun@reddit
Does Intune provide bare-metal zero-touch OS deployment? I genuinely don't know the answer... but that's a big part of SCCM for us. Shipping a brand new device from the manufacturer to a remote site, powering it on and it pulling down the WIM and task sequence and building end-to-end with no user interaction at all is game-changing for us.
TaiGlobal@reddit
No it does not. You take the factory OS and use autopilot to create enrollment profile and configuration profiles for it.
Cooleb09@reddit
Intune uses Autopilot; it's not bare metal/PXE, but instead assumes there will be a blank OEM image that will phone home.
Overdraft4706@reddit
Task Sequences are a big plus for SCCM.
Sp33d0J03@reddit
Yes.
FrenchFry77400@reddit
I'd say actually being able to manage server OS for one.
screamtracker@reddit
Oh snap 😲
randomman87@reddit
I'm not sure if this is a genuine question or sarcasm
FanClubof5@reddit
Server management.
Cooleb09@reddit
Support for server os.
sirachillies@reddit
Maintenance windows are a big one for my org that don't exist in Intune today. They're extremely helpful for a business that is 24/7 operations. The dynamic groups are garbage in comparison to device collections...
These are the two big ones for us
JayTechTipsYT@reddit
Ooooo fair enough ! How are device collections better tho?
sirachillies@reddit
We can literally make a device collection based on virtually anything. CPU speed, devices with certain USB attached items, devices with up time of over 20 days as an example, devices with certain applications installed or missing. These are just some examples.
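Three of the collection types mentioned above (uptime over 20 days, a specific application installed, CPU speed), created as query-based device collections with the ConfigurationManager PowerShell module. This is an added example, not the commenter's code or anything from Microsoft's documentation; the site code "P01", the limiting collection name, the collection names and the 7-Zip/2 GHz thresholds are placeholders, and it assumes it runs on a machine with the admin console installed.

```powershell
# Added example, not from the original post: query-based device collections via the
# ConfigurationManager module. Site code, collection names and thresholds are placeholders.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'P01:'    # placeholder site code; the module exposes the site as a PSDrive

# Every collection below is scoped by a limiting collection (rules never return devices outside it).
$Limiting = 'All Desktop and Server Clients'

# Collection name => WQL query that drives its membership. The SMS_G_System_* classes
# are populated by hardware inventory, so a device shows up only after its next inventory cycle.
$Collections = [ordered]@{
    'Uptime over 20 days' = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.LastBootUpTime < DateAdd(dd, -20, GetDate())
"@
    'Has 7-Zip installed' = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "7-Zip%"
"@
    'CPU slower than 2 GHz' = @"
select SMS_R_System.ResourceId, SMS_R_System.Name
from SMS_R_System
inner join SMS_G_System_PROCESSOR on SMS_G_System_PROCESSOR.ResourceId = SMS_R_System.ResourceId
where SMS_G_System_PROCESSOR.MaxClockSpeed < 2000
"@
}

foreach ($name in $Collections.Keys) {
    if (-not (Get-CMDeviceCollection -Name $name)) {
        # RefreshType Both = scheduled full evaluation plus incremental updates between runs.
        New-CMDeviceCollection -Name $name -LimitingCollectionName $Limiting -RefreshType Both | Out-Null
    }
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName "$name rule" `
        -QueryExpression $Collections[$name]
    Write-Output "Collection '$name' ready"
}
```

The same pattern extends to any inventoried class: a collection on attached USB devices or missing applications only needs the matching hardware inventory class enabled in client settings and a different join in the WQL, which is what makes collections the targeting primitive for deployments, maintenance windows and change-control impact counts.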
taukki@reddit
Didn't know that Intune doesn't have them. They were probably the most important part of it in a university I worked for. Can't imagine how else they can handle which apps are installed on which computer classroom.
altodor@reddit
GroupTag and dynamic group would be my go-to for that scenario. But you have to build it hierarchically and that becomes a pain in the ass.
sirachillies@reddit
Pretty big for my organization too. Honestly the MWs are the biggest thing we need the most.
Kuipyr@reddit
I wonder if the new Intune Properties catalog is the start of them trying to replicate that.
Just-a-waffle_@reddit
You can make an “additional requirements” script for any app, and filter devices by anything you can put in a PowerShell script.
So the plumbing is a bit different, and you don’t get a group of computers in a collection, but the end result can be basically the same
I think we have a couple apps that apply registry tweaks via PSADT in a win32 app, we have a requirement script that checks the specific Dell model number. Fixes things like setting the default scaling for a specific laptop model, or briefly Dell had a bad bios that labeled non-touchscreen laptops as “convertible” so the touch controls in windows would show up.
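The requirement-script approach described above, as an added example rather than the commenter's script: Intune runs the script before installing a Win32 app and compares its single line of output with the value configured on the app's requirement rule (here a String that must equal "Applicable"). The Dell model names and the minimum BIOS version are placeholders, not values from the original post.

```powershell
# Added example, not the commenter's script: an Intune Win32 app requirement script that
# gates a BIOS-workaround package to specific Dell models still running an old BIOS.
# Placeholders: the model list and the minimum BIOS version.
$TargetModels   = @('Latitude 5540', 'Latitude 5550')   # placeholder Dell models
$MinBiosVersion = [version]'1.10.0'                      # placeholder; BIOS below this gets the fix

function Test-AppRequirement {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Dell reports versions like "1.10.0"; other vendors use other formats, so parse defensively
    # instead of letting a cast exception turn into a failed requirement check.
    $biosVersion = $null
    [void][version]::TryParse($bios.SMBIOSBIOSVersion, [ref]$biosVersion)

    $isDell  = $cs.Manufacturer -like 'Dell*'
    $isModel = $TargetModels -contains $cs.Model.Trim()
    $oldBios = ($null -ne $biosVersion) -and ($biosVersion -lt $MinBiosVersion)

    if ($isDell -and $isModel -and $oldBios) { 'Applicable' } else { 'NotApplicable' }
}

# Exactly one line of output: Intune's string comparison on this value is the whole decision.
Write-Output (Test-AppRequirement)
exit 0
```

On the app, set the requirement rule to "Script", output data type String, operator Equals, value `Applicable`; devices that return anything else are reported as not applicable rather than failed, which is the reporting behaviour the next reply is talking about.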
sirachillies@reddit
Yeah that makes sense. I suppose that is one way to do it. We would just have tons of reporting stating an application wasn't applicable though. Essentially you're targeting everything and "filtering" via Intune's equivalent of "Global Conditions" in MECM.
While this could work for some orgs. It wouldn't work for us unfortunately. We have to be able to present at our change control meeting how many devices will be impacted before releasing applications.
sirachillies@reddit
I've looked at it but it's fairly limited from what I've seen. Unless we're talking about different things.
Kuipyr@reddit
It's pretty useless at the moment, but the hope is we could use it with something like device filters in the future.
sirachillies@reddit
I really hate to shit on M$ but... those are basically useless. It has like 9 options, which is fewer options than properties.
JayTechTipsYT@reddit
TIL ! I had no idea, that would actually be so handy
sirachillies@reddit
Device collections are fairly versatile. There may be some workarounds but because we can't move our org to it yet we just haven't explored enough. Also, as of today, Autopilot isn't a good solution for an org that has a culture where the field services team has to deploy a fully configured device and ready to use before it even touches the hands of the users.
We are working towards it, but unfortunately the team that packages applications is small. Then the application ownership is not good either. It will take years before we get there. Oh, and since we use a computer naming convention and have no desire to get away from that.. yeah, it'll take a while for us unfortunately. IMO, use your asset management tool correctly and ensure accuracy, change some processes to be able to accomplish this, and with automation we could do it. But it's "extra work".. I'm ranting at this point... But you get the point I'm making.
Jimmyv81@reddit
SCCM supports servers, Intune doesn't. MS are pushing ARC for server patching, but it still doesn't really have an easy way to push out apps or 3rd party patches.
Pacers31Colts18@reddit
Collections
Patching (GCC)
Reporting
Good logging
Just to start
rdldr1@reddit
God I hate Microsoft sometimes.
Lagkiller@reddit
It's pretty easy to say. It will be around as long as governments keep secrets. Because without SCCM you're not going to have patch deployments to networks that can't access the internet.
spin81@reddit
So I know next to nothing about Windows but what you're saying is that there's no way to do this without SCCM and that kind of sets my BS detector off to be quite frank. Surely patch management is not some kind of dark sorcery that for some reason only SCCM works for? Why should it be literally impossible to implement a solution for this any other way than with SCCM?
Lagkiller@reddit
I like that I tell you how it works and your first instinct is not to ask for clarity, but to outright say it isn't true. If you aren't using Windows Update, then you have to download the packages, which are for SCCM. Those are the options for updates.
Because Microsoft isn't Linux. They want to control the entire OS from top to bottom. If there aren't third party distribution sites, then you can't compromise the OS or allow it to be reverse engineered easily. There's no place in the MS ecosystem to download individual OS updates. Only SCCM or their internet based updater.
Complex_Shopping_627@reddit
I feel like you can do this with other toolsets though while still achieving the fully offline server scenario; WSUS can defo do it, obvs this is not a major difference and also a deprecated MS toolset.
I think you could "maybe" do it with PDQ Deploy & Inv and use the variables to accurately track OS versions automatically; your PDQ could push into your isolated VLANs in this case, unless I'm totally missing the point and this is some true physical air-gap setup with the SCCM server within that air-gap, not sure how it's being supplied update files then except for USB transfers.
Lagkiller@reddit
SCCM and WSUS are the same thing. One is paid with support, the other isn't.
Cl3v3landStmr@reddit
Just....stop. You obviously don't know what you're talking about. You've already deleted one post where you've been educated about the differences between these two.
Lagkiller@reddit
I've deleted no posts?
spikeyfreak@reddit
This is silly and untrue.
SCCM uses WSUS.
WSUS has a bit of functionality SCCM doesn't have, and SCCM has a ton of functionality that WSUS doesn't have.
GiveMeTheBits@reddit
They are not the same thing. WSUS is a windows feature and just does Microsoft patching from the catalog. SCCM is a licensed enterprise application that does package management, deployment and patch management using wsus as the backend.
charleswj@reddit
That guy has no clue what he's talking about. He's arguing me down that the government doesn't use cloud services in classified networks, the same networks in which I work for the vendor providing these very services in these very classified networks, and the same networks and cloud services that my company and the government publicly detail for anyone who wants to look.
Redacted_Reason@reddit
Agreed. It's comical, and I wish I could explain how wrong he is as a DoD sysadmin myself. People really don't seem to understand how large these networks are and how many resources we have.
TheDawiWhisperer@reddit
they're really not
spin81@reddit
I didn't say it wasn't true. Maybe BS was too strong a word there. What I meant to say is that it sounds wildly implausible to me.
I mean clearly MS is phasing out SCCM, but doesn't that mean they're plausibly looking at other ways of doing the same thing? There are tons of orgs out there who want to install patches without connecting to the internet.
The way you were phrasing it made it sound like: well only SCCM can do that so it will be impossible if SCCM goes away! And that still sounds weird to me, admins may be stuck with SCCM but it's not like MS is stuck with SCCM. They can just make a new implementation if they want. It might not be easy! But it's not literally impossible.
Lagkiller@reddit
They've extended support for it for years past when they said they weren't because it's the only way to do offline.
And as it currently stands, this is true. There is no package system in place to do offline updates except through SCCM.
MS has no desire to. They want to be fully online and fully in control of updates. The only reason that SCCM/WSUS is still alive and kicking is because of government agencies which have whole networks designed to never connect to the internet. If, by some chance, governments declared that they'd create a communication channel to their air gapped networks for only updates, they'd retire the whole thing.
Redacted_Reason@reddit
You're so close to understanding it.
dab70@reddit
"They want to be fully online and fully in control of updates."
Microsoft keeps trying to sell me on auto patching and I can't even trust Microsoft to put out monthly cumulative patches that won't break something we rely on, so I'm not sure why I'd ever trust them to patch my devices in a way that is harmonious with my business requirements.
InTheSharkTank@reddit
You can use Microsoft update catalog without SCCM
TitoMPG@reddit
We use PDQ and manual deployment. I looked into BatchPatch but couldn't get it approved yet, and SCCM required a direct connection to my understanding, unless someone has a cool tidbit to correct me on. Cause I'd love to get SCCM running.
Fine-Finance-2575@reddit
Pdq is not scalable and the fact you have to use a clunky GUI ruins the experience.
Lagkiller@reddit
PDQ uses WSUS, a component of SCCM.
TitoMPG@reddit
Then I guess I need clarification on the idea of SCCM. I understood it to be the setup on a server where you build out and manage the update repo and which nodes the updates will apply to. A component like WSUS I wouldn't initially pair directly with SCCM changes, as I would see it easier for Microsoft to initially remove SCCM to push people to other options and let WSUS just fall off and slowly deprecate as a separate item.
Lagkiller@reddit
SCCM is the commercial implementation of WSUS. It does mostly what PDQ does, but less effectively and with the stellar MS support that doesn't do anything when you need help.
Sp33d0J03@reddit
What are you babbling on about?
ipreferanothername@reddit
This is false and absurd.. SCCM leverages WSUS, and offers a lot of other functionality. Like hardware and software inventory, automated task sequences for installing software and operating systems, configuration baseline management, application deployment. It's way more than just Windows updates.
hld-ohn@reddit
PDQ makes zero use of WSUS. I've got it on two fully gapped networks.
Sudden_Office8710@reddit
WSUS is on its last leg too
BananaSacks@reddit
True, but it will still be around longer than most gigs' first "temporary" deployment.
Cl3v3landStmr@reddit
WSUS is a built-in component of Windows Server. SCCM uses it for the Software Update Point (SUP) role.
You can use WSUS by itself without SCCM.
MelonOfFury@reddit
WSUS is no longer being developed by Microsoft and is pretty much abandonware at this point
AHrubik@reddit
https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus
Hardly abandonware. WSUS is a part of Server 2025 so it will get security support for at least another 10 years barring a direct decision to excise it.
randomman87@reddit
Confidently incorrect. WSUS is not a component of SCCM. It's its own standalone product that SCCM happens to use.
Redacted_Reason@reddit
There's a lottt of misinformation here, but I'm not going to specify how classified govt networks work. I'll just say this: the DODIN is the largest for a reason, and SCCM might not be the thing we use to deploy patches anymore. People seem to underestimate just how many resources are available on a private network of that scale.
hld-ohn@reddit
I started working on SIPR and OT networks in the last five years and was pretty surprised to see how many vendors have fully to partially offline SKUs. The only thing we struggle with is identity, but otherwise, everything can be done in partially or fully disconnected environments.
mangeek@reddit
The whole concept of "connected to the internet" vs "only connects laterally to one of our own things" I think is a bit outdated.
There are so many controls you can use to let a thing get safely to a particular resource on the internet without giving it "internet access". IMO, using local RSYSLOG and WSUS boxes to achieve this is starting to be more risky than adopting them.
Where I work, we just added this to the logging standard: letting the log agent reach the cloud log service and letting the update agent reach the cloud update service aren't interpreted as "connecting those systems to the internet" anymore. Instead, there is a series of redundant controls that pinpoint the access and make sure it's audited & logged.
Think about it. On Windows you can:
1. Block outbound by default, but allow specific binaries to reach specific destinations.
2. That destination could be the Windows Update site, or maybe you want extra protection, so you only allow it to reach a proxy server that has its own controls on it (proxy config and infrastructure firewall) that allow the proxy service to reach only the update service.
3. Audit and externally collect changes to that config and changes to logging config.
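The three controls listed above, expressed as Windows Firewall rules plus audit settings, as an added example that is not the commenter's configuration or a Microsoft baseline. The proxy and log collector addresses, the log agent path and the ports are placeholders; it assumes an elevated PowerShell session on a domain-joined Windows host whose WinHTTP proxy has separately been pointed at the update proxy.

```powershell
# Added example, not from the original post: default-deny outbound with per-binary pinholes,
# then auditing of rule changes. Addresses, ports and the agent path are placeholders.
$UpdateProxy  = '10.0.0.10'                                    # placeholder: proxy allowed to reach Windows Update
$LogCollector = '10.0.0.20'                                    # placeholder: syslog/cloud log forwarder
$LogAgentExe  = "$env:ProgramFiles\ExampleLogAgent\agent.exe"  # placeholder agent binary

# 1. Block outbound by default on every profile. Test on one host first: anything
#    not explicitly allowed below (AD, DNS, printing, ...) stops working immediately.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Pinholes. Windows Update runs as the wuauserv service inside svchost.exe, so the rule
#    is scoped to both the binary and the service rather than to svchost.exe alone.
$rules = @(
    @{ DisplayName = 'Allow Windows Update to proxy'; Program = "$env:SystemRoot\System32\svchost.exe";
       Service = 'wuauserv'; RemoteAddress = $UpdateProxy;  Protocol = 'TCP'; RemotePort = 8080 },
    @{ DisplayName = 'Allow log agent to collector';   Program = $LogAgentExe;
       RemoteAddress = $LogCollector; Protocol = 'TCP'; RemotePort = 6514 },   # syslog over TLS
    @{ DisplayName = 'Allow DNS client to DNS servers'; Program = "$env:SystemRoot\System32\svchost.exe";
       Service = 'Dnscache'; RemoteAddress = 'DNS'; Protocol = 'UDP'; RemotePort = 53 }  # 'DNS' = configured resolvers
)
foreach ($r in $rules) {
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $r.DisplayName   # re-create so the rule matches this script exactly
    }
    $params = @{
        DisplayName   = $r.DisplayName; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Any'
        Program       = $r.Program;     RemoteAddress = $r.RemoteAddress
        Protocol      = $r.Protocol;    RemotePort    = $r.RemotePort
    }
    if ($r.Service) { $params.Service = $r.Service }
    New-NetFirewallRule @params | Out-Null
}

# 3. Audit rule and audit-policy changes. Security log events 4946/4947/4948 (rule added,
#    modified, deleted) and 4719 (audit policy changed) are what the log agent should forward.
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable | Out-Null

# Snapshot the effective outbound allow list and hash it, so an external system can detect
# drift by comparing hashes even if a local attacker tampers with the event log afterwards.
function Get-OutboundAllowListHash {
    $lines = Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        "{0}|{1}|{2}|{3}" -f $_.DisplayName, $app.Program, ($addr.RemoteAddress -join ','), ($port.RemotePort -join ',')
    } | Sort-Object
    $bytes  = [Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))
    $stream = [IO.MemoryStream]::new($bytes)
    (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
}
Write-Output "Outbound allow-list hash: $(Get-OutboundAllowListHash)"
```

The hash line is meant to be emitted by the same agent that ships the Security log, so the collector sees both the change events and an independent fingerprint of the resulting rule set; a hash that changes without a matching 4946/4947/4948 event is the signal worth alerting on.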
caffeine-junkie@reddit
Sure, I've even brought that up. However, where I work, there must be certain networks that are a darknet with zero outside (Internet) access; this is written into the contract. Even access to other networks within the company must be tightly controlled and limited to the minimum necessary.
Allowing these darknet machines access to the Internet, even just for patching, would make my life so much easier, but it's never going to happen.
redeuxx@reddit
I think he is talking about classified networks, not that there aren't ways to secure your civilian network. An example of this is SIPRNet with the DoD where systems never sniff the public Internet, but certainly are on a global network.
Lagkiller@reddit
Tell that to the DOD, not me. It's their requirement.
plump-lamp@reddit
No lol. There are plenty of solutions that work without internet
AutisticToasterBath@reddit
Lol sccm is not going to out live Intune unless you mean by getting rebranded.
SevaraB@reddit
I think the two will get merged, the way Cisco did with DNAC and Viptela to create the new Catalyst.
VaderJim@reddit
I've never used SCCM, went straight to intune, any examples of some features/functionality that SCCM has and intune doesn't? Just for my own curiosity.
ASlutdragon@reddit
That’s what I asked about wsus 15 years ago lol
theomegachrist@reddit
A long time. At least 10-15 years.
yrpus@reddit
Our Corp is phasing it out, 01/01/2025, they are banning any new deployments via SCCM, Autopilot or bust. Deadline will most likely be extended, but that's the goal
eatmynasty@reddit
People are still using SCCM?
Dharkcyd3@reddit
Wait until you find out some are still using WSUS
jpnd123@reddit
Intune doesn't replace server patch functions and still has some features that Intune does not have for endpoints.
eatmynasty@reddit
People are still running Windows Server?
jpnd123@reddit
Yes
soggybiscuit93@reddit
AUM + ARC
Expensive_Finger_973@reddit
MS wants you going with Azure Arc for on-prem server patching these days.
TheDocKlopek@reddit
Yep, and it manages all 600k of our endpoints. We also use Intune.
vdday@reddit
I work IT at a hospital and that's exactly what we use.
mailman19@reddit
Same. We use sccm for our servers. Our servers are not in intune.
itsam@reddit
no servers are in intune, it’s not supported
endbit@reddit
I'm in a large school environment. It's either SCCM or handing over control to the education department, who does not give a rat's arse about our needs as a site, let alone our tech environment. I'd be looking to move away from Windows if I was moving away from SCCM.
Unseeablething@reddit
Plenty.
FartingSasquatch@reddit
a lot of government agencies use it for server administration, where anything cloud is a no go.
Nonaveragemonkey@reddit
This. Also any company that wants a gapped network, mainly government contractors - but there's a shit load of them.
charleswj@reddit
What do you mean by gapped? Government contractors, even the government and military, are all using the cloud, and "air gapped" almost never actually means air gapped. They're all in the cloud or moving there. Yes, even on "those" networks.
junkytrunks@reddit
True air-gapped networks do exist to control the power grid and things of that nature.
The question is whether Microsoft cares about the ever-shrinking air-gapped business.
I doubt they do.
charleswj@reddit
That's incredibly rare.
Not even the government air gaps almost ever, and definitely not on large networks. The place where they keep the most sensitive Top Secret documents? Besides technical controls (firewalls, etc) that prevent it, you could walk a cable from the Internet to the bin laden files.
Realistically, air gapping causes more problems than it fixes.
Lagkiller@reddit
It's not. It's incredibly common in the government space. Pretty much all development is done in air gapped networks with no outside communication. I've worked in that exact environment before. Hundreds of networks in each location, none of which connect to the internet or each other. Removable storage is banned in each room, along with anything that has wireless communication.
The US military heavily uses this technology as well. There is a lot of air gapping in government work.
charleswj@reddit
I just responded to someone else so I'll just link it here.
https://www.reddit.com/r/sysadmin/s/2pvynzw50L
But you're wrong. The development network that you're referring to is called...dang it I can't remember the name, but there is a dedicated development and testing network separate from NIPR/SIPR/JWICS. It also can communicate with the others.
Fun fact: SIPR (not sure about JWICS) actually runs as a VPN on top of NIPR. Only once it's split off and in a secure location is it decrypted.
I mentioned them in the other comment, but a great example of a CDS is DOD SAFE, which is a file transfer tool. You usually see it used to transfer from the Internet to NIPR and vice versa, but it can actually transfer to SIPR as well.
https://www.electronicdesign.com/technologies/industrial/article/21265747/digistor-air-gapped-networks-part-2-moving-information
Lagkiller@reddit
Yup and it doesn't change a damn thing I said. You have no experience in this space and are convinced that you are the only one with knowledge. It's hilarious.
charleswj@reddit
I work in this space today. I support high side customers right now. What do you think I'm wrong about?
Speaknoevil2@reddit
There are far, far more networks and programs in play in the classified space than SIPR and JWICS. Ever work in a SAP? Plenty of those systems have never touched SIPR or JWICS, let alone the Internet at large. And they never will.
charleswj@reddit
I'm aware of those networks. First of all, while they don't "touch" SIPR/JWICS, that's what you see. They are very rarely truly physically air gapped.
The gov/DOD decided long ago that building out wholly separate physical infrastructure to move data is costly and wasteful, and entirely prevents legitimate cross domain access when necessary. So, 100% those networks are not gapped.
Just to clarify, what I mean is, if you unplugged the power to all NIPR/SIPR/JWICS/SCIF/SAP computers and network equipment in a building, but left all their network cables (CAT 5/fiber) plugged in, and there was a lightning strike that touched only a NIPR box, it's possible that all those devices could be damaged.
There isn't a totally physically separated infrastructure.
And while it's not necessarily pervasive, and you don't always know what exists, cross domain solutions are all around you for when data does need to move (usually up toward higher side, but not always).
Well, yeah, obviously. But I'm not talking about commercial clouds. Microsoft runs at least 7 distinct "clouds".
Keep thinking that. Remember 15 years ago when they said gov/DOD would never go to the cloud? Remember ten years ago when they said "well, never SIPR"? And then "never top secret"? And now "never SAPs"?
Hmm what's this?
https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-jsig
https://defensescoop.com/2024/05/28/space-force-cloud-based-classified-environment-project-enigma-industry/
"We’ve been doing a lot of work to make Microsoft Azure great for Special Access Programs." https://washingtonexec.com/2021/11/pinnacle-award-finalist-tom-keane-my-role-is-to-create-an-organizational-culture-in-which-people-feel-empowered/#:~:text=We%E2%80%99ve%20been%20doing%20a%20lot%20of%20work%20to%20make%20Microsoft%20Azure%20great%20for%C2%A0Special%C2%A0Access%C2%A0Programs.
Speaknoevil2@reddit
Yes, plenty of it will move to gov clouds, and yes, some of my networks do use a CDS. But I have seen more than enough programs and networks that are decades old, with the infrastructure to be managed independently having been put in place long before I was even born and still being given essentially blank checks to be maintained that way. Or how many local-only development efforts still exist where the only way data gets on and off the network is old school sneakernet with approved media.
I've seen point-to-point lines connecting sites directly and not just riding some NIPR or commercial line with encryptors on each end. They have been operated as independent domains with independent management and will continue to do so until the program is sunsetted.
A new program or development network that requires massive effort will almost certainly not be built out to be entirely independent, but it's naive to think every program will eventually move to a connected space. Doing so may also require a massive expansion of personnel checks and PID rework if you wanted to connect something with unique PIDs to a wider space. That's not going to be given blanket approval. I've seen more than a handful of requests to conjoin networks and programs ultimately fail because enough people on either or both ends won't be able to be read in.
I know where you're coming from, but I also don't like your blanket statements about gov networks when none of us can claim to know how all of them work. We still operate as a silo in a vast array of DIB efforts.
charleswj@reddit
In fairness, not everything will move to the cloud in almost any large enterprise. In that context, the government is a huge enterprise and some things won't move, but on a long enough timescale, that's more a function of the inertia and of existing systems/programs and general government bureaucracy than necessity.
On one hand, given enough time, almost everything on-prem, particularly things like "IT infrastructure" (identity, configuration, patching, security, compliance) will move. On the other, I know my employer has stopped positioning our products as part of a future cloud only world and instead as some variation of hybrid.
Lagkiller@reddit
If you did you wouldn't say that air gapped doesn't exist
charleswj@reddit
Is SIPR and JWICS truly air gapped?
charleswj@reddit
Oh, and to my original point: these places you worked? Guess where their email lives today? A Microsoft data center.
Nonaveragemonkey@reddit
Nope, and they cannot plan a migration. You have to control the servers, physically control a server, for sensitive information to be stored there. If Microsoft kills on prem, government would decide to move on eventually, eventually. They'd run shit into the ground first.
charleswj@reddit
Are you actually saying "classified government networks don't and can't connect to Microsoft for any cloud services"?
Nonaveragemonkey@reddit
They should not. Especially with the drama at Microsoft https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers https://www.propublica.org/article/microsoft-tech-support-government-cybersecurity-china-doj-treasury
charleswj@reddit
I know you're an outsider, so you can only go by what you read there, but that is not an accurate representation of how things worked. But that's moot because those policies have changed since.
Those articles also were not even referring to classified networks. That was about the IL5-level offering, which is for data up to and including CUI (the U stands for unclassified) and NSS data. IL6 and 7 are for classified networks and can only be staffed and supported by cleared (as in security clearance) US nationals.
But what would you suggest they (the government) use?
Nonaveragemonkey@reddit
The incidents that did occur can be enough to end their contracts.
charleswj@reddit
What incidents do you think occurred and what did they violate?
Lagkiller@reddit
Uh no, we had a local exchange.
charleswj@reddit
Do you see the problem? And in the case that they haven't migrated yet, they're either in process or planning to.
Lagkiller@reddit
No, because everything was internal, for each air gapped network.
Per DOD regulations, no they are not and will not be.
charleswj@reddit
What regulation are you referring to that says DOD can't use the cloud?
Some-Platypus5271@reddit
Not as rare as you think. Whole industries run on Purdue model and one of my contracts takes it to another level. (10+ bil company)
charleswj@reddit
Fully physically air gapped and large enough segments to make maintaining an entire AD and MECM environment worth it vs other options?
Nonaveragemonkey@reddit
Yes... That's quite normal.
Finn_Storm@reddit
Basically the only thing a fully air gapped system is vulnerable to is a person with malicious intent that is on-site. Such systems already can't access the Internet and will have access to them restricted (no active USB ports, cameras, etc.), so security patches aren't strictly needed.
Interestingly, there are still vulnerabilities that can never be patched due to the nature of the vulns. Supposedly if you have control of a system, you can make the RAM run at exactly 900MHz, which creates an antenna for cellular data to pick up from a nearby phone (or something like that), allowing for data exfiltration. You can also use HDD LEDs to exfiltrate data, if they are sending data in Morse for example.
charleswj@reddit
Insider threats are serious threats, whether intentionally or as useful idiots. Unless everyone is fully trusted, you need to be patched and secured. It's not exactly "zero trust", but it has some similarities: assume breach, assume your hard perimeter is effectively breached.
On one hand, that's only a concern if someone has a significant foothold. Then again, an insider could potentially do that. Then again, if a malicious insider has a foothold, they can just carry the data in/out. If you can mess with hardware at low levels, you can plug a flash drive.
These are not actual real life attacks. They're theoretical attacks that researchers have performed in an incredibly controlled environment. Proof of concepts. Similar to the outlandish outfits on a fashion runway. They're ideas, not useful. Hard drive lights? What year is this? And you need line of sight. And know which device is the one you are controlling. This is basically one of Bruce Schneier's movie plot threats. They sound good, and it would be cool to see Ethan Hunt use one...but it ain't happening at PG&E or an NSA SCIF.
Nonaveragemonkey@reddit
Oh there's quite a few networks where there is no communication outside the facility. Zero. It's a lot more common than many think.
But yes, some have minimal connection or proxy for things like email. But even those in my experience won't use cloud anything, it's on prem email.
charleswj@reddit
You're being very imprecise, so it's hard to respond. Most government networks that we colloquially call "air gapped", are, for all intents and purposes. You can't browse the Internet, access (commercial) M365, Gmail and Facebook, etc. But they are not actually air gapped, as there are devices that can allow data to pass in both directions. They are severely limited and very little data can pass, particularly "down" from a higher classification to a lower (i.e. SIPR to NIPR).
But even these networks, Microsoft (and AWS, Google, Oracle, etc) have cloud presences. Microsoft, for example, has secret-level (IL6) Azure and M365. This isn't new. The NSA has famously been using AWS for well over a decade.
Nonaveragemonkey@reddit
Yes yes, Oracle, Microsoft, Google and AWS are all used in selective capacity and in their own segregated clouds. They aren't used extensively for managing on prem devices and how data is stored on them is carefully managed. They're not likely to contain AD, or unencrypted data, or handle deployment with something like SCCM.
And yes air gapped networks exist at multiple contractors that have nothing in the cloud. Not even email.
charleswj@reddit
Those clouds are fully accessible on classified networks.
This is simply a maturity and timing issue. I don't know the status of intune on SIPR for example, but it will absolutely be used, just as it's currently used extensively on unclass DOD networks.
What does this mean? Active Directory? As in putting domain controllers in Azure? That's an on-prem product, so while you can put a DC in Azure, it's generally not something you want widespread. That's what Entra (fka AAD) is for. Which is currently already in use.
Appropriate encryption is just part of the baseline functionality for any cloud service. On a classified network, that doesn't really change.
Give it time. Everyone said the government would never go to the cloud. Then they said the military wouldn't. Then they said classified networks wouldn't.
Some-Platypus5271@reddit
OT networks.
No internet.
charleswj@reddit
The question isn't whether you can access the Internet or not, it's whether any device (computer/server/network) "inside" has any communication capability to any device "outside"
Abject_Serve_1269@reddit (OP)
Not at my last contract job. They still use on prem. Can't even afford, due to budget, to go AWS. But that's a story in itself.
charleswj@reddit
What government agencies can't/won't use cloud?
OkDimension@reddit
any piece of critical infrastructure (electricity, gas, telecoms, ...) usually has an airgapped control network
charleswj@reddit
Those aren't agencies, those are small operationally critical environments. And not even the government truly air gaps (as in literally there is a gap of air separating the network) its most classified networks. For all intents and purposes, they do, but there are paths, albeit severely restricted.
OkDimension@reddit
Yeah I know they have ways around, but tell them they have to enroll all their workstations and servers into Azure, I don't think that will get approved.
charleswj@reddit
Why do you think it wouldn't get approved? I'm truly not understanding what you're (I think) disagreeing with me about.
Are you saying gov/DOD endpoints on classified networks wouldn't be allowed to be managed by intune? If so, I don't know if you know how this plays out, but Microsoft (in this case) specifically builds out the capabilities from the public M365/Azure clouds that the government requests and approves. So if intune exists and is available in one of those clouds (which it is), it's because the government wanted it to be and because it will use it.
OkDimension@reddit
They're disconnected and there is no direct path to public internet or cloud to avoid disasters like Crowdstrike or anything else that might have an uncontrollable impact on their operation. Yeah I know MS has a gov only cloud, but it's still in a remote datacenter, relying on Microsoft's processes and security measures. Tying everything into a central Microsoft cloud and trusting that Microsoft never messes up isn't really feasible in that kind of environment. They rather wait a while until a policy or patch has been thoroughly tested and deemed safe.
charleswj@reddit
They are not physically disconnected. They are logically disconnected. Respectfully, you don't know what you're talking about. Crowdstrike can be avoided by simply not onboarding a device. The fact that you can trace your finger from a classified system, down its network cable to various network equipment and to a NIPR machine (which you can absolutely do) does not mean that patches can be deployed willy nilly.
And things like crowdstrike have happened on DOD and classified networks, you just don't hear about them. But some things are out there if you search.
No, they have a few. The gov cloud is referred to as GCC in some contexts, but is not what we're talking about here. They have a dedicated DOD IL5 cloud that manages all email, provides SharePoint and OneDrive, Teams, Intune, Defender, etc. All cloud based, Microsoft data centers.
Yes, just as I said. Exactly this.
On higher classification networks, things lag because it takes time to get capabilities onboarded and approved. But they are there, and more are turning on every month.
No, they rather modernize.
Why is it so hard for you to believe it when someone tells you "I'm actively doing this thing you're saying no one is doing"?
Lagkiller@reddit
Any network that has secret or higher level clearance can't have external access.
charleswj@reddit
I'm not sure what you're saying or how it relates to what I said.
No, obviously you can't go to facebook dot com on your SIPR or JWICS device 😅, but that's not what I was suggesting.
Microsoft already provides cloud services to the government and DOD on SIPR (secret) and JWICS (top secret). Both M365 and Azure are available in various states of parity with the commercial cloud and GCC (IL2), GCCH (IL4), and DOD (IL5), the latter two with some, but lesser, lag in parity.
This isn't hidden information, it's openly announced:
https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc-high-and-dod
https://www.microsoft.com/en-us/microsoft-365/blog/2023/01/25/office-365-secret-cloud-now-available-for-us-national-security-missions/
AWS, Google, Oracle, OpenAI, Akamai, and others all have presence on classified networks.
And while those environments are closed and isolated, they're not actually air gapped in the literal sense. There are systems called Cross Domain Solutions (CDS) or CDES that facilitate data transfer "up" (to higher classification) and "down" (lower) between various classified and unclass networks.
Again, this is all (well not all) publicly available
https://www.cyber.mil/cdes/
https://www.nsa.gov/Cybersecurity/Partnership/National-Cross-Domain-Strategy-Management-Office/
Lagkiller@reddit
You asked what government agencies can't use cloud. I was pointing out to you which ones.
They offer it. No one stores that there.
I've worked on them. I can guarantee you that in a literal sense they do
Redacted_Reason@reddit
Again, you're wrong. Those networks DO use cloud. They use it all the time for all kinds of things. Remember, there is such a thing as private cloud. If you ever did work on them, you'd know this.
Source: am a sysadmin in the DoD working on those systems that use classified cloud.
charleswj@reddit
They can, you didn't point out any that can't.
They do. Let me explain how I know: I work for the very company supporting these very customers using these very services.
Then how is it I'm able to pass data between them? Secret Wi-Fi???
realged13@reddit
Aircraft Carriers, lot of Navy ships.
Source: Dad installs systems for them.
charleswj@reddit
That's not an agency, though. The Navy uses cloud services on NIPR, SIPR, etc. Ships and subs are a special case because it's simply not practical to connect at all times. But, it's a good point.
Exotic_Call_7427@reddit
Answer: as long as businesses have a need for on-prem solutions.
Fabulous_Winter_9545@reddit
I have seen many companies looking for SCCM / MECM alternatives. The client management has been moved to Intune and the server teams now have to manage the "giant beast" SCCM for the little value of patching and some OS / app management for Windows Servers.
Personally I assume that with WSUS being at the end of the lifecycle we will see more companies moving to Azure Arc & Azure Update Manager or looking for 3rd party options to standardize patching across their servers, so they can decommission their SCCM environment.
ThimMerrilyn@reddit
When do you think Intune will be able to be run on an airgapped network ?
Redacted_Reason@reddit
It already can.
flimspringfield@reddit
From scratch, it took me on and off 6 months to learn SCCM just to put a package with an updated installation of Windows.
I wasn't a fan. Maybe because my boss just threw the program on me.
RustySpoonyBard@reddit
I don't even think windows server will be around in a decade.
fata1w0und@reddit
Intune is terrible. Machines only check in once every 24 hours and it does not push out Windows patches. It just configures the Windows Update settings on the endpoints.
I got Tanium and within a week I found nearly every machine was missing critical patches from months ago, despite the settings being correct in Intune. In that same week, we went from 85% patch compliance to 99%.
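The point made above (an MDM update ring only writes Windows Update policy, it does not itself deliver the updates, so the console can look green while the agent never installed anything) is easy to verify locally. The following is an added example, not code from the thread or from any of the products named in it. It reads the effective Windows Update policy from the standard GPO and MDM (PolicyManager) registry keys, asks the local Windows Update agent which updates it still considers missing, and summarizes the two. Assumptions: the registry paths and value names are the standard ones written by GPO and by the Update CSP, the Windows Update COM API (Microsoft.Update.Session) is available, and the agent can reach its configured source (Windows Update or WSUS). Run it elevated on the endpoint.

```powershell
# Added example (not from the thread): independently audit a Windows endpoint's patch state.
# Assumption: the GPO and MDM (PolicyManager) keys below are the standard policy locations.

function Get-WUPolicy {
    $gpo    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $gpoAU  = "$gpo\AU"
    $mdm    = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'   # assumed Update CSP location

    $au     = if (Test-Path $gpoAU) { Get-ItemProperty $gpoAU } else { $null }
    $wu     = if (Test-Path $gpo)   { Get-ItemProperty $gpo }   else { $null }
    $mdmPol = if (Test-Path $mdm)   { Get-ItemProperty $mdm }   else { $null }

    $r = [pscustomobject]@{
        GpoNoAutoUpdate     = $au.NoAutoUpdate                       # 1 = automatic updates disabled by GPO
        GpoAUOptions        = $au.AUOptions                          # 2..4 = notify / auto-download / scheduled install
        WsusServer          = $wu.WUServer                           # set when a WSUS / ConfigMgr SUP is in use
        MdmAllowAutoUpdate  = $mdmPol.AllowAutoUpdate                # MDM "automatic update behavior"
        MdmDeferQualityDays = $mdmPol.DeferQualityUpdatesPeriodInDays
        MdmDeferFeatureDays = $mdmPol.DeferFeatureUpdatesPeriodInDays
        Findings            = @()
    }
    if ($r.GpoNoAutoUpdate -eq 1 -and -not $r.WsusServer) {
        $r.Findings += 'Automatic updates disabled and no WSUS: nothing patches this box unless a third-party tool does'
    }
    if ($r.WsusServer -and $null -ne $r.MdmAllowAutoUpdate) {
        $r.Findings += 'Both WSUS/ConfigMgr and an MDM update ring set policy: check which one owns the update workload'
    }
    $r
}

function Get-MissingUpdates {
    param([int]$OverdueAfterDays = 30)
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    try {
        # Same kind of query the agent runs for "check for updates"; IsHidden=0 skips admin-hidden updates.
        $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    } catch {
        throw "Windows Update search failed (agent cannot reach its update source?): $($_.Exception.Message)"
    }
    $cutoff = (Get-Date).AddDays(-$OverdueAfterDays)
    foreach ($u in $result.Updates) {
        $kbs = @(foreach ($k in $u.KBArticleIDs) { "KB$k" })
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        [pscustomobject]@{
            KB        = $kbs -join ','
            Title     = $u.Title
            Severity  = $sev
            Published = $u.LastDeploymentChangeTime
            Overdue   = $u.LastDeploymentChangeTime -lt $cutoff   # published before the cutoff and still missing
        }
    }
}

function Get-PatchSummary {
    param([int]$OverdueAfterDays = 30)
    $missing = @(Get-MissingUpdates -OverdueAfterDays $OverdueAfterDays)
    $last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        LastHotfixInstall = $last.InstalledOn
        MissingTotal      = $missing.Count
        MissingCritical   = @($missing | Where-Object Severity -eq 'Critical').Count
        Overdue           = @($missing | Where-Object Overdue).Count
        Policy            = Get-WUPolicy
    }
}

# Usage (elevated):
#   Get-PatchSummary | Format-List
#   Get-MissingUpdates | Where-Object Overdue | Sort-Object Published | Format-Table KB, Severity, Published, Title -AutoSize
```

Run across a sample of machines (Invoke-Command or your RMM), this gives you the number the MDM console does not: how many updates each device has actually installed, and how old the oldest missing one is. A device with GpoNoAutoUpdate=1 and no WSUS server, or with no third-party patcher, is the configuration that quietly produces the "months of missing criticals" described above.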
RCTID1975@reddit
At least another 10 years. That's how long it'll take to execute a command you push today
ahk057@reddit
This is my guess. 2035 at the absolute earliest.
enforce1@reddit
you should see how intune gets around to getting things done sometimes!
UWPVIOLATOR@reddit
There are many large companies that will probably never move away from it so as hard as they push for Intune and all its issues and limitations keep that in mind.
dpf81nz@reddit
Until they can make intune deploy an app or a config etc as soon as possible, not in 'intune time' which could be anywhere between 1 minute and 1 week
floatingby493@reddit
SCCM doesn’t exactly deploy immediately either
IWantsToBelieve@reddit
Sccm time enters the chat.
r_keel_esq@reddit
SCCM Is a process, not an event
-c3rberus-@reddit
It is on life support, we moved to Intune for endpoint management, and we still keep it around for patching servers because no one has time for Azure Arc.
InspectorGadget76@reddit
It's too deeply embedded in multiple orgs to go anywhere soon. MS will keep on giving it 'food and water' to be able to deploy/manage newer OSes, but forget any new features.
It will hang around as long as there are still orgs wishing to manage on-prem only fleets. Until every Windows machine is sitting on a good internet connection with an Intune license, SCCM will still be around
Unseeablething@reddit
This is ultimately the issue. Until we get some weird twilight dream and blazing fast internet is a right, SCCM handles that niche gap too well. There are far too many companies that have the infrastructure for on prem distribution but not the desire to pipe in massive pipes for internet.
man__i__love__frogs@reddit
Those orgs will just be pushed into options like delivery optimization with in network caches. There are already server roles for that sort of thing that work with Intune.
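For the slow-WAN sites discussed here, the thing to check before trusting Delivery Optimization as a distribution point replacement is whether clients are really peering on the LAN (or using a connected cache) rather than each pulling the same content over the WAN. The following is an added example, not code from the thread or from Microsoft. It reads the Delivery Optimization policy from the standard DO policy key and sums the per-job byte counters the DeliveryOptimization module exposes. Assumptions: the policy key and value names (DODownloadMode, DOGroupId, DOCacheHost) are the standard ones, and Get-DeliveryOptimizationStatus (Windows 10 1709 and later) returns the BytesFromPeers, BytesFromCacheServer and BytesFromHttp properties of current builds.

```powershell
# Added example (not from the thread): is Delivery Optimization actually saving WAN bandwidth at this site?
# Assumption: the DO policy key and the DeliveryOptimization cmdlet property names are the standard ones.

function Get-DOPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $modes = @{
        0 = 'HTTP only (no peering)'; 1 = 'LAN peers (same NAT)'; 2 = 'Group peers (DOGroupId)'
        3 = 'Internet peers'; 99 = 'Simple (no DO cloud service)'; 100 = 'Bypass (BITS)'
    }
    $p = if (Test-Path $key) { Get-ItemProperty $key } else { $null }
    $mode = if ($null -ne $p -and $null -ne $p.DODownloadMode) { [int]$p.DODownloadMode } else { $null }
    $modeText = if ($null -ne $mode -and $modes.ContainsKey($mode)) { $modes[$mode] } else { 'not set by policy (OS default)' }
    # Modes 0, 99 and 100 mean every client at the site downloads from the WAN on its own.
    $warning = if ($mode -in 0, 99, 100) { 'No peering: each client pulls the full content over the WAN' } else { $null }
    [pscustomobject]@{
        DownloadMode     = $mode
        DownloadModeText = $modeText
        GroupId          = $p.DOGroupId      # needed for mode 2 when a site spans several subnets
        CacheHost        = $p.DOCacheHost    # Microsoft Connected Cache server, the closest analog to a DP
        Warning          = $warning
    }
}

function Get-DOPeerRatio {
    # One object per content job currently tracked by the DO service on this client.
    $jobs = @(Get-DeliveryOptimizationStatus -ErrorAction Stop)
    $fromPeers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $fromCache = ($jobs | Measure-Object -Property BytesFromCacheServer -Sum).Sum
    $fromHttp  = ($jobs | Measure-Object -Property BytesFromHttp -Sum).Sum
    $total = $fromPeers + $fromCache + $fromHttp
    $localPct = if ($total -gt 0) { [math]::Round(100 * ($fromPeers + $fromCache) / $total, 1) } else { 0 }
    [pscustomobject]@{
        Jobs         = $jobs.Count
        MBFromPeers  = [math]::Round($fromPeers / 1MB, 1)
        MBFromCache  = [math]::Round($fromCache / 1MB, 1)
        MBFromWAN    = [math]::Round($fromHttp / 1MB, 1)
        LocalPercent = $localPct   # share of bytes that never crossed the WAN link
    }
}

# Usage on a branch-office client:
#   Get-DOPolicy | Format-List
#   Get-DOPeerRatio | Format-List
```

A site where LocalPercent stays near zero after the first few clients have downloaded a month's updates is not getting the benefit the comment above is counting on; usually the cause is mode 0/99/100 in policy, mode 1 on a site with several subnets behind different NATs (use mode 2 with a DOGroupId), or a firewall blocking the peer-to-peer port between clients.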
trobsmonkey@reddit
I used to work for an org that had a lot of remote locations. And I mean REMOTE.
SCCM is a god send for keeping those remote locations updated. One on-prem server updating every system is the fucking MVP when you have very little bandwidth.
deonisfun@reddit
Same here. We have devices in gas stations in the desert with dogshit 128kbps WAN links. Sending a 1GB file takes days. Having a local distribution point means we can bare-metal reimage a device remotely in an hour
CARLEtheCamry@reddit
Similar issue but not SCCM, but my company in their infinite wisdom decided to deploy a handheld product to the tune of hundreds for 1.5Mb line into our remote locations.
We did the math, and it would take 3 months for the average site to download monthly updates for every device.
So then they started sending desktop PCs running Linux to every site to act as a cache server. With no one supporting them who knows Linux. So now it's my problem.
trobsmonkey@reddit
That was a HUGE part of it too.
InspectorGadget76@reddit
Again. Only if you're fully licenced to manage all your devices with Intune.
svb1972@reddit
Also intune support for Microsoft servers is dog crap and it's missing so much.
Pioneer1111@reddit
Maybe my org is just doing something funky, but we've got it working with VPNs, so even on-prem isn't needed for it.
Unless you're talking systems that don't even need VPNs?
dbergman23@reddit
Isnt VPN just an extension of on-prem?
archiekane@reddit
On-prem with tentacles.
dtm1017@reddit
WSUS going away will probably kill SCCM faster than SCCM going away.
MFKDGAF@reddit
I've heard from colleagues that Intune sucks and is horrible. Especially when trying to create install packages. It is just convoluted. Also, it takes forever for machines to check in to Intune or check in saying version X of software was installed.
arrozconplatano@reddit
Intune is great (but slow) but Autopilot is terrible.
Hotdog453@reddit
AutoPilot I'd say is about the 'best' thing Intune does. There is, quite literally, no other way to deliver an unprovisioned device to a user, have them sign in, and your settings come down: Hard stop.
It's the fact that AutoPilot, in and of itself, doesn't cover all the use cases that OSD does. If it was viewed as 'in addition to on premise imaging, the Intune Management Suite allows for a full breadth of options; including home provisioning...."
But instead, they've just sort of assumed it's the 'only' thing needed, and have shown no effort to backfill the loss of bare metal imaging.
arrozconplatano@reddit
Sure, autopilot is needed. It also is super temperamental and failure requires a reset before you can try again
norcalscan@reddit
But my nested GPOs managing the user's mouse speed and when dark mode is allowed! (clutches pearls)
Sh1rvallah@reddit
And how exactly does that have anything to do with SCCM
norcalscan@reddit
SCCM is complementary to all other on-prem infra like local AD, DCs, and GPOs. Autopilot complements off-prem Intune, Azure/EntraID, and typically GPOs are abandoned for the MDM approach from Intune. #explainthejoke
Sh1rvallah@reddit
Bit of a stretch, your effort to mock sccm fell pretty flat imo
Ghost2268@reddit
We got rid of SCCM. We patch with qualys and arc. But we are also a massive company and have what seems like endless resources.
CactusJ@reddit
I’d love to know what you think about Qualys and patching servers. It seems so…clunky …to me
Ghost2268@reddit
It’s pretty great but you have to make sure you have an update policy that disables windows updates. Let qualys manage it fully. We use arc for azure servers and 2012R2 ESU
CactusJ@reddit
Thx.
cloudAhead@reddit
the product group seems hellbent on Intune being a workstation OS only feature, so there's no clear alternative. Arc isn't it.
SGalbincea@reddit
There will always be large, air-gapped environments that won’t ever talk to “the cloud.” Whatever solves for that is what will be around.
Eastpetersen@reddit
As per a conversation with ms last week, it’s viewed as feature complete but support is not going away anytime soon.
Gatt_@reddit
I suspect that one of the first signs is that support for Client OSes will start to be dropped as they force people to use Intune and AutoPilot
Server OS support will probably be around for a while until they can find a way to come up with a paid version of Intune & AutoPilot that is only for server (Looking at you Azure Arc!)
My SCCM setup is primarily used now to manage my servers (Apps, patching, Deployments, etc) and moved all the client management to Intune. The only exception being OS Deployment - I still use SCCM to deploy Windows 11 - because AutoPilot is just pants compared to the power of the SCCM Task Sequence.
night_filter@reddit
Random guess, but I’d say it’ll be fully supported for about 10 years, and then get some legacy support for another 5 years.
Microsoft is trying to push toward the cloud and will want to get rid of it sooner or later, but they move slow, especially when it comes to deprecating something that large businesses want.
If it’s not gone in 15 years, it’ll be a different product by then.
urjuhh@reddit
Take puter out of box, boot from network, run task sequence, come back in 30 mins and it's done... OS and apps
With intune... Barf ..
deonisfun@reddit
Same here. We ship a brand new box to a remote site and tell them to plug in Ethernet, press F12 and walk away. An hour later they've got a perfectly working machine.
FantasticMrFox1884@reddit
Not sure. But my job uses SCCM and it’s so old. I’m hoping it will be decommed
Sandfish0783@reddit
Until it becomes Copilot Configuration Manager (CCCM)
IMCHillen@reddit
Super Copilot Configuration Manager
jfarre20@reddit
we use sccm pretty much exclusively for the remote control viewer at this point.
XanII@reddit
Byzantine things tend to stand tall a long time. I doubt this one will go away very soon.
_R0Ns_@reddit
WSUS is gone after Windows 2025.
codylc@reddit
Came to say this. WSUS is 10 years from death and when that happens, ConfigMgr is severely crippled at that point.
Combine that with MSFT's resource posturing to barely keep the lights on and the writing is on the wall. My bet is ConfigMgr will be officially EOL by 2035. Third party on prem solutions will need to fill the void MSFT is walking away from.
Admittedly, that’s not a short runway by any means but there are cracks in the armor.
dab70@reddit
They've been saying it's going away for years, but I work in an enterprise where both SCCM and Intune are used in separate business units and Intune simply does not have feature parity with SCCM, starting with the lack of Maintenance Windows. The lack of meaningful maintenance window features alone precludes my shop from using Intune alone in any serious way. I would also argue that Intune performance is something less than robust in my experience compared to SCCM.
I think we will likely co-manage in the next year or so to maybe realize some sort of gain or control over some of our mobility devices, but I can't see Intune outright replacing SCCM in our shop right now.
Sore_Wa_Himitsu_Desu@reddit
I’m being told I should plan to be off of it within 5 years.
We’re in the process of transitioning things to Intune and Tanium. The only thing I see a problem with is bare metal imaging. Tanium does it but slower and not as well as SCCM.
When my director told me to plan to be off of it within 5 years I almost laughed as I mentally calculated the 3.5 years left until I plan to retire. I’ll let him know in 3 years to plan for me to retire in 6 months.
Diligent_Sundae7209@reddit
Hasn't it already been rebranded as MECM?
butterbal1@reddit
I give it another 50-70 years at absolute max.
It is one of those things that is old and crusty already but it is the underpinnings for so many other things and I can't imagine it will be going away completely any time in my career.
jeffrey_f@reddit
I am sure this can be implemented better, but it works. As long as it does work, it will be here.
Witte-666@reddit
As long as "everything on-prem" is not dead, which will be a while I would guess, because some companies still need to keep everything local for security or privacy reasons.
ColdFury96@reddit
I think they're in the same category as Public Folders... Microsoft will keep them barely running for as long as they have to.
LinuxPhoton@reddit
Working From Home due to Covid mostly led to different connectivity requirements for most businesses and SCCM will not scale well here. The SaaS ecosystem is now rich and literally all a small business needs to operate is an Internet connection. Microsoft will continue to push their customers to EntraID/M365/Intune/Azure and only niche entities such as large enterprises and governments will justify SCCM level of on-prem complexity. For small-medium businesses, it does not make much sense having a distributed workforce and running on-prem infrastructure when most of your apps are SaaS.
It’s how we used to do things in IT but change is constantly introducing new efficiencies and in about 10 years, I wouldn’t be surprised if SCCM is a relic of the past.
Our company deployed SCCM/SCOM for about two years and it was a pain. Maybe it wasn't implemented right for us but I found it too tedious and a time sink. The supposed benefits simply were clouded by cost and complexity plus needing expertise to run it. Didn't make sense for a small-medium size business 14 years ago so I figure the widespread use of it now is relegated to those who can and must use it.
hobovalentine@reddit
It will definitely be phased out for sure and I will miss it in a way because I loved troubleshooting SCCM issues although to be fair it is a very bloated and complex product to implement.
Microsoft doesn't even use it internally since they've largely moved completely to Entra joined machines for their endpoints.
Hotdog453@reddit
Well, it wasn't them 'moving to Entra'; that signifies ConfigMgr can't manage Entra. They did heavily move to Intune, though, for obvious reasons. I don't even blame them for that; they SHOULD dogfood.
watcan@reddit
Until the heat death of the universe at my place.
Tyzorg@reddit
Anyone's company start managing Windows in BIGFIX? (We manage RHEL and (REDACTED) and have Windows CAPABILITY but don't use it for winderz... yet my team keeps pushing to do so)
WaldoSupremo@reddit
It’s the B-52 of device management tools
ArieHein@reddit
5-10 years. It's always a bell curve with early migrators and late migrators, usually due to maturity of IT and mgmt focus on priorities and budget.
smoothvibe@reddit
Every MSP we talked to said it is EOL. Currently transitioning to Intune, which is heaven compared to the user-unfriendly SCCM hellhole. What Intune isn't able to do yet we will cover via GPO/scripts.
TDSheridan05@reddit
It’s a dead product to Microsoft. They moved configmanager to intune for free.
kissmyash933@reddit
I wish that pile of trash would die. I get downvoted to oblivion every-time I hate on it, and I will continue to collect downvotes.
Abject_Serve_1269@reddit (OP)
Why do you hate it?
kissmyash933@reddit
I wrote it up a long time ago, here’s a snippet of that post.
It’s positively infuriating to use, it just is. It’s almost like Microsoft set out from the beginning to make the world’s least usable product from a UX perspective. NOTHING is obvious.
Things that I’d think would be a two step, 10 second thing turn into a 30 minute research sesh every goddamn time.
Troubleshooting it is sometimes an immense undertaking; why in the everloving fuck must I absolutely have to know exactly which of the 10 million log files I need to go rifle through because some random, seemingly insignificant component is having a problem? Can we just aggregate that shit up into: “Here you can sort out all the major problems with your configman installation like event viewer has done since 1993?” I swear the poor suckers on my team that take care of it are in a constant cycle of fix something, something else breaks so fix that too.
The SCCM client is simple and when it works, great! But with the random systems all of a sudden not checking in, showing offline when they’re working just fine, refusing to pull updates or get a configuration item or XYZ, how can I trust it? We have to run around and fix clients all the time. Because of this, I never really trust that the information it has given me is 100% accurate.
It tries to do everything under the sun, and because of that, it fails to be truly excellent at any of the things it does.
If you are in it all day long, know everything about it, and have seen its evolution since the beginning then maybe one has learned to not hate it, but if you spend maybe ten minutes a month in it and need to hop in there real quick, good luck.
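The complaint above is about the per-component log sprawl of the ConfigMgr client. Every file under C:\Windows\CCM\Logs uses the same CMTrace record format (`<![LOG[message]LOG]!><time=... date=... component=... type=...>`, where type 1/2/3 is info/warning/error), so the aggregation the commenter wishes for is a short script away. The block below is an added example, not code from the thread or from Microsoft: it parses that format, sweeps a log directory for warnings and errors across all components, and orders them by time. The sample log text is constructed for the example; the component names and messages are illustrative, not real ConfigMgr output.

```python
import re
from collections import Counter
from datetime import datetime
from pathlib import Path

# One CMTrace record, as written by ConfigMgr client and site-server components.
# Messages may span lines, hence DOTALL and the non-greedy match.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<message>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+'
    r'component="(?P<component>[^"]*)"\s+context="[^"]*"\s+'
    r'type="(?P<type>\d)"\s+thread="(?P<thread>\d+)"\s+file="(?P<file>[^"]*)">',
    re.DOTALL,
)

# CMTrace severity codes.
SEVERITY = {1: "INFO", 2: "WARNING", 3: "ERROR"}

# Constructed sample input standing in for three files from C:\Windows\CCM\Logs.
# Error codes and hostnames are made up for the example.
SAMPLE_LOGS = {
    "ClientIDManagerStartup.log":
        '<![LOG[Client is registered with the management point.]LOG]!>'
        '<time="08:12:03.412+300" date="10-02-2025" component="ClientIDManagerStartup" '
        'context="" type="1" thread="4120" file="ccmid.cpp:2561">\n',
    "CcmMessaging.log":
        '<![LOG[Post to http://cm01.corp.example/ccm_system/request failed with HTTP status 500.]LOG]!>'
        '<time="08:12:05.001+300" date="10-02-2025" component="CcmMessaging" '
        'context="" type="3" thread="4120" file="ccmhttp.cpp:1311">\n'
        '<![LOG[Retrying in 10 minutes.]LOG]!>'
        '<time="08:12:05.002+300" date="10-02-2025" component="CcmMessaging" '
        'context="" type="2" thread="4120" file="ccmhttp.cpp:1320">\n',
    "LocationServices.log":
        '<![LOG[Failed to refresh the management point list.]LOG]!>'
        '<time="08:12:06.777+300" date="10-02-2025" component="LocationServices" '
        'context="" type="3" thread="5004" file="lsad.cpp:910">\n',
}


def _timestamp(date_str, time_str):
    """Combine CMTrace date (MM-DD-YYYY) and time (HH:MM:SS.mmm+offset) into a datetime.
    The trailing offset is in minutes; records from one machine share it, so it is
    dropped here and only used for ordering."""
    hms = re.split(r"[+-]", time_str, maxsplit=1)[0]
    return datetime.strptime(f"{date_str} {hms}", "%m-%d-%Y %H:%M:%S.%f")


def parse_cmtrace(text, source="<inline>"):
    """Parse all CMTrace records in text; source labels which log file they came from."""
    records = []
    for m in CMTRACE_RE.finditer(text):
        records.append({
            "source": source,
            "when": _timestamp(m.group("date"), m.group("time")),
            "component": m.group("component"),
            "severity": SEVERITY.get(int(m.group("type")), "UNKNOWN"),
            "message": m.group("message").strip(),
        })
    return records


def load_ccm_logs(log_dir):
    """Read every *.log under log_dir (e.g. C:\\Windows\\CCM\\Logs) and parse it.
    Some ConfigMgr logs are not clean UTF-8, so undecodable bytes are replaced."""
    records = []
    for path in sorted(Path(log_dir).glob("*.log")):
        records.extend(parse_cmtrace(path.read_text(errors="replace"), path.name))
    return records


def find_problems(records, min_severity="WARNING"):
    """Return warnings/errors (or errors only) across all components, oldest first."""
    wanted = {"WARNING", "ERROR"} if min_severity == "WARNING" else {"ERROR"}
    return sorted((r for r in records if r["severity"] in wanted), key=lambda r: r["when"])


def summarize(records):
    """Count problems per (log file, component, severity) so the noisy component stands out."""
    return Counter((r["source"], r["component"], r["severity"]) for r in records)


if __name__ == "__main__":
    recs = [r for name, text in SAMPLE_LOGS.items() for r in parse_cmtrace(text, name)]
    for r in find_problems(recs):
        print(f'{r["when"]} {r["severity"]:7} {r["source"]:28} {r["component"]}: {r["message"]}')
    for key, n in summarize(find_problems(recs)).most_common():
        print(n, key)
```

On a real client, replace the sample with `load_ccm_logs(r"C:\Windows\CCM\Logs")`; the same parser works on site-server logs (for example distmgr.log or PkgXferMgr.log under the site installation's Logs folder), since they use the identical record format.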
takeitezsteve@reddit
sounds like a skill issue
kissmyash933@reddit
I have no doubt that it is, and I’m fine with not being skilled up on it. I step in and help fix it when it’s necessary but I’m thankful it’s not my responsibility.
upcboy@reddit
I'm a bit worried our days are numbered. Unless I missed it, there has been no news of a 2509 release, which has me concerned.
Abject_Serve_1269@reddit (OP)
Honestly, the last time I used SCCM was to deploy patches for Windows Server 2016. Siloed govt job; another team prepped them for infrastructure (us) to deploy. Prior to that it was to image laptops, which was like 10 years ago.
I'm used to Intune. Part of me is glad they renamed Azure AD to Entra ID.
badaccount99@reddit
What is SCCM?
I've been doing IT mostly on Linux since 1993 or so. Windows thing? Super glad I don't have to deal with Microsoft.
guydogg@reddit
Hopefully 12-13 years. That'd be great
PedanticDilettante@reddit
SCCM already is gone. It's MECM now.
grygrx@reddit
I think the death of intel and the rise of ARM might take it out. The support seems basic at best
centizen24@reddit
From what I've gathered, SCCM is already gone in terms of viability. There are still orgs that use it, but that's technical debt and more and more places are flipping to Azure/Intune. It's not something I even put on my resume anymore and I wouldn't recommend a greener to spend any time on it.
fraiserdog@reddit
As someone who built my entire career on SCCM, I think it will get incorporated into Intune, and Microsoft will push it as a cloud offering.
WorldsBestPapa@reddit
I was absolutely shocked (I’m a network engineer at a top 10 hospital system) today to find that, while troubleshooting at a site with an “sccm imaging server”, after I replaced the Meraki with an ISR and updated the entire IP scheme and worked with the “sccm engineer”, that it actually was SCCM. I really thought we were using Intune and SCCM just stuck around because everyone always called it that.
Abject_Serve_1269@reddit (OP)
I'll be honest. It's been nearly a decade since I last used SCCM and even then, limited use (images and app deployment via Software Center). The job I interviewed for uses it and if I land it, I'm asking them to give me a crash course refresher. I'm used to Intune/Autopilot these days.
Firerain@reddit
It’s insanely versatile when configured right. There’s a reason it’s still the preferred tool for airgapped environments.
Unfortunately everyone pushing for “cloud everything” has pretty much killed its future. Intune still doesn’t have half of the stuff SCCM does. And it probably never will because Microsoft are getting lazy with everything that isn’t Copilot, Azure, and whatever their new cloud buzzword project is
BrianKronberg@reddit
A short time after Intune can replace it fully.
OneSeaworthiness7768@reddit
I’m sure it will be around for years to come. However I’ll say that in my recent job search, sccm came up quite a bit less in job postings than Intune.
MinnSnowMan@reddit
Do the sccm distribution servers just stop syncing for no reason still?
norcalscan@reddit
No reason?! Event Viewer and CMM logs clearly point to the Mayan Calendar displaying a holiday today.
PitcherOTerrigen@reddit
I had to use SCOM for a month a few years ago, between jobs, but it was between a full connectwise/forti stack and a synchro/intune stack.
Fucking sucks man. Idk how you in-house guys do it. Pretty sure limewire had a more modern gui.
drewshope@reddit
Fucking forever. SCCM is proof that a loving god does not exist
Professional_Ice_3@reddit
The loving gods are over in r/ShittySysadmin with DSL and dial up
largos7289@reddit
LOL I know of at least three state departments that still use NT 4.0.
Kindly_Revert@reddit
Most major orgs with a large on-prem footprint still use it. As long as they are willing to pay, it won't go away any time soon. These are orgs large enough to twist the arm of Microsoft, and they pay enough in support contracts to allow Microsoft to keep devs working on the product, or at least maintaining it.
BK_Rich@reddit
Probably anytime soon, it's used in massive organizations, it just works for them, these types of places aren’t looking to brag at their next drinking event that they “moved to cloud” without a serious business reason to do so.
RandomGen-Xer@reddit
For as long as there is no software that will do *everything* sccm does, as well as it does.
Xibby@reddit
Until Microsoft provides sufficient leverage to overcome inertia.