SCCM Is A Horrible Windows Deployment Tool And Microsoft Should Be Ashamed

There are thousands, if not millions of companies out there that make use of SCCM as an asset and inventory management tool. Within this use case, I believe SCCM is the best management tool available. It allows you to configure all sorts of hardware and software discovery options, including timelines, log storage limits, and more. With the Hardware and Software History options, it gives you granular control over the amount of changes that are stored during each discovery phase; this allows you to streamline your inventory information to the most relevant information for your inventory management needs.

That's about it.
The power of SCCM lies in inventory management

Where this program completely drops the ball is with Windows Deployment. As a Windows Deployment Server, it is extremely horrible as a solution and still requires additional software to make it as robust as the WDS\MDT\AIK license-included option already available in Server 2012 R2.

There are several issues present with using base SCCM as a Deployment Server:

  • Poor image building and capture operation; runs in LocalSystem account, disallowing user profile configuration
  • Always integrates SCCM client into installation process; no option to disable this
  • High cost of deployment, including licensing costs and software installation; difficult to create test scenarios
  • Limited task sequence customization
  • Limited task sequence variables
  • Limited deployment customization (computer type, BIOS type, etc.)

You can get most of these features by integrating SCCM with MDT and WDS, but it’s still questionable why these features simply weren’t included with SCCM already.

Zero Touch Installation (ZTI), SCCM’s major Windows Deployment feature, is touted as an extremely efficient way to image computers in a large organization (10K+ employees). Combining ZTI with the distributed nature of SCCM is supposed to make managing remote Windows Deployments across continental lines a snap. The problem with ZTI is the lack of a reliable failsafe option in case a computer is accidentally imaged by an end user. I don’t know of too many companies that would want to spend money on additional network-based storage space to back up a computer before you image it, and this seems to be the only failsafe option you can rely on when using such a “robust” deployment methodology behind a “robust” management tool.

ZTI is NOT a deployment methodology I would advocate for ANY company managing a large I.T. infrastructure, unless you like explaining to your end users why their computers were wiped on a daily basis. Even across continental lines you still want to have an I.T. guy there just in case you need a physical hand to fix something. ZTI is not the answer to improving your infrastructure’s efficiency; there are simpler things you can look at first.

Instead of using ZTI, consider using the LiteTouch Installation (LTI) methodology with the Microsoft Deployment Toolkit, Windows Deployment Services and the Automated Installation Kit for Windows 10. The combination of MDT, WDS, and AIK is low-cost and allows you to deploy Windows and applications to client computers using LTI over the network. LTI is the safest methodology for deploying computers because it avoids a big support and security issue with allowing a computer to become fully imaged without prior approval from I.T. Yes, you can configure security groups and all sorts of other options to not only use ZTI more effectively but also secure ZTI deployments even further; why make things more complicated than they need to be?

You don't need SCCM to do this
MDT is not only simpler to use and better at deploying Windows, it’s FREE

As an example of what I’m talking about, the best security invention in the history of security was the lock and key. The lock and key is an extremely simple invention made thousands of years ago; we still use it to secure EVERYTHING. This principle is known as K.I.S.S. (Keep It Simple, Stupid). Apply it to your I.T. infrastructure and let me know if you still make things complicated on purpose.

Do you really need anything else?
The lock and key – The best, easiest to use and time-tested security solution

Some sysadmins will say that SCCM was never meant to be a deployment server or a deployment server replacement; the extra work to make it one is worth it. Maybe that’s true.

However, this product is still sold as a simple, one-size-fits-all solution for businesses looking to manage their entire I.T. infrastructure. It’s important to realize that it’s not as good as it looks for everything it’s supposed to do. There is value in examining each solution, its parts, and its general use case to determine whether or not it’s worth it for your business needs.

In the case of SCCM, it is a wonderful asset and inventory management tool; there’s no doubting that. It just falls flat with everything else it’s supposed to do, especially with Windows Deployment. Microsoft seriously needs to re-work its Windows Deployment modules for the next version of this program. There is little value in using SCCM as a Windows Deployment server when it’s missing several features out of the box, and I would definitely consider lower-cost and easier-to-use alternatives if you need Windows Deployment automation features.