June 4, 2024 | 8 min read

Your Guide to Microsoft Configuration Manager


Microsoft Configuration Manager is a comprehensive management solution that helps IT teams track, configure, and manage endpoints and devices on your network. It can automate common tasks, like distributing patches, installing software, and enforcing security configurations across every endpoint that connects to the network.

What Is Microsoft Endpoint Configuration Manager?

Microsoft Endpoint Configuration Manager has had multiple names over the years:

  • Systems Management Server (SMS): 1994 - 2007
  • System Center Configuration Manager (SCCM): 2007 - 2019
  • Microsoft Endpoint Configuration Manager (MECM): 2019 - 2023
  • Microsoft Configuration Manager: 2023 - present

When MECM was SCCM, some people nicknamed it ConfigMgr, and the name stuck. No matter what you call it, MECM is part of a larger suite of Microsoft products that helps IT teams manage, configure, and improve endpoint protection using a centralized platform.

While MECM is mainly for endpoints using Microsoft Windows operating systems, it does offer some capabilities for managing devices running Linux or macOS operating systems. It also provides support for mobile devices, including bring-your-own-devices (BYOD), and can be used on laptops, desktops, smartphones, tablets, and servers.

New versions of Microsoft Endpoint Configuration Manager used to be released every 18 months. Beginning in 2023, Microsoft changed that to two releases every calendar year, shipped as branch updates rather than distinct versions.

What Does Microsoft Endpoint Configuration Manager Do?

As the name implies, Endpoint Configuration Manager helps IT teams manage endpoints connected to the corporate network or the internet. A centralized dashboard gives IT more visibility into every endpoint, automating tasks and enforcing compliance with security configurations across devices. As a tool, MECM can help the team:

  • Provision devices. MECM prepares and configures devices and endpoints for employee use, making it easier to onboard employees quickly and at scale.
  • Enforce configurations. MECM checks all devices to ensure they comply with your current configurations and specifications. If a device has drifted out of compliance, MECM can automatically enforce changes, like installing a missing security patch or encrypting the hard drive.
  • Deploy updates. Any time a device connects to the network, MECM can deploy patches and software updates, install applications, and even upgrade the entire operating system (OS).
  • Manage inventory. MECM can create a detailed hardware and software inventory for every endpoint, helping IT track assets, identify unauthorized software, and plan lifecycle upgrades.
  • Provide remote assistance. MECM gives admins remote control over a device, allowing them to take over the machine and resolve issues without needing to be on-site.
  • Limit applications. MECM allows the team to create an approved store that limits which applications users can install on their device, ensuring every endpoint complies with your configurations and restricting the number of unauthorized third-party apps on machines.
  • Apply personal-device policies. Companies with a BYOD policy can create additional configuration and security policies for any device employees connect to the network, ensuring your network remains secure even when someone uses their personal device.


How Does Endpoint Configuration Manager Work?

MECM requires two things to work: a server and an agent (also known as a client).

Each device has an agent, which communicates with an on-site server. When the device connects to the network, it reports its status to the server and receives instructions, like installing a security patch. The server hosts the Configuration Manager infrastructure and manages endpoint communications. It stores everything from configuration policies to reports to inventory data. While some companies need only one server, larger companies or those with complex endpoint management needs may require additional servers.

While on-premises infrastructure is required, Configuration Manager also supports some hybrid cloud-based installations. For example, Configuration Manager allows companies that run virtual machines in Azure to use cloud-based services, like the cloud management gateway. Configuration Manager also integrates with Microsoft Intune through co-management, allowing companies to maintain their on-premises infrastructure where they need it while shifting processes and workloads to the cloud when necessary.


Pros of MECM

Microsoft Endpoint Configuration Manager may not be the right endpoint manager for every organization, but for companies that primarily use Microsoft operating systems and products, it offers an array of features that simplify and centralize endpoint management.

Flexible

Configuration Manager gives IT teams more control over how and when endpoints check for and install software updates and security patches. Admins can configure maintenance windows to schedule updates outside of normal business hours and allow users to delay a restart to minimize disruptions.

It also allows IT to stagger deployments so the team can test updates with a small number of endpoints to ensure the update is stable before deploying it to every device in the company.
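The maintenance-window behaviour described above can be scripted with the ConfigurationManager PowerShell module that installs alongside the admin console. The following is an added example written for this page, not code from the article or from Microsoft; it assumes the module's `New-CMSchedule` and `New-CMMaintenanceWindow` cmdlets with the parameters shown (check them against `Get-Help` on your site, since parameter sets vary by module version), and the site code, drive name and collection IDs are placeholders. It creates one weekend window on a small pilot collection and a second, later window on the production collection, so the pilot devices always receive an update a week before everyone else.

```powershell
# Added example (not from the original article). Assumes the ConfigurationManager
# module from the admin console and placeholder site code "PS1" / collection IDs.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "PS1:"   # placeholder: the site drive the module creates, named after the site code

$pilotCollectionId = 'PS100042'   # placeholder: small pilot device collection
$prodCollectionId  = 'PS100043'   # placeholder: broad production device collection

# Weekly window: Saturdays at 22:00 for 4 hours, outside business hours.
# Pilot devices get the first Saturday; production starts one week later, so an
# update that misbehaves on the pilot ring can be pulled before it reaches everyone.
$pilotStart = Get-Date '2024-06-08 22:00'
$prodStart  = $pilotStart.AddDays(7)

$pilotSchedule = New-CMSchedule -Start $pilotStart -DayOfWeek Saturday -RecurCount 1 `
                                -DurationInterval Hours -DurationCount 4
$prodSchedule  = New-CMSchedule -Start $prodStart  -DayOfWeek Saturday -RecurCount 1 `
                                -DurationInterval Hours -DurationCount 4

# ApplyTo SoftwareUpdatesOnly keeps the window from also gating task sequences.
New-CMMaintenanceWindow -CollectionId $pilotCollectionId -Name 'Weekend updates (pilot)' `
                        -Schedule $pilotSchedule -ApplyTo SoftwareUpdatesOnly
New-CMMaintenanceWindow -CollectionId $prodCollectionId  -Name 'Weekend updates (production)' `
                        -Schedule $prodSchedule  -ApplyTo SoftwareUpdatesOnly

# Verify what the site now holds for each collection before deploying anything.
foreach ($id in @($pilotCollectionId, $prodCollectionId)) {
    Get-CMMaintenanceWindow -CollectionId $id |
        Select-Object Name, IsEnabled, ServiceWindowType, Description
}
```

A deployment targeted at both collections then installs on the pilot ring first without any further scheduling work; the restart-deferral behaviour the article mentions is a client setting and is configured separately from the window.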

Centralized Control

MECM has two user interfaces: the Configuration Manager Console and the Software Center.

The Configuration Manager console allows admins to handle administrative and management tasks on multiple devices from a single endpoint. The admin can deploy updates, run reports, and even check up on a specific endpoint from a centralized dashboard, giving IT full control and a single, integrated view into every device. 

The Software Center allows end users to manage and install software, patches, and updates that IT has tested, approved, and deployed. Users can also view their history and compare what’s on their device against company policies to ensure their endpoint is in compliance with current configurations.

Access Control

Installing MECM on a single device limits who can reach it, but large teams likely need MECM on more than one device. However, you probably don’t want everyone with access to those devices to have the same level of access to MECM. Fortunately, MECM allows admins to assign roles to users, and each role has multiple permission levels that allow or limit what a user can do.

If the native settings don’t meet your needs, MECM allows you to create custom roles and permissions to fit your security and operational requirements.

Full Application Deployment

MECM helps IT automate the deployment and provisioning process, making it easier for the team to prepare new devices with the software, security configurations, and permissions new staff need from day one. Companies that frequently hire large cohorts can quickly set up new devices at scale, streamlining the provisioning process from start to finish.

Compliance Baseline

One of the main reasons companies use configuration managers is to ensure endpoints comply with current security configurations. MECM gives IT teams the ability to establish, check, and enforce compliance baselines across all devices, strengthening endpoint protection and reducing attack vectors.

IT can set a policy, and as MECM checks devices, noncompliant devices are flagged. MECM can then generate a report to notify IT, automatically deploy and apply the update or patch to bring the device into compliance, or restrict access until the device is up to date.
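The check-then-remediate loop above, and the agent-evaluates-locally model from the "How Does Endpoint Configuration Manager Work?" section, are easiest to see in a script-based configuration item. The following is an added example written for this page, not code from the article or from Microsoft. It assumes the standard configuration-item "script" setting type, where the agent runs a discovery script, compares its single line of output against a rule defined in the console (here, a String setting with the rule "Equals Compliant"), reports the result to the server, and runs the remediation script only when the rule fails and remediation is enabled on it. The hardening setting checked (requiring SMB signing on the SMB client) is the editor's choice, not the article's; the registry path and value name are the documented Windows ones.

```powershell
# Added example (not from the original article): discovery and remediation bodies for a
# script-based Configuration Item setting. Each function goes into its own field in the
# console; the trailing calls show which one ends each script.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$RegName  = 'RequireSecuritySignature'   # documented Windows value: 1 = SMB client requires signing
$Expected = 1

function Test-SmbSigningRequired {
    # $true when the client already requires SMB signing. A missing value means the
    # default applies, which is treated as noncompliant so the rule fails closed.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$RegName -eq $Expected)
}

function Get-ComplianceState {
    # Discovery script body. Output exactly one value and nothing else: the agent
    # compares this string with the compliance rule and reports the result to the site.
    if (Test-SmbSigningRequired) { 'Compliant' } else { 'NonCompliant' }
}

function Set-SmbSigningRequired {
    # Remediation script body. The agent only runs this after discovery returned a value
    # that failed the rule, so it is safe to write unconditionally.
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord `
                     -Value $Expected -Force | Out-Null
    # Return the new state so the remediation log records what was applied.
    Get-ComplianceState
}

# --- Discovery script (paste the functions above, then end with this line) ---
Get-ComplianceState

# --- Remediation script (paste the functions above, then end with this line) ---
# Set-SmbSigningRequired
```

Once the configuration item is added to a baseline and the baseline is deployed to a collection, the console's compliance reports show which devices returned NonCompliant and whether remediation was applied, which is the flag-report-remediate sequence the paragraph describes. Running the discovery script on its own from an elevated prompt is a quick way to confirm the rule evaluates as intended before deploying it.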


Cons of MECM

For companies that use Microsoft Windows operating systems and associated products, using MECM to manage and configure endpoints is a logical choice. But it’s not the right endpoint device manager for every situation.

Expensive

Like many software products, MECM requires a license, and the price may be cost-prohibitive for smaller companies. While you can purchase a license for MECM outright, it is also possible to get MECM as part of a subscription to a Microsoft product (like some versions of Office 365). However, those require a per-user fee, which can add up.

What’s more, MECM must be installed on a server that meets the minimum OS requirements. Depending on your current setup, you may need to purchase and install an upgrade.

Lack of Third-Party Support

Microsoft Endpoint Configuration Manager is an excellent product for deploying and installing patches for Windows operating systems and associated products. However, MECM isn’t as good at deploying and installing patches for third-party software, which could leave endpoints unpatched, increasing your attack surface and leaving your network vulnerable to hackers.

While you can add a patching tool for third-party software, this requires additional configuration and maintenance.

Difficult to Protect Non-Managed Devices

Many companies allow employees to use their own devices instead of issuing company-owned ones. These BYOD policies allow employees to connect and use their mobile device or laptop on the company network. Companies can use Microsoft Endpoint Configuration Manager to set up policies for these unmanaged devices, but enforcing configurations and updates isn’t as easy or seamless as it is for managed devices. One solution is to enroll these devices in MECM, but users may not want their personal devices managed by your IT department.

On-Premises Solution

MECM is primarily an on-premises product that relies on LAN protocols to deploy and install updates and patches. While this works for local devices, it’s much harder to manage remote devices. Users have to connect using a VPN, which may not happen reliably or consistently, leaving that endpoint unpatched and vulnerable to attack.


Is MECM Right for Your Business?

MECM is a powerful, centralized tool that helps companies manage endpoints at scale. The flexibility, compliance features, and integrations with Intune make it a good option for larger companies with complex IT needs. 

However, it may not be the right fit for smaller or remote-first organizations. Because it is an on-premises solution, ensuring endpoint protection for distributed teams or companies with a hybrid model can be slow and inefficient, increasing your attack surface, and the lack of cloud-based options can make MECM difficult to implement.

No matter how large or small your company is, if MECM isn’t the right solution for you, Adaptiva may be the better fit. Contact us today and schedule a demo to learn how our platform can help your IT team patch and manage endpoints at scale.
