💀 SCCM Is Dead. Long Live the Cloud Overlord Intune.

aka: How Microsoft replaced Task Sequences, PXE and sanity with Graph APIs, JSON logs and Azure blobs

🦴 SCCM: the glorious beast of bare metal and BIOS-level mayhem

🧠 Architecture recap:

SCCM (System Center Configuration Manager) is the lovechild of legacy infrastructure and deep surgical control:

  • SQL Server — the brain of everything: device state, deployments, compliance

  • Management Point / Distribution Point — the artery and warehouse

  • PXE + WDS — the imaging cult, letting you rebuild machines from boot

  • WSUS integration — for those who like patching to feel like trench warfare

  • Client Agent — fat, powerful, self-healing (ccmrepair.exe for life)

You could deploy a driver pack, BIOS settings, a full OS image, a language pack, an app bundle, and a branded wallpaper — in one Task Sequence. While playing Doom on the side.

SCCM didn’t need internet. It needed grit.

☁️ Intune: cloud-native, JSON-fueled, and spiritually allergic to MSI

Microsoft Intune is not SCCM 2.0 — it’s a different religion:

  • Based on Azure AD and MDM channels

  • Uses Configuration Service Providers (CSPs) to apply policies

  • Runs Intune Management Extension (IME) for Win32 deployments

  • Wraps everything in .intunewin, because MSI was apparently “too simple”

  • Logs to JSON files that live in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\

Everything is wrapped in layers of “compliance,” “remediation,” and “hope it worked.”

💣 Deploying software: it’s not plug-and-play, it’s plug-and-pray

In SCCM:

powershell
New-CMApplication -Name "CoolApp" -DeploymentType MSI -InstallationProgram "msiexec /i cool.msi /qn"

Assign to a dynamic device collection, schedule it, boom — done.

In Intune:

  1. Package your app via IntuneWinAppUtil.exe

  2. Upload to the MEM portal

  3. Configure detection logic

  4. Define return codes

  5. Assign to Azure AD group

  6. Wait… and maybe it installs

If it doesn’t install, you get “Error (0x87D1041C)” and a lesson in humility.

There is no rollback, no pre-caching, and every edit means repackaging the whole damn thing.

🧬 Intune Management Extension: your fragile cloud agent overlord

IME runs as a Windows service. It:

  • Polls the Intune service for assignments

  • Downloads blobs over WinHTTP

  • Executes scripts and installers

  • Logs events in 3 different places

  • Frequently gets stuck, silently fails, and doesn’t retry

The AgentExecutor.log is your only friend. And it speaks in riddles.

🚫 PXE is dead. Welcome to Autopilot, your new not-quite-OSD friend

Windows Autopilot is not imaging. It’s “cloud onboarding”:

  • Uses hardware hashes or PKIDs

  • Pulls enrollment profiles from Intune

  • Boots into a vanilla Windows image, then starts ESP (Enrollment Status Page)

  • Installs apps via IME + policies + prayers

It’s slick on paper, useless on an airgapped network, and terrifying when Wi-Fi cuts mid-onboarding.

There’s no support for:

  • BIOS flashing

  • Driver staging

  • Offline deployment

  • Customized partitioning

In short: Autopilot is for the Surface Pro generation, not warehouse floors.

⚙️ Co-Management: the diplomatic hell between old and new

Microsoft’s “co-management” lets you run SCCM and Intune simultaneously:

  • Assign certain workloads (apps, updates, compliance) to Intune

  • Keep Task Sequences and on-prem stuff in SCCM

  • Requires Cloud Attach, Azure AD Join, token juggling, and a 300-page onboarding doc

It’s a band-aid, not a bridge. And it will break in the worst possible moment.

💸 What about pricing?

  • SCCM: Covered under Core CAL Suite or standalone

  • Intune: Requires Microsoft 365 E3/E5 or Intune Suite

  • Intune Suite: Add-ons like Endpoint Privilege Management, Remote Help, advanced analytics

  • Deployment of your own app with admin elevation? That’ll be $5/user/month, sir.

Microsoft turned right-click “Run as admin” into a subscription feature.

🧠 Final Breakdown

Feature SCCM Intune
OS Deployment PXE, Task Sequence, offline Autopilot only, online
App Deployment MSI, Script, EXE, TS .intunewin, Store, LOB, web apps
Logs & Diagnostics SSRS, CMTrace, WQL, SQL JSON, Kusto, guesswork
Deployment Speed Fast, local DP, cacheable Slow, cloud only
Rollback / Reinstall Yes (TS/CI) Not really
Offline support Yes ❌
Network controls Rate limits, DP boundaries ❌
Script flexibility Full PowerShell CSP-based + some PS, no logic chains

🧨 Summary:

SCCM is a flamethrower.
Intune is a scented candle in a hurricane.

Microsoft isn’t replacing SCCM. It’s dismembering it, wrapping the limbs in Graph APIs, and selling them back to you as individual cloud services.

If your job was deploying custom apps via PXE in 17 steps — it’s time to learn YAML, become friends with AgentExecutor.log, and cry in Azure Monitor.