Endpoint Services, SCCM, client policy and group policy interaction in SCCM

What are recommended uses for SCCM and group policy objects (GPOs)?


System Center Configuration Manager (SCCM) Current Branch

Affected Customers

University of Illinois IT Pros leveraging Technology Services Endpoint Service SCCM Current Branch

General Information

Group Policy Objects (GPOs) remain unchanged by SCCM; your joined endpoints can continue to use GPOs. In fact, you can use a GPO to distribute the SCCM client (which runs as admin on an SCCM-managed endpoint). The SCCM team recommends that you deploy content via SCCM instead of GPOs.

Group Policy is also used to apply settings and this does not have to change; you can continue to apply configuration settings or restrictions for software via GPOs.

Group Policy lets you deploy software in a basic way: if you want to do anything other than making every joined Windows system in an OU install a program, you'll need a script to handle other conditions determining which endpoints install a program (these conditions include dealing with dependencies, checking if a program is already installed, or installing something on a schedule to control when an installation occurs). This approach quickly becomes complex and is not recommended.

SCCM allows for fine-grained decision-making including dependency handling, not installing a program where that program is already installed, installing something on a schedule, and letting users decide when and if a program is installed on the endpoint they're using. SCCM helps save IT Pros time and effort, rendering it unnecessary to develop complex installing scripts as would be needed to do the same task with only Group Policy.

SCCM can also manage compliance via Configuration Items and Configuration Baselines:

  • Configuration Items are often (but not always) scripts that evaluate whether an endpoint is set up properly for a particular purpose. For example: is the endpoint set up to behave in compliance with University policy? Does the endpoint have required programs installed?
  • Configuration Baselines are collections of Configuration Items. Configuration Baselines are useful for summarizing compliance with a set of more detailed requirements, such as determining if a set of applications used in a unit or college are installed on the endpoint.

Microsoft has published a step-by-step guide to writing Configuration Items and creating configuration items in System Center Configuration Manager.

Related discussion:

Contact the EPS team

Keywords:compliance GPO policy "configuration item" "configuration baseline" EPS SCCM windows endpoint TechS-EPS-SCCM MECM   Doc ID:75315
Owner:EPS Distribution List .Group:University of Illinois Technology Services
Created:2017-08-04 15:38 CDTUpdated:2020-03-16 16:17 CDT
Sites:University of Illinois Technology Services
Feedback:  0   0