SCCM vs Puppet

By UpGuard on May 9, 2014

Filed under: puppet, devops, Microsoft


Open-source vs. proprietary? In the software universe, this debate has raged on in almost all sub-sectors – OS’s, databases, and even in the CM arena, where SCCM vs. Puppet are two of the heavyweight champs slugging it out. But beyond that philosophical difference in origin, they also take two completely different paths to the destination of easing the sys admin’s life.

SCCM is a Microsoft product, which of course means it ties in very well with Windows environments, especially enterprise environments, but no other platforms (except as client machines on SCCM 2012 – more on that in a bit). Puppet is an open-source product that can manage Linux, Unix, Windows and even Mac OS environments, though of course it cannot match the abilities of SCCM on Windows. So which one should you choose for managing your data center or multiplicity of servers that’s threatening to get out of hand? Let’s delve a bit more into them to find out.

What They Are

Puppet is the model-driven open-source CM from PuppetLabs. It’s written in Ruby, and has both a well-developed user interface and a CLI that uses either a Ruby-derived DSL or pure Ruby code, although this latter option is being deprecated. PuppetLabs founder Luke Kanies stated that: “One of the benefits of Puppet’s DSL—beyond the simplicity—is that it encourages the mental shift that Puppet requires. To use Puppet effectively, you need to think in resources, not files or commands. If you wrote your configurations in Ruby, you could easily just open files and run commands all the live-long day, but with the DSL, you have to learn to think in resources.” The user describes system resources and their states, and stores this information in files called manifests. Puppet includes a ‘resource abstraction layer’ that enables admins to describe the configs they want to manage and the actions they want to execute in high-level terms using the DSL. A great benefit of this infrastructure-as-DSL-code approach is that you don’t have to worry about OS-specific commands and keywords. Puppet also has a great browser-based UI for limited configuration and setup tasks, but most users will use the GUI as more of a viewing and reporting tool, and most fine-grained work will inevitably require learning how to use the CLI.
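To make "thinking in resources" concrete, here is a manifest that declares an SSH server baseline as desired state instead of as a sequence of commands. It is an added example, not code from the original article or from PuppetLabs; the class name `ssh_baseline`, the two sshd settings and the `/usr/sbin/sshd` path are assumptions, and it expects a Puppet version that supports the `$facts` hash and typed class parameters.

```puppet
# Constructed example: an SSH server baseline described as resources.
# The class name, the chosen sshd settings and the sshd binary path are
# assumptions made for illustration.
class ssh_baseline (
  String $permit_root_login = 'no',
) {
  # The resource abstraction layer picks the package provider (apt, yum, ...)
  # for us, but names can still differ per platform: the service is 'ssh'
  # on Debian-family systems and 'sshd' elsewhere.
  $service_name = $facts['os']['family'] ? {
    'Debian' => 'ssh',
    default  => 'sshd',
  }

  package { 'openssh-server':
    ensure => installed,
  }

  file { '/etc/ssh/sshd_config':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0600',
    content      => "PermitRootLogin ${permit_root_login}\nPasswordAuthentication no\n",
    # Reject the new content if sshd cannot parse it, so a bad change
    # never replaces the working config.
    validate_cmd => '/usr/sbin/sshd -t -f %',
    require      => Package['openssh-server'],
    # Restart the service only when the file actually changes.
    notify       => Service[$service_name],
  }

  service { $service_name:
    ensure => running,
    enable => true,
  }
}

include ssh_baseline
```

Running `puppet apply --noop` against this manifest reports drift from the declared state without changing the node, which is the reporting side of the same model.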

Microsoft’s SCCM (Systems Center Configuration Manager), or to use its official title ConfigMgr, was previously known as Systems Management Server (SMS). The latest version is SCCM 2012, and it can manage environments with Windows, Linux, Unix, Mac OS X and even mobile OS’s such as Windows Phone, iOS and Android. But the server console must be installed on a Windows server, and no points for guessing which OS platform it works best in. Also like other Microsoft products, almost all work will be done on the GUI, with some added-on support for programmatic interfaces like VB scripts. This makes it faster to learn and use, but less flexible than a CLI-centric tool like Puppet. One of the major changes in SCCM 2012 is support for BYOD (Bring Your Own Device). Microsoft recognizes that users are increasingly using devices not purchased by their workplaces’ IT, so it has added a way of automatically onboarding such devices into the SCCM-controlled network. SCCM of course uses and integrates very well with Active Directory and Group Policy to keep track of and roll out updates to all devices. Other notable features of SCCM are:

  • End users can search for applications via a self-service Software Center and define the times when installations and upgrades take place.
  • WSUS (Windows Server Update Services) and Network Access Protection for policy and security enforcement and rollout.
  • EndPoint Protection Manager, formerly called ForeFront, for data security and encryption on devices.


Community, Support, Pricing

Open-source platforms typically have a much greater sense of togetherness and product ownership. This is no different in the case of Puppet – an active user community and quick feedback and resolution are there when needed. That said, Puppet is the largest player in the open-source CM marketplace, and with that size comes some inertia to change and loss of agility. There have been some small but vocal protests in discussion forums about stuff like PuppetLabs’ slowness to resolve bugs and their pushing users towards the commercial enterprise version, where they make their money. Puppet also boasts having some large corporate clients on board - Reddit, Dell, PayPal, Oracle, Los Alamos Labs, and Stanford University. When going up against a big-name established behemoth like Microsoft, such clients offer a lot of credibility in the minds of potential clients and users. Like the open-source version, Puppet Enterprise is also free for the first 10 nodes but then after that costs $99 per node per year; tiered discounts are also available up to 2500 nodes. As previously mentioned, Puppet works on almost all platforms, but simply can’t match SCCM’s capabilities on Windows; for instance you cannot use Puppet for provisioning and deploying new Windows servers, and it cannot directly update AD to reflect the status of machines in the network.

With SCCM, many first of all have a problem with its closed-off, proprietary nature. That said, support from the user community is also very good. That’s not surprising given the dominance of Microsoft products, and you also get excellent answers and support from dedicated in-house SCCM pros, à la the Genius bar at the Apple Store. SCCM pricing is convoluted and not as straightforward as Puppet’s, especially if you are adding multiple servers, but this is common in almost all Microsoft products, and is actually easier to understand in the 2012 version compared to the 2007 version. To illustrate this clear-as-mud pricing setup, you need both client managed licenses (ML’s) and server managed licenses. Server ML’s are priced depending on whether you are taking up the ‘Standard’ or ‘Datacenter’ option, and also vary by the number of processors you have. So for example the top of the range 4-processor, datacenter server ML will cost $7230, and then you still need to factor in the cost of client ML’s ($62 - $121). SCCM will generally work out to be much more expensive than Puppet, is what we’re trying to say here. Read more about SCCM pricing here.


If you have to make a choice between Puppet and SCCM, first detail what your needs are, then look for the tool that best fits those needs. And remember, you are lucky to even have such a choice – just 10 years ago there was basically only one CM tool! The pros and cons analysis below may help your decision-making, as well as this site that summarizes and compares features of both SCCM and Puppet.

SCCM: Pros

  • Integrates very well into Windows environments.
  • Guaranteed support from Microsoft.
  • Easier to learn, so faster to start using.

SCCM: Cons

  • Very expensive.
  • Doesn’t integrate well with mixed Windows-Linux/Unix setups.
  • Not as powerful as Puppet because of GUI-only interface.
  • Proprietary model, so users cannot change or customize the product.

Puppet: Pros

  • Open-source, so much cheaper and more flexible.
  • Works well with all OS platforms.

Puppet: Cons

  • More complex and difficult to learn and start using.
  • Forces users to learn and use Ruby-based DSL.

