Close Menu
    Wednesday, November 20

    Migrating Windows Update Workloads from SCCM to Intune: How to Verify Management Tool

    Eswar KonetiBy 2 Mins Read configmgr 1,204 Views

    In a recent project, I was involved in migrating endpoint workloads from SCCM/ConfigMgr to Microsoft Intune. A key part of this migration was transferring the Windows Update for Business (WUfB) workload to Intune, with the goal of managing Windows updates exclusively through Intune.

    However, after migrating the WUfB workload to Intune, I noticed that some devices continued to receive patches from SCCM. This discrepancy occurs because you will need to configure and assign update rings in Intune otherwise, SCCM will still manage the Windows update patching.

    To determine whether a device’s Windows patching is controlled by SCCM or Intune, you can use a simple PowerShell script. This method is effective because there's no direct UI on the client to show this information, and logs might only confirm that WUfB is managed by Intune without clarifying the active update management tool.

    Identifying Windows Update Management Tool with PowerShell Script:

    PowerShell Script to Identify Update Management Tool

    Here’s a PowerShell script that helps identify whether Windows updates are managed by SCCM/WSUS or by Intune/WUfB:

    <#
    Description: This script will help you to determine whether the default Automatic Update service on a machine is managed by SCCM/WSUS or WUfB/Intune based on the service name.
    Name:WhoManagesWindowsUpdate.ps1
    #>
    #Get the default Automatic Update service
    $data = (New-Object -ComObject "Microsoft.Update.ServiceManager").services | Where-Object {$_.IsDefaultAUService -eq $true}
    #Check the name of the default Automatic Update service and output the corresponding management tool
    if ($data.Name -eq "Windows Server Update Service") {
    Write-Host "SCCM/WSUS"
    } elseif ($data.Name -eq "Microsoft Update")
    {
    Write-Host "WUfB/Intune"
    }
    elseif ($data.Name -eq "Windows Update")
    {
    Write-Host "Not SCCM or Intune"
    } else
    {
    Write-Host "Unknown update service: $($data.Name)"
    }

    Summary Table

    The table below summarizes which management tool controls the Windows update patching based on the service name:

    Sl
    No    		 Service Managed
    by
    1 Windows
    Server Update Service    		 SCCM/WSUS
    2 Microsoft
    Update    		 Intune/WUfB
    3 Windows
    update    		 Not
    SCCM/Intune (Default)

    Output Examples

    • Device Managed by Intune: The output will show WUfB/Intune.
    • Device Managed by SCCM: The output will show SCCM/WSUS.
    • Device Managed by Default Update (without SCCM/Intune): The output will show Not SCCM or Intune.
    • image

    By running this script, you can quickly determine the update management tool for any device and ensure that the migration to Intune is fully complete.

    Share.

    Related Posts

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.