As organizations transition from System Center Configuration Manager (SCCM) to Microsoft Intune and Windows Update for Business (WUfB), it’s critical to ensure that legacy configurations don’t interfere with modern update management.
One common issue is the lingering presence of Group Policy (GP) cache and WSUS registry settings that were previously managed by SCCM.
In this blog, we’ll walk through a detection and remediation script pair designed for use with Intune Proactive Remediations.
These scripts identify and clean up outdated Windows Update configurations, ensuring a clean slate for WUfB.
Windows Update Detection Script for SCCM to Intune Migration
This script checks for the presence of legacy Windows Update configurations that may interfere with Intune and WUfB.
Here’s what it looks for:
GP Cache – CacheSet001 and CacheSet002
- Registry Path: HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate (and the same path under CacheSet002)
- Purpose: Stores cached Group Policy settings for Windows Update. These can persist even after GPOs are removed and may cause conflicts with Intune policies.
WSUS Configuration Registry Key
- Registry Path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- Purpose: This key is used by Group Policy to configure WSUS settings. If present, it indicates the system may still be trying to use WSUS instead of WUfB.
Local GPO Reset Marker
- Registry Path: the value WUfB Local GPO Reset Complete under the key HKLM:\SOFTWARE\Intune_Migration
- Purpose: A custom marker used to indicate whether the local Group Policy registry settings have been reset. If missing, the system may still be influenced by old GPO configurations.
PowerShell Detection Script for Cleaning Legacy SCCM Windows Update Settings:
<#
.DESCRIPTION
Checks for items that need to be cleaned up as part of the conversion from SCCM to Intune/WUfB for Windows updates.
Exit code 1 tells Intune that remediation is needed; exit code 0 means the device is already clean.
#>
$ad_domain_name = "contoso.com"
# counter of items that still need cleanup
$rm_needed = 0
# test for GP Cache 001
if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate") {
    $rm_needed++
}
# test for GP Cache 002
if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet002\WindowsUpdate") {
    $rm_needed++
}
# test for WSUS configuration key
if (Test-Path -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate") {
    $rm_needed++
}
# if connected to the domain, test for the marker value that records whether local GP has been deleted and reset
if ((Test-NetConnection $ad_domain_name -WarningAction SilentlyContinue).PingSucceeded) {
    try {
        Get-ItemProperty -Path "HKLM:\SOFTWARE\Intune_Migration" -Name "WUfB Local GPO Reset Complete" -ErrorAction Stop | Out-Null
    }
    catch {
        $rm_needed++
    }
}
# exit based on script results; a non-zero exit code triggers the remediation script
if ($rm_needed -eq 0) {
    Write-Output "No legacy Windows Update settings found"
    exit 0
}
Write-Output "$rm_needed legacy Windows Update item(s) found"
exit 1
PowerShell Remediation Script for Fixing Legacy SCCM Windows Update Settings
<#
.DESCRIPTION
Cleans up items that need to be cleaned up as part of the conversion from SCCM to Intune/WUfB for Windows updates.
Intune runs this script only on devices where the detection script exited with code 1.
#>
$ad_domain_name = "contoso.com"
# check whether the computer is connected to the domain
$domain_connection = 0
if ((Test-NetConnection $ad_domain_name -WarningAction SilentlyContinue).PingSucceeded) {
    $domain_connection = 1
}
# remove GP Cache 001
if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate") {
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate" -Force -Recurse
}
# remove GP Cache 002
if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet002\WindowsUpdate") {
    Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet002\WindowsUpdate" -Force -Recurse
}
# remove WSUS configuration key (the policy that keeps the client pointed at WSUS instead of WUfB)
if (Test-Path -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate") {
    Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Force -Recurse
}
# reset local GP registry settings if connected to the domain
if ($domain_connection -eq 1) {
    try {
        Get-ItemProperty -Path "HKLM:\SOFTWARE\Intune_Migration" -Name "WUfB Local GPO Reset Complete" -ErrorAction Stop | Out-Null
    }
    # runs if the marker value does not exist, indicating that local GP settings have not been reset
    catch {
        $file = Join-Path $env:windir "system32\GroupPolicy\Machine\Registry.pol"
        $file_old = Join-Path $env:windir "system32\GroupPolicy\Machine\Registry.old"
        if (Test-Path -Path $file_old) { Remove-Item $file_old -Recurse -Force }
        # Registry.pol may already be absent; only rename it when it is there
        if (Test-Path -Path $file) { Rename-Item -Path $file -NewName $file_old -Force }
        # create the marker key first; New-ItemProperty fails when the key does not exist yet
        New-Item -Path "HKLM:\SOFTWARE\Intune_Migration" -Force | Out-Null
        New-ItemProperty -Path "HKLM:\SOFTWARE\Intune_Migration" -Name "WUfB Local GPO Reset Complete" -Value (Get-Date -Format "s") -PropertyType String -Force | Out-Null
    }
}
# restart Windows Update service so it re-reads the policy
Stop-Service wuauserv
Start-Sleep -Seconds 2
Start-Service wuauserv
# run gpupdate if connected to the domain, so the domain GPO is re-applied without the old WSUS settings
if ($domain_connection -eq 1) {
    gpupdate /force | Out-Null
}
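The remediation script above deletes the WSUS policy key outright, so anyone piloting it will want a record of what was there and a way to revert. This added example (not code from the original post) exports that key with reg.exe and logs the values that pointed the client at WSUS before they are removed; the log directory under ProgramData and the file names are assumptions.

```powershell
# Added example (not from the original post): snapshot the legacy WSUS policy before it is removed.
# The log directory under ProgramData and the file names below are assumptions.
$wsusKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$backupDir = Join-Path $env:ProgramData "Intune_Migration"
$stamp     = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null

function Get-LegacyWsusState {
    # Collects the policy values that decide whether the client talks to WSUS instead of WUfB.
    $state = [ordered]@{}
    if (Test-Path -Path $wsusKey) {
        $root = Get-ItemProperty -Path $wsusKey -ErrorAction SilentlyContinue
        foreach ($name in "WUServer", "WUStatusServer", "TargetGroup", "DoNotConnectToWindowsUpdateInternetLocations") {
            if ($null -ne $root.$name) { $state[$name] = $root.$name }
        }
        $au = Get-ItemProperty -Path (Join-Path $wsusKey "AU") -ErrorAction SilentlyContinue
        foreach ($name in "UseWUServer", "NoAutoUpdate", "AUOptions") {
            if ($null -ne $au.$name) { $state["AU\$name"] = $au.$name }
        }
    }
    return $state
}

function Backup-LegacyWsusPolicy {
    # Exports the whole policy key to a .reg file; "reg.exe import <file>" restores it if the pilot goes wrong.
    if (-not (Test-Path -Path $wsusKey)) { return $null }
    $regFile = Join-Path $backupDir "WindowsUpdate-policy-$stamp.reg"
    # reg.exe expects the native key name, not the PowerShell drive form
    $nativeKey = $wsusKey -replace "^HKLM:\\", "HKLM\"
    & reg.exe export $nativeKey $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $regFile
}

$state  = Get-LegacyWsusState
$backup = Backup-LegacyWsusPolicy
$values = ($state.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ";"
if (-not $backup) { $backup = "none" }
$logLine = "$stamp backup=$backup values=[$values]"
Add-Content -Path (Join-Path $backupDir "wufb-migration.log") -Value $logLine
# Intune shows a script's standard output in the remediation report, so the same summary is echoed.
Write-Output $logLine
```

Run it as the first step of the remediation script, before the Remove-Item calls, so every device in the pilot group leaves behind a .reg file and a log line that explain what was cleaned up.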
Best Deployment Tips for Intune Proactive Remediations
- Assign the remediation to a pilot group first to validate behavior.
- Monitor results in the Intune portal under Reports > Endpoint analytics > Proactive remediations.
- Customize the domain name (e.g., contoso.com) to match your environment.
Final Thoughts
This script pair is a great example of how Intune Proactive Remediations can be used to surgically clean up legacy configurations that may otherwise go unnoticed. By ensuring a clean update policy environment, you reduce the risk of update failures and improve compliance with modern management practices.
Comprehensive IT Solutions for SCCM to Intune Migration
Windows Management Experts (WME) specializes in SCCM to Intune migration, Windows Update management, and legacy configuration cleanup, alongside services covering M&A, security, and Office 365.
Our expertise spans PowerShell scripting, Intune Proactive Remediations, and endpoint analytics, so that your system transition is seamless and your compliance posture stays strong.
We provide custom solutions for Group Policy cleanup, WSUS configuration removal, and cloud-based device management, improving both security and operational efficiency for your business, and we offer all the expertise you need to drive your IT infrastructure forward.
Disclaimer
At Windows Management Experts, Inc., we strive to provide accurate, insightful content to help you guide your IT decisions on your own. We work diligently to ensure the information shared here is helpful and accurate but we always encourage you to consult with any of our technical consultants for any personalized advice and to address any specific needs you may have. Your success is our priority and we are here to support your technological troubleshooting and deployments every step of the way.