We are on the journey from SCCM is king managing all to Intune taking over some responsibilities. We are currently in a mixed scenario where updates are coming from Intune but apps are still coming from SCCM.
As I understand it, PMPC works differently on the two platforms.
SCCM - installs are 'applications' and updates are 'software updates'.
Intune - both installs and updates are 'applications'
Now that SCCM is not doing software updates and Intune is not doing app installs, no third party apps are being updated.
Is there a known workaround for this? The only thing I can think is to create dynamic collections in SCCM for every third party app and deploy the PMPC applications as required so the new versions get pushed out as required. (A. Lot. Of. Work!!!)
Thanks :)
Thanks for reaching out here!
In a Co-Managed situation, you have a couple ways you can configure this to work in your environment. Since SCCM is not handling Windows Updates, you can enable the Dual Scan functionality so that WSUS/SCCM will still push out Third-Party Updates while Intune will control your Windows Updates.
Here is the Microsoft Learn Document about the Dual Scan Feature - https://learn.microsoft.com/en-us/windows/deployment/update/wufb-wsus
This will allow you to control both Applications and Third-Party Updates via SCCM. Now when you're ready to switch the Client Apps workload over to Intune, then that will also allow you to deploy and control SCCM apps on a Co-Managed device. You can ALSO push both Apps and Updates from Intune to those Co-Managed machines making the need to enable Dual Scan obsolete.
Hopefully that helps you out here, however if you'd like more information on Co-Management Workloads you can reference this here: https://learn.microsoft.com/en-us/mem/configmgr/comanage/workloads
Also, feel free to respond back and we can always follow up!
Hey There!
Just to add some extra thoughts to Spencer's reply here.
When you enable co-management, you may already be aware that all Intune workloads will be blocked, by default, for devices with the ConfigMgr agent installed. In order to move workloads to Intune, you adjust the co-management workload slider.
When you move the Updates workload to Intune, DualScan is automatically enabled. This means that Windows Updates will come from the Windows Update Service and not WSUS/ConfigMgr. Typically, customers would use Intune to create update policies to manage how updates are scheduled and installed from the Windows Update service. Once DualScan is enabled automatically when you move the updates workload, all "non-Microsoft" updates will still scan against WSUS. This means you can continue to publish 3rd party updates from PatchMyPC to WSUS/ConfigMgr and those clients will still receive them.
Most customers move the Updates workload because their clients are now on the "internet" more than they are the corporate network. If that is the case, you will need to be aware of that patch content being pulled over your VPN/WAN. An alternative solution here, to avoid bandwidth congestion on your WAN, is to use the Cloud Management Gateway (CMG) for any clients that connect over a VPN. This will require some boundary work to ensure internet clients are trying to pull content from the CMG rather than an internal distribution point.
Finally, you may have also considered the "Client apps" workload in your co-management scenario. When you move the client apps workload you are now allowing applications to be installed from both ConfigMgr AND Intune. This means, as far as Patch My PC is concerned, you can publish 3rd party updates to either Intune or WSUS/ConfigMgr.
More than happy to talk more about this if you wanted to book a review session with us. If you do, please use this link to book a session with me https://calendly.com/ben-whitmore/30min
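A read-only check that shows, on one co-managed client, whether the pieces Ben describes are actually in place (co-management flags, Updates and Client apps workloads, a WSUS server, and the Dual Scan policy state). This is an added example, not code from the thread or from Patch My PC; the CoManagementFlags bit layout and the Dual Scan activation rule in the comments are assumptions to verify against your own console and policy before relying on the result.

```powershell
# Added example: where will this co-managed client scan for updates?
# Assumptions (verify in your environment): CoManagementFlags bit 1 = co-management
# enabled, bit 16 = Windows Update workload on Intune, bit 64 = Client apps workload
# on Intune; Dual Scan is active when a WSUS server is configured, at least one
# Windows Update for Business deferral policy is set, and DisableDualScan is not 1.

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ccmKey   = 'HKLM:\SOFTWARE\Microsoft\CCM'

function Get-RegValue {
    # Return a registry value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$flags        = Get-RegValue $ccmKey 'CoManagementFlags'
$coManaged    = ($flags -band 1)  -ne 0   # assumed bit
$wuToIntune   = ($flags -band 16) -ne 0   # assumed bit
$appsToIntune = ($flags -band 64) -ne 0   # assumed bit

$wuServer        = Get-RegValue $wuPolicy 'WUServer'
$useWUServer     = Get-RegValue "$wuPolicy\AU" 'UseWUServer'
$disableDualScan = Get-RegValue $wuPolicy 'DisableDualScan'
$deferQuality    = Get-RegValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
$deferFeature    = Get-RegValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'

$wsusConfigured = [bool]$wuServer -and ($useWUServer -eq 1)
$wufbPolicySet  = ($null -ne $deferQuality) -or ($null -ne $deferFeature)
$dualScan       = $wsusConfigured -and $wufbPolicySet -and ($disableDualScan -ne 1)

# Plain-language summary of the third-party update path PatchMyPC relies on.
if ($dualScan) {
    $thirdPartyPath = 'Microsoft classes from Windows Update; other classes (PMPC) from WSUS/ConfigMgr'
} elseif ($wsusConfigured) {
    $thirdPartyPath = 'All classes from WSUS/ConfigMgr (Dual Scan not active)'
} else {
    $thirdPartyPath = 'Windows Update only; WSUS-published third-party updates are not scanned'
}

[pscustomobject]@{
    CoManaged                = $coManaged
    UpdatesWorkloadIntune    = $wuToIntune
    ClientAppsWorkloadIntune = $appsToIntune
    WsusServer               = $wuServer
    DualScanInEffect         = $dualScan
    ThirdPartyUpdatePath     = $thirdPartyPath
}
```

A client that reports no WSUS server, or DualScan not in effect with the Updates workload on Intune, is the case the original question describes: WSUS-published third-party updates will never be scanned.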
Thanks both for your help.
Ben, I may well take you up on that offer in the near future :)