Introduction

Here it is! Windows driver and firmware updates with Intune 🥳 This post will be a brief kick-off and concept summary of this new feature.

Previously, Windows Update for Business only allowed for a all-or-nothing setting. Driver updates could be blocked or allowed. Now we have the capability to monitor and deploy driver updates granularly and natively with Intune policies.

You should regularly update drivers and firmware to address and mitigate vulnerabilities from outdated driver and firmware packages.

Official sources:


Components

  • Windows Update (WU) - cloud service which is providing update sources through CDN
  • Windows Update for Business Deployment Service (WUfB-DS) - another WU cloud service which provides control over the approval, scheduling, and safeguarding of updates to managed devices including an API and reporting
    -> it identifies applicable driver updates for your devices from the WU inventory
  • Intune - configure driver update policies for enrolled devices

Features

  • Let Microsoft automatically identify applicable driver updates for your devices
  • Benefit from the trusted inventory of WU catalog where vendors and OEM's publish their drivers
  • Approve, decline/pause updates
  • Control visibility of optional updates
  • Profit from detailed reporting within Intune

Prerequisites

Category Requirement
OS Windows Pro/Enterprise/Education 10/11 (no LTSC support)
Licenses Intune Plan 1
Azure AD Free or higher
Windows 10/11 Enterprise E3/A3, M365 Business Premium
Device Run supported Windows version
Enrolled in Intune and (Hybird) Azure AD joined
Telemetry level of required (default)
Microsoft Account Sign-In Assistant wlidsvc must be able to run
Access network endpoints
Intune Don’t block driver updates in Windows update rings
Enable Windows data collection for reports

Deployment strategy

Before you create the Intune profiles, you should think about the deployment strategy:

🛑 “Red button” – assumes all good until proven bad, IT admin explicitly stops manually
✅ Green button – assumes all bad until proven good, IT admin validates and pushes new content

⚠️
Consider that the green button strategy will need manual effort to review and approve driver updates.

Deployment rings

I would generally recommend to leverage multiple policies, to create a ring-based approach. This means that certain users/devices receive driver updates earlier to test their functionality and verify everything works as expected. If some negative impact is detected, the driver update can be paused for the current ring and declined for the later rings.

My recommendation is to create 1-4 update rings in which you add different device/user groups. If you go for automatic approval, make sure you add enough deferral time, the bigger the ring gets. For manual approval, you need to approve every single driver update. Both have advantage and disadvantage.

Membership approaches

To build the policies, you need to think about the memberships and the deployment rings. Multiple approaches possible:

  • Same rings and deployment as from the Windows Update rings
  • One policy per hardware model (Assign to all devices and make a filter on model)
  • Build an automation to add differrent hardware models in a ring deployment
  • Use Windows Autopatch

How it works

  1. In Intune you configure a profile and choose an approval method:
    • Manually approve and deploy driver updates ⚒️
    • Automatically approve all recommended driver updates 🚀
  2. Devices check-in to WU within 24 hours on their daily update scan and report to WUfB-DS and Intune
  3. Intune and WUfB-DS sync daily to process the data from the endpoints and show the results in the Intune admin center
  4. Either you approve a driver update or it gets automatically approved - this will tell the device to install the driver update silently on the next Windows update search

Automatic approval

If you want to have fully automated workflow, you can consider to automatically approve all recommended driver updates. In short, the following process will take place continuously

  1. An independent hardware vendor or OEM marks a driver update as required or recommended
  2. WUfB-DS syncs the inventory to Intune for applicability checks on devices
  3. Driver updates are automatically approved
  4. On the next Windows Update scan (daily) the device will install that driver update
  5. As soon as a newer version of the update is released, the older version will get moved to the 'Other drivers' section
  6. The older version will get removed from the list in Intune as soon as all devices have the newer version installed

Driver update lifecycle

This flowchart shows the lifecycle of a driver update.
lifecycle-1.png

Setup

  1. Go to Intune admin center
  2. Navigate to Devices>Windows 10 and later updates>Driver updates
  3. Create a profile, name it and choose the approval method
  4. Assign to a group
  5. Regularly review and approve updates (if approval method is manual)

ezgif.com-gif-maker.gif

Opt-in to this new feature

Every organization who wants to start using the driver update feature with Intune, I advice to opt-in with the following steps:

  1. Get yourself an overview of your device types
  2. Plan deployment strategy and the rings
  3. Create one dev policy with manual approval mode and include some different device models (this allows you to get an idea of how much driver updates your devices would receive, without deploying anything. ⚠️ Once a driver update policy is assigned to a device, you stop the existing driver update deployment from WU only.)
  4. Create a policy for a limited amount of devices to opt-in to the feature (choose your approval method, I would start with automatic)
  5. Once you have collected your experience, prepare a general roll out concept and create more policies

Important notes

  • Seach the Windows Update catalog
  • Deadline and grace period settings apply from quality update settings
  • Driver updates in Autopilot are not supported
  • Roll back a driver update is not possible as of now
  • Assigning a device to two driver update policies is not recommended (⚠️ status approved always wins)
  • Firmware updates published in WU do not require the BIOS/UEFI to be unlocked

Looking for more contents on Windows Update (for Business) and Intune? Here you go:

Windows updates - write up
Introduction Windows update is seen on all Windows operating systems (OS) so that endpoints stay up to date with the newest features, run high-performing, without bugs and stay secure. This post aims to clarify different update methods, release channels, update types, support durations and focus on the modern way to
Endpoint Management with Microsoft Intune
Welcome to this coast! Learn everything on Endpoint Management with Microsoft Intune to deploy, manage, secure and monitor endpoints from all platforms through the cloud. Introduction, experience and thoughts Introduction to the Microsoft Intune product familyIntroduction This post is recommended for any reader who is new to Intune or would
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.