Recently Microsoft announced the general availability of a much-anticipated feature in Intune:
Manage Windows driver and firmware updates with Microsoft Intune – Microsoft Community Hub
Check out the Microsoft blog post above for information about what it is and how it works.
More details about the feature, its prerequisites and how it works can be found at Microsoft Learn:
Learn about Windows Driver updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn
A couple of things to point out that I’ve seen people asking about:
- Windows Drivers needs to be set to Allow in your Windows 10 Update ring policy for the approved drivers/firmware to be installed.
Configuring the setting to Block should still show the applicable drivers in the Driver Update policy, but they won’t be installed on the device, as stated in the docs:
Troubleshoot the Windows Update for Business deployment service – Windows Deployment | Microsoft Learn
Also note that the row below (and in the picture above) is probably a typo and should say Block instead of Allow.
“Intune: Windows Drivers update setting for the update ring set to Allow.“
A pull request to fix this has been submitted so the docs should hopefully be updated soon.
- It is possible to manage only drivers/firmware this way and continue to manage feature updates and quality updates with MECM/ConfigMgr/SCCM, for those who want to do that. It requires the devices to be co-managed (of course), but the Windows Update workload does not need to be set to Intune. This also requires that SetPolicyDrivenUpdateSourceForDriverUpdates is set to 0.
Remember to check for and remove any policies or leftover registry entries that somehow block access to Windows Update; otherwise this won’t work.
These settings, among others, may (and most likely will) block the device from searching for and installing drivers/firmware from Windows Update:
- Configure Automatic Updates set to Disabled (NoAutoUpdate = 1)
- Turn off access to all Windows Update features (DisableWindowsUpdateAccess = 1)
Anyway, this post is about how you can script the creation of dynamic Azure AD groups and Driver Update profiles for every device model you have in Intune, and assign those profiles to those dynamic AAD groups. The idea came from a Twitter post by Johan Arwidmark (@jarwidmark) and the discussion in that thread about using one Driver Update policy per model for a Total Control approach.
I liked the idea and wanted to play around with it, but without having to create AAD groups and Driver Update profiles and assign them manually; hence this script, or rather these snippets, that automate just that.
There are plenty of comments in the script. It can be run as-is, but it is primarily meant as scaffolding or code snippets to use if you want to play around with automating this.
The script is available on GitHub:
CodeDump/IntuneDriverUpdatePerModelSnippets.ps1 at main · suazione/CodeDump (github.com)
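As an added illustration of the three steps the linked script automates (this is my own example, not the script from the repository above): enumerate the distinct models in Intune, create one dynamic device group per model, then create a Driver Update profile and assign it to that group. It assumes the Microsoft.Graph PowerShell SDK; the beta endpoint deviceManagement/windowsDriverUpdateProfiles and the request body shapes are taken from the Graph beta reference as I recall it, so verify them against the current docs before relying on them.

```powershell
# Added example, not the script linked above. Assumes the Microsoft.Graph SDK and the Graph beta
# driver update profile endpoint (assumption: verify the endpoint and body shape in current docs).
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All",
                        "Group.ReadWrite.All",
                        "DeviceManagementConfiguration.ReadWrite.All"

# Distinct hardware models currently enrolled in Intune.
$devices = Get-MgDeviceManagementManagedDevice -All -Property "manufacturer,model"
$models  = $devices | Where-Object { $_.Model } | Select-Object -ExpandProperty Model -Unique

# A commenter on this post hit a limit of about 100 driver policies per tenant; warn before
# creating that many (group by manufacturer instead in that case).
if ($models.Count -gt 100) {
    Write-Warning "$($models.Count) models found; one profile per model may exceed the policy limit."
}

foreach ($model in $models) {
    $safeName = $model -replace '[^A-Za-z0-9]', ''   # mailNickname must not contain spaces

    # 1. Dynamic device group: exact match on the model string reported by the device.
    $rule  = "(device.deviceModel -eq `"$model`")"
    $group = New-MgGroup -DisplayName "DRV - $model" -MailEnabled:$false -MailNickname "drv$safeName" `
                         -SecurityEnabled -GroupTypes "DynamicMembership" `
                         -MembershipRule $rule -MembershipRuleProcessingState "On"

    # 2. Driver Update profile with manual approval, so nothing deploys until an admin approves it.
    $profileBody = @{
        "@odata.type"            = "#microsoft.graph.windowsDriverUpdateProfile"
        displayName              = "Drivers - $model"
        approvalType             = "manual"
        deploymentDeferralInDays = 0
    }
    $profile = Invoke-MgGraphRequest -Method POST -Body $profileBody `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"

    # 3. Assign the new profile to the model's dynamic group.
    $assignBody = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }
        )
    }
    Invoke-MgGraphRequest -Method POST -Body $assignBody `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/$($profile.id)/assign"

    Write-Host "Created group '$($group.DisplayName)' and profile '$($profile.displayName)'"
}
```

Run it once; it does not check for existing groups or profiles, so a second run would create duplicates unless you add a lookup by display name first.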
Hi,
Do you know if it’s mandatory to also have an Windows Update ring pre-configured to get Driver and Firmware updates working?
We’re still using SCCM for updates but want to get the driver and firmware servicing up and running…
Haven’t tested that extensively but I think you at least need to make sure that Drivers are not excluded from Windows Update. But you should be able to set that with GPO/registry, as shown in one of the pictures in the post. This should only be needed to actually be able to install the driver updates. It should still populate applicable drivers in Intune even if you don’t set this if you have a driver update policy assigned to your devices.
You also need to configure SetPolicyDrivenUpdateSourceForDriverUpdates just as in the (other) picture in the post to just get driver updates from Windows Update and the rest from WSUS, which in your case would be SCCM.
Great idea to group devices by model.
One thing. Running the script in our environment creates 296 unique AAD groups, though there seems to be a max of creating 100 driver policies. Just a note if implementing in large environments 🙂
Yeah I did not account for that 🙂
You would probably want to group those per manufacturer or something else in that scenario.
Good call out, thank you.
I use Tenant Attach for ConfigMgr sync of query collections to AAD groups for use with Intune Driver policy per model
Hi, I have the same question. It looks like the Update ring is required, I am going to create it and test, did you already do this?