Recently Microsoft announced the general availability of a very anticipated feature in Intune:
Manage Windows driver and firmware updates with Microsoft Intune – Microsoft Community Hub
Check out the Microsoft blog post above for information about what it is and how it works.
More details about the feature, its prerequisites and how it works can be found at Microsoft Learn:
Learn about Windows Driver updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn
A couple of things to point out that I’ve seen people been asking about:
- Windows Drivers must be set to Allow in your Windows 10 Update ring policy for the approved drivers/firmware to be installed.
Configuring the setting to Block should still show the applicable drivers in the Driver Update policy, but they won’t be installed on the device, as stated in the docs:
Troubleshoot the Windows Update for Business deployment service – Windows Deployment | Microsoft Learn
Also note that the row below (and in the picture above) is probably a typo and should say Block instead of Allow.
“Intune: Windows Drivers update setting for the update ring set to Allow.“
A pull request to fix this has been submitted so the docs should hopefully be updated soon.
- It is possible to manage only driver/firmware updates this way while continuing to manage feature updates and quality updates with MECM/ConfigMgr/SCCM, for those who want to do that. It requires the devices to be co-managed (of course), but the Windows Update workload does not need to be switched to Intune. This also requires that SetPolicyDrivenUpdateSourceForDriverUpdates is set to 0.
Remember to check for and remove any policies or leftover registry entries that block access to Windows Update, otherwise this won’t work.
These settings, among others, may (and most likely will) block the device from searching for and installing drivers/firmware from Windows Update:
- Configure Automatic Updates set to Disabled (NoAutoUpdate = 1)
- Turn off access to all Windows Update features (DisableWindowsUpdateAccess = 1)
Anyway, this post is about how you can script the creation of dynamic Azure AD groups and Driver Update profiles for every device model you have in Intune, and assign those profiles to those dynamic AAD groups. The idea came from a Twitter post by Johan Arwidmark (@jarwidmark) and the discussion in that thread about using one Driver Update policy per model for a Total Control approach.
I liked the idea and wanted to play around with it, but without having to create AAD groups and Driver Update profiles and assign them manually, hence this script (or rather, set of snippets) that automates just that.
There are plenty of comments in the script. It can be run as-is, but it is primarily meant as scaffolding or code snippets to use if you want to play around with automating this.
Script is available at GitHub:
CodeDump/IntuneDriverUpdatePerModelSnippets.ps1 at main · suazione/CodeDump (github.com)
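As an added illustration of the per-model approach (this is example code written for this page, not the script from the GitHub link above), the snippet below enumerates the distinct manufacturer/model pairs of Intune-managed Windows devices, creates one dynamic AAD device group and one Driver Update profile per model, and assigns the profile to its group. It assumes the Microsoft.Graph PowerShell module, an account with the listed Graph permissions, the "DrvUpd - " naming prefix, and manual approval so nothing deploys until an admin approves drivers for that model.

```powershell
# Example code for this page, not the author's script. Requires the Microsoft.Graph module and these scopes.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All','Group.ReadWrite.All','DeviceManagementConfiguration.ReadWrite.All'

# Collect distinct manufacturer/model pairs from Intune-managed Windows devices, following @odata.nextLink paging.
$uri = "https://graph.microsoft.com/beta/deviceManagement/managedDevices?`$filter=operatingSystem eq 'Windows'&`$select=manufacturer,model"
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)
$models = $devices | Where-Object { $_.model -and $_.model -notmatch '"' } | Select-Object manufacturer, model -Unique

foreach ($m in $models) {
    $name = "DrvUpd - $($m.manufacturer) $($m.model)".Trim()   # assumed naming convention

    # Dynamic device group keyed on the model string; membership is evaluated by AAD, not maintained by hand.
    $group = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/groups' -Body @{
        displayName                   = $name
        mailEnabled                   = $false
        mailNickname                  = ($name -replace '[^A-Za-z0-9]', '')   # nickname must be alphanumeric
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        membershipRule                = "(device.deviceModel -eq `"$($m.model)`")"
        membershipRuleProcessingState = 'On'
    }

    # Driver Update profile with manual approval: drivers are listed for review but not deployed until approved.
    $drvProfile = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles' -Body @{
        displayName  = $name
        description  = "Per-model driver/firmware updates for $($m.model)"
        approvalType = 'manual'
    }

    # Assign the profile to the matching dynamic group so only that model receives its approved drivers.
    Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/$($drvProfile.id)/assign" -Body @{
        assignments = @(@{
            '@odata.type' = '#microsoft.graph.windowsDriverUpdateProfileAssignment'
            target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $group.id }
        })
    }
    Write-Host "Created group $($group.id) and profile $($drvProfile.id) for '$name'"
}
```

Run it once against a test tenant first and reconcile the result with the Driver Update policies blade, since re-running it will create duplicate groups and profiles unless you add an existence check.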