CCMEXEC.COM – Enterprise Mobility

Playing around with Driver Updates in Intune

Posted on July 3, 2023 by Sassan Fanai

Microsoft recently announced the general availability of a highly anticipated feature in Intune:
Manage Windows driver and firmware updates with Microsoft Intune – Microsoft Community Hub

Check out the Microsoft blog post above for information about what it is and how it works.

More details about the feature, its prerequisites and how it works can be found at Microsoft Learn:
Learn about Windows Driver updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Learn

A couple of things to point out that I’ve seen people asking about:

  • Windows Drivers needs to be set to Allow in your Windows 10 Update ring policy for the approved drivers/firmware to be installed.

Configuring the setting to Block should still show the applicable drivers in the Driver Update policy but they won’t be installed on the device, as stated in docs:
Troubleshoot the Windows Update for Business deployment service – Windows Deployment | Microsoft Learn

Also note that the row below (and in the picture above) is probably a typo and should say Block instead of Allow.
“Intune: Windows Drivers update setting for the update ring set to Allow.”
A pull request to fix this has been submitted so the docs should hopefully be updated soon.

  • It is possible to manage only drivers/firmware this way and continue to manage feature updates and quality updates with MECM/ConfigMgr/SCCM, for those who want to do that. It requires the devices to be co-managed (of course), but the Windows Update workload does not need to be set to Intune. This also requires that SetPolicyDrivenUpdateSourceForDriverUpdates is set to 0.

Remember to check for and remove any policies or leftover registry entries that block access to Windows Update, otherwise this won’t work.

These settings, among others, may and most likely will block the device from searching for and installing drivers/firmware from Windows Update:

  • Configure Automatic Updates set to Disabled (NoAutoUpdate = 1)
  • Turn off access to all Windows Update features (DisableWindowsUpdateAccess = 1)
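
One way to check a device for the settings listed above, as an added example that is not part of the original post or its GitHub script. It assumes the values are stored under the standard Group Policy registry paths; the function names and status labels are hypothetical.

```powershell
# Added example: audit the Windows Update policy values named in this post.
# Assumption: values are read from the standard Group Policy registry paths;
# settings delivered through MDM are stored elsewhere and are not covered.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$checks = @(
    # Blocking: a value that stops scans against Windows Update.
    # Required: a value the post says must be set (co-managed devices whose
    #           Windows Update workload is not moved to Intune).
    @{ Path = "$wu\AU"; Name = 'NoAutoUpdate'; Blocking = 1; Required = $null }
    @{ Path = $wu; Name = 'DisableWindowsUpdateAccess'; Blocking = 1; Required = $null }
    @{ Path = $wu; Name = 'SetPolicyDrivenUpdateSourceForDriverUpdates'; Blocking = $null; Required = 0 }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-PolicyStatus {
    param($Value, $Blocking, $Required)
    if ($null -ne $Required) {
        if ($null -eq $Value) { return 'Missing' }
        if ($Value -ne $Required) { return 'Blocks' }
        return 'OK'
    }
    if ($null -eq $Value) { return 'NotConfigured' }
    if ($Value -eq $Blocking) { return 'Blocks' }
    return 'OK'
}

$report = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    $shown = '<not set>'
    if ($null -ne $value) { $shown = $value }
    [pscustomobject]@{
        Setting = $c.Name
        Value   = $shown
        Status  = Get-PolicyStatus -Value $value -Blocking $c.Blocking -Required $c.Required
    }
}
$report | Format-Table -AutoSize

# A non-zero exit code lets a compliance or remediation job flag the device.
$bad = @($report | Where-Object { $_.Status -in 'Blocks', 'Missing' })
if ($bad.Count -gt 0) { exit 1 } else { exit 0 }
```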

Anyway, this post is about how you can script the creation of dynamic Azure AD groups and Driver Update profiles for every device model that you have in Intune, and assign those profiles to those dynamic AAD groups. The idea came from a Twitter post by Johan Arwidmark @jarwidmark and the discussion in that thread about using one Driver Update policy per model for a Total Control approach.

I liked the idea and wanted to play around with it but without having to create AAD groups, Driver Update profiles and assigning those manually, hence this script or snippets that will automate just that.

There are plenty of comments in the script. It can be run as-is, but it is primarily meant as scaffolding or code snippets to use if you want to play around with automating this.

Variables you probably want to configure if running script as-is.

Script is available at GitHub:
CodeDump/IntuneDriverUpdatePerModelSnippets.ps1 at main · suazione/CodeDump (github.com)
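
The per-model grouping described above, sketched as an added example that is not the author's script. It builds the dynamic-group request bodies offline from a constructed inventory and falls back to one group per manufacturer when the model count exceeds a profile limit; the function name, the `DriverUpdates` prefix and the default limit of 100 (the figure a reader reports in the comments) are assumptions.

```powershell
# Added example: plan one dynamic Azure AD group per device model, falling back
# to one group per manufacturer when there are more models than allowed profiles.
# Constructed sample inventory; a real run would read this from Intune.
$devices = @(
    [pscustomobject]@{ Manufacturer = 'Dell Inc.'; Model = 'Latitude 7420' }
    [pscustomobject]@{ Manufacturer = 'Dell Inc.'; Model = 'Latitude 5430' }
    [pscustomobject]@{ Manufacturer = 'LENOVO';    Model = '20XW004RMX' }
    [pscustomobject]@{ Manufacturer = 'HP';        Model = 'EliteBook 840 14" G9' }
)

function New-DriverGroupPlan {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,
        [int]$MaxProfiles = 100,            # figure reported in the comments, not verified
        [string]$Prefix = 'DriverUpdates'   # hypothetical naming prefix
    )
    $attribute = 'deviceModel'
    $keys = @($Devices.Model | Where-Object { $_ } | Sort-Object -Unique)
    if ($keys.Count -gt $MaxProfiles) {
        $attribute = 'deviceManufacturer'
        $keys = @($Devices.Manufacturer | Where-Object { $_ } | Sort-Object -Unique)
    }
    if ($keys.Count -gt $MaxProfiles) {
        throw "$($keys.Count) groups needed but only $MaxProfiles profiles allowed."
    }
    foreach ($key in $keys) {
        $name = "$Prefix - $key"
        # Embedded double quotes are escaped with a backtick in membership rules.
        $escaped = $key -replace '"', '`"'
        $nick = $name -replace '[^A-Za-z0-9]', ''
        @{
            displayName                   = $name
            mailEnabled                   = $false
            mailNickname                  = $nick.Substring(0, [Math]::Min(64, $nick.Length))
            securityEnabled               = $true
            groupTypes                    = @('DynamicMembership')
            membershipRule                = "(device.$attribute -eq `"$escaped`")"
            membershipRuleProcessingState = 'On'
        }
    }
}

# Each hashtable is a request body for Microsoft Graph POST /groups.
New-DriverGroupPlan -Devices $devices | ForEach-Object { $_.membershipRule }
# A lower limit shows the per-manufacturer fallback on the sample data.
New-DriverGroupPlan -Devices $devices -MaxProfiles 3 | ForEach-Object { $_.membershipRule }
```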

6 thoughts on “Playing around with Driver Updates in Intune”

  1. Daniel says:
    July 5, 2023 at 9:39 am

    Hi,

    Do you know if it’s mandatory to also have a Windows Update ring pre-configured to get Driver and Firmware updates working?
    We’re still using SCCM for updates but want to get the driver and firmware servicing up and running…

    1. Sassan Fanai says:
      July 10, 2023 at 10:16 am

      Haven’t tested that extensively but I think you at least need to make sure that Drivers are not excluded from Windows Update. But you should be able to set that with GPO/registry, as shown in one of the pictures in the post. This should only be needed to actually be able to install the driver updates. It should still populate applicable drivers in Intune even if you don’t set this if you have a driver update policy assigned to your devices.

      You also need to configure SetPolicyDrivenUpdateSourceForDriverUpdates just as in the (other) picture in the post to just get driver updates from Windows Update and the rest from WSUS which in your case would be SCCM.

  2. Thomas L says:
    July 5, 2023 at 2:22 pm

    Great idea to group devices in model.
    One thing. Running the script in our environment creates 296 unique AAD groups, though there seems to be a max of creating 100 driver policies. Just a note if implementing in large environments 🙂

    1. Sassan Fanai says:
      July 10, 2023 at 10:20 am

      Yeah I did not account for that 🙂
      You would probably want to group those per manufacturer or something else in that scenario.
      Good call out, thank you.

  3. VirtAlloc says:
    October 25, 2023 at 7:48 am

    I use Tenant Attach for ConfigMgr sync of query collections to AAD groups for use with Intune Driver policy per model

  4. Alexandr says:
    October 30, 2023 at 1:46 pm

    Hi, I have the same question. It looks like the Update ring is required, I am going to create it and test, did you already do this?



My name is Jörgen Nilsson and I work as a Senior Consultant at Onevinn in Malmö, Sweden. This is my blog where I will share tips and stuff for my own and everyone elses use on Enterprise Mobility and Windows related topics.
All code is provided "AS-IS" with no warranties.
