Intune Driver Management

Terminology

Before we start: if you are unfamiliar with the Azure terminology used on this blog, see our terminology page, which we extend from time to time.

List of prerequisites

https://learn.microsoft.com/en-us/mem/intune/protect/windows-driver-updates-overview

Subscriptions

Intune: Your tenant requires the Microsoft Intune Plan 1 subscription.

Azure Active Directory (Azure AD): Azure AD Free (or greater) subscription.

Device & Edition requirements

Windows subscriptions and licenses:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
  • Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium

Windows editions:

Driver updates are supported for the following Windows 10/11 editions:

  • Pro
  • Enterprise
  • Education
  • Pro for Workstations

Unsupported versions and editions:

Windows 10/11 Enterprise LTSC: Windows Update for Business (WUfB) does not support the Long-Term Servicing Channel releases. Plan to use alternative patching methods, like WSUS or Configuration Manager.

Devices must:

  • Run a version of Windows 10/11 that remains in support.
  • Be enrolled in Intune MDM and be Hybrid AD joined or Azure AD joined.
  • Have Telemetry turned on and configured to report a minimum data level of Basic as defined in Changes to Windows diagnostic data collection in the Windows documentation.

Device configuration profile paths

You can use one of the following Intune device configuration profile paths to configure Telemetry for Windows 10 or Windows 11 devices:

  • Device restriction template: With this profile, set Share usage data to Required. Optional is also supported.
  • Settings catalog: From the Settings catalog, add Allow Telemetry from the System category, and set it to Basic. Full is also supported.

For more information about Windows Telemetry settings, including both current and past setting options from Windows, see Changes to Windows diagnostic data collection in the Windows documentation.

Added requirements

  • The Microsoft Account Sign-In Assistant (wlidsvc) must be able to run. If the service is blocked or set to Disabled, it fails to receive the update. For more information, see Feature updates aren’t being offered while other updates are. By default, the service is set to Manual (Trigger Start), which allows it to run when needed.
  • Have access to the network endpoints required by Intune managed devices. See Network endpoints.
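The device-side requirements above (diagnostic data level, the wlidsvc service, join state, a supported edition) can be verified on a client before the policy is assigned. The following is an added example written for this post, not code from the original article or from Microsoft: a read-only PowerShell check to run in an elevated session on a managed device. The PolicyManager registry path for MDM-delivered telemetry policy is an assumption about where Intune mirrors the setting; the Group Policy path and the service and dsregcmd checks are standard.

```powershell
# Added example: read-only check of the Intune driver-update prerequisites.
# Run in an elevated PowerShell session on the client. Changes nothing.

# 1. Diagnostic data level. Group Policy writes AllowTelemetry under the
#    Policies key; MDM policy is assumed to be mirrored under PolicyManager.
#    0 = Security, 1 = Basic/Required, 2 = Enhanced, 3 = Full/Optional.
#    Driver updates need at least 1 (Basic).
$telemetryPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'   # assumed MDM location
)
$configured = foreach ($p in $telemetryPaths) {
    $v = Get-ItemProperty -Path $p -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -ne $v) { [pscustomobject]@{ Path = $p; AllowTelemetry = [int]$v.AllowTelemetry } }
}
if ($configured) {
    # The most restrictive (lowest) configured value is the one that applies.
    $level      = ($configured.AllowTelemetry | Measure-Object -Minimum).Minimum
    $telemetryOk = $level -ge 1
} else {
    $level = $null; $telemetryOk = $false   # not set by policy: set it via Intune (see above)
}

# 2. Microsoft Account Sign-In Assistant must not be Disabled.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wlidsvc'"
$wlidOk = $null -ne $svc -and $svc.StartMode -ne 'Disabled'

# 3. Join state: Azure AD joined or hybrid (domain + Azure AD) joined.
$dsreg        = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined  = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
$joinOk = $azureAdJoined    # hybrid join also reports AzureAdJoined : YES

# 4. Edition: Pro, Enterprise, Education, Pro for Workstations are supported;
#    EnterpriseS is the LTSC edition, which WUfB does not serve.
$nt        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$edition   = $nt.EditionID
$editionOk = $edition -in @('Professional', 'Enterprise', 'Education', 'ProfessionalWorkstation')

[pscustomobject]@{
    OS                 = (Get-CimInstance Win32_OperatingSystem).Caption
    Version            = $nt.DisplayVersion
    EditionID          = $edition
    EditionSupported   = $editionOk
    AllowTelemetry     = $level
    TelemetryOk        = $telemetryOk
    WlidsvcStartMode   = if ($svc) { $svc.StartMode } else { 'missing' }
    WlidsvcOk          = $wlidOk
    AzureAdJoined      = $azureAdJoined
    HybridJoined       = ($azureAdJoined -and $domainJoined)
    JoinOk             = $joinOk
    AllPrerequisitesOk = ($editionOk -and $telemetryOk -and $wlidOk -and $joinOk)
}
```

A device reporting `AllPrerequisitesOk = False` will silently never receive driver offers, so running this across a pilot group before assigning the policy saves a day of waiting on reports that never populate.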

Enable data collection for reports

To support reports for Windows Driver updates, you must enable the use of Windows diagnostic data in Intune. It's possible that diagnostic data is already enabled for other reports, like Windows Feature updates and Expedited Quality update reports.
To enable the use of Windows diagnostic data:

  1. In Microsoft Intune Admin Center, navigate to Tenant Administration -> Connectors and tokens -> Windows data.
  2. Expand Windows data and ensure the setting Enable features that require Windows diagnostic data in processor configuration is toggled to On.

Create and Deploy a Driver Updates Policy

From the Microsoft Intune Admin Center, navigate to Devices > Windows > Driver updates for Windows 10 and later.

Click Create profile.

Enter the desired information; in this example, the profile targets Lenovo models:

Under the Settings step, you need to decide how you want to handle drivers:

Manually approve and deploy driver updates:

This is the granular approach where you have to approve every driver and version that you need for your environment. Here you can also select when the driver gets deployed.

Automatically approve all recommended driver updates:

This is the choice to make if you don’t need granular control of which driver and version to install on your models. With this option, the drivers recommended by the vendors get automatically selected.

I would recommend this for testing and UAT device groups, but for production, it might cause issues.

In our example, we went with the Manual option.

Worth noting from the example image above: it can take up to 24 hours before device data has been collected, and sometimes it can take much longer.

Under the Assignments step, you need to select which group(s) to deploy the policy to.

In our example, we decided to send it to a test Device group.

I would suggest that creating Dynamic Device groups per hardware model is a good approach for this type of deployment.

Create Dynamic Device Group in AAD

Log in to the Azure portal

Navigate to Azure AD -> Groups -> All Groups

Create a New Group, select Security from the dropdown list

Name the group, give it a description and select Dynamic Device for the Membership type


Use the WMIC command to find hardware models:

For most vendors, this query works fine: wmic computersystem get model

For Lenovo computers, try this: wmic csproduct get name

Add dynamic query

In our case, we will add a specific model, for testing only:

You can also select devices to test your rule against, from the Validate Rules (Preview) part.

If you get green marks from the test, you know that your query works as intended:
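The two steps above (finding the model string on a client, then creating the dynamic device group with a rule on it) can also be scripted. The following is an added example written for this post, not code from the original article or from Microsoft. Step 1 uses the CIM classes behind the two WMIC queries (WMIC is deprecated and no longer present by default on recent Windows 11 builds); step 2 assumes the Microsoft Graph PowerShell SDK is installed and that the account has Group.ReadWrite.All. The model string, group name and mail nickname are constructed placeholders.

```powershell
# Added example, not part of the original post.
# Step 1 runs on a client of the model you want to target.
# Step 2 runs from an admin workstation with Microsoft.Graph installed
# (Install-Module Microsoft.Graph).

# --- Step 1: find the model string ---------------------------------------
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem          # wmic computersystem
$csp = Get-CimInstance -ClassName Win32_ComputerSystemProduct   # wmic csproduct
[pscustomobject]@{
    Manufacturer          = $cs.Manufacturer
    ComputerSystemModel   = $cs.Model    # = "wmic computersystem get model" (most vendors)
    ComputerSystemProduct = $csp.Name    # = "wmic csproduct get name" (use for Lenovo)
}

# --- Step 2: create the dynamic device group -----------------------------
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Constructed placeholder: paste the value returned by step 1 here.
$model = 'ThinkPad X1 Carbon Gen 9'

# Exact match on the device.deviceModel property. To cover a whole model
# family, use -startsWith instead of -eq, e.g. (device.deviceModel -startsWith "ThinkPad X1").
$rule = "(device.deviceModel -eq ""$model"")"

$params = @{
    DisplayName                   = "Drivers - Lenovo $model"                      # placeholder
    Description                   = 'Dynamic device group for the Intune driver update policy'
    MailEnabled                   = $false
    MailNickname                  = 'drivers-lenovo-x1c9'                          # placeholder
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = $rule
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup @params
$group | Select-Object Id, DisplayName, MembershipRule
```

Membership is evaluated by Azure AD after the group is created, so the group is empty for a while; use the Validate Rules (Preview) pane mentioned above to confirm the rule matches a known device of that model before assigning the driver policy to it.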

At this time, that query had not yet resulted in any new drivers to approve, so to show you how to review and approve new drivers, we’ll be using our ASUS Driver Updates group.

Click on the drivers you want to review. In this case we have 2 to review under Recommended drivers; those are the ones that would have been approved automatically had we chosen the Automatic option. There are a bunch more under Other drivers, which you need to test and approve per driver.

As you can see from the Status column, these 2 drivers need to be reviewed.

Click on the specific driver you want to review, then choose how to handle it: either Decline or Approve.

If you choose to approve it, you need to enter the date from which it will be made available in Windows Update.

Enter the desired information and click Save.

After that, the driver(s) will show as Approved.

On the clients, the drivers will be available from Windows Update, and once installed, it will look something like this:

Since drivers are known to cause issues from time to time, I would recommend using test groups and, once a driver is properly tested, sending it to the rest of the client devices.

Once you have approved a newer version of a driver, I would recommend declining the old version.

Blog post written by Jens Lagnekvist.

<Mandatory legal text>

This information is provided as is without warranties, confers no rights and isn’t supported by the writer(s), or Brickstone IT.

</Mandatory legal text>

Copyright 2024 © All rights reserved.