When we are using modern management on our devices running Windows 10, we update them with WUfB (Windows Update for Business). That is a good thing: we can control when a Windows 10 device gets quality updates and feature updates by creating internal update rings.
Feature Updates: previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
Quality Updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.
Non-deferrable updates: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
In some cases we want more control over driver updates when using Windows Update for Business – to do this we need to disable driver updates as part of WUfB.
The real reason I started looking into this was a customer with a lot of Windows 10 modern managed devices; they got a display driver from Windows Update that resulted in a BSOD on over 2,000 devices, so we needed a solution to be more in control of the driver updates.
First of all we have to have a plan for how to use WUfB, and like in any other Enterprise environment we need some kind of control – so I have created an update ring plan.
Here is the big overview of how it can be deployed. I will not go into how to do WUfB in this blog post.
So when we have control over the updates in our Enterprise environment we also want some kind of control over the driver updates – and yes, we do want to update drivers on our devices.
We need 3 simple things to get this working:
- Modern managed devices – create dynamic device groups based on hardware model
- Windows Update for Business configured – and disable driver update
- Driver packs as MSI files – at this moment only Microsoft delivers driver packs as MSI (for devices from other vendors you need to create the MSI with the drivers yourself)
Create dynamic device groups
To get total control over what we are doing I create a dynamic device group for each hardware model.
Here is an example of a dynamic AzureAD device group for Surface Book
The dynamic device group can also be created with PowerShell
New-AzureADMSGroup -Description "All Microsoft Surface Book" -DisplayName "All Microsoft Surface Book" -MailEnabled $false -SecurityEnabled $true -MailNickname "Win" -GroupTypes "DynamicMembership" -MembershipRule '(device.deviceModel -match "Surface Book")' -MembershipRuleProcessingState "On"
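A scripted version of the group creation above, as an added example that is not part of the original post: it creates one dynamic device group per hardware model and skips models whose group already exists. It assumes the AzureAD PowerShell module and an existing Connect-AzureAD session; the model list, group names and the MailNickname derivation are assumptions.

```powershell
# Added example (not from the original post): one dynamic Azure AD device
# group per hardware model, created only if it does not already exist.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
# The model strings and group names below are constructed sample values.

$models = @(
    @{ Model = 'Surface Book';  Name = 'All Microsoft Surface Book' },
    @{ Model = 'Surface Pro 7'; Name = 'All Microsoft Surface Pro 7' }
)

foreach ($m in $models) {
    # Idempotency check: never create a second group with the same name,
    # otherwise the update ring and LOB app could end up assigned to the wrong one.
    $existing = Get-AzureADMSGroup -Filter "displayName eq '$($m.Name)'"
    if ($existing) {
        Write-Host "Skipping '$($m.Name)' - already exists ($($existing.Id))"
        continue
    }

    # Exact match (-eq) instead of -match: a regex like 'Surface Book' would also
    # pull in 'Surface Book 2' devices, which then get the wrong driver pack.
    $rule = "(device.deviceModel -eq `"$($m.Model)`")"

    # MailNickname must be present even for non-mail-enabled groups; derive a
    # unique one from the display name (assumption: alphanumerics only).
    $nick = $m.Name -replace '[^A-Za-z0-9]', ''

    $group = New-AzureADMSGroup -DisplayName $m.Name `
        -Description "Dynamic device group for hardware model '$($m.Model)'" `
        -MailEnabled $false -SecurityEnabled $true -MailNickname $nick `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule -MembershipRuleProcessingState 'On'

    Write-Host "Created '$($group.DisplayName)' ($($group.Id)) with rule $rule"
}
```

Dynamic membership is evaluated asynchronously, so check the group's members in the portal after a few minutes before assigning the update ring and the driver LOB app to it.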
Disable Driver update
In the Software Update part of Intune we can configure Windows Update for Business
Create a new Windows 10 Update Ring
Give it a name: WUfB Disable Driver Update
Set Windows drivers to Block
Assign WUfB Disable Driver Update
Assign it to the dynamic hardware model specific groups you need to control the driver updates for.
Create Driver Packages as LOB application
In this example we use the MSI for Surface Book.
When we have the MSI from Microsoft, or have created one for other hardware vendors, we have to create it as a LOB application in Intune.
Start by going into mobile apps
Click on Apps and Add to create the driver pack
Select Line-of-business app as app type
Click Select File – and browse for the driver MSI package
Then you need to enter a description and a Publisher
And the MSI file will start uploading to Intune
And you can see when it is done in the notification area
Assign the LOB App to the previously created dynamic AzureAD group
Now you have total control over your driver updates – in this case on Surface Book.