When we are using modern management on our devices that are running Windows 10 – then we are updating them with WUfB (Windows Update for Business), and that is a good thing, we can manage it so we have control over when a Windows 10 device is getting quality updates and feature update by creating internal update rings.

Feature Updates: previously referred to as upgrades, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-annually.
Quality Updates: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as Microsoft Updates and devices can be optionally configured to receive such updates along with their Windows Updates.
Non-deferrable updates: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.

In some cases we want more control over driver updates when using Windows Update for Business – to do this we need to disable driver update as part of the WUfB.

The real reason I started looking into this was,  a customer with a lot of Windows 10 modern devices managed devices and they got a display driver from Windows Update that resulted in BSOD on over 2.000 devices  so we needed a solution to be more in control over the driver updates.

First of all we have to have a plan for how to use WUfB and like in any other Enterprise environment we need some kind of control – so I have created a update ring plan.

Here is the big overview on how it can be deployed. I will not into how to do WUfB in this blog post.


So when we have control over the updates in our Enterprise environment we also what some kind of control over the driver updates, and yes we what to update drivers on our devices.

We need 3 simple things to get this working:

  1. Devices that are modern devices managed – create dynamic device groups based on hardware model
  2. Windows Update for Business configured – and disable driver update
  3. Driver packs as MSI files – at this moment it is only Microsoft that is delivering driver packs as MSI (so devices from any other vendors you need to create the MSI with the drivers your self)

Create dynamic device groups

To get total control of what we are doing I create dynamic devices groups with each hardware model.

Here is an example of a dynamic AzureAD device group for SurfaceBook

Dynamic group

The dynamic device group can also be created with Powershell

New-AzureADMSGroup -Description “All Microsoft Surface Book” -DisplayName “All Microsoft Surface Book” -MailEnabled $false -SecurityEnabled $true -MailNickname “Win” -GroupTypes “DynamicMembership” -MembershipRule “(device.deviceModel -match “Surface Book”)” -MembershipRuleProcessingState “On”

Disable Driver update

In the Software Update part of Intune we can configure Windows Update for Business

Driver update with Intune - 01

Create a new Windows 10 Update Ring

Driver update with Intune - 02

Give et a name : WUfB Disable Driver Update

Set Windows drivers to Block

Driver update with Intune - 03

Assign WUfB Disable Driver Update

Driver update with Intune - 04

Assign it to the dynamic hardware model specific groups you need to control the driver updates for.

Create Driver Packages as LOB application

First download the latest firmware and drivers for Surface devices :

In this example the MSI for Surface Book

Surface Book Drivers.png

When we have the MSI from Microsoft or have created on for other hardware vendors we have to create it as a LOB application in Intune.

Start by going into mobile apps

Driver pack - 01.png

Click on Apps and Add to create the driver pack

Driver pack - 02

Select Line-of-business app as app type

Driver pack - 03

Click Select File – and browse for the driver MSI packages

Driver pack - 04

Then you need to enter a description and Publisher

Driver pack - 05

And the MSI file will start uploading to Intune

And you can see when it is done in the notification area

Driver pack - 07

Assign the LOB App to the previous created dynamic AzureAD group

Driver pack - 06.png

Now to have total control over your driver update – in this case on Surface Book