Microsoft is excited to announce a new deployment service for driver and firmware updates, giving you visibility into the drivers hosted in Windows Update that are a match for your enterprise devices and offering you control over both the selection of individual updates and the scheduling of update deployments to devices from Windows Update.
IT admins, we've heard you. You want more support for the ongoing servicing of drivers for the devices you manage. Today's post explains how to browse all drivers (we will use this term going forward to refer to both drivers and firmware) on Windows Update and decide which updates to deploy, to which devices, and in which manner. We also unveil how our new deployment service provides reporting capabilities that will help you monitor driver deployments and their outcomes.
To dive deeper into the topics discussed in the post, visit https://aka.ms/WindowsAtIgnite and look for our "Driver updates and servicing in the enterprise" session.
There are many reasons why enterprises want to deploy driver updates regularly from Windows Update. A few are worth calling out:
Drivers are primarily built by independent hardware vendors (IHVs) like Intel or Realtek and original equipment manufacturers (OEMs) like Dell and Lenovo. The hardware ecosystem for Windows devices comprises hundreds of partners who continuously build new drivers and deliver updates to existing ones. All drivers must be certified by the Windows Hardware Dev Center and signed by Microsoft in order for Windows to install them, and most are also published to Windows Update.
Drivers are published to Windows Update with specific targeting parameters that identify individual hardware components, computers, operating system (OS) versions, or a combination of these items. Microsoft enforces a robust publishing process that aims to admit only the highest quality drivers to Windows Update. Post-publishing rollout monitoring is used to find issues fast and mitigate them with the hardware partner who published the update.
Hardware components benefit from regular software updates, when available, that improve performance and interoperability with other components, and such updates are often required by new OS versions to unlock new functionality.
The IT admins we frequently meet with mention how difficult it is to identify the right drivers required for their devices. Windows Update does this automatically by evaluating the information sent by a device when it scans the service and identifying drivers on the service that are better than those already installed on the device. A combination of factors like driver version, driver date, and targeting information such as Hardware ID and Computer Hardware ID is used to inform the selection process. Microsoft continuously collaborates closely with the hardware ecosystem to bring more and eventually all driver updates to Windows Update.
Firmware and hardware issues are one of the most active areas of enterprise security. We are all familiar with recent incidents that impacted end users and enterprises around the globe in the past few years. Attackers use increasingly sophisticated techniques whose mitigations are often delivered through driver and firmware updates.
However, the complexity of driver servicing and the prevalence of parallel servicing practices for drivers and other Windows updates generate additional friction for IHVs, OEMs, and enterprises at a time when mitigations are most urgent. Investments in ongoing servicing for performance and functionality also set you up for success when the next security incident hits.
Over the past two years, we’ve met with hundreds of admins from a wide range of industries, geos, sizes, and servicing infrastructures. The goal was to learn how you think about drivers, how you make servicing decisions, and how you act on these decisions. We are also collaborating with many IHVs and OEMs on the journey to bring ongoing servicing to our joint customers: IT admins and enterprises.
Let’s recap the existing capabilities available to enterprises.
Intune admins, who have adopted cloud servicing and point their devices to scan Windows Update, can choose to accept drivers whenever they become available on the service or instruct Windows Update never to offer these updates. Admins set a policy in Intune that is, in turn, set on each device.
The policy choice is communicated to the Windows Update service as part of the daily scan from the device. Windows Update will offer the drivers it determines to be better than what is on a device only if the policy allows driver updates.
Configuration Manager admins cannot sync drivers from Windows Update to Windows Server Update Services (WSUS) like they do other Windows updates, due to the sheer size of the driver catalog (recall the publishing process described above, which targets drivers at individual hardware components and computers, to see why the catalog is so large). Configuration Manager customers must rely on OEM updaters and other processes to address their driver servicing needs.
Configuration Manager admins therefore have few capabilities available, since WSUS doesn't sync any drivers from Windows Update. This means that admins lack the level of control over deployments they are used to for all other updates from WSUS. Based on feedback, IT admins need help to learn when updates are available for their devices, to decide which ones should be deployed to which devices, and to do so through the servicing mechanism that is already in place for other Windows updates.
Usually, Configuration Manager admins delay driver servicing until forced, generally during OS upgrades. These tend to be infrequent, so driver servicing is also infrequent, and the benefits of ongoing servicing are forgone.
It is encouraging that many of the Configuration Manager admins we've spoken with express willingness to leverage co-management and connect to Windows Update in the cloud for driver servicing. However, some admins feel reluctant to move all their Windows update management to Windows Update in one fell swoop. They want to connect to Windows Update for drivers only, while evaluating a gradual move to Windows Update for all other Windows updates when the time is right. Sneak peek: this co-management capability is included in what we are announcing today! Keep reading.
Intune admins have access to a driver policy to allow or block all drivers from Windows Update. This approach, when adopted, means that whenever a driver becomes available in Windows Update, it will be offered to scanning devices with no notice to admins. Since the hardware ecosystem publishes drivers on an irregular cadence, there is also no control over the timing of such deployments.
Intune admins need a way to pause the deployment of individual drivers suspected of causing reliability issues while an investigation is ongoing, rather than having drivers flow whenever they become available. In fact, admins need to control the flow of all drivers, choosing the manner and timing of their deployments. Finally, Intune admins lack reporting to track driver installations and their outcomes.
The new deployment service is coming to Intune and the Microsoft Graph in the second half of 2021. In preparation, we will be launching a private preview program in the coming weeks.
We collaborate closely with many hardware partners on the success and functionality of the deployment service for drivers and firmware, and some of them wanted to share a personal message with you.
Tom Garrison, Intel VP, Client Security:
Balaji JR "JRB", Director of Product, Dell Technologies:
Joseph R Parker, Principal Engineer, Director, Commercial Deployment Readiness Team, Lenovo:
Before we share more about the capabilities of the new deployment service, we are excited to announce that we are making it easier for Configuration Manager admins to benefit from all that we are announcing today without changing the way you service Windows updates with WSUS.
When our Private Preview launches, co-management will support configuring a cloud scan for drivers only, knowing that Windows Update will offer only those drivers you approved and at the time you scheduled them. There will be no change to any of your deployments from WSUS.
IT admins can access the deployment service in Intune by creating Driver Update Policies and assigning devices to them. Once a device is under the purview of such a policy, the deployment service allows Windows Update to make its selection decisions, but the results are sent to the admin for review and action instead of simply offering the drivers to the device.
Admins can review available content and then make approval decisions on a per-driver basis (no longer are any and all drivers offered by default) and choose when Windows Update should start offering the driver to the devices in the policy. At the scheduled time, Windows Update activates the approval, and on the device's next scan it offers the "just right" drivers only if the admin has approved them. In fact, the deployment service augments the matching logic in Windows Update to also consider admin approval as one of the targeting parameters for commercial devices.
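As an added illustration (not code from this post or from Microsoft), here is a simplified Python model of the selection flow described above: a driver is offered on scan only if its targeting matches the device's hardware IDs, it ranks above the installed driver by version and date, and, for a device assigned to a Driver Update Policy, the admin has approved it with a start time that has already passed. All class names, the ranking rule and the sample catalog are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
# Hypothetical model; class names, the ranking rule and sample data are assumptions.
@dataclass(frozen=True)
class Driver:
    name: str
    version: tuple            # e.g. (1, 2)
    date: datetime
    targets: frozenset        # Hardware IDs / Computer Hardware IDs it is published for

@dataclass
class Device:
    device_id: str
    hardware_ids: frozenset   # HWIDs and CHIDs the device reports when it scans
    installed: dict           # driver name -> currently installed Driver

@dataclass
class DriverUpdatePolicy:
    devices: frozenset        # device ids assigned to this policy
    approvals: dict = field(default_factory=dict)   # (name, version) -> start time
    def approve(self, driver, start):
        # Admin approves one driver and schedules when offering begins.
        self.approvals[(driver.name, driver.version)] = start

def ranks_higher(candidate, installed):
    # Simplified 'better driver' rule: newer version, then newer driver date.
    if installed is None:
        return True
    return (candidate.version, candidate.date) > (installed.version, installed.date)

def scan(device, catalog, policy, now):
    """Drivers Windows Update would offer `device` when it scans at `now`."""
    offered = []
    for drv in catalog:
        if not (drv.targets & device.hardware_ids):
            continue                                   # targeting mismatch
        if not ranks_higher(drv, device.installed.get(drv.name)):
            continue                                   # not an improvement
        if device.device_id in policy.devices:         # admin approval acts as
            start = policy.approvals.get((drv.name, drv.version))  # a targeting parameter
            if start is None or start > now:
                continue                               # unapproved or scheduled later
        offered.append(drv)
    return offered

# Constructed sample data: one NIC driver, with an older one installed on a managed laptop.
HWID = "PCI\\VEN_1234&DEV_0001"
NIC_OLD = Driver("vendor-nic", (1, 0), datetime(2020, 1, 1), frozenset({HWID}))
NIC_NEW = Driver("vendor-nic", (1, 2), datetime(2021, 2, 1), frozenset({HWID}))
LAPTOP = Device("laptop-01", frozenset({HWID}), {"vendor-nic": NIC_OLD})
T_EARLY, T_START = datetime(2021, 3, 2), datetime(2021, 3, 10)   # constructed scan times
```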
Let the approval and scheduling of drivers begin!
To see a comprehensive demonstration of how Driver Update Policies are created in Intune and how driver deployments are approved, scheduled, and suspended, visit https://aka.ms/WindowsAtIgnite and look for our "Driver updates and servicing in the enterprise" session.
We invite you to join our engineering neighborhood in the Windows Customer Connection Program to stay informed and engage other IT admins in the community (select the Driver and Firmware Updates Private Preview option in question #5). We will continue to provide regular updates via Microsoft Teams, including the timing of all Preview phases.
We look forward to our continued collaboration and to your enterprise’s adoption of the new deployment service and ongoing servicing of driver and firmware updates.