Introducing a new deployment service for driver and firmware updates
Published Mar 02 2021 08:00 AM
Microsoft

Microsoft is excited to announce a new deployment service for driver and firmware updates, giving you visibility into the drivers hosted in Windows Update that are a match for your enterprise devices and offering you control over both the selection of individual updates and the scheduling of update deployments to devices from Windows Update.

IT admins, we've heard you. You want more support for the ongoing servicing of drivers for the devices you manage. This post explains how to browse all drivers on Windows Update (we use "drivers" from here on to mean both drivers and firmware) and how to decide which updates to deploy, to which devices, and in what manner. We also describe how the new deployment service provides reporting that helps you monitor driver deployments and their outcomes.

To dive deeper into the topics discussed in the post, visit https://aka.ms/WindowsAtIgnite and look for our "Driver updates and servicing in the enterprise" session.

Ongoing servicing leads to ongoing security and functionality

There are many reasons why enterprises want to deploy driver updates regularly from Windows Update. A few are worth calling out:

  • The hardware ecosystem constantly publishes new drivers and fixes to Windows Update.
  • Windows Update targets each device with only the drivers that match it.
  • Security incidents are often mitigated with driver updates and require a quick servicing response.

Don’t miss out: new drivers and driver fixes are published frequently to Windows Update

Drivers are primarily built by independent hardware vendors (IHVs) like Intel or Realtek and original equipment manufacturers (OEMs) like Dell and Lenovo. The hardware ecosystem for Windows devices comprises hundreds of partners who continuously build new drivers and deliver updates to existing ones. All drivers must be certified by the Windows Hardware Dev Center and signed by Microsoft in order for Windows to install them, and most are also published to Windows Update.

Drivers are published to Windows Update with targeting parameters that identify individual hardware components, computer models, operating system (OS) versions, or a combination of these. Microsoft enforces a publishing process that aims to admit only the highest-quality drivers to Windows Update, and post-publishing rollout monitoring is used to find issues fast and mitigate them with the hardware partner who published the update.


Hardware components benefit from regular driver updates, when available, which improve performance and interoperability with other components; new drivers are also often required to unlock new functionality in new OS versions.

Windows Update delivers the right driver to the right device

The IT admins we meet with frequently mention how difficult it is to identify the right drivers for their devices. Windows Update does this automatically: it evaluates the information a device sends when it scans the service and identifies drivers on the service that are better than those already installed on the device. The selection is informed by a combination of factors such as driver version, driver date, and targeting information such as the Hardware ID and Computer Hardware ID. Microsoft continuously collaborates with the hardware ecosystem to bring more, and eventually all, driver updates to Windows Update.
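To see what the scan evaluates, an admin can dump the same inputs from the device. The following PowerShell is an added example, not code from the original post or from the deployment service; it assumes a Windows 10 device and an elevated session. It lists each installed signed driver with the Hardware IDs and Compatible IDs that drivers on Windows Update are targeted against, collects the SMBIOS strings from which Computer Hardware IDs are derived (the WDK tool ComputerHardwareIds.exe prints the resulting GUIDs), and finishes with a simplified version of the "is the candidate better?" comparison using constructed sample versions. The real selection also weighs signature and ID-match quality before date and version; the comparison here shows only the date-then-version tie-break.

```powershell
# Added example (not from the original post): inventory what the Windows Update
# scan evaluates on a device, then rank a candidate driver against the installed one.
# Assumes a Windows 10 device and an elevated PowerShell session.

function Get-DriverInventory {
    # Win32_PnPSignedDriver exposes the Hardware IDs and Compatible IDs used for
    # targeting, plus the date and version that Windows Update compares to the catalog.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.HardWareID } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate,
                      HardWareID, CompatID, InfName, IsSigned, Signer
}

function Get-ComputerHardwareIdInputs {
    # Computer Hardware IDs (CHIDs) are hashed from these SMBIOS strings; the
    # GUIDs themselves come from the WDK's ComputerHardwareIds.exe.
    $sys   = Get-CimInstance -ClassName Win32_ComputerSystem
    $prod  = Get-CimInstance -ClassName Win32_ComputerSystemProduct
    $board = Get-CimInstance -ClassName Win32_BaseBoard
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    [pscustomobject]@{
        Manufacturer     = $sys.Manufacturer
        Family           = $sys.SystemFamily
        ProductName      = $sys.Model
        SKU              = $sys.SystemSKUNumber
        BiosVendor       = $bios.Manufacturer
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BaseboardMfr     = $board.Manufacturer
        BaseboardProduct = $board.Product
        Uuid             = $prod.UUID
    }
}

function Compare-DriverCandidate {
    param(
        [Parameter(Mandatory)] $Installed,   # object with DriverDate (DateTime) and DriverVersion (string)
        [Parameter(Mandatory)] $Candidate
    )
    # Simplified selection rule: among drivers matching the same Hardware ID the
    # newer DriverDate wins; on a tie the higher DriverVersion wins. Windows also
    # weighs signature and ID-match quality ahead of these; omitted here.
    if ($Candidate.DriverDate -gt $Installed.DriverDate) { return 'Candidate is newer: would be offered' }
    if ($Candidate.DriverDate -lt $Installed.DriverDate) { return 'Installed is newer: not offered' }
    if ([version]$Candidate.DriverVersion -gt [version]$Installed.DriverVersion) {
        return 'Same date, higher version: would be offered'
    }
    return 'Not better than installed: not offered'
}

# Usage: show the targeting inputs for Realtek drivers on this device
Get-DriverInventory | Where-Object DriverProviderName -like 'Realtek*' | Format-List
Get-ComputerHardwareIdInputs

# Constructed sample values (not real catalog data): installed vs. catalog candidate
$installed = [pscustomobject]@{ DriverVersion = '10.42.526.2020';  DriverDate = [datetime]'2020-05-26' }
$candidate = [pscustomobject]@{ DriverVersion = '10.47.1021.2020'; DriverDate = [datetime]'2020-10-21' }
Compare-DriverCandidate -Installed $installed -Candidate $candidate
```

The Hardware ID list is the part worth keeping in an inventory: a driver published against a Hardware ID you do not see on any device will never be offered, which is the usual reason an OEM package "exists on Windows Update" but never arrives.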

React faster to security incidents with established servicing practices

Firmware and hardware are one of the most active areas of enterprise security. We are all familiar with incidents that impacted end users and enterprises around the globe in the past few years. Attackers use increasingly sophisticated techniques, and the mitigations often ship as driver or firmware updates.

However, the complexity of driver servicing, and the prevalence of separate servicing practices for drivers and for other Windows updates, generate additional friction for IHVs, OEMs, and enterprises at the moment when mitigations are most urgent. Investing in ongoing servicing for reliability and functionality also sets you up to respond quickly when the next security incident hits.

Current driver & firmware servicing capabilities and feedback

Over the past two years, we’ve met with hundreds of admins from a wide range of industries, geos, sizes, and servicing infrastructures. The goal was to learn how you think about drivers, how you make servicing decisions, and how you act on these decisions. We are also collaborating with many IHVs and OEMs on the journey to bring ongoing servicing to our joint customers: IT admins and enterprises.

Servicing capabilities for devices that already scan Windows Update

Let’s recap the existing capabilities available to enterprises.

Intune admins who have adopted cloud servicing and point their devices at Windows Update can choose to accept drivers whenever they become available on the service, or instruct Windows Update never to offer them. Admins set a policy in Intune that is, in turn, applied on each device.

The policy choice is communicated to the Windows Update service as part of the device's daily scan. Windows Update offers only drivers it determines to be better than what is on the device, and only if the policy allows driver updates.
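Because the policy is applied on the device before the scan carries it to the service, the device itself is the place to verify what was actually set. The following PowerShell is an added example, not from the original post; it assumes a Windows 10 device and an elevated session. It reads the Update/ExcludeWUDriversInQualityUpdate setting from both the Group Policy registry location and the location where MDM (Intune) policies land, and reports whether the device is pointed at WSUS or at Windows Update, so a co-managed device whose drivers never arrive can be diagnosed in one call.

```powershell
# Added example (not from the original post): read the driver-servicing policy as it
# lands on the device, from both the Group Policy and the MDM (Intune) policy paths,
# and report where the device scans. Assumes a Windows 10 device; run elevated.

function Get-DriverServicingPolicy {
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

    # Update/ExcludeWUDriversInQualityUpdate: 1 = do not offer drivers; 0 or absent = offer
    $gpoExclude = (Get-ItemProperty -Path $gpo -Name ExcludeWUDriversInQualityUpdate -ErrorAction SilentlyContinue).ExcludeWUDriversInQualityUpdate
    $mdmExclude = (Get-ItemProperty -Path $mdm -Name ExcludeWUDriversInQualityUpdate -ErrorAction SilentlyContinue).ExcludeWUDriversInQualityUpdate

    # WSUS scan target; only honored when AU\UseWUServer is 1
    $wsus    = (Get-ItemProperty -Path $gpo      -Name WUServer    -ErrorAction SilentlyContinue).WUServer
    $useWsus = (Get-ItemProperty -Path "$gpo\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    $driversBlocked = ($gpoExclude -eq 1) -or ($mdmExclude -eq 1)
    $scanSource = if ($useWsus -eq 1 -and $wsus) { "WSUS ($wsus)" } else { 'Windows Update' }

    [pscustomobject]@{
        DriversFromWindowsUpdate = -not $driversBlocked
        GpoExcludeValue          = $gpoExclude      # $null when the GPO value is absent
        MdmExcludeValue          = $mdmExclude      # $null when no MDM policy is applied
        ScanSource               = $scanSource
    }
}

# Usage
Get-DriverServicingPolicy
```

If either location holds 1, the device tells the service not to offer drivers regardless of what the other says, so both values are shown rather than a single merged one.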


Configuration Manager admins cannot sync drivers from Windows Update to Windows Server Update Services (WSUS) the way they do other Windows updates, because of the sheer size of the driver catalog (recall how drivers are published, with per-hardware targeting, to see why the catalog is so large). Configuration Manager customers must rely on OEM updaters and other processes to address their driver servicing needs.

We heard you

Configuration Manager admins have few capabilities available, since WSUS does not sync any drivers from Windows Update. This means that admins lack the level of control over deployments they are used to for all other updates from WSUS. Based on feedback, IT admins need help learning when updates are available for their devices and which ones should be deployed to which devices, and they need this to work within the servicing mechanism already in place for other Windows updates.

Usually, Configuration Manager admins delay driver servicing until forced to, generally during OS upgrades. These tend to be infrequent, so driver servicing is also infrequent and the benefits of ongoing servicing are forgone.

It is encouraging that many of the Configuration Manager admins we've spoken with express willingness to leverage co-management and connect to Windows Update in the cloud for driver servicing. However, some admins are reluctant to move all their Windows update management to Windows Update in one fell swoop. They want to connect to Windows Update for drivers only, while evaluating a gradual move to Windows Update for all other Windows updates when the time is right. Sneak peek: this co-management capability is included in what we are announcing today! Keep reading.

Intune admins have access to a driver policy that allows or blocks all drivers from Windows Update. When drivers are allowed, any driver that becomes available in Windows Update is offered to scanning devices with no notice to admins. Since the hardware ecosystem publishes drivers on an irregular cadence, there is also no control over the timing of such deployments.

Intune admins need a way to pause the deployment of an individual driver suspected of causing reliability issues while the investigation is ongoing, without stopping other drivers from flowing as they become available. In fact, admins need to control the flow of all drivers, choosing the manner and timing of their deployments. Finally, Intune admins lack reporting to track driver installations and their outcomes.
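Until that reporting exists, the only record of a driver installation and its outcome is the Windows Update Agent history on the device. The following PowerShell is an added example, not from the original post or from the deployment service; it assumes a Windows 10 device with the Windows Update Agent COM API available. It queries the local history, keeps only entries in the Drivers category, decodes the result code, and records whether the update came from Windows Update or from a managed WSUS server, which is what a device-side report has to work from for co-managed fleets.

```powershell
# Added example (not from the original post): pull driver install outcomes from the
# local Windows Update Agent (WUA) history. Assumes a Windows 10 device.

function Get-DriverUpdateHistory {
    param([int]$MaxEntries = 200)

    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    $count = [Math]::Min($total, $MaxEntries)

    # OperationResultCode and ServerSelection enums from the WUA API
    $results = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
    $sources = @{ 0 = 'Default'; 1 = 'WSUS'; 2 = 'WindowsUpdate'; 3 = 'Other' }

    $searcher.QueryHistory(0, $count) |
        Where-Object { @($_.Categories | ForEach-Object Name) -contains 'Drivers' } |
        ForEach-Object {
            [pscustomobject]@{
                Date     = $_.Date
                Title    = $_.Title
                Result   = $results[[int]$_.ResultCode]
                HResult  = ('0x{0:X8}' -f $_.HResult)   # non-zero explains a Failed entry
                Source   = $sources[[int]$_.ServerSelection]
                UpdateId = $_.UpdateIdentity.UpdateID
            }
        }
}

# Usage: most recent failed driver installs first
Get-DriverUpdateHistory |
    Where-Object Result -eq 'Failed' |
    Sort-Object Date -Descending |
    Format-Table Date, Title, HResult, Source -AutoSize
```

Collecting this output centrally (for example with a Configuration Manager script or an Intune remediation) gives a per-device view of driver outcomes; the deployment service's reporting is what replaces that manual aggregation.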

Meet the commercial deployment service for drivers & firmware

The new deployment service is coming to Intune and the Microsoft Graph in the second half of 2021. In preparation, we will be launching a private preview program in the coming weeks.

We collaborate closely with many hardware partners on the success and functionality of the deployment service for drivers and firmware, and some of them wanted to share a personal message with you.

Tom Garrison, Intel VP, Client Security:

Balaji JR "JRB", Director of Product, Dell Technologies:

Joseph R Parker, Principal Engineer, Director, Commercial Deployment Readiness Team, Lenovo:

Control over driver and firmware deployments from Windows Update

Before we share more about the capabilities of the new deployment service, we are excited to announce that we are making it easier for Configuration Manager admins to benefit from all that we are announcing today without changing the way you service Windows updates with WSUS.

When our Private Preview launches, co-management will support configuring a cloud scan for drivers only, knowing that Windows Update will offer only those drivers you approved and at the time you scheduled them. There will be no change to any of your deployments from WSUS.

IT admins access the deployment service in Intune by creating Driver Update Policies and assigning devices to them. Once a device is under the purview of such a policy, Windows Update still makes its selection decisions, but the results are sent to the admin for review and action instead of the drivers simply being offered to the device.

Admins can review the available content, make approval decisions per driver (drivers are no longer all offered by default), and choose when Windows Update should start offering each driver to the devices in the policy. At the scheduled time, Windows Update activates the approval, and on the device's next scan it offers the matching driver only if the admin approved it. In effect, the deployment service augments the matching logic in Windows Update to treat admin approval as one more targeting parameter for commercial devices.

Let the approval and scheduling of drivers begin!


To see a comprehensive demonstration of how Driver Update Policies are created in Intune and how driver deployments are approved, scheduled, and suspended, visit https://aka.ms/WindowsAtIgnite and look for our "Driver updates and servicing in the enterprise" session.

Join the community and sign up for the private preview

We invite you to join our engineering neighborhood in the Windows Customer Connection Program to stay informed and engage other IT admins in the community (select the Driver and Firmware Updates Private Preview option in question #5). We will continue to provide regular updates via Microsoft Teams, including the timing of all Preview phases.

For a closer look, watch this video:

 

We look forward to our continued collaboration and to your enterprise’s adoption of the new deployment service and ongoing servicing of driver and firmware updates.

 

30 Comments
Silver Contributor

Drivers and firmware are really challenging for IT professionals, especially BIOS and UEFI updates; in case of failure the entire operation will stop, and sometimes we will have difficulty installing Windows.

We have to test this out, and hopefully it will be better for IT professionals.

Copper Contributor

This is a very promising feature! Really looking forward to testing it. However, is there any option for rollback? Suspend is great and needed, but if the testing goes really wrong, it would be preferable to have a way to initiate a rollback as well, similar to the Edge rollback option applied through GP.

Copper Contributor

Very promising capability, and I hope it evolves fast and addresses the long-standing challenge around updating "Drivers and Firmware", especially in large enterprise environments. Reading through the announcement, it says:

"Configuration Manager admins cannot sync drivers from "Windows Update" to "Windows Server Update Services" (WSUS) like they do for other Windows updates due to the sheer size of the driver’s catalog".
To that limitation, our high-level feedback to MS Engineering team is to allow sync of stubs (like it does for M365 updates) to WSUS and thus ConfigMgr. The ConfigMgr admins can then identify & certify the requisite driver updates to deploy. This shall then notify the SoftwareUpdate agent on clients to get it directly from Windows Updates. Such a mechanism if made available, will really make it very useful for larger organisations not having fully transitioned to Co-Management or not exclusively using Windows Update.
Thanks 
Iron Contributor

Looks great for an initial version. One thing to consider in the future - I like that 'hands-off' methodology with WUfB for CUs, where I can simply set deferral policies and know the updates will get approved automatically. Since the CUs are generally released on Patch Tuesday this gives us some predictability when the updates will come out and typically we would only have one reboot per month.

 

I am assuming that new drivers could drop into Windows Update at any point during the month? If so, it would be great to still be able to use that automatic approval policy, but be able to align when the updates would actually get offered to the devices so that it is at the same time as the CUs. That way they can hopefully be deployed at the same time and only require the one reboot.

Copper Contributor

I agree with the earlier comments about this looking like a promising start for improved Driver Management. I do have questions about supporting BIOS & Firmware Updates. Not many BIOS/UEFI Firmware updates (which I will refer to hereafter as just BIOS updates) currently get posted into Windows Update, so unless that changes, this would not have a significant impact on that very important part of the solution. Also, most BIOS updates require the BIOS Password if one is set. Will there be a mechanism to allow Admins to manage BIOS passwords if they are required for something to be installed?

@Aria Carley @Nir_Froimovici I welcome this article and the extended possibilities for WU and WUfB customers, and already see great benefits.

Some areas are not covered by OEMs and should be considered:

 

Intel ME drivers + Intel ME firmware (sometimes bundled in UEFI (firmware) updates, but not across all vendors (Asus, ASRock, etc.)).

Outdated Intel ME drivers with more recent firmware often cause a variety of strange issues such as sleep (power save) problems and weird restart or shutdown behaviour.

Also, Intel ME drivers and firmware are crucial in terms of security. Intel ME is one of the most affected parts in modern computers, due to its low-level access and implementation.

I would like to plead with you to talk to the OEMs, vendors and ISVs to include Intel ME drivers via Windows Update.

 

 

Similarly, the following is often missing or outdated via Windows Update / WUfB:

- other Intel components like RST drivers, Intel Security drivers (dunno why these are shipped)

- firmware and drivers for USB-C (docks), USB-C to network adapters (mostly Realtek at DELL) 

- firmware and drivers for Thunderbolt Docks

- Realtek Audio drivers

- Realtek Gigabit drivers 

- SSD and HDD firmware (we have seen various SSDs with FW issues, some models fail at 40.000 hours of operation across different vendors)

 

In many customer environments these are outdated, even though they fix a variety of security and compatibility issues with newer Windows 10 versions.

Speaking for a DELL Titanium Partner, unfortunately, some of these items are NOT delivered via Dell Command Update either but need manual care (download + install).

 

I appreciate your delivery and testing model and kindly ask you to make your vision more complete. Thanks for your feedback and thoughts.

 

- Realtek Gigabit drivers

In fact, on some systems that are upgraded via IPU these drivers are still on Win 7 and never updated.

Find the latest drivers here; they are frequently updated:

Realtek PCIe FE / GBE / 2.5G / Gaming Ethernet Family Controller Software - REALTEK
Realtek Ethernet Controller Driver - Download - ComputerBase

Microsoft

Folks, thanks for your comments and feedback!

 

@Reza_Ameri , @JackS582 , @Karl_Wester-Ebbinghaus , you all touched on firmware updates and the challenges with servicing them, both in terms of having them in Windows Update to begin with and deploying them successfully from the service. We have a lot of good advice and best practices for admins and hardware partners that we'll be sharing in the engineering neighborhood for this program. See below how to join the conversation there and I look forward to chatting more with you about firmware updates. @Karl_Wester-Ebbinghaus , thanks for the details and feedback. We'll include in our next conversations with OEMs and IHVs. 

 

@AndrewT , you will definitely have the ability to continue using the automatic deployment, with the added benefits of deferrals and the ability to suspend individual updates.

 

@Zman32 , Rollback is on our mind, but will not be part of the initial release. The good news is that the control over approval and scheduling minimizes the need for large scale rollbacks, since admins have the ability to deploy to pilot rings before approving for the entire enterprise.

 

All, please join our engineering neighborhood in the Windows Customer Connection Program, and let's continue the conversation there. 

 

Cheers,

Nir

Thank you for the kind invite @Nir_Froimovici . I fail to understand the appropriate category to join for the point I've brought up.


 

Microsoft

@Karl_Wester-Ebbinghaus , good question! It's the Driver and Firmware Updates Private Preview option. You will be able to join the Teams channel and continue getting updates, and join conversations, even if you end up choosing not to join the actual Preview (although I hope you do!). Once signed up you will be added in no longer than a week, but likely much faster.

Copper Contributor

That will be a very nice feature.

Will the new "update feature" include software updates for software like:

 

HP Notifications
HP Hotkey Support

 

HP CorporateReady whitepaper

http://h10032.www1.hp.com/ctg/Manual/c06250104

 

In my opinion, that should be a part of driver updates too.

Iron Contributor

When or how can we get access to this feature? Is it in preview yet or can we opt in for Preview?

Brass Contributor

Can we get an update about this feature coming in? We are happy to use this :) 

Copper Contributor

@Nir_Froimovici

 

Hello there, this would be a fantastic addition to Endpoint Manager capabilities and we're looking forward to trialing the feature. Do you have a release date or a preview I could use, please?

 

Thanks

J

Copper Contributor

Looking for a status update as well...

Copper Contributor

Really excited for this feature! Now that it is fall 2021, is there a planned release date?

Copper Contributor

Any update on this?

We are really looking forward to testing it, either in production or in preview.

Copper Contributor

@pehaavin 

 

I joined the pilot program and received the following update:

 

Thus, I’d like to announce that we will be ending the Pilot program on Tues. 9/14 and starting Private Preview mid-October in waves. During this gap, our team will be rigorously testing the approvals and scheduling service internally at Microsoft to validate its performance before releasing it to you all.

Brass Contributor

This looks great and looks like it will simplify management. But how will this address when to suspend BitLocker when a firmware update is deployed? And second, how will this function with BIOS passwords?

 

Copper Contributor

Any idea when this will be publicly available?

Copper Contributor

Any news when this will be publicly available?

Copper Contributor

Is anyone actually monitoring this post?

There is no mention of this on Public preview overview in Microsoft Intune | Microsoft Docs.

Has this just been mentioned once and then dropped?

Sounds like we all need this functionality in Intune.

Copper Contributor

I hope Microsoft follows through with this feature. It's an issue that needs to be addressed and something we really need in our environment.

 

PLEASE MAKE THIS HAPPEN!!!

Microsoft

@Mike_Wyatt it's happening! There is a newer post with more details about the program and the private preview: aka.ms/drivers-as-a-service. Check it out! Join our engineering neighborhood to get all the details from us directly, and also join the Private Preview that's happening right now! 

Copper Contributor

Awesome!  Thank you @Nir_Froimovici !!

Copper Contributor

I am very excited. I guess the big question is when this will be out.

 

@Nir_Froimovici 

Copper Contributor

@JRobl610

 

There is a new post about this subject with a roadmap at the bottom - Deployment service for driver updates public preview coming soon - Microsoft Tech Community

Brass Contributor

What licensing will be required for the users/devices targeted by this service? Intune + Windows E3? Or will it be supported on Pro as well?

Copper Contributor

Hi, I filled out the form to join the engineering neighborhood a week or so ago, does it take time to show up?   I am interested in the drivers updates in intune.

Hello @Nir_Froimovici , do you and the team have plans for integration of your cool solution with Windows Autopatch?

Version history
Last update: Mar 17 2021 02:44 PM