Manage Windows driver and firmware updates with Microsoft Intune
Published Jun 26 2023 09:30 AM 70K Views
Microsoft

We're excited to announce the general availability of Windows driver and firmware update management policies and reports in Microsoft Intune!

This new functionality in Intune makes it easier to keep drivers on your Windows devices up to date in two main ways. First, you'll no longer have to do the manual work of downloading, repackaging, and deploying drivers using generic tools. Instead, you can take advantage of driver update management policies and reports built on the Windows Update for Business deployment service.

These new capabilities are part of our Windows Enterprise offerings, providing you with multiple benefits:

  • Intelligent servicing helps identify which driver updates are available for devices in the policy.
  • Trusted quality is brought to you by prior certification and validation by many device manufacturers.
  • More granular controls allow you to pause a deployment of a particular driver.
  • Optional drivers and firmware are also available to complement recommended updates.
  • Detailed reporting is built into Intune to help you monitor device status, alerts, and recommendations for remediation.
  • Windows Autopatch automatically creates driver policies that allow you to roll out drivers and firmware across your deployment rings (unless you opt out of the service), with more granular controls coming later this year.

Let's explore how you can create and manage driver update policies and reports today!

Create and manage driver update policies

Step 1: Create a driver update profile and deployment rings

When you create a new driver policy, you have some choices:

  • Automatically approve all recommended drivers and set how long after discovery to start offering them.
  • Manually approve drivers and select the day to start offering the update when you approve them. With this option, no drivers are offered until manually approved.

[Screenshot: Intune settings to create a driver update profile, with a 3-day deferral and the automatic approval method selected]

To create a set of deployment rings, we recommend using the following combination of settings:

  • Approval method: Automatically approve all recommended driver updates
  • Make updates available after (days)

This way, driver updates can automatically deploy to your rings without needing to be manually approved. You can still monitor driver updates for quality in your unique environment and pause them in subsequent rings, just like feature and quality updates. For more information about deployment rings, see Create a deployment plan.

After configuring these settings, complete the policy creation wizard by assigning the devices to include in this policy.

Step 2: Review available drivers

Once you've created the policy, let devices scan for updates for about a day or so. Then the Drivers to review column will include the count of new recommended driver updates ready to review for manual approval. In an automatic policy, Drivers to review will stay at 0 since recommended drivers are automatically approved. This is a great indicator that new drivers have been discovered and are awaiting a decision whether to approve or decline deploying those drivers.

[Screenshot: Drivers to review by policy and approval method in Intune]

Step 3: Approve drivers

When you open the policy, you can see both Recommended drivers and Other drivers. To approve a driver, follow these steps:

  1. Select the driver from the Driver name column.
  2. Select the Approve option under Actions in the flyout to Manage driver.
  3. Specify the date to make the driver available to devices when they scan Windows Update.

Note: A recommended driver is Microsoft's best match and is often the newest driver marked by the driver publisher as “automatic” (previously referred to as “required”). Other drivers include drivers that are older than the best match or drivers marked as “manual” (previously referred to as “optional”) by the driver publisher. Only drivers that are currently applicable to one or more devices in the policy are shown. This helps keep the list of drivers focused on the drivers that you can actually install.

[Screenshot: Recommended drivers in Intune, with the Manage driver flyout options]

Step 4: Optionally pause driver updates

Whether you choose automatic or manual approvals, you can pause any approved driver. Do this to prevent any devices that haven't yet received the update from being offered that update. Find this option for Actions in the same Manage driver flyout as above.

[Screenshot: setting additional details to pause an update in the Manage driver flyout in Intune]

Monitor and remediate issues with built-in reporting

The report you'll probably use the most is the Windows Driver Update report. Like the Windows Feature Update and Windows Expedited Update reports, this report provides a summary of installed, in-progress, and error devices, along with the per-device detailed status. The state of a device shows as downloading, installing, or other. You can find this report under Reports > Windows Updates:

  1. Select the Reports tab.
  2. Open the Windows Driver Update Report.

[Screenshot: the Windows Driver Update report in Intune]

The Windows Driver Update report shows if the device has an alert or problem preventing the update. To discover more details about the failure cause and possible remediations, use the Windows Driver Update Failures report. Find this report under Devices > Monitor. As with the Feature Update and Expedited Update failures reports, clicking the Alert message will open a context panel that includes a more detailed description of the alert and also a recommendation for how to fix or remediate that issue.

[Screenshot: the Windows Driver update failures report in Intune]

Note: To see detailed update status and errors for devices in your reports, Windows diagnostic data must be enabled in your tenant. Toggle this setting on for Intune under Tenant administration > Connectors and tokens > Windows data.

[Screenshot: the Windows data toggle turned on to enable features that require Windows diagnostic data in processor configuration in Intune]

The journey's just beginning

Try drivers and firmware update management with Intune today and get ready to take full advantage of everything else that's coming! For a short demo of this capability, and answers to recent questions from the community, I encourage you to watch our recent Tech Community Live AMA on Windows updates in Intune: drivers, firmware, and Autopatch.

We're already working on the next big improvements to driver management. While plans may change, this year, we're hoping to deliver the following capabilities:

  • Seeing all devices for which a driver is applicable
  • Knowing the device model that a driver supports
  • Bulk editing
  • Aligning driver approvals with patch Tuesday. Note: this would ensure that if a reboot is required, it reboots along with the monthly security update.

Also coming later this year: deeper driver controls in Windows Autopatch, including the ability to deploy optional drivers, maintain manual control over driver approvals at the ring level, and use these functions for your custom Autopatch groups. Read more about groups in this blog post: What's new in Windows Autopatch: May 2023. More information will be available through the Autopatch blog in the coming months.

Want to learn more about the benefits and new capabilities? Check out Coming soon to Intune: Windows driver and firmware updates.

For more information, please see the Intune documentation at https://aka.ms/IntuneDriversDocs.


100 Comments
Iron Contributor

I have the case of a driver released since 04/4/2023 but not installing on computers identified in the driver policy.

The policy is in automatic with just a delay of 3 days.

This driver was never installed, so this morning I paused this driver and approved it again. Then the driver was installed on the computer.

Did you already see this?

Brass Contributor

@David_Guyer within "Driver updates for Windows 10 and later", sorting by "Last modified" does not order the dates correctly. 

 

[Screenshot attached: Screenshot 2023-07-31 111705.png]

Copper Contributor

@IndiaYankee I am also in the same situation where driver updates are installed through Intune; however, in reports it still shows "Offering". Did you get any resolution on it?
@David_Guyer - Could you please confirm whether "Windows Data" has to be enabled to get the report of driver updates?
We have set diagnostic data as Required, Allowed Telemetry and Data Collection Policy with a profile type of Windows health monitoring.
The setting named DisableOneSettingsDownloads is not configured anywhere.
Still, the machine is not reporting back to Intune that the driver update is installed. Intune is still showing the status as "Offering".



Microsoft

@David_Guyer When using the reporting for Windows Update for Business driver deployment we are able to see a count of devices that are applicable for specific drivers, but not the details on which devices exactly. Is there any future roadmap to see the device details?

Also, when using Windows Update for Business, when we pause the driver deployment, then scanning stops reporting for the devices. If it is paused for longer than 7 days there are no scan dates for 7 days. Is this expected behavior?

Iron Contributor

I had a new driver (Dell firmware) in my Automatic configuration that I needed to pause and approve. Otherwise the driver would not install.

For the moment it's in test so I could see which drivers are not installing, but in production it will be complicated.

Copper Contributor

@David_Guyer I would like to know if there is full support when you are using Configuration Manager? I'm getting mixed information from Microsoft support. They said I need to move the workload to Intune to get it to work. But in this blog and the docs, it says that I can still use Config Manager.

Plus the reporting does not work, and I'm not seeing all the drivers that I would normally see.

So is there or is there not support for Config Manager??

Copper Contributor

Seems I am in the same boat as some others where 0 drivers to review since weeks ago.

Windows 10 22H2 clients only.

We are using SCCM (MECM) for deploying Windows updates.

 

Update ring setting in Intune set to "Allow" Windows Drivers and "Block" product updates.

 

Diagnostic Data set to "Enhanced"

 

Update Reg keys we have:

DisableDualScan = 0

DoNotConnectToWindowsUpdateInternetLocations = 0

SetPolicyDrivenUpdateSourceForDriverUpdates = 0

 

We do not have this: DisableOneSettingsDownloads

 

What About reg key "NoAutoUpdate" we have it set to "1". But is that correct?

 

What else to check?

Logs? 

Copper Contributor

We use SCCM for deploying our updates. We have driver updates working with the following configuration (hopefully it will help).

Initially it took about a week of testing different configurations before I actually saw something. (Combination of the incorrect settings, and MS had issues).

 

Intune Config
Tenant Administration -> Connectors and Tokens -> Windows Data
Enable features that require Windows diagnostic data in processor configuration = ON

 

Configuration Profile (Settings Catalog)
System -> Allow Telemetry = Basic

 

Driver Policy Manual (Until we work out how this all works in our environment)


Client GPO:
Administrative Templates\

Windows Components/Windows Update/Legacy Policies
Do not allow update deferral policies to cause scans against Windows Update = Disabled

 

Windows Components/Windows Update/Manage updates offered from Windows Server Update Service
Allow signed updates from an intranet Microsoft update service location = Enabled

 

 

Leave it for a few days for the clients to pick up the configuration; you should start seeing driver updates. Once you do, I then set the following configuration so the clients can get the updates. The reason for this is that if you do all the configuration at the same time, the client may just get the update from MS, bypassing the Intune config. You can read up about it here: Learn about Windows Driver updates policy for Windows 10 Windows 11 devices in Intune | Microsoft Le...

 

How do I use driver management if I’m currently using Configuration Manager for updates?
You can continue to use Configuration Manager for updates other than Drivers, or to start to move other update types to cloud management in Intune one at a time. First, ensure you're using cloud attach or co-management, so that your devices are enrolled in Intune. Then, configure your driver policies in Intune to enroll devices and get them ready for management. After approximately one day, set the policy SetPolicyDrivenUpdateSourceForDriverUpdates to a value of 0, to scan for driver updates from Windows Update.

 

Administrative Templates\
Windows Components/Windows Update/Manage updates offered from Windows Server Update Service
Specify source service for specific classes of Windows Updates
Driver Updates = Windows Update

Microsoft

Great questions about Config Manager. Overall, I think the community here has put together some great info that should work. I'm working internally to get clearer guidance we can update in our docs, but the key factors are here: ensure the device is scanning Windows Update for drivers, by ensuring normal automatic updates are occurring (AllowAutoUpdate), the device is scanning WU (DisableDualScan is not enabled,

SetPolicyDrivenUpdateSourceForDriverUpdates is set to Windows Update, the "don't use internet" setting is not enabled). The key thing we are double-checking is how to do this without the Config Manager agent resetting the values, so setting Group Policy in a way that wins over CM.

I don't know what the NoAutoUpdate registry key does, didn't find docs on it... but my suspicion is that if set to 1 probably blocks the device from automatically scanning, requiring an end user to check for updates... so probably not what you want on a managed device.
 
HTH, and will bring more info as soon as I have it.
Copper Contributor

@AntunB I did get the updates offered, but when manually approving nothing ever comes down to the client.

 

Do you mind sharing your registry keys for:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

and

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

 

thanks,

Copper Contributor

[Screenshot attached: LDR2688_0-1694682882681.png]

I have an unusual issue that all my driver installs are stuck "in progress", with some in a cancelled state, yet spot-checking clients locally I can see the drivers installed in Windows update history. Anyone else experiencing anything similar? Every other process in Intune appears to report back its status correctly (i.e. config profiles, app deployments etc.) and clients meet all the requirements I'm aware of.

[Screenshot attached: LDR2688_1-1694683003090.png]

 

Copper Contributor

@Vern Bateman 

I find if I approve the update it takes a day or so to appear on the client,

 

As a test you can "Check Online for updates from Microsoft Update" to confirm WU is working and there is no firewall issues.

 

 

Here are my client settings,

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000000
"AcceptTrustedPublisherCerts"=dword:00000001
"DisableDualScan"=dword:00000000
"SetPolicyDrivenUpdateSourceForDriverUpdates"=dword:00000000
"SetPolicyDrivenUpdateSourceForFeatureUpdates"=dword:00000001
"SetPolicyDrivenUpdateSourceForOtherUpdates"=dword:00000001
"SetPolicyDrivenUpdateSourceForQualityUpdates"=dword:00000001
"SetProxyBehaviorForUpdateDetection"=dword:00000000
"DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection"=dword:00000000
"WUServer"="https://zzzz"
"WUStatusServer"="https://zzzz"
"TargetReleaseVersion"=dword:00000001
"ProductVersion"="Windows 10"
"TargetReleaseVersionInfo"="22H2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"UseUpdateClassPolicySource"=dword:00000001

Copper Contributor

Hello @David_Guyer, we have the same issue as @Ian55 and @Smart-VS (0 drivers) in one policy. Other driver policies look better. But this certain policy - there is no drivers for the assigned devices more than a couple of weeks. We tried to move devices into another policy, but there is no effect: no new drivers to review, no drivers to install on the devices.
Any ideas very appreciated. 

Thank you.

Microsoft

@patroklos The first thing to check is that the devices are successfully scanning Windows Update, and that the Allow Drivers setting in Update Rings (which maps to the ExcludeWUDriversInQualityUpdate policy) is set to allow drivers. Scanning Windows Update is how we get the list of applicable driver updates. And if the ExcludeWUDrivers setting is enabled/configured, it will block drivers from being downloaded and installed at the client. This is working for other devices in other policies, so I'm guessing these are configured correctly, but it's worth checking. If that's not it, please open a support ticket, or DM me so I can get your tenant info and we can investigate a bit more.

 

@LDR2688  Make sure you've enabled the Windows data collection setting in Intune.  Without this being configured, we are unable to collect and process client diagnostic data, which we use to show when devices are downloading, installing, complete, or even if there's an error.

Copper Contributor

@David_Guyer thanks for the reply - Windows data collection setting is enable in intune and intune health monitoring with windows updates config profile is assigned to all devices - we're getting endpoint analytics (startup performance etc) absolutely fine, it's just driver update status that is not working:

[Screenshots attached: LDR2688_0-1695731330212.png, LDR2688_1-1695731354707.png]

[Screenshot attached: LDR2688_2-1695731409987.png]

 

 

Microsoft

@LDR2688   The next thing to do is to make sure that there aren't any other Windows Diagnostic data settings that are blocking telemetry that got there via Settings Catalog, Group Policy, or other channels.  These are listed today in our documentation at Use Windows Update for Business reports for Windows Updates in Microsoft Intune - Microsoft Intune |..., but in short check that you have the Windows Diagnostic Data setting to Required or Basic or higher, Configure Windows diagnostic data in your organization (Windows 10 and Windows 11) - Windows Privacy... ,  also check that "DisableOneSettingsDownload" isn't enabled.   These are other settings we know about that can also block client telemetry from being sent for reporting.  The defaults for these settings work fine, so it's only if somehow these were configured sometime in the past that it becomes an issue.

If it's not those, please DM me so I can get your tenant information and we can look closer into this and see if we can't troubleshoot and get your reports working for you.

 

-David
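As an added example (my own script, not part of the post or of the Intune product), the following PowerShell reads the client-side settings David lists across his replies above (the dual-scan and driver scan-source values, the Allow drivers / ExcludeWUDriversInQualityUpdate setting, and the diagnostic-data settings) and flags any value that would block driver discovery, install, or reporting. The registry paths are the standard Windows Update and DataCollection policy keys; the PolicyManager path is assumed to hold the Intune-delivered copy of the update ring setting.

```powershell
# Added example, not from the post or from Intune: read the client-side policy
# values the thread identifies as gating driver scanning, install and reporting,
# and flag any that would block the Intune driver policy. Read-only.
$WU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU  = "$WU\AU"
$DC  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
# Assumption: values pushed by Intune (MDM) land here rather than under Policies.
$MDM = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# A WSUS/ConfigMgr server is in play when UseWUServer = 1; in that case the
# driver scan source must be explicitly pointed at Windows Update.
$usesWsus = (Get-PolicyValue $AU 'UseWUServer') -eq 1

# Each check: registry location, a test that returns $true when the value is
# acceptable ($null means "not configured"), and why the thread cares about it.
$checks = @(
    @{ Path=$WU; Name='DisableDualScan'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='1 stops scanning Windows Update when WSUS/ConfigMgr is configured; keep 0' },
    @{ Path=$WU; Name='SetPolicyDrivenUpdateSourceForDriverUpdates'
       Ok={ param($v) if ($usesWsus) { $v -eq 0 } else { ($null -eq $v) -or ($v -eq 0) } }
       Why='0 = Windows Update is the driver scan source; required when a WSUS server is set' },
    @{ Path=$WU; Name='DoNotConnectToWindowsUpdateInternetLocations'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='1 blocks the client from reaching Windows Update at all' },
    @{ Path=$WU; Name='ExcludeWUDriversInQualityUpdate'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='1 (Update ring "Allow drivers" = Block) makes the client drop offered drivers' },
    @{ Path=$MDM; Name='ExcludeWUDriversInQualityUpdate'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='same setting as delivered by the Intune update ring (MDM path)' },
    @{ Path=$AU; Name='NoAutoUpdate'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='1 = Configure Automatic Updates disabled; the client will not scan on its own' },
    @{ Path=$DC; Name='AllowTelemetry'
       Ok={ param($v) ($null -eq $v) -or ($v -ge 1) }
       Why='0 (Security/Off) suppresses the diagnostic data the driver reports depend on' },
    @{ Path=$DC; Name='DisableOneSettingsDownloads'
       Ok={ param($v) ($null -eq $v) -or ($v -eq 0) }
       Why='1 blocks OneSettings downloads and with them update reporting telemetry' }
)

$results = foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Path $c.Name
    $status = if (& $c.Ok $v) { 'OK' } else { 'CHECK' }
    $shown  = if ($null -eq $v) { '<not set>' } else { $v }
    [pscustomobject]@{ Status = $status; Name = $c.Name; Value = $shown; Why = $c.Why; Path = $c.Path }
}

$results | Format-Table -AutoSize Status, Name, Value, Why
if ($results.Status -contains 'CHECK') {
    Write-Warning 'One or more settings may block driver scanning, install or reporting on this client.'
}
```

Run it on a device that shows 0 drivers to review or stays in "Offering"; a CHECK row points at the policy source (GPO, Settings Catalog, or ConfigMgr agent) to correct, as discussed in the replies above.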

 

Copper Contributor

@David_Guyer, thanks for your reply. We checked on the endpoints and the registry key ExcludeWUDriversInQualityUpdate is set to 0 (enabled). But could you confirm one more time whether this setting in the Update ring (Windows drivers) is only for downloading and installing drivers, or for scanning too? I saw the block about it in the documentation but it's still confusing.

I mean, if it's set to Block in the Update ring but the device has a driver policy assigned, will drivers be scanned and shown in the driver policy as Need to review, for instance?

Thank you.

Microsoft

The Allow Drivers setting in Update Rings affects the actual install of drivers, not the ability for the Drivers policies to get the applicable driver updates.  But, when you approve a driver, if Allow Drivers in Update Rings is set to Block, then the drivers will not be installed.   

The reason is that the Allow Drivers setting is a client setting that is applied at the client, and causes the client to remove offered drivers.  

 

HTH!

Copper Contributor

Hi guys. We are actively using the driver and firmware update feature and, besides the fact that a lot of recommended drivers are vastly outdated, it's mostly working fine for us.

We do have one question. Sometimes we need to reinstall the OS by means of a USB install (or similar method) due to a corrupt recovery partition or other issues that make us want to ensure the installation is without problems. After installation and the Autopilot process we regularly see that a lot of drivers are being installed after the user is logged in. This sometimes results in issues when, for example, the display or network (wifi/NIC) drivers are being installed.

Is there any way possible to have this happening during autopilot process? Is MS planning on adding driver installation to the autopilot process? We are not always able to install all drivers during OS install.

 

When searching online i see several solutions where people are running a win32 script to install windows update drivers during Autopilot. For example: https://www.linkedin.com/pulse/intune-advanced-automation-part-2-installing-pavel-mirochnitchenko

 

Could this be a temporary solution until MS is able to incorporate this into autopilot?

Microsoft

@Summa040 , including approved driver updates during Autopilot is something we are looking at and would like to deliver for all the reasons you highlighted.  Another change we are looking at is how to better handle driver updates so that the network/bluetooth/video and other stuff like that doesn't create the issues while the user is actively using the device.

 

Be very careful with trying to deploy drivers as a script during Autopilot, it can cause timing issues.  For example, it could cause the network to blip while an app is installing and getting bits from the web.  If that app isn't robust to handle a network blip, it could fail, and depending on your Autopilot settings could cause issues.  More reasons we'd like to integrate it into Autopilot, but there are some interesting technical problems we need to solve to make that happen first.

 

Hope that helps.

 

Hi @chrlau80, thanks for the question. Having also received a private message from you, please expect a follow-up response so we can discuss your scenario in more detail. Thanks!

Copper Contributor

@David_Guyer Thx for your reply, it's really appreciated!

 

We do have an issue while testing the installation of other drivers. For one of our test devices (HP ZBook 15 G5) we have an Automatic approval driver update policy with a 14-day delay. We see that the recommended drivers get installed, but we also approved a couple of Other drivers that are far more recent and fix a couple of issues we are facing with that model. The issue is that the newer other drivers are not getting installed, only the recommended drivers are.
When we approve a more recent version of a driver that is listed under Other drivers, do we also need to pause the older recommended driver, or is that not necessary? At this moment we are not able to install the more recent driver that is listed under Other drivers. Any ideas?

Microsoft

@Summa040 

 

You do not need to pause older approved drivers, whether recommended or other.  Windows Update will install the newest approved driver automatically, and skip the older one.  I'm sorry for any delays you are seeing in drivers being deployed... we are monitoring and working to make the system faster every day.  Do keep an eye on this and you should see those drivers installed before too long.

Copper Contributor

Hi @David_Guyer Many thanks for the info here!

 

I do have an additional question about the scanning for drivers. Does every device need to scan for drivers and report back before it gets its drivers? For example, if a device is of the same model/make/type as one that has already checked in and reported back the scan result, will it receive the available drivers instantly, or does every device go through the same scan/report/receive cycle?

Microsoft

Good question, @Summa040 .  The Windows Update for Business deployment service communicates driver approvals only for the applicable devices.  This avoids a tremendous amount of "over approvals" that would affect every deployment service enrolled device checking to Windows Update.  So, you are correct in your latter thinking...   when a device scans for updates, Windows Update then communicates all the applicable driver updates to the deployment service, then the deployment service processes that, adds the device-driver combo to the policy, and then finds any existing approvals that apply to that device and sends those to the Windows Update service.  As a result, a device needs to scan once for the applicable driver update to be discovered, and then again for it to be offered.   In most cases, that approval should be available pretty quickly after the first scan.

HTH,
-DG

Copper Contributor

Hey David,

 

I'm having one heck of a time getting this to work - this must be my 4th or 5th time trying. I do use Configuration Manager.

 

Intune Windows Data is set (Enable features that require Windows diagnostic data in processor configuration)

 

GP is set Allow diagnostic data (Optional)

 

I have the GP settings configured. With the specify source set to Windows update for drivers.

[Screenshot attached: VernBateman_0-1697128784618.png]

All registry settings on client match to what they should show.

[Screenshot attached: VernBateman_1-1697128841117.png]

[Screenshot attached: VernBateman_2-1697128858829.png]

I then approved 2 drivers (10/11). But the drivers have never come down for what I approved. 

 

One other thing: we do have a Group Policy in place that MDM wins over GP, so I ran an MDM diagnostic report on the client to see what was showing. And it looks like it's setting some stuff even though there are no policies set. Or is this normal?

[Screenshot attached: VernBateman_4-1697129121503.png]

 

Any ideas?

 

Would really like to get this working.

Microsoft

@Vern Bateman , please stay tuned.  We are doing some internal testing and developing clearer documentation for Configuration Manager users, hopefully I can share that here soon.

In the meantime... here are some things we know (probably not new to you either) that can help:
1)  I think that using Domain Group Policy for the SetPolicyDrivenUpdateSourceForDriverUpdates policy may be the key to ensuring this value stays set the way you expect when only wanting to move Drivers to Intune, and leave other update types in Configuration Manager.

2) We think most people having trouble are trying to use #1 above...  moving the Windows Updates co-management slider to Intune is more likely to work... though if you only want drivers, you can set the other SetPolicyDrivenUpdateSources* back to WSUS using Settings Catalog.  We are going to validate this as well.

 

Note that MDMoverGP doesn't apply for Windows Updates policies... it's counter-intuitive, and has been that way for a long time, so changing it now would be pretty impactful to anyone depending on the current behavior.

I hope that helps a bit today, and I'll bring more specific details as soon as we have them.

-David

 

 

Copper Contributor

David,

 

Thanks for the info

 

Yes, I'm trying to use the GP settings for the "SetPolicyDrivenUpdateSourceForDriverUpdates" and leaving the slider to stay with Configuration Manager. I see the only way to set the Intune settings for this setting is through deployment rings - which I'm not sure is what I want.

 

I look forward for more detail when using Configuration Manager.

 

I'm also circling back to what @AntunB had to say about how he did it.

 

thanks,

Copper Contributor

@Vern Bateman I'm in the same boat as you, trying to get this working for co-managed clients for Drivers only with the updates workload still set to ConfigMgr. After a week of playing about with policies in GPO and Intune I've got drivers showing for review but like you nothing seems to be appearing on my target devices once I approve them.

 

@David_Guyer Similarly to Vern I'll eagerly await the findings from your internal testing and some official docs for this scenario. One setting in particular I'd like some clarity on, that I've seen mentioned in some of the community articles I've found is DisableWindowsUpdateAccess=0 being a requirement. This setting seems to allow a standard user to click the button to 'Check online for updates from Microsoft Update' and the device immediately pulls down a bunch of unapproved drivers. It proves the policy driven update source is working correctly as I only see drivers offered but obviously that's a gap I'll need to ensure is closed before I can think about using this in production.

 

Thanks

Copper Contributor

Hi there,

 

I also try to configure driver updates via Intune, and I also have MECM with cloud attach and co-management workloads which are not used (in the left position).

 

Configuration is:

Hybrid AD Join

 

MS account Sign-in Assistant : Manual (Triggered)

Windows Data : On

 

Intune Update ring for Drivers : Allow Drivers Update, Decline Windows Update

Health Monitoring - Enable for Update events

 

GPO on-premise:

Telemetry - set as  required 

Drivers update -> from Windows Update

"DisableDualScan"=dword:00000000 (was added today)

Do not allow update deferral policies to cause scans against Windows Update = Disabled (was added today)

Allow signed updates from an intranet Microsoft update service location = Enabled (was added today)

 

Drivers Update Policy:

Configured for manually approve and deploy driver updates

 

In my case, I do not see any drivers for review after more than one week.

Update ring policy is in "Not applicable" state on all devices.

 

According to my configuration, should I see drivers in Intune? Why is the Update ring policy not applied?

Which configuration/setting have I missed?

Thank you for your answer.

 

Microsoft

Hi @elizarov. We are doing some final testing so that we can update our documentation on the scenario of using Drivers in Intune without moving the entire Windows Update co-management workload over to Intune. Currently, the solution appears to be to use "domain" Group Policy to set the scan source policy to Windows Update for Drivers, and also keeping DisableDualScan = 0, false, disabled. The reason is that the CM agent is resetting that value back to WSUS when co-management is enabled but the Windows Update workload is still set to Configuration Manager, and Domain Group Policy overrides that. There is a change being worked on to add the scan source policy setting to Configuration Manager, so that the agent knows which way to set that, and Domain Group Policy will no longer be needed, so it's a temporary workaround for now. I hope that is helpful... would love to hear if this works for you! -David

Copper Contributor

@David_Guyer I'm doing both those things and while I eventually got drivers available in Intune after three days I don't get anything offered to my endpoints when I approve them.

Copper Contributor

Hi @David_Guyer 

 

In a nutshell: drivers become available.

 

What I have done:

I returned the Windows Drivers source to WSUS, waited for one day, and the drivers became available for reviewing.

I changed the source for drivers to Windows Update once again.

Am I understanding correctly that, firstly, you need to apply all the settings without switching the source for drivers? The source for drivers has to be switched to Windows Update after one day, is that correct?

Copper Contributor

Hi @David_Guyer 
Is it possible for us to use the PSWindowsUpdate module to force install drivers and/or updates, preferably during device setup phase when installing through autopilot?

 

Thx!

Microsoft

@Summa040, it's really not something we recommend for a couple of reasons. The main one is that you don't have a way to know if all the update management policies are in place yet, so that when you scan for updates you get only the approved updates. The other is that we've seen cases when the download channel gets overwhelmed and results in some apps failing to install during Autopilot. Windows Update does its first scan ~3H after exiting the device setup process, and so devices do get current fairly quickly, so that is currently our recommended approach... while exploring options to enable the scenario you are trying to achieve! HTH -DG

 

Microsoft

@elizarov   Actually, you don't need to apply all settings before changing the scan source setting.  I think you came across a coincidence of timing, and have it configured correctly now.  Great to hear!

Microsoft

@stewpollock I hope things are working correctly for you by now... if not, please DM me and we can do a deeper dive into your driver approvals.

Copper Contributor

Hi colleagues,

Does anyone face the issue with the export option from Monitor | Windows Driver update failures?
We have an error "Something went wrong. Try again later." in any driver policy.

Thanks.

Copper Contributor

Dear @David_Guyer ,

 

I see the drivers for reviewing; however, the "Update rings for Windows 10 and later" policy for drivers, with the following settings:

Microsoft product updates: Block
Windows drivers: Allow

is in the "Not applicable" state.


Your comment will be really appreciated. Thank you.

Microsoft

@elizarov  the Not Applicable is happening because you haven't moved co-management for Windows Update workload to Intune, so Intune can't set the client policies.  That's essentially what that workload slider does, is control which management tool has the authority to set client policy.  Use CM for those settings if you aren't ready to move the slider to Intune.

 

@Petrokl  I've seen that happen when there are too many report requests in your tenant at a specific time... waiting should clear that up, and if not, please let me know via DM so we can investigate further.

Copper Contributor

@David_Guyer 

 

According to the information from https://learn.microsoft.com/en-us/mem/intune/protect/windows-driver-updates-overview#how-do-i-use-dr...,

we can continue to use Configuration Manager for updates other than drivers. My purpose sounds exactly like this—I want to use CM for MS updates and Intune for driver updates.

I thought that I do not need to move the workload slider, but now I am not sure.

David, could you please clarify this point?

One more question: I'm afraid I might not have a complete understanding of the meaning behind this: "Use CM for those settings if you aren't ready to move the slider to Intune." How can I use CM for driver updates?

Microsoft

@elizarov  What I was trying to say is that if you want to set any client settings on the device, and you haven't moved the slider to Intune, you can set those settings using CM.   You need to move the workload slider to get Update Ring policies in Intune to work.   Otherwise, what you are doing by using CM first, and then setting the scan source policy for Drivers to Windows Update enables the Driver policies in Intune to work without moving the workload slider over.   Does that help?

Copper Contributor

@David_Guyer I think @elizarov and I are in the same position and I'm also confused with what you mean when you say that you can set those settings using CM. How do you target the drivers to devices using CM?

Microsoft

@stewpollock The Update Rings policies do not provide driver management (aside from the all or nothing setting we've had since well before the new driver policies), so what I'm saying is the other client settings, like the Quality Update deadline settings, or any of those, can be done from CM. Then, use the driver policies in Intune to manage them, once the configurations discussed above are in place. HTH.

Copper Contributor

Is there any update on when the following features are going to be released?

  • Seeing all devices for which a driver is applicable
  • Knowing the device model that a driver supports

I have been testing deploying drivers to a very small group of computers but really need this information before I will be comfortable deploying at scale.

Copper Contributor

@David_Guyer Just wondering if you have any news on the documentation, you were putting together with using Configuration Manager for this solution. I know a lot of us have tried with the different settings, and nothing ever seems to come down to the endpoints.

Microsoft

@Vern Bateman I'm about to finalize the doc update for this (hopefully tomorrow) and will get it published hopefully next week.

Copper Contributor

@Jason_Sandys 

 

Thanks for the update - looking forward to it.

Microsoft
Thanks to Jason Sandys, we have updated our documentation for Driver management with more specific details for users of Configuration Manager that are not ready to move all #WindowsUpdates update types to the Cloud and #Intune. #WUfB
 
Copper Contributor

Dear colleagues, @David_Guyer @Jason_Sandys

I hope this message finds you well.

Could you please clarify and confirm whether the Intune Update Ring policy won't be applicable to the devices because the workload was not moved? Is this expected behavior?

  • Windows update ring policy: Ensure the Windows driver setting is set to Allow.


After reading the article I have added new policy

  • Settings catalog policy: In the Windows Update for Business category, ensure that Exclude WU Drivers in Quality Update is set to Allow Windows Update drivers.

 

Note:

I see that the Windows Driver Updates report shows the information only for one device (there are 13 devices in my test collection).

This device is located on the Internet, not on the intranet.


Unfortunately, I do not see any changes with driver installation. Will keep you posted.

 

Your recommendation will be really appreciated.

 

Thank you.

Version history
Last update: Jul 14 2023 10:01 AM