Manage Windows driver and firmware updates with Microsoft Intune

Source: Manage Windows driver and firmware updates with Microsoft Intune – Microsoft Community Hub

Microsoft has announced the general availability of Windows driver and firmware update management policies and reports in Microsoft Intune!

This new functionality in Intune makes it easier to keep drivers on your Windows devices up to date in two main ways. First, you’ll no longer have to do the manual work of downloading, repackaging, and deploying drivers using generic tools. Instead, you can take advantage of driver update management policies and reports built on the Windows Update for Business deployment service.

These new capabilities are part of our Windows Enterprise offerings, providing you with multiple benefits:

  • Intelligent servicing helps identify which driver updates are available for devices in the policy.
  • Trusted quality is brought to you by prior certification and validation by many device manufacturers.
  • More granular controls allow you to pause a deployment of a particular driver.
  • Optional drivers and firmware are also available to complement recommended updates.
  • Detailed reporting is built into Intune to help you monitor device status, alerts, and recommendations for remediation.
  • Windows Autopatch automatically creates driver policies that allow you to roll out drivers and firmware across your deployment rings (unless you opt out of the service), with more granular controls coming later this year.

Let’s explore how you can create and manage driver update policies and reports today!

Create and manage driver update policies

Step 1: Create a driver update profile and deployment rings

When you create a new driver policy, you have some choices:

  • Automatically approve all recommended drivers and set how long after discovery to start offering them.
  • Manually approve drivers and select the day to start offering the update when you approve them. With this option, no drivers are offered until manually approved.

Screenshot of Intune settings to create driver update profile, with a 3-day deferral and an automatic approval method selected

To create a set of deployment rings, we recommend using the following combination of settings:

  • Approval method: Automatically approve all recommended driver updates
  • Make updates available after (days)

This way, driver updates can automatically deploy to your rings without needing to be manually approved. You can still monitor driver updates for quality in your unique environment and pause them in subsequent rings, just like feature and quality updates. For more information about deployment rings, see Create a deployment plan.

After configuring these settings, complete the policy creation wizard by assigning the devices to include in this policy.

Step 2: Review available drivers

Once you’ve created the policy, let devices scan for updates for about a day or so. Then the Drivers to review column will include the count of new recommended driver updates ready to review for manual approval.

IMPORTANT: In an automatic policy, Drivers to review will stay at 0 since recommended drivers are automatically approved. In a manual policy, a non-zero count in this column is a great indicator that new drivers have been discovered and are awaiting a decision whether to approve or decline deploying those drivers.

Screenshot of Drivers to review by policy and approval method in Intune
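
Steps 1 and 2 can also be scripted. The following is an added example, not part of the original article: it uses the Microsoft Graph beta `windowsDriverUpdateProfiles` endpoint to create automatically approved ring policies and then lists each policy's Drivers to review count. The ring names and deferral days are constructed for illustration, and the script assumes the Microsoft.Graph.Authentication module is installed.

```powershell
# Added example: ring names and deferral days below are constructed, not taken from the article.
# Assumes the Microsoft.Graph.Authentication module and an account allowed to manage Intune policies.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles'

# Constructed ring plan: each later ring waits longer after a driver is discovered,
# leaving time to pause a bad driver before it reaches the broad ring.
$rings = @(
    @{ Name = 'Drivers - Ring 0 (pilot)'; DeferralDays = 0 }
    @{ Name = 'Drivers - Ring 1 (early)'; DeferralDays = 3 }
    @{ Name = 'Drivers - Ring 2 (broad)'; DeferralDays = 7 }
)

# Read existing policies so a re-run does not create duplicates.
# Assumption: the tenant has few enough policies to fit in one page (no @odata.nextLink handling).
$existingNames = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    ForEach-Object { $_.displayName }

foreach ($ring in $rings) {
    if ($existingNames -contains $ring.Name) { continue }

    $body = @{
        '@odata.type'            = '#microsoft.graph.windowsDriverUpdateProfile'
        displayName              = $ring.Name
        description              = "Auto-approve recommended drivers after $($ring.DeferralDays) day(s)"
        approvalType             = 'automatic'          # 'manual' offers nothing until approved
        deploymentDeferralInDays = $ring.DeferralDays   # "Make updates available after (days)"
    } | ConvertTo-Json

    Invoke-MgGraphRequest -Method POST -Uri $base -Body $body -ContentType 'application/json' |
        Out-Null
}

# Step 2 check: newUpdates is the count shown in the "Drivers to review" column.
# Automatic policies stay at 0; a manual policy above 0 has drivers waiting on a decision.
(Invoke-MgGraphRequest -Method GET -Uri $base).value | ForEach-Object {
    [pscustomobject]@{
        Policy           = $_.displayName
        Approval         = $_.approvalType
        DeferralDays     = $_.deploymentDeferralInDays
        DriversToReview  = $_.newUpdates
        DevicesReporting = $_.deviceReporting
    }
} | Sort-Object DriversToReview -Descending | Format-Table -AutoSize
```

The script does not assign the policies to device groups; do that as the final step of the wizard described above. Because the endpoint is in the Graph beta namespace, its schema can change.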

Step 3: Approve drivers

When you open the policy, you can see both Recommended drivers and Other drivers. To approve a driver, follow these steps:

  1. Select the driver from the Driver name column.
  2. Select the Approve option under Actions in the flyout to Manage driver.
  3. Specify the date to make the driver available to devices when they scan Windows Update.

Note: A recommended driver is Microsoft’s best match and is often the newest driver marked by the driver publisher as “automatic” (previously referred to as “required”). Other drivers include drivers that are older than the best match or drivers marked as “manual” (previously referred to as “optional”) by the driver publisher. Only drivers that are currently applicable to one or more devices in the policy are shown. This helps keep the list of drivers focused on the drivers that you can actually install.

Step 4: Optionally pause driver updates

Whether you choose automatic or manual approvals, you can pause any approved driver. Do this to prevent any devices that haven’t yet received the update from being offered that update. Find this option for Actions in the same Manage driver flyout as above.

Monitor and remediate issues with built-in reporting

The report you’ll probably use the most is the Windows Driver Update report. Like the Windows Feature Update and Windows Expedited Update reports, this report provides a summary of installed, in-progress, and error devices, along with the per-device detailed status. The state of a device shows as downloading, installing, or other. You can find this report under Reports > Windows Updates:

  1. Select the Reports tab.
  2. Open the Windows Driver Update Report.

The Windows Driver Update report shows if the device has an alert or problem preventing the update. To discover more details about the failure cause and possible remediations, use the Windows Driver Update Failures report. Find this report under Devices > Monitor. As with the Feature Update and Expedited Update failures reports, clicking the Alert message will open a context panel that includes a more detailed description of the alert and also a recommendation for how to fix or remediate that issue.

Note: To see detailed update status and errors for devices in your reports, Windows diagnostic data must be enabled in your tenant. Toggle this setting on for Intune under Tenant administration > Connectors and tokens > Windows data.

The journey’s just beginning

Try drivers and firmware update management with Intune today and get ready to take full advantage of everything else that’s coming! For a short demo of this capability, and answers to recent questions from the community, I encourage you to watch our recent Tech Community Live AMA on Windows updates in Intune: drivers, firmware, and Autopatch.

We’re already working on the next big improvements to driver management. While plans may change, this year, we’re hoping to deliver the following capabilities:

  • Seeing all devices for which a driver is applicable
  • Knowing the device model that a driver supports
  • Bulk editing
  • Aligning driver approvals with Patch Tuesday. Note: this would ensure that if a reboot is required, it reboots along with the monthly security update.

Also coming later this year: deeper driver controls in Windows Autopatch, including the ability to deploy optional drivers, maintain manual control over driver approvals at the ring level, and use these functions for your custom Autopatch groups. Read more about groups in this blog post: What’s new in Windows Autopatch: May 2023. More information will be available through the Autopatch blog in the coming months.

Want to learn more about the benefits and new capabilities? Check out Coming soon to Intune: Windows driver and firmware updates.

For more information, please see the Intune documentation at https://aka.ms/IntuneDriversDocs.