Update Rings and Driver Management with Intune
Introduction
In the ever-evolving landscape of modern IT, maintaining a secure and productive Windows endpoint environment is paramount. This often boils down to effective management of operating system updates and device drivers. Microsoft Intune, a cloud-based endpoint management solution, provides robust capabilities to orchestrate these critical processes, ensuring devices are patched, secure, and performant without disrupting user productivity.
This article delves into the intricacies of update rings and driver management within Intune. It's tailored for IT professionals, system administrators, and cloud engineers responsible for endpoint management, security, and compliance in organizations deploying Windows devices. We will explore how to leverage Intune to define, deploy, and monitor update rollouts and ensure device drivers are managed efficiently and effectively across your fleet.
Why this matters
Effective update and driver management is not merely a technical task; it has significant business implications. Timely application of security updates is a cornerstone of a strong cybersecurity posture, directly reducing an organization's attack surface and mitigating the risk of data breaches or operational disruptions caused by unpatched vulnerabilities. From a compliance standpoint, many regulatory frameworks mandate specific patch management policies, making robust update processes essential for avoiding penalties and maintaining certifications.
Furthermore, well-managed drivers ensure optimal device performance, reduce compatibility issues, and enhance user productivity by minimizing downtime due to driver-related errors. Conversely, poorly managed updates or drivers can lead to unstable systems, increased support calls, higher IT operational costs, and ultimately, a negative impact on employee efficiency. Intune streamlines these processes, improving overall security, compliance, and operational efficiency while freeing up IT resources for more strategic initiatives.
Key concepts
- Windows Update for Business (WUfB): A cloud-based service that provides device management over Windows Updates. Intune integrates with WUfB to deliver updates to managed devices.
- Update Rings (Windows quality update policies): Intune policies that define how Windows quality updates (monthly security updates) are deployed to groups of devices. They include settings for deferrals, deadlines, and user experience.
- Feature Update Policies: Intune policies that control the deployment of Windows feature updates (new versions of Windows, e.g., Windows 10 21H2, Windows 11 22H2). They allow organizations to specify a target Windows version and manage rollouts.
- Driver Update Policies: Intune policies specifically designed to manage the deployment of driver updates for Windows 10 and Windows 11 devices. These policies offer granular control over driver categories and approval processes.
- Deployment rings: A strategy involving phased rollouts of updates to different groups of devices (e.g., pilot, early adopters, broad deployment) to minimize risk and identify issues early.
- Microsoft Graph API: A unified API endpoint for accessing data and intelligence from Microsoft 365. Intune integrates with Graph API for programmatic management of policies and monitoring.
- Azure AD (now Microsoft Entra ID): The identity and access management service used to authenticate and authorize users and devices managed by Intune.
Step-by-step implementation
To illustrate the creation of an Intune Update Ring and Driver Update Policy:
- Sign in to the Microsoft Intune admin center: Navigate to endpoint.microsoft.com.
- Create a Windows Update Ring (Quality Updates):
  Go to Devices > By platform > Windows > Windows update rings, click + Create profile, and provide a Name (e.g., "Windows 10/11 Quality Update Ring - Pilot"). For a pilot group, set Update settings as follows:
  - Quality update deferral period (days): `3` (defer quality updates for 3 days after release).
  - Feature update deferral period (days): `0` (feature updates are controlled by a separate policy).
  - Set feature update uninstall period (2 - 60 days): `10`.
  - Automatic update behavior: `Auto install and reboot at maintenance time`.
  - Restart checks: `Allow`.
  - Windows update notifications: `Use default Windows Update notifications`.
  - Users can pause Windows updates: `Not allowed`.
  - Users can scan for Windows updates: `Allow`.
  - Require user approval to restart out of active hours: `Yes`.
  - Grace period for auto-restart (2 - 120 minutes): `60`.
  - Auto-restart warning reminder (15 minutes to 24 hours): `240`.
  Under Update deadlines:
  - Quality update deadline (days): `5` (users have 5 days to install quality updates before a forced restart).
  - Feature update deadline (days): `None` (managed by a Feature Update policy).
  Click Next, assign the policy to your pilot group (e.g., an Azure AD security group containing pilot users/devices), then Next and Create.
- Create a Driver Update Policy:
  Go to Devices > By platform > Windows > Windows drivers update policies and click + Create profile. In the Basics tab, provide a Name (e.g., "Windows 10/11 Driver Updates - Pilot") and a Description. In the Update settings tab:
  - Manage driver updates: `Auto approve and supersede drivers` (for a pilot, you might choose `Approve recommended, decline optional` or `Manual approve` to be more cautious initially).
  - Enable Driver updates: `Yes`.
  Click Next, assign the policy to your pilot group, then Next and Create.
- Monitor Update Compliance:
  Go to Reports > Windows updates. Here you can monitor the deployment status of your quality, feature, and driver updates, including compliance rates, errors, and device status.
The same kind of ring can be created programmatically with the Microsoft Graph PowerShell SDK. Update rings are device configurations of the Graph type windowsUpdateForBusinessConfiguration, so the property names below follow that resource type and the group ID is a placeholder to replace:

```powershell
# Connect to Microsoft Graph; device configuration policies (update rings included)
# require the DeviceManagementConfiguration.ReadWrite.All permission.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Settings for a broad-deployment quality update ring. Property names follow the
# Graph windowsUpdateForBusinessConfiguration resource type.
$updateRingSettings = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "Windows Update Ring - Broad Deployment"
    description                        = "Standard quality update ring for broad deployment."
    automaticUpdateMode                = "autoInstallAndRebootAtMaintenanceTime"
    qualityUpdatesDeferralPeriodInDays = 7      # Defer quality updates by 7 days
    featureUpdatesDeferralPeriodInDays = 0      # Feature updates handled by a separate policy
    featureUpdatesRollbackWindowInDays = 10     # Feature update uninstall period
    deadlineForQualityUpdatesInDays    = 7      # Enforce quality updates within 7 days
    deadlineForFeatureUpdatesInDays    = 0      # No feature update deadline in this policy
    deadlineGracePeriodInDays          = 2      # Grace period before the forced restart
    postponeRebootUntilAfterDeadline   = $false
    userPauseAccess                    = "disabled"   # Users cannot pause updates
    userWindowsUpdateScanAccess        = "enabled"    # Users can scan for updates
    updateNotificationLevel            = "defaultNotifications"
    scheduleRestartWarningInHours      = 4      # Restart warning 4 hours (240 minutes) ahead
    skipChecksBeforeRestart            = $false # Keep restart checks
}

# Create the update ring (POST /deviceManagement/deviceConfigurations)
$ring = New-MgDeviceManagementDeviceConfiguration -BodyParameter $updateRingSettings

# Assign the ring to the broad-deployment group. Assignments are a separate call,
# not a parameter of the create cmdlet.
$assignment = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId       = "your-azure-ad-group-id-for-broad-deployment"   # Replace with your Azure AD group ID
        # Add deviceAndAppManagementAssignmentFilterId / ...FilterType here to apply an assignment filter
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $ring.Id -BodyParameter $assignment
```

Example configuration
A driver update policy is a Graph windowsDriverUpdateProfile; the example below uses that resource's property names, with comments for readability (strip them before sending the body as JSON):

```jsonc
{
  "@odata.type": "#microsoft.graph.windowsDriverUpdateProfile",
  "displayName": "Windows 10/11 Driver Updates - Production",
  "description": "Auto-approves recommended driver updates for production devices.",
  // "automatic" = Auto approve and supersede drivers; "manual" = review each driver in the admin center
  "approvalType": "automatic",
  // Defer automatically approved driver updates for 3 days after release
  "deploymentDeferralInDays": 3,
  "assignments": [
    {
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "groupId": "<production-devices-group-id>" // Replace with your Production Devices AAD group ID
      }
    }
  ]
}
```

Common pitfalls
- Overlapping policies: Deploying multiple update rings or feature update policies to the same device groups can lead to conflicts and unpredictable update behavior.
- Insufficient testing: Rolling out updates directly to a broad production environment without adequate testing in pilot groups can cause widespread issues.
- Ignoring bandwidth constraints: Large feature updates can consume significant network bandwidth, impacting users and network performance if not managed with delivery optimization.
- Lack of communication: Failing to inform users about upcoming updates, required reboots, or changes in update behavior can lead to frustration and decreased productivity.
- Neglecting driver testing: Auto-approving all drivers without a testing phase can introduce instability or compatibility issues, especially for specialized hardware.
- Inadequate reporting: Not regularly reviewing Intune's update compliance reports to identify issues, non-compliant devices, or update failures.
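The overlapping-policies pitfall can be checked for rather than discovered through unpredictable update behaviour. The script below is an added example, not code from the original article: it reports every Microsoft Entra group that is included in more than one update ring. It assumes the Microsoft Graph PowerShell SDK, read permission on device configurations and groups, and that polymorphic assignment targets expose their `@odata.type` and `groupId` through `AdditionalProperties`.

```powershell
# Added example: find Entra groups targeted by more than one Windows update ring.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All", "Group.Read.All"

function Get-UpdateRingOverlaps {
    # Update rings are deviceConfigurations of type windowsUpdateForBusinessConfiguration;
    # -ExpandProperty returns each policy's assignments in the same request.
    $rings = Get-MgDeviceManagementDeviceConfiguration -All -ExpandProperty "assignments" |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.windowsUpdateForBusinessConfiguration' }

    # Map groupId -> names of the rings that include that group. Exclusion targets and the
    # built-in "All users"/"All devices" targets use other @odata.type values and are skipped.
    $ringsByGroup = @{}
    foreach ($ring in $rings) {
        foreach ($assignment in $ring.Assignments) {
            $target = $assignment.Target.AdditionalProperties
            if ($target['@odata.type'] -ne '#microsoft.graph.groupAssignmentTarget') { continue }
            $groupId = $target['groupId']
            if (-not $ringsByGroup.ContainsKey($groupId)) { $ringsByGroup[$groupId] = @() }
            $ringsByGroup[$groupId] += $ring.DisplayName
        }
    }

    # Emit one row per group that appears in two or more rings
    foreach ($entry in $ringsByGroup.GetEnumerator()) {
        if ($entry.Value.Count -le 1) { continue }
        $group = Get-MgGroup -GroupId $entry.Key -Property "displayName"
        [pscustomobject]@{
            Group   = $group.DisplayName
            GroupId = $entry.Key
            Rings   = ($entry.Value -join '; ')
        }
    }
}

$overlaps = Get-UpdateRingOverlaps
if (-not $overlaps) { Write-Host "No group is included in more than one update ring." }
else { $overlaps | Format-Table -AutoSize }
```

The report does not evaluate assignment filters, so a group that is deliberately split across rings by include/exclude filters still shows up and needs a manual look.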
Best practices
- Implement a phased deployment strategy (deployment rings): Aligning with the Microsoft Cloud Adoption Framework's governance principles, use pilot, early adopter, and broad deployment groups for update rollouts to mitigate risk.
- Leverage Microsoft Entra ID security groups: Use dynamic or assigned security groups for assigning update and driver policies to ensure correct targeting and maintainability.
- Combine Update Rings with Feature Update policies: Use update rings for quality updates (monthly patches) and separate feature update policies to control major OS version upgrades, allowing for more granular control and testing.
- Utilize Delivery Optimization: Configure Delivery Optimization settings within Intune to reduce bandwidth consumption during update deployments, especially in distributed environments, aligning with performance aspects of the Well-Architected Framework.
- Automate monitoring and alerting: Integrate Intune reporting with tools like Azure Monitor or Log Analytics to proactively identify and alert on update failures or non-compliant devices.
- Carefully manage driver approvals: For critical or sensitive systems, consider a "manual approve" approach for driver updates after thorough testing, embracing Zero Trust principles of "verify explicitly" before allowing changes.
- Provide clear user communication: Before deploying significant updates, communicate expectations and impacts to users, improving the overall user experience and reducing helpdesk calls.