About a year ago I published a script which provided dynamic updates for Dell, HP, Lenovo and Microsoft systems which are managed by Intune. The script uses the Intune Management Extension to run the dynamic driver update process in an Autopilot enrollment of a system, ensuring that you have the latest and therefore hopefully the most stable drivers. Recently, however, I have thought about developing a script or a tool that would always keep your Intune or standalone system up to date, similar to some OEM included applications.

Introducing Drivers as a Service version 1.0.0

This is the first version of what I like to call “Drivers as a Service”, a PowerShell developed solution that provides continuous automatic updating of drivers on supported hardware platforms. The solution consists of the following;

  • Single MSI installation
  • Supports the following environments;
    • Intune
    • Standalone
    • Configuration Manager
  • Two core components;
    • Windows Service
      The Windows service runs under local system context and therefore allows update operations that the client can’t or at least should not be able to perform
    • Tray Application
      The tray application runs under the local user context in order to provide some functions to the Windows service along with presenting toast style notifications to the end user
  • Supported hardware platforms;
    • Dell
    • HP
    • Lenovo
    • Microsoft (coming in version 1.01)
  • Supported Operating Systems;
    • Windows 10

Let's look at the solution and see how it works;

Installing DaaS

Download the DaaS installation MSI from Microsoft Technet (https://gallery.technet.microsoft.com/scriptcenter/Drivers-as-a-Service-ef36f155). In this example we will manually run the installation, but of course you can silently deploy the MSI.

  • Launch the installer;

  • Click on next to view the read me and proceed through to complete the installation

  • A restart is required in order to complete the installation

Once installed you will now notice that you have a new service listed in the list of your Windows services;

After restarting your machine the service will start up, and the tray application will receive status messages from the running service, which will be presented to the user. These status messages are not verbose in nature, and with feedback I might also introduce an option to either make these more verbose or remove them entirely with the exception of update events. For now here is the experience for the end user;

  • Initial notification message – Checking for driver updates

  • Zoomed notification;

Driver Update Maintenance Window

When coming up with the idea for this, one issue with updates was the fact that Intune in its current state does not have maintenance windows. I thought about adding in registry entries to allow you to specify these, however the Windows active hours setting is an option which the initial version of this tool will use to prevent the updates applying within “business” hours. If a new version of the driver package is available to install, the end user receives a notification of this and the impending update;

In the above example we can see that the machine is running within the active hours specified in Windows, which by default are 8am to 5pm. After changing the active hours for demonstration purposes, we can now see that the driver installation process starts;

  • The end user is notified of the update process taking place

  • Driver installation commences

  • Should a restart be required the end user will be prompted, otherwise they will be advised of the next check
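
As an added illustration (not the DaaS source code), the active hours check described above could look like this in PowerShell. It assumes the active hours are read from the ActiveHoursStart and ActiveHoursEnd values under HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings; the function name Test-InActiveHours and its parameters are hypothetical.

```powershell
# Added example, not part of the DaaS tool. Assumption: the user-configured
# active hours live in the Windows Update UX settings key used below.
function Test-InActiveHours {
    [CmdletBinding()]
    param(
        # Time to evaluate; defaults to now. Exposed so the logic can be exercised offline.
        [datetime]$At = (Get-Date),
        [string]$SettingsPath = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    )

    # Fall back to the 8am to 5pm default when the values have never been written.
    $start = 8
    $end   = 17
    $settings = Get-ItemProperty -Path $SettingsPath -ErrorAction SilentlyContinue
    if ($null -ne $settings) {
        if ($null -ne $settings.ActiveHoursStart) { $start = [int]$settings.ActiveHoursStart }
        if ($null -ne $settings.ActiveHoursEnd)   { $end   = [int]$settings.ActiveHoursEnd }
    }

    $hour = $At.Hour
    if ($start -eq $end) {
        # Degenerate configuration: treat it as "no active window".
        return $false
    }
    if ($start -lt $end) {
        # Same-day window, e.g. 8 -> 17.
        return ($hour -ge $start -and $hour -lt $end)
    }
    # Window wraps past midnight, e.g. 22 -> 6.
    return ($hour -ge $start -or $hour -lt $end)
}

# Gate a SYSTEM-context update job on the result.
if (Test-InActiveHours) {
    Write-Output 'Inside active hours: defer driver installation.'
} else {
    Write-Output 'Outside active hours: driver installation may proceed.'
}
```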

Deployment via Intune

Deployment of the tool is very straightforward;

  • Simply log onto your tenant, go to Apps and click on the “+” icon to add an application
  • Select “Line-of-business app”
  • Select the MSI installer;

  • Click on the App Information section and fill in additional required fields;

  • Now deploy the application to a group or make it available, as in the example below;

Logs

The service by default automatically adds key steps to the application log;

Verbose logs are located at the following path: C:\Program Files\SCConfigMgr\Drivers As A Service\Logs. Below is a sample output from the Run-DriversAsAService log which contains output from the Windows service;

What about ConfigMgr environments?

For environments where ConfigMgr is managing your client estate you can also use the same solution. The difference is that the administrator must have a task sequence configured to run the modern driver management solution in “DriverUpdate” mode. The ID of that task sequence should be set in HKLM:\Software\SCConfigMgr\Drivers As A Servce\ConfigMgrTSID as below;

The client will then call the task sequence (which obviously will need to be deployed) in order to start the upgrade process and offload the restarting function to the task sequence / ConfigMgr client.

  • Invoke the Invoke-CMApplyDriverPackage.ps1 with the -DeploymentType “DriverUpdate” switch

  • Restart the computer to apply the updates

  • In this instance the user will be informed of the maintenance but the task sequence will restart the computer;

For more information on the Modern Driver Management solution, please visit – http://www.scconfigmgr.com/modern-driver-management/

Feedback

As always, test in isolation and if you find bugs, or have feedback please send an email through to [email protected]

Maurice Daly

Maurice has been working in the IT industry for the past 18 years and is currently working in the role of Principal Consultant with TrueSec. With a focus on OS deployment through SCCM/MDT, group policies, Active Directory, virtualisation and Office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017.

comments
  • Keith Nail
    Posted at 15:53 November 22, 2018

    Thanks Maurice!

  • Meni Adam
    Posted at 16:29 November 22, 2018

    How safe is the tool to use in an enterprise environment?

    • Maurice Daly
      Posted at 06:00 November 23, 2018

      If you are managing the tool via SCCM then it is only going to call the task sequence you specify in the registry, if you are using Intune however it will pull content direct from the internet. It is all about testing a roll out and seeing what impact it has on your environment before deploying to the entire enterprise.

      • Jo Janssens
        Posted at 09:28 November 23, 2018

        Is there a way to run this tool in Intune/Stand-alone mode even if there is an SCCM client on the machine?

        • Maurice Daly
          Posted at 12:22 November 26, 2018

          So are you saying you would like the ability for the client to reach out to the vendor sources if the machine is on the internet zone for example?

          • Jo Janssens
            Posted at 13:53 November 26, 2018

            Yes, actually both intranet and internet mode.

            We currently do not have the webservice needed for modern driver management + the stand-alone mode of modern driver management (using a fileshare) is not a great solution for internet machines.

          • Maurice Daly
            Posted at 14:43 November 26, 2018

            Hi Jo,

            I will include a switch you can specify in the BIOS to allow you to do this then in a build I’ll put up this evening. The standalone method is really the only alternative to using the web service as it currently stands, due to the fact some form of matching and local repository needs to take place if you want to limit your network traffic. There might be something on the horizon that could cater for the dynamic method without the web service or standalone file share however.

            Maurice

  • Dallan Reilly
    Posted at 18:16 November 22, 2018

    Excellent stuff Maurice, keep up the great work!

  • Chris
    Posted at 09:58 November 23, 2018

    What does it mean the “Supports the following environment” -> Standalone. Is this also running without having a ConfigMgr or an Intune subscription?

    • Maurice Daly
      Posted at 12:23 November 26, 2018

      Standalone in this instance, means “un-managed”.

      • Chris
        Posted at 16:46 November 29, 2018

        Thanks for the reply. I can run the DaaS client with unmanaged devices and it works fine. For devices managed by SCCM I got a little bit of a problem while the service is scanning for the task sequence. After inserting the reg with the TS ID, the DaaS log is not using the TSID (ConfigMgr task sequence package ID for modern driver management: ). The task sequence is available for the client (also shown in the Software Center) and a manual start of the task sequence is deploying the Invoke.ps1 as well. The modern driver management works fine, but is not triggered via the DaaS client.

        • Maurice Daly
          Posted at 00:36 December 8, 2018

          Hi Chris,

          I will look into this for you.

          Maurice

  • Richard
    Posted at 19:17 December 3, 2018

    Has anyone figured out how to leave ConfigMgr local authority but allow internet based driver updates? I think it’d be a great solution for internet based updates of drivers when required vs micromanaging for all groups.

  • John
    Posted at 03:11 December 4, 2018

    I assume your script uses PNPUtil.exe to install drivers. How do you overcome issues with unsigned drivers requiring user input?

  • Richard
    Posted at 17:38 December 4, 2018

    Has anyone been able to leave SCCM as the auth but allow internet based driver updates for machines that don’t need to be micromanaged?
