Guest Nir_Froimovici Posted November 2, 2021 Posted November 2, 2021 Today I am excited to announce the public preview for the Windows Update for Business deployment service will be available in Microsoft Graph and in Microsoft Endpoint Manager in the first half of 2022! Don't miss our Microsoft Ignite depth on demand session for a closer look at the deployment service, and read on for valuable insights, including: Drivers 101 – How do drivers and firmware updates make it to Windows Update? How does Windows Update identify the best drivers and/or firmware for your device? Management and reporting with Windows Update for Business and Microsoft Graph – How did we build the service? How does Microsoft Graph empower application builders to create management experiences for admins, to approve and schedule drivers and firmware updates? A roadmap update – A look at what's to come and an invitation to join our engineering neighborhood and the preview! Note that while I will be using the term drivers exclusively from here, firmware updates are included in this definition, as they are published to Windows Update, target Windows devices, and offered to devices in the exact same way as non-firmware driver updates. Drivers 101 How do drivers and firmware updates reach Windows Update? Drivers are primarily built by independent hardware vendors (IHVs) like Intel or Realtek and original equipment manufacturers (OEMs) like Dell and Lenovo. The hardware ecosystem for Windows devices includes hundreds of partners who continuously build new drivers and deliver updates to existing ones. All drivers must be certified by the Windows Hardware Dev Center and signed by Microsoft for Windows to install them, and most are published to Windows Update. How drivers submitted by IHVs and OEMs make their way to Windows Update Through flighting and gradual rollout, the Microsoft Drivers and Firmware Shiproom validates all drivers before making them generally available on Windows Update. Driver flighting in the Partner Center enables hardware partners, including IHVs and OEMs, to distribute drivers within defined Windows Insider rings, while providing automatic monitoring and evaluation. Be sure to review the driver validation program for more details on this program. When driver validation is complete, Microsoft gradually rolls out drivers over 30 days while applying monitoring and scrutiny. At the first sign of concern, rollout is stopped, and further investigations quickly determine if the update can resume rollout or if it must be removed from Windows Update. How do IHVs and OEMs configure drivers and firmware updates to target devices? Drivers are built for specific hardware components that are identified by unique IDs: A Hardware ID (HWID) is a vendor-defined identification string that Windows reads from the hardware component itself, locally on a system, and uses to match a device to an INF file that is part of any driver package authored by a hardware vendor. Hardware vendors use the INF file to define which hardware components the driver is designed for, and the same IDs are used for targeting these components when drivers are published to Windows Update. A Computer Hardware ID (CHID) is part of a set of hardware ID values for a computer that specify a combination of the System Management BIOS (SMBIOS) field data. CHIDs provide several levels of specificity to help identify systems. Driver publishers can add an additional layer of targeting by including CHIDs on top of HWIDs to target specific system models with the hardware components the driver was designed for. Publishers can manage how Windows Update offers drivers by specifying whether an update should be offered during the automatic daily scan or offered only when an end user manually initiates a scan. Accordingly, these publishing options are called Automatic and Manual: Automatic publishing, previously known as Critical, instructs Windows Update to immediately offer any such update to applicable devices as soon as possible, usually during the automatic daily scan. Publishing a driver as automatic will ensure the fastest delivery to many more scanning systems, pushing drivers that meet the HWID and/or CHID targeting applicability requirements to systems. Manual publishing, previously known as Optional, instructs Windows Update to offer such updates to applicable devices when the end user checks for updates in the Settings App. Publishers use this option to deliver the driver to Windows Updates while controlling the flow of offering to devices by limiting it to pull requests. How does Windows Update identify the best drivers and/or firmware for my device? When a Windows device scans Windows Update, it sends the service the HWIDs that identify all hardware components in the device, CHIDs for the system, and a complete list of the drivers that are already installed on the device for each hardware component. Windows Update then goes through a two-step applicability and ranking process to determine if a better driver exists on the service. During the applicability process, Windows Update gathers the complete list of published drivers that target HWIDs and/or CHIDs in a system. When these drivers are identified, Windows Update ranks them. During ranking, Windows Update sorts applicable updates by version and publication date and identifies the placement of the drivers that are already installed for the component on the sorted list. This is repeated for each hardware component in the system, based on the set of applicable drivers. If there are no drivers that rank higher than the one currently on the device, then no better driver exists, and Windows Update will not offer an option. However, if there are newer drivers on the list, Windows Update will pick the highest ranking one—normally by version number or version date—and will offer that better driver. Generally, Windows Update only considers automatic drivers for its ranking process. Manual drivers that are either newer or of a most recent version are not considered better than what is already installed on the scanning system during the automatic scan. The only exception is when the end user scans manually, which allows Windows Update to consider the best ranked driver across automatic and manual publications. Management and reporting in Windows Update for Business and Microsoft Graph The Windows Update for Business deployment service is already part of Microsoft Graph, and it enables app developers who integrate with our platform to create management experiences for Windows Update servicing. In March of 2021, we announced the deployment service at Microsoft Ignite and I offered an initial walkthrough of its capabilities, using Microsoft Intune to illustrate how a managed device experience changes when it is enrolled in the deployment service. In this week's Microsoft Ignite session, I offer a deeper look at how the deployment service is integrated with Windows Update and how Graph is used by Intune to provide browsing, approval, and scheduling capabilities in the portal. Don't miss the November Microsoft Ignite session for more details and for demos by David Guyer on live code in the Intune portal and Aria Carley on how Configuration Manager devices can access driver management in the cloud by turning on dual-scan group policy for drivers. This leaves Configuration Manager in Windows Server Update Services unchanged while the deployment service provides net-new driver management capabilities. How the driver and firmware servicing service interacts with Microsoft Graph Just as Intune integrates with Graph to build management experiences, any app developer can do so too. We built a web application that integrates with Graph to provide admins early access to these capabilities whether during the current private preview or the upcoming public preview. The web application allows admins to create new driver policies, browse applicable drivers, and take approval and scheduling actions. It will be open source during the public preview, and you'll have insight into the integration with Graph. We're also excited to share a first look at the management reporting that will support driver servicing capabilities when they reach public preview. These reports will be available as Workbooks in our analytics product for Windows Update for Business: Update Compliance. Reporting will be launched for: Approved updates, including drilldowns to show individual device impact. Recommended updates that require attention, including drilldowns to show individual device impact. Suspended updates will also be reported. Roadmap The public preview for Microsoft Graph kicks off at the beginning of 2022. We'll make the web app repository available publicly and release the management reporting in Update Compliance. Mark your calendars for the public preview of the deployment service in Intune coming in first half of 2022. Join the community and enroll in the private preview Want to stay informed and to engage with other IT admins in the community? Be sure to join our engineering neighborhood in the Windows Customer Connection Program (select the option in question 5). Regular updates, including timing for all preview phases will be provided via Microsoft Teams. Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.