The Windows Driver Game

When you need to deploy drivers with Intune, you might find yourself asking: What’s the most efficient method for my situation? Whether it’s updating a single driver or deploying multiple drivers across an entire fleet of devices, Intune provides several options to help you get the job done. In this blog, we’ll explore these methods—focusing on how to use a Win32 app package for deployment.

The Scenario: Deploy Driver Update with Intune

I recently received a private message on the TechNet community asking for help with a driver update. The challenge? Updating the WLAN driver across 100 devices. These devices were running the built-in Microsoft driver but needed the Intel WLAN driver instead—specifically, the 2020 version. Why 2020? I forgot to ask, but hey, we’re here to solve problems, not ask too many questions.

So, how do you deploy the correct driver to these devices using Intune? Let’s break it down.

Deploy drivers with Intune Option 1: PnPUtil

PnPUtil is a straightforward tool for installing a single driver, and it integrates nicely with Intune when wrapped as a Win32 app package.

Here’s how to use it:

Step 1: Download and Extract the Driver

Start by downloading the driver package (e.g., sp111695.exe from HPE).

Install it locally to extract the files into a folder, typically C:\swsetup.

Step 2: Verify the INF Files

Ensure the extracted folder contains the .inf files required for the installation. These files are critical for PnPUtil to process the driver.

Step 3: Create the PowerShell Script

To automate the driver installation, create a PowerShell script that copies the necessary files and uses PnPUtil to install the driver. I browsed to the src folder, removed install.drv.cmd, and created a new and very simple PowerShell script:

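# Create C:\temp for the log files
New-Item -Path "C:\" -Name "temp" -ItemType "directory" -Force
# Copy the driver DLL and log the result of the copy
cmd.exe /C copy /Y .\IntelWLANdriver.dll "C:\Windows\System32\drivers" > c:\temp\hpwlandrivercopy.txt
# Add every INF under .\driver to the driver store and install it, logging pnputil's output
C:\Windows\Sysnative\Pnputil.exe /add-driver ".\driver\*.inf" /install > c:\temp\hpwlandriverpnputil.txt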

Note: Make sure to specify the full path to C:\Windows\Sysnative\Pnputil.exe, as skipping this step will cause the script to fail on 64-bit systems.

If you’re curious why it fails when you are not using the Sysnative path, check out my Sysnative blog.
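
The Sysnative requirement from the note above, handled in the install script itself. This is an added example, not the script from the original post: it picks the right folder for pnputil.exe based on the bitness of the process, logs what it did, and returns pnputil's exit code. The function name Get-NativeSystem32 is an assumption, the folder layout and log path follow Step 3, and the code must be saved as a .ps1 file so that $PSScriptRoot is set.

```powershell
# Added example (not the original post's script).
# Assumptions: saved as a .ps1 next to the .\driver folder from Step 3; log path as in Step 3.
function Get-NativeSystem32 {
    # Sysnative is a virtual alias that only exists inside a 32-bit process on 64-bit Windows.
    # In a 64-bit process the real folder is simply System32.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return Join-Path $env:windir 'Sysnative'
    }
    return Join-Path $env:windir 'System32'
}

$log     = 'C:\temp\hpwlandriverpnputil.txt'
$pnputil = Join-Path (Get-NativeSystem32) 'pnputil.exe'
$infGlob = Join-Path $PSScriptRoot 'driver\*.inf'

# Make sure the log folder exists and record which pnputil.exe is being used
New-Item -Path (Split-Path $log) -ItemType Directory -Force | Out-Null
"Process is 64-bit: $([Environment]::Is64BitProcess); using $pnputil" | Out-File $log

# Fail early, with a reason in the log, instead of letting the call fail silently
if (-not (Test-Path -LiteralPath $pnputil)) {
    "pnputil.exe not found at $pnputil" | Out-File $log -Append
    exit 1
}
if (-not (Test-Path -Path $infGlob)) {
    "No .inf files match $infGlob" | Out-File $log -Append
    exit 1
}

# Stage and install the driver package; keep pnputil's own output in the same log
& $pnputil /add-driver $infGlob /install 2>&1 | Out-File $log -Append
$code = $LASTEXITCODE
"pnputil exit code: $code" | Out-File $log -Append

# Hand pnputil's exit code back so the Win32 app reports the real result
exit $code
```

Intune's default return codes for a Win32 app treat 0 as success and 3010 as a soft reboot, so passing the exit code through lets a driver that needs a restart show up as such.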

Step 4: Package as a Win32 App

Use the IntuneWinApp tool to wrap the driver files and script into a single deployable package. This approach ensures the deployment process is smooth and scalable.

Step 5: Deploy via Intune

After packaging everything into a Win32 app, upload the package to Intune. You can target a dynamic device group to ensure only the required devices receive the update or make the app available for self-service installation via the Company Portal. Giving end-users control over when to install the update can help avoid negative feedback, especially if the driver update disrupts ongoing work.

Once the package is uploaded, defining detection rules is critical to ensure that devices with the correct driver version are skipped and only those needing the update proceed. Here’s an example detection rule using PowerShell:

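$DriverShouldBe = [version]'21.10.2.2'

# Driver version of the first matching device (empty if the adapter is not present)
$InstalledDriver = Get-WmiObject Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like "*Intel Wifi 6 AX201*" } | Select-Object -ExpandProperty DriverVersion -First 1

# Compare as [version]; comparing the raw strings would rank '9.0.0.0' above '21.10.2.2'
if ($InstalledDriver -and [version]$InstalledDriver -ge $DriverShouldBe)
{
    Write-Host "Driver OK ($InstalledDriver)"
    exit 0
}
else
{
    Write-Host "Driver Version is $InstalledDriver"
    exit 1
}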

This script checks the installed driver version for a specific device (e.g., Intel Wi-Fi 6 AX201) against the desired version ($DriverShouldBe). If the installed version is lower than the desired version, or the device is not found, the script exits with 1, which tells Intune that the app is not detected and that the correct driver should be installed.

By including a robust detection rule, you minimize unnecessary installations and ensure the deployment only targets devices that need the update. This not only improves efficiency but also prevents potential compatibility issues caused by overwriting perfectly functional d

Step 6: How It Should Look

Option 2: PnPUnattend Bulk Driver Deployment with Intune

For scenarios where multiple drivers need to be installed, PnPUnattend is an excellent choice. Why? Besides installing drivers (parameter /L), you can also use it to audit the system (parameters /s /L) and check whether those drivers match. Here’s how it works:

Step 1: Prepare the Drivers

Extract all the required drivers into a folder (e.g., C:\install\drivers).

Step 2: Configure the DriverPaths Registry Key

PnPUnattend needs to know where to look for the drivers. Use the following PowerShell script to set up the registry key:

# Folder that PnPUnattend should search for drivers
$Drivers = "C:\install\Drivers"
New-Item -ItemType Directory -Force -Path $Drivers
Copy-Item -Path ".\drivers\*" -Destination $Drivers -Recurse

# Register the folder under DriverPaths\1 so PnPUnattend knows where to look
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\PnPUnattend\DriverPaths" -Name 1 -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UnattendSettings\PnPUnattend\DriverPaths\1" -Name Path -Value $Drivers -Force

# Install the matching drivers from that folder (Sysnative path, as in Option 1)
C:\Windows\Sysnative\PnpUnattend.exe auditsystem /l

Step 3: Package and Deploy

Wrap the drivers and script as a Win32 app package and deploy via Intune. PnPUnattend will loop through the specified folder to install all compatible .inf files.

Option 3: Windows Update for Business – A Mixed Bag

Using Windows Update for Business to manage driver updates is another option, but it comes with limitations. Currently, you can only allow or block driver installations from Windows Update—you can’t control which drivers are installed or schedule updates.

For precise driver management, this option isn’t ideal. However, Microsoft’s upcoming Driver and Firmware Deployment Service promises to solve this issue by allowing IT admins to control, approve, and schedule driver updates. Until this service becomes generally available, stick with options like PnPUtil or PnPUnattend for better control.

More info: Driver and Firmware Deployment Service.

Why Win32 Apps Are the Game-Changer

The flexibility of Win32 app packaging makes it the most reliable way to deploy drivers via Intune. Whether you’re working with a single driver or an entire suite, wrapping everything into a Win32 app ensures a streamlined deployment process. Plus, it gives you the ability to:

  • Assign deployments to specific groups of devices.
  • Make apps available for self-service installation.
  • Ensure a repeatable, consistent process for driver updates.

Conclusion: Choose Wisely

If you’re deploying a single driver, PnPUtil is your go-to tool. For bulk installations, PnPUnattend offers a scalable solution. And while Windows Update for Business is an option, its current limitations mean it’s not the best choice for critical driver updates.

Whatever you choose, always test before deploying. Driver updates might seem routine, but a poorly planned rollout can lead to BSODs or frustrated users. By leveraging Intune Win32 apps, you’re taking the safest and most efficient approach to driver management.

So, what’s your preferred method for deploying drivers in Intune? Let me know your thoughts or questions! You can also find me on Bluesky.

2 thoughts on “The Windows Driver Game”

  1. Thanks Rudy. Very helpful.

    I think there is an extra brace in the detection script at the end.
    And I modified your script to try to handle if an installed driver is newer than the one you are looking for:
    $DriverShouldBe = '5.14.14.6'

    $InstalledDriver = Get-WmiObject Win32_PnPSignedDriver | where {$_.devicename -like "*Dell ControlVault w/ Fingerprint Touch Sensor*"} | Select -expandproperty DriverVersion

    if($InstalledDriver -ge $DriverShouldBe)
    {
    write-host "$_ Driver OK"
    exit 0
    }else{
    Write-Host "$_ Driver Version is $InstalledDriver"
    exit 1
    }

    1. Oww whoops a copy paste mistake 🙂 … thanks for spotting it and the improvement (-ge) makes sense 🙂
