How to handle driver updates with Intune when one set of computers can't utilize Intune for the driver updates

Sami Tiainen 61 Reputation points


We just recently bought new devices from a new vendor. For these the recommended way to update drivers is via Intune (Windows Update). For the old units we can't use this, since it messes up things badly.

So for our fleet we have disabled driver updates via Windows Update.

Now I should ensure we get both the new and old devices serviced. How to do this without creating too much administrative overhead?

So far I have had 3 Update pilot rings and 1 Production ring, all managed with user names. This has been handy since then we don't need to keep track who uses which device and we can create the pilot groups based on user names.

I've created MS Entra ID groups that separate the old and new devices, BUT now reading the documentation it seems that you can't use a dynamic device group to include and a user group to exclude from a ring.

So how to do this in a controlled manner, so that we do not need to keep track of who has a new and who has an old device?

Or do I really need to switch all update rings to be assigned with device groups?


Accepted answer
  1. ZhoumingDuan-MSFT 8,840 Reputation points Microsoft Vendor

    @Sami Tiainen, Thanks for posting in Q&A.

    If you want to assign ring policies only to new devices and exclude old devices, the official documentation recommends assigning policies only to device groups rather than a mix of device and user groups, as this can cause conflicts.

    You can create two groups, one containing new devices and one containing old devices, and when you assign the policy, you can include the new devices and exclude the old ones so that users can perform driver updates without logging in to the device.

    Hope above information can be helpful.


4 additional answers

  1. Pavel yannara Mirochnitchenko 11,956 Reputation points MVP

    If I get your question right, you want to serve drivers for new devices, but not old ones - one way would be to create model-specific device groups, to which you would apply Driver Update policy.


  2. Sami Tiainen 61 Reputation points


    Yes, exactly. But until now I have divided people into rings based on USER names, not computer names. If I understood the documentation correctly, the exclusions do not work across group types.

    And also I can see this in my pilot for the new device type. Even if I exclude Pilot group X (where I'm a member) the policy will be in conflict when I look in the report.

    I have created groups based on computer vendors, but using these would mean I need to start making the update rings based on computer names, not user names. This is definitely not ideal to maintain in the long run.

    It seems that as the computers and users do not have a reference between each other, you can't include a computer group and exclude a user group - or vice versa.

  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  4. Sami Tiainen 61 Reputation points


    Yes, I see the point ofc - it works like in the on-premises world. But it would be a huge improvement to actually be able to use USER names for such deployments for updates/update rings/software and then make exclusions based on computer brand.

    As we might have cases where computer names are re-used and users might change computers quite frequently, it is all manual work to keep these rings working as desired for the selected pilot users. Also, some users might have more than one computer, and then this deploy per user/exclude per device would be really handy.

    But it is what it is I guess. Thanks for your help and Pavel extra thanks for your 1st of May wishes =)
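One way to reduce the manual work described in this thread, as an added example that is not from any of the posters or from Microsoft's documentation: mirror a user-based pilot ring into an assigned (static) device group, keeping only devices from one manufacturer, so the ring can be assigned to device groups only. It assumes the Microsoft Graph PowerShell SDK, that the Intune primary user identifies who uses a device, and that the group IDs and manufacturer name passed in are your own values (the parameter names are hypothetical).

```powershell
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.DirectoryManagement
# Added example: sync a USER-based pilot ring into a static DEVICE group.
param(
    [Parameter(Mandatory)] [string] $UserRingGroupId,    # existing user pilot group (placeholder)
    [Parameter(Mandatory)] [string] $DeviceRingGroupId,  # assigned device group to fill (placeholder)
    [Parameter(Mandatory)] [string] $Manufacturer,       # vendor string as reported by Intune
    [switch] $Apply                                      # without this switch nothing is changed
)

# Request only the delegated scopes this script needs.
Connect-MgGraph -Scopes 'GroupMember.ReadWrite.All', 'Device.Read.All',
                        'DeviceManagementManagedDevices.Read.All'

# 1. Users in the pilot ring (nested groups and other object types are skipped).
$userIds = @(Get-MgGroupMember -GroupId $UserRingGroupId -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    Select-Object -ExpandProperty Id)

# 2. Managed devices whose primary user is in the ring and whose vendor matches.
$managed = @(Get-MgDeviceManagementManagedDevice -All |
    Where-Object { $_.UserId -in $userIds -and $_.Manufacturer -eq $Manufacturer })

# 3. Map each Intune record to its Entra ID device object (groups hold object IDs).
$wanted = @(foreach ($m in $managed) {
    $dev = Get-MgDevice -Filter "deviceId eq '$($m.AzureAdDeviceId)'"
    if ($dev) { [pscustomobject]@{ Name = $m.DeviceName; ObjectId = $dev.Id } }
    else      { Write-Warning "No Entra ID device object for $($m.DeviceName)" }
})

# 4. Compare with current membership; add what is missing, report what is stale.
$current = @(Get-MgGroupMember -GroupId $DeviceRingGroupId -All |
    Select-Object -ExpandProperty Id)
$toAdd = @($wanted  | Where-Object { $_.ObjectId -notin $current })
$stale = @($current | Where-Object { $_ -notin $wanted.ObjectId })

foreach ($d in $toAdd) {
    if ($Apply) {
        New-MgGroupMember -GroupId $DeviceRingGroupId -DirectoryObjectId $d.ObjectId
    }
    $verb = if ($Apply) { 'Added' } else { 'Would add' }
    Write-Output "$verb $($d.Name)"
}
# Stale members are only reported so that removals stay a reviewed, manual step.
$stale | ForEach-Object { Write-Output "Stale member (review manually): $_" }
```

Run it on a schedule per ring; a user with several matching devices gets all of them added, and a re-used computer name does not matter because membership is keyed on the device object ID.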
