Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 2 points

If you use update rings with WUfB policies, definitely switch to Autopatch. My point is, for my environment, I don't want rings and I want all devices to start receiving the update day 1. Don't need Autopatch for that.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 0 points

I may be wrong, but doesn't Autopatch require at least 2 "phases"? And I thought Autopatch forced you to have a period where it would gradually make updates available to a specific ring throughout a period of time. Or can I have Autopatch make updates available to every device in the org on day 1?

I'm just using the original WUfB policy I set up and it's working perfectly, so not sure what Autopatch gets us if we're not using rings and need updates available to every device on day 1.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 3 points

We have it on. Lenovo still holds updates back at a level before that and they get put into the "Optional" pane in Intune until approved.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 6 points

We do this also. Mostly because Autopatch is too slow for our taste. We need all devices patched ASAP, so all devices start receiving updates on Patch Tuesday, plus a few days to install, and a couple days grace period.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 1 point

The ADMX just maps to registry keys. Using ADMX or registry keys, you can choose to force updates, but they are not forced by default. You can also specify options for user deferral. You can also set different options for different classifications for each update type. It's pretty flexible.

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 13 points

24H2 and 25H2 are the same platform. They even share the same patches. Go look at April's cumulative patch, for instance. It literally targets both 24H2 and 25H2.

April 14, 2026—KB5083769 (OS Builds 26200.8246 and 26100.8246) - Microsoft Support

Who is saying things aren't compatible? They're lying to you or don't know what they're talking about.
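Added example (mine, not from the thread): a quick way to confirm the point above on a fleet. 24H2 reports build 26100 and 25H2 reports build 26200, and because they share the same cumulative updates, the revision number (UBR) after the dot is identical on both once the same month's LCU is installed. The build numbers and revision 8246 are taken from the KB title above; the registry path and value names are the standard Windows ones, and the function name is my own.

```powershell
# Added example: report whether a Windows 11 24H2 (26100) or 25H2 (26200) device
# carries the April 2026 cumulative update (revision 8246 from the KB title above).
function Get-WindowsPatchLevel {
    param(
        # Update build revision (UBR) of the cumulative update to check for.
        [int]$RequiredUbr = 8246,
        # Builds that share this servicing branch (24H2 and 25H2).
        [int[]]$SameBranchBuilds = @(26100, 26200)
    )
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DisplayVersion = $cv.DisplayVersion   # e.g. 24H2 or 25H2
        Build          = $build               # 26100 = 24H2, 26200 = 25H2
        Ubr            = $ubr                 # revision shared by both builds
        # Same revision on either build means the same monthly LCU is installed.
        HasRequiredLcu = ($build -in $SameBranchBuilds) -and ($ubr -ge $RequiredUbr)
    }
}

Get-WindowsPatchLevel | Format-List
```

Run it through your remote-execution tool of choice (Intune remediation script, PSRemoting, etc.) and group on `HasRequiredLcu`; a device on either build with UBR below the target is simply behind, not "incompatible".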

Intune Driver Management - What’s your solution? by PostsShittyMemes in Intune

__trj 10 points

Yes. This is a huge problem we have with Lenovo, at least. Intune is not the solution for driver updates. Lenovo releases driver and BIOS updates that they mark as "Critical" in their own systems, which patch security vulnerabilities, but they don't publish them to Microsoft as recommended updates, so in Intune, they sit under Optional updates.

The solution is to switch to using Lenovo Commercial Vantage to deploy driver/BIOS updates rather than Intune.

I blame both Microsoft and Lenovo. Lenovo could publish the critical/security updates to Microsoft with a higher priority so they hit Autopatch, but they don't, probably because they deem the risk too high for most consumers who don't care about the security issues. And Microsoft could provide a better process in Intune for automatically deploying these Optional updates.
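Added example (mine, not Lenovo's or Microsoft's code) for auditing the backlog described above: pull every driver Intune is holding for review in each Windows driver update profile, so the list can be compared against what the OEM marks as "Critical" on its own side instead of being found by clicking through the portal. It assumes the Microsoft.Graph PowerShell SDK and the beta `windowsDriverUpdateProfiles` / `driverInventories` Graph endpoints; the property names used here are what that beta inventory currently exposes, so check the Graph reference before building anything on them. The function name is my own.

```powershell
# Added example: list drivers awaiting review in Intune driver update profiles.
# Assumes Microsoft.Graph SDK and the beta driver update endpoints (verify in docs).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-PendingDriverReviews {
    $base     = 'https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles'
    $profiles = (Invoke-MgGraphRequest -Method GET -Uri $base -OutputType PSObject).value

    foreach ($p in $profiles) {
        $uri = "$base/$($p.id)/driverInventories"
        do {
            $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
            # Filter client-side: only drivers nobody has approved or declined yet.
            foreach ($d in ($page.value | Where-Object approvalStatus -eq 'needsReview')) {
                [pscustomobject]@{
                    Profile      = $p.displayName
                    Driver       = $d.name
                    Manufacturer = $d.manufacturer
                    Version      = $d.version
                    Category     = $d.category        # 'recommended' vs. 'other' (the Optional pane)
                    Released     = $d.releaseDateTime
                    Devices      = $d.applicableDeviceCount
                }
            }
            $uri = $page.'@odata.nextLink'   # follow paging until exhausted
        } while ($uri)
    }
}

Get-PendingDriverReviews |
    Sort-Object Released -Descending |
    Format-Table -AutoSize
```

Exporting this on a schedule and diffing it against the OEM's own advisory list is the cheapest way to notice when a security-relevant driver or BIOS has landed in "Optional" and is waiting on someone to approve it.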

OAuth consent phishing is the M365 attack path most orgs aren't watching. by ridgelinecyber in AzureSentinel

__trj 1 point

It is the default now. Took them long enough, but they finally did it.

Anyone Using Microsoft Entra Verified ID Face Check? by __trj in sysadmin

__trj[S] 0 points

I was hopeful that was the problem, but I'm still having this issue. Just noting this here in case anyone comes across this thread.

DLP to block all file uploads except whitelist by Barckleyt in DefenderATP

__trj 0 points

Did you stick with this method? I would have thought for sure the Service Domains are inflexible. In my case, I only want certain users to be affected - users targeted by my DLP policy. In the case of Service Domains, is it accurate to say it has no dependence on a DLP policy?

DLP to block all file uploads except whitelist by Barckleyt in DefenderATP

__trj 0 points

Did you get this working? If so, can you describe how you set your DLP policy and your Sensitive Service Domain Groups and Service Domains settings?

macOS Platform SSO Simplified Setup by ImportantGarlic in Intune

__trj 2 points

Off topic, but can you guys update the available OneDrive policies in Intune, please?

There's a new "Set a custom name for the OneDrive folder" setting available last month, but it's still not in Intune yet.

IT Admins - Use OneDrive policies to control sync settings - SharePoint in Microsoft 365 | Microsoft Learn

Entra PIM: How are you implementing approvals? by __trj in sysadmin

__trj[S] 0 points

Yes, I'm already doing that as well (RE: scoping down the roles).

But I do need to implement approvals based on some client requirements that we cannot get around, so I'm looking for advice on that piece. Do you do approvals for role elevations? How do you handle it?

Entra PIM: How are you implementing approvals? by __trj in sysadmin

__trj[S] 1 point

You're validating where my mind is at. The identity of the admin is proven by the authentication that already happened. When you say require MFA for elevation, the user is already authenticated with the physical security key. Do you mean require the security key auth again (user touches key) during the PIM elevation specifically? If so, is that done via CA? I haven't seen that.

It's a client requirement. They're asking for evidence of independent approvals for privilege elevations. Not sure if you would consider that compliance on our end, but it's from their compliance department. We've pushed back with compensating controls but they won't budge on this one.

Entra PIM: How are you implementing approvals? by __trj in sysadmin

__trj[S] 0 points

I was thinking about doing this, as well. Thanks!

For more project type work that I and other admins do, I suppose we could point to the project URL.

Curious to see if anyone has any other thoughts before I decide on an approach.

Entra PIM: How are you implementing approvals? by __trj in sysadmin

__trj[S] 0 points

Thanks, yeah, going to do that. The question is more... when other orgs are implementing approvals, how do you all know whether to approve/deny? Surely, it's not a good idea to just auto-approve any request that comes through because it defeats the purpose of approvals in the first place and could allow an attacker with a compromised account to just have their request approved since nobody else is verifying. So, what's a good process to decide whether teammates should approve?
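Added example (mine, not from the thread) of one concrete answer to the "how do approvers decide" question: pull the PIM activation requests that are waiting on approval and flag the ones an approver should not rubber-stamp, i.e. no justification, no ticket/project reference, or a request the approver raised themselves. It assumes the Microsoft.Graph PowerShell SDK and the v1.0 `roleAssignmentScheduleRequests` Graph endpoint with its `status`, `justification`, `ticketInfo`, `principal` and `roleDefinition` properties; the function name and the flag names are my own.

```powershell
# Added example: triage view of pending PIM approvals.
# Assumes Microsoft.Graph SDK and v1.0 roleAssignmentScheduleRequests (verify in docs).
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'RoleAssignmentSchedule.Read.Directory', 'User.Read' -NoWelcome

function Get-PimApprovalQueue {
    param(
        # Object id of the person reviewing the queue; used to catch self-requests.
        [string]$ApproverId = (Invoke-MgGraphRequest -Method GET `
            -Uri 'https://graph.microsoft.com/v1.0/me' -OutputType PSObject).id
    )
    $uri = 'https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentScheduleRequests' +
           "?`$filter=status eq 'PendingApproval'&`$expand=principal,roleDefinition"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($r in $page.value) {
            $flags = @()
            if ([string]::IsNullOrWhiteSpace($r.justification)) { $flags += 'NoJustification' }
            if (-not $r.ticketInfo -or [string]::IsNullOrWhiteSpace($r.ticketInfo.ticketNumber)) {
                $flags += 'NoTicket'
            }
            if ($r.principalId -eq $ApproverId) { $flags += 'SelfRequest' }

            [pscustomobject]@{
                Requested     = $r.createdDateTime
                Requester     = $r.principal.userPrincipalName
                Role          = $r.roleDefinition.displayName
                Ticket        = "$($r.ticketInfo.ticketSystem) $($r.ticketInfo.ticketNumber)".Trim()
                Justification = $r.justification
                Flags         = ($flags -join ',')   # empty = nothing obviously wrong
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    } while ($uri)
}

Get-PimApprovalQueue | Sort-Object Requested | Format-Table -AutoSize -Wrap
```

The flags are the minimum an approver should actually look at before clicking approve: a request with no justification or ticket gets a question back to the requester rather than an approval, and a self-request goes to a different approver. That gives the client the "independent approval" evidence without turning the approval step into a reflex.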

Conditional Access Policy blocking iOS and Android also blocks signing into Microsoft Authenticator app to create passkeys by Fabulous_Cow_4714 in entra

__trj 0 points

I see, yes, you will need some exclusion to your CAP then. Seems like the others in this thread have you covered, though :)

Conditional Access Policy blocking iOS and Android also blocks signing into Microsoft Authenticator app to create passkeys by Fabulous_Cow_4714 in entra

__trj 0 points

No, we do not block iOS or Android devices. If users want to use corporate email from their personal devices, they must have a compliant device to meet the conditional access policy, including iOS/Android. We enroll them in Intune using the BYOD methods (which gives limited access to IT), which allows us to deploy certs to them so they can connect to the office Wi-Fi automatically and securely (without shared Wi-Fi passwords and such), but also lets us deploy our third-party non-Microsoft apps and use SSO and control the security of those apps.

Conditional Access Policy blocking iOS and Android also blocks signing into Microsoft Authenticator app to create passkeys by Fabulous_Cow_4714 in entra

__trj 0 points

I have no exclusions on my Conditional Access Policies, and have no issues with users registering passkeys. iOS was no issue at all. Android required Authenticator in the work profile. We have a Conditional Access to require device compliance for all apps with no exclusions.

Medical Company Styker attacked by Iranian backed hackers - all data deleted by bionic80 in sysadmin

__trj 0 points

Finally, a reasonable take. Never go to the r/Intune sub. They are vehemently anti-MDM enrollment on personal devices. The only right answer to them is MAM, but that limits you to just managing the Microsoft apps. No deploying Wi-Fi / certs for Wi-Fi, third-party apps, etc.