Like hardware drivers, you also need to adapt and stay current with your administrative approach to keep devices running properly.
Applications and operating systems require constant vigilance to make sure the latest versions get installed for stability and security. One area that tends to get overlooked is drivers. Management of device drivers and firmware is even more critical now that remote work is more commonplace. Deploying these updates requires some planning for proper execution. One way to deliver content to remote workers is to tap into the flexibility of the cloud with System Center Configuration Manager (SCCM), Windows Update for Business (WUfB) and the cloud management gateway. Using these products together gives you control over content delivery through SCCM with the cloud providing the binaries.
Most hardware vendors supply their tools to complement SCCM’s out-of-the-box features for driver management. This article will focus on using HP tools, but the main concepts of driver management are generally the same among vendor utilities.
How are drivers typically deployed and managed with SCCM?
In the enterprise, driver installation occurs during two phases of the lifecycle of a machine: during the bare-metal installations via driver packages in an SCCM task sequence and when a machine is up and running.
The latest versions of drivers are often installed during operating system deployment. But, in my experience, most organizations fail when it comes to driver servicing once the device is in the user’s hands. Many times, the drivers are only updated when IT identifies critical security or stability issues. It’s a reasonable practice to keep tight control of driver versions on devices, but this can lead to outdated drivers on many devices, which can open the organization to vulnerabilities or cause stability problems on the machine.
[embedded content]
To help with driver management, you should divide your machines into different categories:
- Office computers. Microsoft Office applications and web-based services are the most important programs on these machines; and
- Sensitive computers. Machines that should not receive continuous servicing updates. Examples of these devices include factory machines and computers in health services. You might want to consider a long-term servicing channel approach and deploy driver updates every two or three years on these machines.
You should consider additional precautions the following types of driver categories, due to the impact on the end users:
- Network drivers. Potential problems include loss of connectivity during the upgrade. Also, a mismatch of network drivers and firmware on network hardware, such as switches, can cause issues.
- Video drivers. Some applications, such as computer-aided design software, require specific versions of video drivers to function properly. It’s essential to keep these drivers updated, but it might require additional communication with your business.
How do you handle BIOS updates?
Traditionally, deploying a BIOS update is risky. An interrupted installation can corrupt the BIOS and “brick” the PC, leaving it unable to boot.
Hardware vendors have developed ways to avoid this and perform BIOS consistency checks when a computer starts. Another problem that has plagued administrators is patching a BIOS that has an admin password configured. WUfB delivers BIOS updates via UEFI capsule, which does not require entering the password to deploy the automatic update.
Which options do you have for SCCM driver management?
There are many ways to handle driver servicing in SCCM. This article will focus on three:
- third-party driver management in SCCM
- WUfB
- for organizations with HP Windows devices, the HP client management tools: HP Image Assistant (HPIA), HP Manageability Integration Kit (HP MIK) and HP Client Management Script Library (HP CMSL)
How to set up third-party driver management in SCCM
Microsoft’s recent development efforts in SCCM include the integration of third-party patching in the console. This functionality has its roots in System Center Updates Publisher, a popular custom update tool for many organizations.
The early implementation of this feature had some problems; for example, SCCM would download all drivers and firmware updates after the first software update synchronization, which resulted in a heavy network load when SCCM would pull in several thousand updates to your infrastructure. Microsoft has resolved this issue and made it possible to specify which models you want to sync.
The default configuration in SCCM version 2010 and later supports deployment of third-party updates. If you are using an earlier version of SCCM, you will need to set this manually.
When you use third-party driver management in SCCM, you deploy drivers and firmware updates the same way as a Windows update. Some of the partner catalogs are free, but there is a charge to use others. To use this functionality via the internet, one option is to distribute the content to a cloud management gateway.
If you run your software update point remotely from your top-level site server, you will need to configure the software update point to run SSL. Regular maintenance of the software update point and Windows Server Update Services database is also crucial to avoid synchronization problems and other issues.
The process to configure SCCM and distribute third-party updates is:
- enable third-party updates;
- enable third-party updates in client settings;
- sync the catalog;
- approve the updates; and
- deploy the updates to the clients.
There are two places where you enable third-party updates, the software update point and the client settings. Microsoft provides a complete guide for the SCCM configuration at this link.
To configure third-party updates on the software update point, check Enable third-party software updates. This setting is found under the Third Party Updates tab in the software update point properties.
Next, run a software update sync, and you should see the drivers coming into the SCCM console.
For clients to receive the third-party drivers and firmware updates, you also need to select Yes in the Enable third-party software updates settings under the client configuration under Software Updates.
How to set up Windows Update for Business
Windows Update for Business is a managed version of Windows Update with settings to configure update channels and rings to plan your feature update deployment.
You can use WUfB to deliver drivers to machines with a hands-off approach. However, this method also means that it’s impossible for in-depth control of driver deployment.
You control WUfB via Group Policy or a mobile-device management platform. For Group Policy, the settings are located at Computer Configuration > Administrative Templates > Windows components > Windows Update > Windows Update for Business.
HP tools for managing driver updates in SCCM
For organizations with HP products, the vendor offers several driver tools. The one you choose depends on your requirements.
HP Image Assistant. This tool automates the process that checks IT’s custom images to ensure Windows machines get the correct drivers, patches and BIOS settings. By default, HPIA uses HP’s servers to provide the data, if not explicitly told to use a local copy. HPIA also supports sync from an offline repository. This tool works in conjunction with SCCM, Intune, Windows Autopilot or as a standalone application.
HP Manageability Integration Kit. During the installation process, HP MIK adds multiple plugins used for different administrative tasks, including driver updates. HP MIK uses a separate agent that extends the Windows Management Instrumentation class for SCCM to manage HP hardware. SCCM integration lets you create driver packages and boot images with the latest drivers via the SCCM console.
HP Client Management Script Library. HP CMSL is a collection of six PowerShell modules used to automate many hardware management tasks, such as driver package updates. You can use these scripts with a SCCM task sequence to handle tasks related to HP device firmware and drivers. Some of the modules require other modules to function, so installing all the modules is advised.
Leave a Reply