Add Offer Deferrals to Driver and Firmware Policies

Published On: February 15, 2023Last Updated: January 14, 2024By Tags: , , 3.3 min readViews: 406

It’s been a day or so since the release of the public preview of Driver and Firmware management (SEE PRESS RELEASE HERE), and many of you may have used the GUI to create your policies, and have been left scratching your head as to why you cannot specify a deferral period. Well, let me let you into a secret, IT IS.

If you have looked at my Driver Management via Graph API and PowerShell post, I call it out within the Create an Update Policy section.

So, how do we add this to our policies so you don’t have to re-create your policies? Let’s take a look shall we.

Prerequisites

  • Permissions to connect to the Graph API with the following scopes
    • WindowsUpdates.ReadWrite.All
  • Microsoft.Graph PowerShell Module

Connecting to the Graph API

Connecting via this module could not be easier, follow the below steps after ensuring the Microsoft.Graph module is installed.;

  1. Launch a PowerShell prompt
  2. Enter `Connect-MgGraph -Scopes WindowsUpdates.ReadWrite.All -ContextScope Process`, hit Enter
  3. Sign in, If not already consented, you will be prompted with an image like the below. You can choose to grant for yourself or your organisation if you have the permissions.
mgpsAuthPrompt
mgpsAuthPrompt

Microsoft Graph Profile Selection

The first thing we need to do before running any commands is call `Select-MgProfile -Name beta` to ensure we are using the Beta endpoint of the Microsoft Graph.

Add/Update Deferral Dates

Throughout the rest of this article we will be referring to a script called Update-PatchDeferrals.ps1, this script can be found by using the GitHub Resource link below.

The aim of this script is to simplify the process as much as possible for everyone. I will step through the manual process so the understanding of what is happening is there, but for simplicity, the use of the script (or function within) will be the better option.

To update a policy using the script, it simply needs to be called as follows;

`Update-PatchDeferrals.ps1 -updatePolicyID ‘cc4fbe71-a024-41c2-a99f-559dcde6e916’ -deferralTime ‘PT5D’`

Looking through the Function

The basic premise of this script is to use the current complianceChangeRules, but only modify the durationBeforeDeploymentStart property which will control the deferral date. I thought the simplest way to do this was to pull in the current configuration, and amend only the durationBeforeDeploymentStart property. Let’s take a look at how we achieve this then shall we.

First of all, we have our Mandatory parameters, updatePolicyID and the deferralTime. The update policy ID can be found by looking at the Listing Update Policies section in my original article.

The deferralTime, is the parameter that gives us what we need. This needs to be formatted in the ISO8601 standards for duration (LINK), for example, If we added PT1H, that would defer the update for an hour before offering. If we was to use P10D, that would defer the offer for 10 days.

Copy to Clipboard

The first thing the function then does in the begin section is form the base object for the POST request later in the module, it then fulfils the `$complianceChangeRules` variable with the current settings from the policy.

Copy to Clipboard

In the process section, this is where the object combines the `$paramBody` and the `$complianceChangeRules` objects, and then for each object in the complianceChangeRules array, it will update the deferral time.

Copy to Clipboard

Finally, within the end section, we post the `$paramBody` object to the Graph API to update the deferral on the policy.

Copy to Clipboard
Note

This deferral will only apply to updates approved Automatically after the change has been made. Any current approvals are unaffected.

Closing Thoughts

From what I have been seeing in the community, there seems to be an air of expectation that this would have been released with Intune UI Capability. However, what has been released is the foundations of the building, it is everything that underpins the structural walls of what is to come!, without what we have today, the roof would never be added!

Add Offer Deferrals to Driver and Firmware Policies

Published On: February 15, 2023Last Updated: January 14, 2024By Tags: , , 3.3 min readViews: 406

It’s been a day or so since the release of the public preview of Driver and Firmware management (SEE PRESS RELEASE HERE), and many of you may have used the GUI to create your policies, and have been left scratching your head as to why you cannot specify a deferral period. Well, let me let you into a secret, IT IS.

If you have looked at my Driver Management via Graph API and PowerShell post, I call it out within the Create an Update Policy section.

So, how do we add this to our policies so you don’t have to re-create your policies? Let’s take a look shall we.

Prerequisites

  • Permissions to connect to the Graph API with the following scopes
    • WindowsUpdates.ReadWrite.All
  • Microsoft.Graph PowerShell Module

Connecting to the Graph API

Connecting via this module could not be easier, follow the below steps after ensuring the Microsoft.Graph module is installed.;

  1. Launch a PowerShell prompt
  2. Enter `Connect-MgGraph -Scopes WindowsUpdates.ReadWrite.All -ContextScope Process`, hit Enter
  3. Sign in, If not already consented, you will be prompted with an image like the below. You can choose to grant for yourself or your organisation if you have the permissions.
mgpsAuthPrompt
mgpsAuthPrompt

Microsoft Graph Profile Selection

The first thing we need to do before running any commands is call `Select-MgProfile -Name beta` to ensure we are using the Beta endpoint of the Microsoft Graph.

Add/Update Deferral Dates

Throughout the rest of this article we will be referring to a script called Update-PatchDeferrals.ps1, this script can be found by using the GitHub Resource link below.

The aim of this script is to simplify the process as much as possible for everyone. I will step through the manual process so the understanding of what is happening is there, but for simplicity, the use of the script (or function within) will be the better option.

To update a policy using the script, it simply needs to be called as follows;

`Update-PatchDeferrals.ps1 -updatePolicyID ‘cc4fbe71-a024-41c2-a99f-559dcde6e916’ -deferralTime ‘PT5D’`

Looking through the Function

The basic premise of this script is to use the current complianceChangeRules, but only modify the durationBeforeDeploymentStart property which will control the deferral date. I thought the simplest way to do this was to pull in the current configuration, and amend only the durationBeforeDeploymentStart property. Let’s take a look at how we achieve this then shall we.

First of all, we have our Mandatory parameters, updatePolicyID and the deferralTime. The update policy ID can be found by looking at the Listing Update Policies section in my original article.

The deferralTime, is the parameter that gives us what we need. This needs to be formatted in the ISO8601 standards for duration (LINK), for example, If we added PT1H, that would defer the update for an hour before offering. If we was to use P10D, that would defer the offer for 10 days.

Copy to Clipboard

The first thing the function then does in the begin section is form the base object for the POST request later in the module, it then fulfils the `$complianceChangeRules` variable with the current settings from the policy.

Copy to Clipboard

In the process section, this is where the object combines the `$paramBody` and the `$complianceChangeRules` objects, and then for each object in the complianceChangeRules array, it will update the deferral time.

Copy to Clipboard

Finally, within the end section, we post the `$paramBody` object to the Graph API to update the deferral on the policy.

Copy to Clipboard
Note

This deferral will only apply to updates approved Automatically after the change has been made. Any current approvals are unaffected.

Closing Thoughts

From what I have been seeing in the community, there seems to be an air of expectation that this would have been released with Intune UI Capability. However, what has been released is the foundations of the building, it is everything that underpins the structural walls of what is to come!, without what we have today, the roof would never be added!