Deploy and update existing drivers via WSUS the smart way
Keeping your client PC drivers updated is an important part of both reliability and security. Drivers routinely have critical security vulnerabilities that can allow an attacker to gain admin permissions. Using outdated drivers can also have far-reaching impacts that cause terrible issues, including things like leading Outlook to crash. Driver updates are a seriously overlooked area in keeping your users happy. [Article last updated 2017-08-11]
Some manufacturers have special update tools you can leverage, but they eventually abandon updating them, and require their own special administration by IT. But, you've probably noticed that if you check Windows Update on a consumer machine, Microsoft provides certain kinds of driver updates. Don't you wish WSUS could do that? It actually can, for some of them.
Unfortunately, the most backwards and arcane part of WSUS is drivers. You probably saw the Classification during WSUS configuration. Don't enable it! You'll break the database. The problem is that driver packages can support tens or hundreds of different device variants across many Windows versions. However, WSUS isn't quite as flexible.
Take, for example, the Intel display driver. Check out the number of entries in the Microsoft Update Catalog for version 188.8.131.5227. There are 92 in the list! And each one is there for a reason - because Microsoft can't consolidate all the variants and OS combinations into one specific update. Some of this is architectural limitation, some of this is because you can't approve updates per OS version. Either way, this isn't very helpful to you.
You're probably asking, "Okay, so I found the drivers to import. But if all I see is the driver name when I update computers from Windows Update, how do I know which driver to import?"
The display names of updates in Windows Update and WSUS are actually just cosmetic. The real magic is the GUID behind them - called the "Update ID." You can see this ID in the update details in Update Catalog, or in the bottom pane in WSUS.
The secret is, you can search Microsoft Update Catalog for those Update ID's. That's exactly what we're going to do. But how do you find them?
Let's say you want to get a snapshot of all deployable drivers in Windows Update that you can add to WSUS for a computer model.
- Reinstall Windows 10 from installation media for the Windows 10 version you're deploying drivers to.
- Install the network driver if required to get Internet connectivity.
- On the machine, under Windows Update, check Microsoft for updates. They should automatically install.
- Open PowerShell as Administrator and run the following command: Get-WindowsUpdateLog
- On your desktop will be a file named "WindowsUpdate.log"
- Look for the lines that say "Added update [GUID].### to search result"
The GUID, without the trailing numbers, is the update ID your computer detected. Be aware that there may be multiple groups of these Update IDs in the log.
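The log step above is easy to do by hand for one or two drivers, but a fresh install usually detects many. The following PowerShell script is an added example, not part of the original article: it reads the WindowsUpdate.log that Get-WindowsUpdateLog writes to the Desktop, pulls out every "Added update … to search result" line, strips the trailing revision number, and deduplicates the GUIDs so they can be pasted straight into the Update Catalog search. The embedded sample log lines are constructed for illustration and are only used when no real log file is present.

```powershell
# Added example (not from the original article): collect the Update IDs that a
# client detected, from the WindowsUpdate.log produced by Get-WindowsUpdateLog.
# Assumes the log sits on the current user's Desktop, which is where the cmdlet
# places it; adjust $logPath if you moved it.

$desktop = [Environment]::GetFolderPath('Desktop')
$logPath = Join-Path $desktop 'WindowsUpdate.log'

# Constructed sample lines standing in for a real log, so the parsing logic can be
# tried on any machine. They are ignored when the real file exists.
$sampleLog = @'
2017/08/11 10:15:02.1234567 1234  5678  Agent  * START * Finding updates
2017/08/11 10:15:03.2345678 1234  5678  Agent  Added update 11111111-2222-3333-4444-555555555555.201 to search result
2017/08/11 10:15:03.2345679 1234  5678  Agent  Added update 11111111-2222-3333-4444-555555555555.201 to search result
2017/08/11 10:15:03.3456789 1234  5678  Agent  Added update aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.3 to search result
2017/08/11 10:15:04.0000000 1234  5678  Agent  Found 2 updates and 0 categories
'@

function Get-DetectedUpdateId {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines
    )
    # Capture the GUID; the ".###" revision number after it is discarded, because
    # the Update Catalog search wants only the bare Update ID.
    $pattern = 'Added update (?<id>[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\.\d+ to search result'
    $ids = foreach ($line in $LogLines) {
        if ($line -match $pattern) { $Matches['id'].ToLower() }
    }
    # The agent may log the same ID in several scan groups; keep one copy of each.
    $ids | Sort-Object -Unique
}

$lines = if (Test-Path $logPath) {
    Get-Content -Path $logPath
} else {
    Write-Warning "No $logPath found; using constructed sample lines instead."
    $sampleLog -split "`r?`n"
}

$updateIds = Get-DetectedUpdateId -LogLines $lines

# One ID per line: paste each into the Update Catalog search box without brackets.
$updateIds

# Save the list so it can be carried over to the WSUS server for importing.
$updateIds | Set-Content -Path (Join-Path $desktop 'DetectedUpdateIds.txt')
```

Running it against the constructed sample yields two IDs (the duplicate line collapses to one), which matches what you would expect to paste into the catalog. Run it on each model you image, and keep the resulting text files; they are the inventory of what Windows Update would have offered that machine.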
Using the Update ID to import compatible drivers
Open the Microsoft Update Catalog. If possible, you should do this on the WSUS server by clicking the "Updates" category on the left of the console, and clicking "Import Updates" on the right.
For each Update ID you've found, copy and paste it, without brackets, into the search field, and hit Enter.
You can then add each update to your basket, and import them into WSUS. On the next check-in, each computer will scan itself for that driver update, and show it as Needed in the WSUS console, ready for installation.
For some reason, WSUS will sometimes import multiple old versions of a driver, so you will need to Decline them in WSUS if you see multiple drivers named the same, with different Release Dates.
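Finding those duplicated driver titles by eye gets tedious once a few models' worth of drivers have been imported. This PowerShell script is an added example, not the article's or Microsoft's own tooling: it runs on the WSUS server with the UpdateServices module, groups non-declined driver updates by title, and lists every copy older than the newest one so they can be declined. It assumes the console's "Release Date" column corresponds to the CreationDate property of the update object, and it changes nothing until $Commit is set to $true.

```powershell
# Added example (not from the original article): report driver updates in WSUS that
# share a title but have different creation dates, and optionally decline the older
# copies. Assumes a WSUS server with the UpdateServices PowerShell module (Server 2012
# and later); Get-WsusServer returns the IUpdateServer object used here.

Import-Module UpdateServices
$wsus = Get-WsusServer

function Get-StaleDriverDuplicate {
    param(
        [Parameter(Mandatory)] $UpdateServer
    )

    # Only driver-classified updates that are still active are of interest.
    $drivers = $UpdateServer.GetUpdates() |
        Where-Object { $_.UpdateClassificationTitle -eq 'Drivers' -and -not $_.IsDeclined }

    $groups = $drivers | Group-Object -Property Title | Where-Object { $_.Count -gt 1 }

    foreach ($group in $groups) {
        # Newest copy of this title is kept; each older copy is reported.
        $ordered = $group.Group | Sort-Object -Property CreationDate -Descending
        $ordered | Select-Object -Skip 1 | ForEach-Object {
            [pscustomobject]@{
                Title        = $_.Title
                UpdateId     = $_.Id.UpdateId
                CreationDate = $_.CreationDate
                NewestKept   = $ordered[0].CreationDate
                Update       = $_
            }
        }
    }
}

$stale = Get-StaleDriverDuplicate -UpdateServer $wsus

# Review pass: show what would be declined. Nothing changes until $Commit is $true.
$stale | Format-Table Title, UpdateId, CreationDate, NewestKept -AutoSize

$Commit = $false
if ($Commit) {
    foreach ($item in $stale) {
        $item.Update.Decline()
        Write-Host "Declined '$($item.Title)' ($($item.UpdateId)) dated $($item.CreationDate)"
    }
}
```

Check the report against the WSUS console before flipping $Commit; a title that is legitimately shared by drivers for different hardware variants should not be collapsed this way, so treat the list as candidates rather than an automatic decision.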
Complications and caveats
This is not a replacement for central driver deployment and management. This is a bonus method to ensure extra coverage. Not every driver update you see in Windows Update is available to load in WSUS, and some drivers will just not install properly. This is expected; unfortunately, Microsoft does not really test this kind of scenario when certifying drivers.
Use a test group before approving each update on your server.