Add Offer Deferrals to Driver and Firmware Policies

David Brook
4 Min To Read
15 Feb, 2023
- Drivers
- Firmware
- Updates
- Driver and firmware

It’s been a days or so since the release of the public preview of Driver and Firmware management (SEE PRESS RELEASE HERE), and many of you may have used the GUI to create your policies, and have been left scratching your head as to why you cannot specify a deferral period. Well, let me let you into a secret, IT IS.

If you have looked at my Driver Management via Graph API and PowerShell post, I call it out within the Create an Update Policy section.

So, how do we add this to our policies so you don’t have to re-create your policies? Let’s take a look shall we.

Prerequisites

Permissions to connect to the Graph API with the following scopes
- WindowsUpdates.ReadWrite.All
Microsoft.Graph PowerShell Module

Connecting to the Graph API

Connecting via this module could not be easier, follow the below steps after ensuring the Microsoft.Graph module is installed.;

Launch a PowerShell prompt
Enter Connect-MgGraph -Scopes WindowsUpdates.ReadWrite.All, hit Enter
Sign in, If not already consented, you will be prompted with an image like the one below. You can choose to grant for yourself or your organisation if you have the permissions.

Microsoft Graph Profile Selection

The first thing we need to do before running any commands is call Select-MgProfile -Name beta to ensure we are using the Beta endpoint of the Microsoft Graph.

Add/Update Deferral Dates

Throughout the rest of this article we will be referring to a script called Update-PatchDeferrals.ps1, this script can be found by using the GitHub Resource link below.

The aim of this script is to simplify the process as much as possible for everyone. I will step through the manual process so the understanding of what is happening is there, but for simplicity, the use of the script (or function within) will be the better option.

To update a policy using the script, it simply needs to be called as follows;

Update-PatchDeferrals.ps1 -updatePolicyID 'cc4fbe71-a024-41c2-a99f-559dcde6e916' -deferralTime 'PT5D'

Looking through the Function

The basic premise of this script is to use the current complianceChangeRules, but only modify the durationBeforeDeploymentStart property which will control the deferral date. I thought the simplest way to do this was to pull in the current configuration, and amend only the durationBeforeDeploymentStart property. Let’s take a look at how we achieve this then shall we.

First of all, we have our Mandatory parameters, updatePolicyID and the deferralTime. The update policy ID can be found by looking at the Listing Update Policies section in my original article.

The deferralTime, is the parameter that gives us what we need. This needs to be formatted in the ISO8601 standards for duration (LINK), for example, If we added PT1H, that would defer the update for an hour before offering. If we was to use P10D, that would defer the offer for 10 days.

[CmdletBinding()]
param (
    # The Update Policy ID
    [Parameter(Mandatory = $true)]
    [string]
    $updatePolicyID,
    # ISO8601 Timeformat for Deferral
    [Parameter(Mandatory = $true)]
    [string]
    $deferralTime
)

The first thing the function then does in the begin section is form the base object for the POST request later in the module, it then fulfils the $complianceChangeRules variable with the current settings from the policy.

begin {
    #The Base Object for the post Body
    $paramBody = @{
        "@odata.type"         = "#microsoft.graph.windowsUpdates.updatePolicy"
        complianceChangeRules = @()
    }
    # Create the param body base
    $complianceChangeRules = (Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/$updatePolicyID" -Method GET).complianceChangeRules
}

In the process section, this is where the object combines the $paramBody and the $complianceChangeRules objects, and then for each object in the complianceChangeRules array, it will update the deferral time.

process {
    
    $paramBody.complianceChangeRules += $complianceChangeRules
    $paramBody.complianceChangeRules | foreach-object {
        $_.durationBeforeDeploymentStart = $deferralTime
    }

}

Finally, within the end section, we post the $paramBody object to the Graph API to update the deferral on the policy.

end {

    Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/admin/windows/updates/updatePolicies/$updatePolicyID" -Method PATCH -Body $paramBody
}

This deferral will only apply to updates approved Automatically after the change has been made. Any current approvals are unaffected.

Closing Thoughts

From what I have been seeing in the community, there seems to be an air of expectation that this would have been released with Intune UI Capability. However, what has been released is the foundations of the building, it is everything that underpins the structural walls of what is to come!, without what we have today, the roof would never be added!