23 | Add/remove Azure AD devices to your policies
24 |
25 |
26 | Browse driver and firmware updates that are available for your devices
27 |
28 |
29 | Approve and schedule driver updates
30 |
31 |
32 | Suspensions of approvals
33 |
34 |
35 | Unenroll devices from driver management
36 |
37 |
38 |
39 |
40 |
41 |
42 |
Known Issues for Web Application
43 |
44 | "Refresh" required after large batch device add/remove to accurately
45 | portray device count
46 |
47 |
48 |
49 |
50 |
Batch Device Add/Remove CSV File Format
51 |
52 | Easily create a list of devices in Excel using the following format
53 |
54 |
55 |
56 |
57 | All fields need to be included (@odata.type, id, #microsoft.graph.windowsUpdates.azureADDevice)
58 |
59 |
60 | Add Azure AD device Ids - all values are case sensitive
61 |
62 |
63 | Save file as CSV - only CSV files can be uploaded for batch changes
64 |
65 |
66 | Limit each CSV to less than 200 devices - create multiple files if needed
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
Support
75 |
76 | For issues, please send email to wufbdrivers@microsoft.com with
77 | the following information:
78 |
79 |
80 |
81 |
82 | Description of the issue
83 |
84 |
85 | AAD Device ID (this can be found by issuing this
86 | command locally through PowerShell: dsregcmd /status)
87 |
88 |
89 | After checking for updates in Windows Update,
90 | please attach the log generated by the
91 | Windows Update Log Collection Tool
92 |
93 | . These logs contain information that will allow us to search for
94 | related service events and device settings.
95 |
96 |
97 | Policy ID created in the web application
98 |
88 | setShowConfirmModal(false)}
91 | deviceId={selectedDeviceId}
92 | policyId={selectedPolicyId}
93 | refreshPolicy={refreshPolicy}
94 | messageToDisplay="This action will remove the device from the service entirely. If it
95 | was added to other Drivers policies it will be removed from them as
96 | well."
97 | />
98 |
99 |
100 | );
101 | }
102 |
--------------------------------------------------------------------------------
/src/pages/UpdatePage/UpdatePage.js:
--------------------------------------------------------------------------------
1 | import { Button, Col, Container, Nav, Row } from "react-bootstrap";
2 | import { IoChevronBackCircleSharp } from "react-icons/io5";
3 | import "./UpdatePage.css";
4 |
5 | import React, { useEffect, useState } from "react";
6 | import { UpdatesTable } from "../../components/table/UpdatesTable";
7 | import { useUpdateData } from "../../hooks/useUpdateData";
8 | import { useParams } from "react-router-dom";
9 | import SpinnerCommon from "../../components/SpinnerCommon";
10 | import { BsFileBreak } from "react-icons/bs";
11 | import { ToastContainer } from "react-toastify";
12 | export default function UpdatePage() {
13 | const { id } = useParams();
14 | const [
15 | updatesInfoData,
16 | isAutomaticPolicy,
17 | catalogIdToApprovals,
18 | catalogIdToRevokedContentApproval,
19 | catalogIdToApprovedContentApproval,
20 | isLoading,
21 | refreshUpdatesData,
22 | ] = useUpdateData(id);
23 | const [driversUpdates, setDriversUpdates] = useState([]);
24 | const [isRecommendedUpdatesSelected, setIsRecommendedUpdatesSelected] =
25 | useState(false);
26 |
27 | const handleNavigationClick = (isRecommendedUpdates) => {
28 | const recommendedUpdates = [];
29 | const otherUpdates = [];
30 | // filter out the updates that are recommended by Microsoft
31 | for (let i = 0; i < updatesInfoData.length; i++) {
32 | if (updatesInfoData[i].matchedDevices.length > 0) {
33 | if (
34 | updatesInfoData[i].matchedDevices[0].recommendedBy.includes(
35 | "Microsoft"
36 | )
37 | ) {
38 | recommendedUpdates.push(updatesInfoData[i]);
39 | } else {
40 | otherUpdates.push(updatesInfoData[i]);
41 | }
42 | } else {
43 | otherUpdates.push(updatesInfoData[i]);
44 | }
45 | }
46 | setIsRecommendedUpdatesSelected(isRecommendedUpdates);
47 | setDriversUpdates(isRecommendedUpdates ? recommendedUpdates : otherUpdates);
48 | };
49 |
50 | useEffect(() => {
51 | // When the page is loaded, the recommended updates are selected by default
52 | handleNavigationClick(true);
53 | }, [updatesInfoData]);
54 |
55 | if (isLoading) {
56 | return ;
57 | }
58 |
59 | return (
60 |
61 | {/* First row contain the title and back button */}
62 |
63 |
331 | );
332 | };
333 |
334 | export default EditPolicyModal;
335 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | # [Archived] Windows Update for Business Deployment Service Web App
3 | # Important
4 | **This sample has been archived and is no longer being maintained. As part of the archival process, we're closing all open issues and pull requests.**
5 |
6 | # Introduction
7 | Welcome to the Windows Update for Business deployment service Web Application. The Web Application was designed to teach you how to interact with our API and is meant to be a sample implementation for driver management. We chose to use React for our implementation but it can be done in many ways, please note that we do not support using React to integrate with our API. The Web Application also provides an opportunity to help you manage cloud-based updates for enterprise devices.
8 |
9 | Current functionality includes:
10 | - Create manual and automatic cloud-managed driver update policies
11 | - Add/remove Azure AD devices to your policies
12 | - Browse driver and firmware updates that are available for your devices
13 | - Approve and schedule driver updates
14 | - Suspensions of approvals
15 | - Unenroll devices from driver management
16 |
17 | ## Prerequisites
18 |
19 | 1. Download and install Node.js LTS package [here](https://nodejs.org/en/download/)
20 |
21 | > **Note**
22 | > **Ensure that the LTS version is selected**
23 | 
24 |
25 | 2. Download and install code editor of your choice (We recommend Visual Studio Code, free download link [here](https://code.visualstudio.com/download))
26 | 3. To work with the deployment service, devices must meet all these requirements:
27 | - Devices must be [Azure AD joined](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join) or [hybrid Azure AD joined](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid)
28 | - Run one of the following operating systems:
29 | - Windows 11, verify supported versions [here](https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information).
30 | - Windows 10, verify supported versions [here](https://learn.microsoft.com/en-us/windows/release-health/release-information).
31 | - Have one of the following Windows 10 or Windows 11 editions installed:
32 | - Pro
33 | - Enterprise
34 | - Education
35 | - Pro Education
36 | - Pro for Workstations
37 | - Additionally, your organization must have one of the following subscriptions:
38 | - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
39 | - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
40 | - Windows Virtual Desktop Access E3 or E5 Microsoft 365 Business Premium
41 |
42 | ## Resources
43 |
44 | - API Reference Docs can be found [here](https://learn.microsoft.com/en-us/graph/api/resources/adminwindowsupdates?view=graph-rest-beta) and conceptual documents [here](https://learn.microsoft.com/en-us/graph/windowsupdates-concept-overview)
45 |
46 | - Conceptual overview of [driver management](https://learn.microsoft.com/en-us/graph/windowsupdates-manage-driver-update) utilizing our API in Microsoft Graph
47 |
48 | - Code examples for how the Web Application integrates with our API in Microsoft Graph can be found in the src > api folder
49 | - createPolicy.js - Create an [update policy](https://learn.microsoft.com/en-us/graph/api/resources/windowsupdates-updatepolicy?view=graph-rest-beta)
50 | - getMembers.js - Get members of a [deployment audience](https://learn.microsoft.com/en-us/graph/api/resources/windowsupdates-deploymentaudience?view=graph-rest-beta)
51 | - getPolices.js - Get a [list of all policies](https://learn.microsoft.com/en-us/graph/api/adminwindowsupdates-list-updatepolicies?view=graph-rest-beta)
52 | - getUpdates.js - Get all [driver updates available](https://learn.microsoft.com/en-us/graph/windowsupdates-manage-driver-update#get-inventory-of-driver-updates) for devices in a policy.
53 | - updateDeploymentAudience.js [Add or remove members](https://learn.microsoft.com/en-us/graph/api/windowsupdates-deploymentaudience-updateaudience?view=graph-rest-beta) from a deployment audience.
54 | - createApproval.js - Create an [content approval](https://learn.microsoft.com/en-us/graph/api/windowsupdates-updatepolicy-post-compliancechanges-contentapproval?view=graph-rest-beta) for devices in a deployment audience.
55 | - suspendApproval.js - [Suspend Approval](https://learn.microsoft.com/en-us/graph/windowsupdates-manage-driver-update#during-a-driver-deployment) for a driver deployment.
56 | - deletePolicy.js - [Delete an update policy](https://learn.microsoft.com/en-us/graph/api/windowsupdates-updatepolicy-delete?view=graph-rest-beta).
57 | - removeDeviceFromService.js - [Unenroll](https://learn.microsoft.com/en-us/graph/api/windowsupdates-updatableasset-unenrollassets?view=graph-rest-beta) a device from driver management
58 |
59 | - Driver Deployment workbook in Windows Update for Business Reports - Track the status and progress of all your driver deployments through our new workbook. Find out more and how you can get started by [enrolling in Windows Update for Business Reports](http://aka.ms/wufbreportsGA).
60 |
61 | ### Troubleshooting and Tips
62 | > **Note**
63 | > **Ensure devices are first enrolled in driver management before making policy changes**
64 |
65 | - **Approved content not installing on my device**
66 |
67 | It is possible for the service to receive scan events from Windows Update, make an approval, but the content not get installed on the device because of a Group Policy or Registry setting on a Windows 10 device with version 1607 and later.
68 | - Group Policy setting: If *Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates* is set to enabled, driver updates will be dropped by the device.
69 | - Registry key: Under path *HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate* with a REG_DWORD set to 1 will also drop driver updates offered by Windows Update.
70 | - Intune policy setting under *Devices | Update rings for Windows 10 and later* controls the above registry value. Make sure that Windows drivers is set to Allow for approved driver and firmware content to be installed on your devices.
71 | 
72 |
73 | - **Getting drivers and firmware from Windows Update for Business deployment service while using WSUS**
74 |
75 | Windows update [scan source policy](https://learn.microsoft.com/en-us/windows/deployment/update/wufb-wsus) enables you to choose what types of updates to get from either WSUS or Windows Update for Business service. The scan source policy allows you to specify whether your device gets updates from Windows Update or WSUS for each update type (Feature updates, Quality updates, Driver and Firmware Updates, and Other Microsoft product updates). To enable the deployment service to control the driver content offered to your devices, Driver Updates must be set to Windows Update. This policy can be configured using two methods:
76 | - Group Policy Path: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\Specify source service for specific classes of Windows Updates
77 | 
78 |
79 | - Configuration Service Provider (CSP) Policies: [SetPolicyDrivenUpdateSourceForDriverUpdates](https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#setpolicydrivenupdatesourcefordriverupdates) to 0
80 |
81 | > **Note**
82 | > **Once a device is enrolled in drivers management through the Windows Update for Business deployment service, enabling this policy and choosing to receive Driver updates through Windows Update achieves the same results as turning off driver updates. The service will not offer any driver content unless approved and you have the benefit of browsing applicable driver content that is available to your managed devices.**
83 |
84 | ### Support
85 |
86 | This sample is no longer being maintained and supported.
87 |
88 | ## Application Onboarding
89 |
90 | ### Azure App Registration
91 | This section walks through the one time registration process with Azure in order to generate an Application (client) ID and Directory (tenant) ID needed during the installation of the web application. Global admin role is required to complete these steps.
92 |
93 | 1. Sign in to the [Azure portal](https://portal.azure.com/) using an account with administrator permission. You must use an account in the same Microsoft 365 subscription (tenant) as you intend to register the app with.
94 |
95 |
96 | 2. Select Azure Active Directory.
97 |
98 | 
99 |
100 |
101 | 3. Under Manage, select App registrations > New registration
102 |
103 | 
104 |
105 |
106 | 4. Register an application
107 | - Provide the user-facing display name for this application.
108 | - For Supported account types, select Accounts in this organization directory only.
109 | - Select Register.
110 |
111 | 
112 |
113 |
114 | 5. After registering a new application, you can find the application (client) ID and Directory (tenant) ID from the overview menu option. **Make a note of the values for use later.**
115 |
116 | 
117 |
118 |
119 | ### Configure Authentication and Permissions
120 | This section is for a one time configuration of the redirect URI and tokens for the web application. It will also walk you through granting consent and authorizing permissions to access our API in Microsoft Graph.
121 |
122 | 1. Under Mange, select Authentication > Add a platform> Single-page-application
123 | 
124 |
125 |
126 | 2. Configure Single-page application
127 | - For Redirect URIs enter http://localhost:3000.
128 | - Check Access tokens and ID tokens.
129 | - Select Configure.
130 |
131 | 
132 |
133 |
134 | 3. Under Mange, select API permissions > Add a permission > Microsoft Graph
135 |
136 | 
137 |
138 |
139 | 4. Request API permissions
140 | - Select Delegated permissions.
141 | - For Select permissions, enter Windows.
142 | - Select arrow next to WindowsUpdates (1).
143 | - Check WindowsUpdates.ReadWrite.All.
144 | - Select Add permissions.
145 |
146 | 
147 |
148 |
149 | 5. Grand admin consent
150 | - Select Grand admin consent for
151 | - In the Grant admin consent confirmation pop up, select Yes
152 |
153 | 
154 |
155 |
156 | ### Access Control
157 | This section is where you configure the web application to only allow access to assigned users and select users or groups that will have access. Follow steps 3 and 4 for continued management of user access to the web application.
158 |
159 | 1. Navigate to your web app resource > Overview > select the hyperlink next to Managed application in local directory.
160 |
161 | 
162 |
163 |
164 | 2. Under manage, select Properties, select Yes next to Assignment required, and save.
165 |
166 | 
167 |
168 |
169 | 3. Under manage, select Users and groups > Add user/group
170 |
171 | 
172 |
173 |
174 | 4. Select None Selected > select users for access to the Web Application (users should have either Intune Admin role or Global Admin role which can be set in Azure AD) > users will be added to the Selected Items > Select Select > Select Assign
175 |
176 | 
177 |
178 |
179 | ## Installing and Running the Web Application
180 | This section covers modifying the Web Application to use your application (client) ID and Directory (tenant) ID, how to install the Web Application, and then how to run it.
181 |
182 | 1. Download this code repo as a ZIP file
183 | 2. Extract ZIP
184 | 3. Open root folder in your code editor (e.g. Visual Studio Code)
185 | 3. Navigate to src > config > and open authConfig.js. Replace placeholders under msalConfig with your Application (client) Id and Directory (tenant) Id from your Azure App Registration
186 | 
187 |
188 | 4. Open terminal and navigate to your root folder (if using VS Code, you can do this by easily clicking View > Terminal in the top-left menu bar)
189 | 5. Once in terminal, run `npm install`.
190 | 
191 |
192 | 6. Once install is completed, run `npm start`.
193 | 7. An Edge window will automatically open to http://localhost:3000. Sign In to begin using the web app
194 |
195 | *After this initial onboarding, simply navigate to your root folder and run `npm start` to use the app*
196 |
197 | ## How To Use the the Web Application
198 | This section walks through using the web application to manage driver updates along with some insights on how it is integrating with our API. It will provide an explanation of some of the terminology and nuanced behavior going on behind the scenes.
199 |
200 | ### Sign In
201 |
202 | The Windows Update for Business deployment service Web Application loads into a browser at URL localhost:3000. At the top right, select Sign in and provide credentials for a user that has been granted access to the web application.
203 |
204 |
205 | 
206 |
207 |
208 | On the Polices page, you can verify that that the credentials have been authenticated and the user has access to utilize the Microsoft Graph API.
209 |
210 | 
211 |
212 |
213 | ### Create a driver update policy
214 |
215 | To create a driver policy, select New. A Create Policy modal will appear allowing you to create an Automatic or Manual policy. Enter a friendly name for the policy and select Create. Friendly names are stored in the browser cache on the device where the policy was created. The policy Id GUID will be shown instead of the friendly name if the Web Application is accessed on another device or the browser cache is cleared. During policy creation, the web application first creates a deployment audience and then creates the update policy with the newly created deployment audience assigned to the policy.
216 | - Manual policy - All driver updates require manual approval.
217 | - Automatic policy - Recommended drivers are automatically approved.
218 |
219 | > **Note**
220 | > **A recommended driver means that it is the highest ranking driver that was published as Automatic**
221 |
222 | 
223 |
224 |
225 | ### Adding Devices to a policy and enrolling them driver management
226 | At the top of the modal, the Policy's friendly name is displayed and right below that is the Policy Id created in the previous step. Devices can be added to a policy either with Batch Add or Single Device. The deployment audience is updated with the Azure Active Directory device Id of each device, a window will appear at the top right of the screen notifying users that the deployment audience was updated successfully or it will return an error if the request was not successful. Once the device is added to the deployment audience it will be added to the list of devices under Device ID near the bottom of the modal. Select close at the bottom right of the modal once all devices have been added to the policy.
227 |
228 | When devices are added to a driver policy for the first time, the web application automatically calls the enrollment API to enroll that device in the service for driver management. We have documented [explicit enrollment](https://learn.microsoft.com/en-us/graph/windowsupdates-manage-driver-update#step-1:enroll-devices-in-driver-management) but the web application performs this implicitly today. We recommend using explicit enrollment for implementing enrollment capabilities with our API.
229 |
230 | - Batch Add: A CSV file (formatting requirements are documented in the about section of the web application for easy reference) with up to 200 devices can be used by selecting Choose File > select the CSV file > select Add. Create multiple files if more than 200 devices need to be added. A refresh is required after large batch device adds to accurately portray devices and device counts.
231 |
232 | **Formatting Requirements:**
233 | - All fields need to be included: @odata.type, id, #microsoft.graph.windowsUpdates.azureADDevice
234 | - Add Azure AD device Ids - all values are case sensitive
235 | - Save file as CSV - only CSV files can be uploaded for batch changes
236 | - Limit each CSV to less than 200 devices - create multiple files if needed
237 | > **Note**
238 | > **Adding or removing up to 200 devices at a time with batch is an illustration of how to utilize the API and not a limitation**
239 |
240 | 
241 |
242 | - Single Device: Individual devices can be added one at a time by entering the Azure Active Directory device Id and selecting Add.
243 |
244 | 
245 | > **Note**
246 | > **Devices can take up to 2 hours to populate after being added to a policy**
247 |
248 | ### Browse driver content
249 | From the Policies page, the web application shows the Policy Name, Device Count, and the Type of Policy that was created. To edit the Policy name or add/remove devices, select Edit under the Action column. Once devices are added to the policies deployment audience, the Windows Update for Business deployment service will start collecting scan results from Windows Update to build a catalog of applicable drivers to be browsed, approved, and scheduled for deployment. To browse drivers that are available for the devices in a policy, select View.
250 |
251 | 
252 |
253 |
254 | Drivers are displayed in two different tabs, Recommended Updates and Other Updates. Only drivers that are better than what is currently installed on devices in the policy will be cataloged to browse. The web application shows the Update Name of the driver, its Release Date, the number devices in the policy that the driver is applicable for, and the Driver Class.
255 |
256 | - Recommended Updates: Only the highest ranking drivers that are published as Automatic will be shown in the Recommended Updates tab. Microsoft recommends that content only be approved for drivers in the recommended tab unless you have a good reason to approve a driver in the Other Updates tab. See the Drivers 101 content at [aka.ms/drivers-as-a-service](https://aka.ms/drivers-as-a-service) for more information about driver publishing. Automatic policies automatically approve all drivers from the Recommended Updates tab.
257 | - Other Updates: All lower ranking drivers that are published as Automatic and all drivers that are published as manual will be cataloged in the Other Updates tab.
258 |
259 | >**Note**
260 | > **The Other Updates tab is grayed out in an Automatic Policy. To make approvals on drivers in the Other Updates tab a manual policy is required.**
261 |
262 | To see more information about each driver, select the driver and then select View MetaData. This modal provides additional information provided by the drivers publisher, including driver Description and Manufacturer.
263 |
264 | 
265 |
266 |
267 | ### Approving a driver update
268 |
269 | Select a driver to approve and then select Approve. In the Approval Settings modal, enter the date you want the service to start offering the driver to devices and then select Submit Approval. Drivers approved in the Recommended Updates tab will only be offered to devices where the driver is seen as recommended. Drivers approved from the Other Updates tab will be offered to any applicable device in the policy and be auto promoted so devices will automatically install the update when the driver is offered.
270 |
271 | 
272 |
273 | Drivers that have been approved will show the Approval Start Date in the Updates page for as long as there are devices in the policy that the driver is applicable for. Once all applicable devices have received the driver update, the approval will no longer be visible in either Updates tab. A record of all content approvals is kept in the complianceChanges document for the driver policy. For easy navigation back to the Policies page, select the back button.
274 |
275 | 
276 |
277 | ### Suspending a driver approval
278 |
279 | While a deployment is in progress, you can prevent the content from being offered to devices if they haven't already received the update by suspending the approval. Select the driver you want to suspect, then select Suspend. In the Suspend Update modal, confirm the suspension by selecting Submit Suspension. The web application is setting the the [isRevoked](https://learn.microsoft.com/en-us/graph/windowsupdates-manage-driver-update#during-a-driver-deployment) property to true in the content approval. This is the auditable way to pause a deployment and will automatically populate the revokedBy and revokedDateTime properties. To resume offering the content, a new approval will need to be created.
280 |
281 | 
282 |
283 |
284 | ### Deleting devices from a Policy and Unenrolling devices from driver management
285 |
286 | Select Edit from the Policies page to make changes to the devices. Selecting Delete next to a Device ID will remove that device from the policy, the deployment audience associated to that policy, and any deployments created for that device in the policy. This will not impact any other policy the device is a member of. Selecting Remove will unenroll the device from driver management in the service. The device is no longer managed by the deployment service and may start receiving other updates from Windows Update based on its policy configuration. The unenrolled device is removed from **all** audiences and deployments that contains driver content. The device remains registered with the service and is still enrolled and receiving content for other update categories (if applicable).
287 |
288 |
289 |
290 | ### Trademarks
291 |
292 | Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft’s Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party’s policies.
293 |
--------------------------------------------------------------------------------