Microsoft recently Microsoft announced a new feature to manage Windows driver and firmware updates with Microsoft Intune. A very welcome addition to the Windows Updates features we have had for a long time in Microsoft Intune. This new feature gives us more options to manage the deployment of drivers and firmware for our Windows devices. We are now able to deploy drivers in a more controlled manner by deploying them in deployment rings and first testing them on our own devices before deploying them to our end users.
I’m not going into detail on this new feature, but in the new driver update profiles we have the option to approve and deploy the drivers automatically or manually, depending on our needs.
If we chose to approve the drivers manually this means regularly visiting the Intune portal to manually review the available drivers.
To help you with this task and don’t forget this task I created an Azure Logic Apps flow to send out a report on a scheduled base to a mailbox.
Attached to that email is an Excel sheet with an overview of all recommended drivers that need to be reviewed. The drivers are listed per driver update profile on a separate sheet.
This blog post is part of the MEM (Intune) Monitoring series. An article with a short explanation of every MEM Monitoring flow I shared and links to the related articles can be found here.
The solution in short
Information regarding Driver updates for Windows is available via Microsoft Graph, as I also showed in this recent post. We can query this information using HTTP actions in an Azure Logic Apps flow, which we can run on an occurrence. We first query Microsoft Graph for all the driver update queries, which is followed by querying every single driver update profile for its recommended drivers (we can also query only the other drivers or all drivers per profile). Next, we filter out only the drivers that have a status of needs review to be further processed.
The data we now have is stored in an Excel sheet on SharePoint, after which it is attached to an email, ready to get sent out to a mailbox of choice.
The bicep files and deployment script for easy deployment can be found on my GitHub repository.
Requirements
To create this solution, we have some requirements. To query Microsoft Graph we need to have permission to perform this job. There are different options to authenticate to MS Graph and assign permissions, but I prefer an Azure Managed Identity.
The required Graph (Application) permission we need is:
DeviceManagementConfiguration.Read.All
To create an Excel sheet before we can send it via email, we (temporarily) need to save it to a SharePoint documents library. So a requirement is a document library and a (service) account with read-write permissions to the library.
And last, we need to have a mailbox. I used a service account with permission to send an email from a shared mailbox.
Setup the first part of the Logic App flow
When the requirements are in place, we can start creating the Logic Apps flow.
In the first part, we add a trigger, add actions to create an empty Excel sheet and query Microsoft Graph for the Windows driver update profile we have in our Intune tenant.
Sign in to the Azure portal and open the Logic App service. I created a blank Logic App of type Consumption.
When the flow is created, click on the name of the flow at the top of the screen, open the Identity section, and on the tab User assigned add your Managed Identity.
Open the Overview tab, which shows a few templates, and choose Recurrence.
Change the interval settings to your needs.
First, we need to compose an Excel file, otherwise, we end up with an empty sheet.
We do this by using a Compose action, which is found under the Data Operations actions. We can search for Compose or for Data Operations.
This is the input from an empty Excel sheet, you can just copy-paste this into the inputs field of the Compose action. Otherwise, you need to create an empty Excel sheet yourself and import it once in a flow to retrieve this information.
{
"$content": "",
"$content-type": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"
}
This should look like the Compose action below.
After the Compose action, we add a Create file action, which is a SharePoint action. With this action, we create an Excel sheet on a SharePoint library, as file content we use the outputs from the Compose action.
First sign in with your (service) account.
Select the Site Address from the drop-down list or choose Enter custom value and manually enter the site address.
Via the folder icon, you can browse the folder path to where the Excel sheets need to be stored.
You can manually enter a File name, ending on .xlsx. But I want it to hold the current date and time. We can do this by entering an Expression. Place your cursor on the correct place in the file name field and add the below expression:
formatDateTime(utcNow(), ‘yyyy-MM-dd-HH-mm’)
As you can see the expression is added to the file name field.
As File content, we want to add the output from the compose action. We add this as Dynamic content.
Select Outputs from the Dynamic content list.
And this is our Create file action.
Now it’s time to add our first HTTP action to the flow, with which we pull data from Microsoft Graph.
Add the first HTTP action.
As Method select GET.
As URI enter:
https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles
Choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://graph.microsoft.com as Audience.
Next, we need to add a Parse JSON action. We parse the output of the HTTP action, to be able to use the values later on in the flow.
As Content, we select Body from the Dynamic content list that body is from our HTTP action.
We could manually create our Schema, but it’s much easier to create a schema using the Use sample payload option. To create an example payload we can save and run the current flow, open the run via runs history, and grab the body from the HTTP action. Then add it via the Use sample payload option to create the schema. We can also grab the same information from the Response Preview field when we run the same query via Graph Explorer.
No matter which one you chose, add the data in the sample payload pop-up.
And this is the Parse JSON action in the first part of our flow.
Add the second part of the Logic Apps flow
In the second part of the flow, we are going to query every Driver Update profile for its driver inventory. We filter on the approval status of the driver and add worksheets and tables to the previously created Excel sheet.
We add a second HTTP action to our flow. With this query, we query every Driver profile for its driver inventory.
As Method select GET.
As URI enter:
https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles/[ID]/driverInventories?$filter=category%20eq%20%27recommended%27
Replace [ID] with the ID we can find as dynamic content.
If you want to query all drivers instead of only the recommended drivers, remove the whole filter (everything behind the question mark).
If you want to query other drivers instead of recommended drivers, replace recommended with other.
When adding the ID, the HTTP action is automatically added to a For Each action.
Choose Add Parameter and select Authentication.
As Authentication type select Managed identity.
Select your Managed identity from the list.
And add https://graph.microsoft.com as Audience.
Again the HTTP action is followed by a Parse JSON action.
Next, we add an action to create worksheets in the Excel sheet. One sheet, per driver update profile.
For this add a Create Worksheet action, which is an Excel Online (Business) action.
Choose the SharePoint site as Location where we in one of the first actions created the Excel sheet.
Select the Document library.
In the File field, we add the ID, found in the dynamic content of the Create file action.
We need to provide a name for the sheets in the Name field. But we can’t add the same name for multiple sheets, therefor we need to come up with something dynamic as most likely we have multiple driver update profiles. Therefore I add a random number behind the sheet name, by using an expression:
rand(1,100)
This is what the Create worksheet action looks like.
After the sheets are created, we need to add a table to the sheets. Without a table, the flow can’t process data from an Excel sheet.
Add a Create table action, which is also an Excel Online action.
Select the location, Document library, and add ID of the Create file action in the File field.
We also need to add a table range. Which range depends on the number of columns the table gets to store its data.
As we need to add the table range to every previously created sheet, we need to add the name of the sheet to the table range.
We can’t just add the name of the sheet to the Table range field, it needs to be in between quotes.
Add ”! (a single quote and an exclamation mark) to the Table range field before the actual table range.
The dynamic content Name of the Create worksheet should be added in between the single quotes.
We also need to add a Table name. The table name also needs to be unique, so again I added an expression to add a random number:
rand(1,100)
And we need to add the Column names.
The second part of the Logic Apps flow is ready.
Add the third part to the Logic Apps flow
In the first parts of the flow, we queried Microsoft Graph for the Windows driver update profile, and for every driver, we retrieved the recommended drivers. We also created an Excel sheet and for every driver profile, we added a sheet and table to the Excel sheet.
In the next part, we filter out all drivers that have an approval status of needs review. Only the drivers that have this needs review status are added to the table in the Excel sheet.
We add a Condition action to the flow, which is a Control action.
In the left field, we add approvalStatus from the last Parse JSON action.
We choose is equal to from the dropdown list and add needsReview to the left field.
When the condition is true the data needs to be further processed. Therefore we add the next actions under the True box. We don’t put any action under False.
We can’t directly the retrieved data to the Excel sheet. We need to first compose a row with the data we want to add to the Excel sheet.
Add a Compose action to the flow with the below JSON in the inputs field:
{
"name":,
"version":,
"manufacturer":,
"releaseDateTime":,
"applicableDeviceCount":,
"approvalStatus":,
"ProfiledisplayName":
}
Now we need to make sure the values we retrieved with the HTTP action are added in the Compose action.
Add the corresponding dynamic content (values) from one of the two Parse JSON actions, like below.
Most items are from the last Parse JSON action, the displayName is from the first Parse JSON action.
The Compose action should look like the below example.
Now that we have composed the rows, we can add the rows to the Excel sheet.
Add an Add row into a table action.
Select the Location and Documents library.
Add the ID from the Create file action and Name from the Create table action.
As the body, we add the Outputs from the Compose action.
This is the third part of our flow.
Add the last part to the Logic Apps flow
With the previous parts of the flow, we have created our Excel sheet with the Windows driver update info we want to have. But I want to receive this sheet per e-mail, as that’s also my reminder to review the drivers that need to be reviewed. This part is added in the last part of the flow.
We first add a Delay action to the flow, which delays the flow for a few minutes before it sends out the e-mail. We do this because sometimes not all data is already processed and available in the sheet when we immediately send out the e-mail. This means without the delay, you would receive an Excel sheet that doesn’t hold all data we retrieved.
We first need to retrieve the content of the Excel sheet with a Get file content action before we can attach it to the e-mail.
Select the SharePoint site address and add the ID of the Create file action.
The last action is a Send an email from a shared mailbox action, which is an Office 365 Outlook action.
Enter an email address for the sender and recipient. Add a subject and some text to the body.
Choose Add new parameter and select Attachments so we can add the attachment to the email. Add Name from the Create file action and add File content from the Get file content action.
The end result
The end result is we have this Azure Logic Apps flow created!
But more important we now receive a reminder per e-mail that we need to review our Windows drivers that are not yet approved.
In that e-mail, we find, as an attachment, an Excel sheet with different sheets and an overview of those drivers.
That’s it for this blog post.
Thanks for reading.
One small note; I don’t know how to remove the default shit with a flow, thus the first sheet is empty in the Excel sheet.
2 Comments
Hey Peter, this is great work. I’ve been messing around with this reporting for use within the environment I work in. One thing I’m finding is that the filter doesn’t seem to filter out only recommended like it seems to be written to work. Are you seeing the same thing in your experience? I can’t see a property that is included in the object that I’m able to pull this way.
Hi Thor,
When I use this filter, it filters out only the recommended drivers in my environment:
?$filter=category%20eq%20%27recommended%27