Installing driver updates is one of the most impactful maintenance operations that a PC undergoes. While drivers are being updated, core hardware components of the PC may temporarily stop functioning and may continue to be non-functional until a full reboot is performed. Network connections may bounce, displays may flicker, external peripherals (USB, Bluetooth, Thunderbolt, etc.) may disconnect. It's a big deal. Do any of these things at the wrong time on a user's computer and... well it won't be good, let's just say that.
Maybe you're luckier than I am, but in my environment with our modern, mobile workforce, there are no maintenance windows on end user PCs. Administrators can’t even be sure when or where a PC will be online, let alone available for maintenance. "Business Hours" may define when our office doors are unlocked, but our employees work wherever and whenever they choose. Hence, traditional approaches based on performing updates during non-business hours and forcefully rebooting PCs at set times are non-starters.
So, for years now, I've been searching for a way to embrace the new normal and allow end users the ability to update their PCs in a managed and automated way, while ensuring that negligent users are forced into compliance when necessary. There's almost nothing in this space today. Maurice Daly is working on a very cool "Drivers As A Service" tool that may be perfect for many organizations. It hits the low-maintenance bullseye, but in its current form still relies on the concept of maintenance windows. Once you hit a certain time of day, updates just start installing. If one user religiously shuts down her PC at 5:00pm like clockwork, then his tool may never run on her PC. And if another user is participating in a critical VoIP conference call during non-business hours, there's nothing to stop a network driver from installing right at the worst possible moment. I need something more controllable and flexible for the end user, while still being enforceable.
HP has produced some great client management tools of late and is actively developing and improving those tools. HP Image Assistant and the Client Management Script Library are absolute must-haves in your toolbox if you're managing HPs in your environment. But these tools are for admins; they're too powerful and verbose (and PowerShell-y) for end users. My thought was that if there was a way to harness the power of these tools in a user-friendly and accessible way, all wrapped up in a policy-based, manageable package, that would really be something.
And, just in case the bar wasn't already set high enough, I really need something that's as close to zero-maintenance as possible. I'm a one-man SCCM department. I don't have time to manually review/approve/publish/deploy driver updates on an ongoing basis for a regularly changing set of HP models in the org.
HP's client management tools can take care of all the scanning and evaluations, and the CVA files contain all the metadata we could possibly need. So I need to write a custom PowerShell GUI to wrap the functionality of HP Image Assistant and the HP Client Management modules in a way that's accessible to novice end users. And I need to be able to set and enforce deadlines for driver updates while giving the user the opportunity to exert some level of control over when and where those updates take place. I'll also need to be able to provide the user with custom reminder notifications when it's time to run driver updates so that they can take action before a deadline. Combining several existing community sources, I have managed to put together a custom solution that checks all my boxes. These are the key sources that I drew from:
- PowerShell App Deployment Toolkit for the general wrapper functionality and basic toolkit functions (confession: I love this toolkit almost as much as this guy.)
- Select code/concepts from Martin Bengtsson's Windows 10 Toast Notification Script
- Select code/concepts from Ryan Engstrom's HP SoftPaq Repository scripts
- Select code/concepts from Stephen Owen on WPF and PowerShell.
The final product combines one-click simplicity for the end user with policy-based management and multiple deployment modes for IT administrators. It's a driver update solution for a mobile workforce that combines administrator-defined enforceability with user-friendly flexibility.
Low Administrative Overhead
- No need to manually review and approve individual software updates.
- No WSUS/SCUP catalogs to manage or maintain. No publishing process to administer.
- Simple method for blacklisting specific Softpaqs that are known to be problematic in your environment.
- Registry-based policies for customizing the notifications and scheduling (reminder frequency, deadlines, etc.). Easily configure different policies for separate collections of PCs as needed via Group Policy or ConfigMgr compliance policies.
- Utilizes an auto-maintained internal repository of HP Softpaq EXEs. Simply specify the HP models in production and the repo maintenance script does the rest.
- Any given Softpaq file is only downloaded once to each physical office, thereby minimizing WAN utilization.
- Resulting local (LAN) file read performance is drastically superior to FTP/HTTP download routines used natively by HP tools. This results in a significant reduction in the overall time required to patch a PC while avoiding the need to pre-populate PCs with update binaries.
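As an added illustration of the repository maintenance described in the list above (example code, not the post's own script), the following uses the repository cmdlets from HP's Client Management Script Library to keep one SoftPaq repository per office share in sync for a set of platform IDs. The share paths, platform IDs and OS version are placeholders; the real 4-character platform ID for a model can be read on a representative device with Get-HPDeviceProductID.

```powershell
# Added example (not the post's script): maintain one HP SoftPaq repository per office share
# with the HP CMSL repository cmdlets. Share paths and platform IDs below are placeholders.
Import-Module HPCMSL -ErrorAction Stop

# Run Get-HPDeviceProductID on a representative device of each model to obtain its platform ID.
$SiteRepositories = @{
    '\\site1-fs01\HPRepo$' = @('0000', '1111')   # placeholder platform IDs for office 1
    '\\site2-fs01\HPRepo$' = @('0000', '2222')   # placeholder platform IDs for office 2
}
$OsVersion = '1909'   # Windows 10 release the fleet runs (placeholder)

function Update-HpSiteRepository {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$PlatformIds,
        [Parameter(Mandatory)][string]$OsVer
    )
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

    # The CMSL repository cmdlets operate on the current working directory
    Push-Location -Path $Path
    try {
        if (-not (Test-Path -Path (Join-Path $Path '.repository'))) {
            Initialize-Repository
        }
        foreach ($id in $PlatformIds) {
            # One filter per model; re-adding an existing filter is harmless
            Add-RepositoryFilter -Platform $id -Os win10 -OsVer $OsVer -Category Bios,Driver,Firmware
        }
        Invoke-RepositorySync      # downloads only SoftPaqs not already present in this repo
        Invoke-RepositoryCleanup   # removes SoftPaqs no remaining filter references
    }
    finally {
        Pop-Location
    }
}

foreach ($share in $SiteRepositories.Keys) {
    Update-HpSiteRepository -Path $share -PlatformIds $SiteRepositories[$share] -OsVer $OsVersion
}
```

Run this on a schedule under a dedicated service account that is the only identity with write access to each share; client PCs only need read access, which keeps the repository from becoming a writable drop point for anything other than the sync job.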
User-Friendly Simplicity and Flexibility
- Detects whether the PC is inside the corporate WAN and auto-selects update sources. Can seamlessly fail over from the internal repository to direct HP downloads if necessary. Updates run successfully regardless of PC location or network environment.
- All unnecessary technical detail is removed from the driver update experience. Users are given the least possible information to prevent information overload for novice users.
- No need for the user to review or select which updates to apply.
- Instructions for the user can be customized as needed by the organization, ensuring that critical warnings about PC impacts during the update process are reinforced at the proper time, thus cutting down on helpdesk interactions due to user confusion or misunderstanding.
- At deadlines, a deferral mechanism allows your users to say “Wait, now is not a good time!” (but only for a configurable number of deferrals).
- Set a maximum duration between update checks (via registry values) and the app will take care of the rest. The user gets a series of notifications as the deadline approaches. If the deadline is reached without the user manually running the updates, the app will run automatically in Forced mode.
- When the app is run in Forced mode, the user optionally gets a configurable number of last-chance deferrals (or not). Once the deferrals are exhausted, the user is presented with a countdown timer and is unable to stop the execution of the update process.
- App can also be launched in Forced mode using other management tools/methods, such as Group Policy or ConfigMgr. This is useful when there is a need to require immediate updates on a specific collection of PCs, outside of the configured deadline intervals.
- A forced reboot with a countdown timer is included after driver updates are applied.
- A local results viewer script/gui is included to allow helpdesk staff easy visibility into the status and actions of previous runs of the update app, to aid in troubleshooting processes.
- Secret keyboard shortcut can be used to abort a countdown to forced updates. Allows helpdesk to successfully comply with VIP requests to “Make this stop NOW!” (Secret keyboard shortcut is registry-defined and can be easily managed/altered via Group Policy or ConfigMgr compliance policy. If your secret keyboard shortcut is no longer a secret, just change it.)
- Local admin rights are not required for end users. The Start Menu shortcut triggers a scheduled task that runs under System context so that the app runs with the necessary elevation. No persistent Windows Service.
- BIOS password (needed for BIOS update operations) is encrypted in the registry with a salted key, rather than using the less secure methods supported natively by HP tools (plain-text strings, or locally staged BIN files that can be read by any process).
- All actions taken by the app and SoftPaq installation status are inventoried in custom WMI classes on the local PC.
- ConfigMgr Hardware Inventory is easily extended to collect this data and store it in the SQL db.
- Create reports about driver update compliance via SSRS or Power BI that read from the ConfigMgr db.
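The registry-based policies from the first list (reminder frequency, deadlines, deferral counts) and the Compliant → Remind → Forced progression described in the second list reduce to one small state function. The following is an added example, not code from the post; the policy key, state key, value names and defaults are all assumptions.

```powershell
# Added example (not the post's code): decide how the update app should run from
# registry-based policy and per-PC state. Key paths, value names and defaults are assumptions.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Contoso\DriverUpdates'   # managed via GPO/ConfigMgr
$StatePath  = 'HKLM:\SOFTWARE\Contoso\DriverUpdates\State'      # written only by the SYSTEM task

$PolicyDefaults = @{
    MaxDaysBetweenUpdates = 30   # deadline = last successful run + this many days
    ReminderStartDays     = 7    # start notifying this many days before the deadline
    MaxDeferrals          = 3    # last-chance deferrals once the deadline has passed
}

function Get-DriverUpdatePolicy {
    # Policy values win; anything unset falls back to the defaults above
    $policy = @{}
    $item = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
    foreach ($name in $PolicyDefaults.Keys) {
        $policy[$name] = if ($item -and $null -ne $item.$name) { [int]$item.$name } else { $PolicyDefaults[$name] }
    }
    [pscustomobject]$policy
}

function Get-DriverUpdateMode {
    param([datetime]$Now = [datetime]::UtcNow)   # all times handled in UTC
    $policy = Get-DriverUpdatePolicy
    $state  = Get-ItemProperty -Path $StatePath -ErrorAction SilentlyContinue

    if (-not $state -or -not $state.LastSuccessfulRun) {
        $deadline = $Now   # a PC that has never completed a run is already at its deadline
    }
    else {
        $lastRun  = [datetime]::Parse($state.LastSuccessfulRun, [cultureinfo]::InvariantCulture,
                                      [System.Globalization.DateTimeStyles]::RoundtripKind)
        $deadline = $lastRun.AddDays($policy.MaxDaysBetweenUpdates)
    }
    $deferralsUsed = if ($state -and $state.DeferralsUsed) { [int]$state.DeferralsUsed } else { 0 }

    if ($Now -lt $deadline.AddDays(-$policy.ReminderStartDays)) { return 'Compliant' }        # nothing to show
    if ($Now -lt $deadline)                                      { return 'Remind' }           # toast; user may run now
    if ($deferralsUsed -lt $policy.MaxDeferrals)                 { return 'ForcedDeferrable' } # countdown with "not now"
    return 'Forced'                                                                            # countdown, no deferral
}

function Register-Deferral {
    # Called when the user takes a last-chance deferral in Forced mode
    if (-not (Test-Path -Path $StatePath)) { New-Item -Path $StatePath -Force | Out-Null }
    $used = (Get-ItemProperty -Path $StatePath -Name DeferralsUsed -ErrorAction SilentlyContinue).DeferralsUsed
    Set-ItemProperty -Path $StatePath -Name DeferralsUsed -Value ([int]$used + 1) -Type DWord
}

function Set-DriverUpdateCompleted {
    # Called after a successful run: restarts the deadline clock and clears the deferral count
    if (-not (Test-Path -Path $StatePath)) { New-Item -Path $StatePath -Force | Out-Null }
    Set-ItemProperty -Path $StatePath -Name LastSuccessfulRun -Value ([datetime]::UtcNow.ToString('o'))
    Set-ItemProperty -Path $StatePath -Name DeferralsUsed -Value 0 -Type DWord
}

Get-DriverUpdateMode
```

Both keys live under HKLM: the policy key because HKLM\SOFTWARE\Policies is where Group Policy and ConfigMgr compliance settings normally land, and the state key so that only the SYSTEM-context task can reset a PC's deadline clock or deferral count. Were the state kept under HKCU, a user could clear their own deadline without elevation.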
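On the BIOS password point in the list above, one way to implement "encrypted in the registry with a salted key" is shown below. It is an added example, not the post's implementation: an AES key is derived from an organization secret plus a random salt (PBKDF2), the salt and ciphertext are written to the registry, and the key's ACL is cut down to SYSTEM and Administrators so a standard-user process cannot read even the ciphertext. The key path, value names and where the secret comes from are assumptions.

```powershell
# Added example (not the post's code): protect the BIOS setup password at rest.
# Key path and value names are assumptions. $Secret must come from somewhere a standard user
# cannot read (for example the SYSTEM-context script itself), never from the same registry key.
$BiosKeyPath = 'HKLM:\SOFTWARE\Contoso\DriverUpdates\Bios'

function New-DerivedKey {
    param([Parameter(Mandatory)][string]$Secret, [Parameter(Mandatory)][byte[]]$Salt)
    # PBKDF2 (Rfc2898DeriveBytes, 100k iterations) -> 256-bit key for ConvertFrom-SecureString -Key
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Secret, $Salt, 100000)
    try { $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Protect-RegistryKey {
    param([Parameter(Mandatory)][string]$Path)
    # Stop inheriting (which normally grants Users read) and allow only SYSTEM and Administrators
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Protect-BiosPassword {
    param([Parameter(Mandatory)][securestring]$Password, [Parameter(Mandatory)][string]$Secret)
    $salt = New-Object byte[] 16
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($salt) } finally { $rng.Dispose() }

    $key = New-DerivedKey -Secret $Secret -Salt $salt
    try {
        # ConvertFrom-SecureString -Key encrypts with AES; the result is a string safe to store
        $cipherText = ConvertFrom-SecureString -SecureString $Password -Key $key
    }
    finally { [Array]::Clear($key, 0, $key.Length) }

    if (-not (Test-Path -Path $BiosKeyPath)) { New-Item -Path $BiosKeyPath -Force | Out-Null }
    Protect-RegistryKey -Path $BiosKeyPath
    Set-ItemProperty -Path $BiosKeyPath -Name Salt     -Value ([Convert]::ToBase64String($salt))
    Set-ItemProperty -Path $BiosKeyPath -Name Password -Value $cipherText
}

function Unprotect-BiosPassword {
    param([Parameter(Mandatory)][string]$Secret)
    # Returns a SecureString; convert to plain text only at the moment of use
    $stored = Get-ItemProperty -Path $BiosKeyPath
    $key = New-DerivedKey -Secret $Secret -Salt ([Convert]::FromBase64String($stored.Salt))
    try { ConvertTo-SecureString -String $stored.Password -Key $key }
    finally { [Array]::Clear($key, 0, $key.Length) }
}

function Use-BiosPassword {
    param([Parameter(Mandatory)][securestring]$Password, [Parameter(Mandatory)][scriptblock]$Action)
    # HP CMSL cmdlets take the password as a plain string; expose it for the shortest possible time
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try   { & $Action ([System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# One-time, by an administrator:
#   Protect-BiosPassword -Password (Read-Host -AsSecureString 'BIOS password') -Secret $orgSecret
# At update time, under the SYSTEM task (Get-HPBIOSUpdates is an HP CMSL cmdlet):
#   Use-BiosPassword -Password (Unprotect-BiosPassword -Secret $orgSecret) -Action {
#       param($pw) Get-HPBIOSUpdates -Flash -Password $pw -Yes
#   }
```

The gain over a plain-text string or a staged BIN file is exactly the one the list item names: a process running as the logged-on user can no longer read the password, or even the ciphertext. The ceiling is also worth stating: whatever runs as SYSTEM must hold the secret to decrypt, so an administrator on the box can always recover it, which is true of any locally decryptable secret. Rotating the BIOS password is just a matter of re-running Protect-BiosPassword, and because the salt is random per PC, identical passwords do not produce identical ciphertext across the fleet.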
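The last three items describe recording each run in custom WMI classes so that ConfigMgr hardware inventory can pick the data up. Below is an added example of that pattern, not the post's code: it creates a class, writes one instance per run, and reads the history back the way a helpdesk results viewer would. The namespace, class and property names are assumptions.

```powershell
# Added example (not the post's code): record each update run in a custom WMI class so
# ConfigMgr hardware inventory can collect it. Namespace, class and property names are assumptions.
$Namespace = 'root\cimv2'
$ClassName = 'Contoso_DriverUpdateRun'

function New-DriverUpdateRunClass {
    # Creating a class needs elevation; the SYSTEM-context task has it, the end user does not
    if (Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction SilentlyContinue) { return }
    $class = New-Object System.Management.ManagementClass($Namespace, [string]::Empty, $null)
    $class['__CLASS'] = $ClassName
    $class.Qualifiers.Add('Static', $true)
    $class.Properties.Add('RunId',           [System.Management.CimType]::String,   $false)
    $class.Properties['RunId'].Qualifiers.Add('Key', $true)   # one instance per run
    $class.Properties.Add('StartTime',       [System.Management.CimType]::DateTime, $false)
    $class.Properties.Add('Mode',            [System.Management.CimType]::String,   $false)  # Remind / Forced / ...
    $class.Properties.Add('SoftPaqsApplied', [System.Management.CimType]::UInt32,   $false)
    $class.Properties.Add('SoftPaqsFailed',  [System.Management.CimType]::UInt32,   $false)
    $class.Properties.Add('RebootRequired',  [System.Management.CimType]::Boolean,  $false)
    $class.Properties.Add('Result',          [System.Management.CimType]::String,   $false)
    $class.Put() | Out-Null
}

function Write-DriverUpdateRun {
    param(
        [Parameter(Mandatory)][string]$Mode,
        [int]$Applied,
        [int]$Failed,
        [bool]$RebootRequired,
        [Parameter(Mandatory)][string]$Result
    )
    New-DriverUpdateRunClass
    New-CimInstance -Namespace $Namespace -ClassName $ClassName -Property @{
        RunId           = [guid]::NewGuid().ToString()
        StartTime       = (Get-Date)
        Mode            = $Mode
        SoftPaqsApplied = [uint32]$Applied
        SoftPaqsFailed  = [uint32]$Failed
        RebootRequired  = $RebootRequired
        Result          = $Result
    } | Out-Null
}

function Get-DriverUpdateHistory {
    # What a local results viewer for helpdesk staff would display
    Get-CimInstance -Namespace $Namespace -ClassName $ClassName |
        Sort-Object StartTime -Descending |
        Select-Object StartTime, Mode, SoftPaqsApplied, SoftPaqsFailed, RebootRequired, Result
}

# Constructed sample run, then the history as the viewer would show it
Write-DriverUpdateRun -Mode 'Forced' -Applied 4 -Failed 0 -RebootRequired $true -Result 'Success'
Get-DriverUpdateHistory | Format-Table -AutoSize
```

To collect it centrally, open Client Settings in the ConfigMgr console, go to Hardware Inventory, Set Classes..., Add..., and connect to a PC that already has the class; once selected, inventory delivers the instances into the site database, where the class appears as a v_GS_ view that SSRS or Power BI reports can read.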
That's all I've got time for today. In the next entry, I'll share some screenshots of the app in its current form, whatever that looks like. I have my helpdesk team actively testing this now on non-production units, so anything can still change.