# DU - Automatic (Recommended)

## What this profile is for
The default driver update profile. Microsoft tags every driver in the Windows Update catalog as either Recommended (vendor-validated, broad rollout, generally safe) or Other (specialized, niche, vibes-based). This profile handles the Recommended bucket on autopilot.
Why does a dedicated driver profile exist at all? Because the Update Ring policies explicitly block Windows from shipping drivers through the quality update channel (see UR - Fast (Early Access)). That decision moves driver delivery here, where it can be paced, audited, and rolled back per driver, instead of arriving whenever Microsoft happens to push a CU.

Pair this with DU - Manual Review (Other) for the riskier driver category. Together the two profiles cover everything Windows Update can deliver.

## Why this matters
Driver updates have a different risk profile from Windows quality updates. A bad cumulative update breaks Windows for a day. A bad GPU or storage driver can hang devices on boot, and "hang devices on boot" is the kind of call that ruins everyone's afternoon. They also have a different delivery model. Microsoft and OEMs publish on rolling cadences, not on Patch Tuesday.
The Recommended bucket is the boring-and-correct one. By the time a driver carries the Recommended tag, the OEM has staged it for general rollout and Microsoft has signed off. So the default position is: install it, give a 7-day deferral, move on with your life. This profile codifies that.

The riskier drivers live in the Other bucket and get the manual-review treatment in the paired profile. Splitting these two surfaces means you never accidentally auto-install a half-baked beta GPU driver because it happened to be flagged as a quality update. Which has happened. To people. Don't ask. 😬

## 🛠️ Configuration Settings

Configured under Devices → Manage updates → Driver updates for Windows 10 and later in the Intune blade. Not a Settings Catalog policy. Driver Update profiles are their own object type.
| Setting | Value | Why |
|---|---|---|
| Approval method | Automatically approve and deploy | Recommended drivers don't need a human in the loop per-driver. The 7-day deferral catches issues that surface in the first week. |
| Deferral period | 7 days | One week after Microsoft publishes a Recommended driver, this profile auto-approves it for the assigned devices. Long enough for OEMs to pull anything that misbehaves on the public catalog. |
| Drivers included | Recommended | Microsoft-tagged Recommended drivers only. The Other bucket is handled by the paired Manual Review profile. |
| Schedule | Default (next available maintenance window) | Driver installs use the same maintenance / active-hours window as Windows Update. No separate schedule needed. |
The actual list of drivers under this profile populates dynamically as Microsoft tags new ones as Recommended. You don't curate the list. Microsoft does. The deferral is your safety net.
## Caveats ⚠️
License fit. Driver Update profiles work on Windows 11 Pro/Business with M365 Business Premium. No Enterprise tier-up needed.
Prerequisites.

- Required diagnostic data. Driver Update profiles depend on Windows Update for Business inventory, which requires System/AllowTelemetry set to at least Required. See CP - Reporting & Updates - Diagnostic Data. Without this, the profile sits there doing nothing while you wonder why.
- Update Ring policy in place. This profile only handles drivers. The Update Ring policies still handle Windows quality and feature updates. Driver Updates without an Update Ring policy = the device receives drivers on this schedule but Windows updates on Microsoft's whim. Worst of both worlds. Don't.
- Devices need to be Microsoft Entra joined or hybrid joined. Workplace-joined devices and personal devices with WIP don't show up in driver inventory.
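An added example, not from the original page, that checks the two device-side prerequisites above on a managed Windows endpoint. It assumes the System/AllowTelemetry CSP is reflected in the DataCollection policy registry key (0 = Security, 1 = Required, 3 = Optional) and that join state is read from dsregcmd output; both are assumptions about Windows behaviour, not something the page states.

```powershell
# Added example: device-side prerequisite check for Driver Update profiles.
# Assumes System/AllowTelemetry lands in the DataCollection policy key and that
# dsregcmd /status reports AzureAdJoined / DomainJoined as "YES" / "NO".
function Test-DriverUpdatePrereqs {
    $result = [ordered]@{ DiagnosticDataOk = $false; JoinOk = $false; Detail = @() }

    # 1. Diagnostic data: Required (1) or higher is needed for WUfB inventory.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $level = (Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    if ($null -eq $level) {
        $result.Detail += 'AllowTelemetry policy not set: device will not appear in driver inventory.'
    } elseif ($level -lt 1) {
        $result.Detail += "AllowTelemetry is $level (Security); Required (1) or higher is needed."
    } else {
        $result.DiagnosticDataOk = $true
    }

    # 2. Join state: Entra joined or hybrid joined; workplace-joined is not enough.
    $status = dsregcmd /status
    $entraJoined  = ($status | Select-String 'AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined = ($status | Select-String 'DomainJoined\s*:\s*YES' -Quiet)
    if ($entraJoined) {
        $result.JoinOk = $true
        $result.Detail += $(if ($domainJoined) { 'Hybrid joined.' } else { 'Entra joined.' })
    } else {
        $result.Detail += 'Not Entra joined (workplace-joined or unmanaged): no driver inventory.'
    }

    [pscustomobject]$result
}

Test-DriverUpdatePrereqs
```

Both checks must come back true before a device can be expected to show up under this profile's per-driver install state.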
Reversibility. Driver Update profile assignments are clean-revert. Pull a device from the profile and further driver deliveries stop on the next sync. Drivers already installed stay installed (because they're, well, drivers; uninstalling them is rare and explicit). This profile does not tattoo a CSP value, so no inverse / Reset policy in the paired-policy sense.
Driver rollback is per-driver, not per-profile. If a Recommended driver causes an issue and gets approved by this profile, the rollback path is per-driver via the Intune blade (or via Windows itself: Device Manager → Roll Back Driver). Disabling the profile won't undo an already-installed driver. Plan accordingly.
No "Fast cohort" variant by default. A version of this profile with 0-day deferral pinned to the Fast Update Ring cohort would catch bad drivers earlier. It's also an extra moving part. Recommendation: don't build it unless a tenant has actually been bitten by a Recommended driver regression. Most MKB tenants don't see enough driver traffic to justify the maintenance.
## 💡 SuperVision tip

Baseline policy. Golden Master → Windows → Windows Updates → Driver Updates. Assigned to All Devices. No device-class carve-outs. Even kiosks need driver security patches.
Tag candidates: none. Deferral and approval mode are policy identity, not tenant preferences.
Drift detection. Worth a quarterly check that the profile is still assigned and the deferral is still 7 days. Driver profiles don't change values often, but reassignment via SuperVision should be verified after any bulk group restructure.
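An added example, not part of the original page, that automates the quarterly drift check described above against the settings table: it confirms the profile still exists, still auto-approves, still defers 7 days, and is still assigned to All Devices. It assumes the Microsoft Graph PowerShell SDK, the beta endpoint deviceManagement/windowsDriverUpdateProfiles with the properties approvalType and deploymentDeferralInDays, an assignments relationship per profile, and a placeholder profile display name that you match to the Golden Master naming.

```powershell
# Added example: tenant-side drift check for the DU - Automatic (Recommended) profile.
# Assumptions: Microsoft.Graph module installed; Graph beta driver-profile schema
# (approvalType, deploymentDeferralInDays, /assignments); display name is a placeholder.
param(
    [string]$ProfileName = 'DU - Automatic (Recommended)',   # placeholder, adjust to tenant naming
    [int]$ExpectedDeferralDays = 7
)

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles'
$profiles = (Invoke-MgGraphRequest -Method GET -Uri $base).value |
    Where-Object { $_.displayName -eq $ProfileName }

$findings = @()
if (-not $profiles) {
    $findings += "Profile '$ProfileName' not found: Recommended driver delivery is unmanaged."
}

foreach ($p in $profiles) {
    # Approval method and deferral are policy identity; any change is drift.
    if ($p.approvalType -ne 'automatic') {
        $findings += "Approval method drifted to '$($p.approvalType)' (expected 'automatic')."
    }
    if ($p.deploymentDeferralInDays -ne $ExpectedDeferralDays) {
        $findings += "Deferral drifted to $($p.deploymentDeferralInDays) days (expected $ExpectedDeferralDays)."
    }

    # Assignment should still be All Devices; bulk group restructures tend to break this.
    $assignments = (Invoke-MgGraphRequest -Method GET -Uri "$base/$($p.id)/assignments").value
    $allDevices = $assignments | Where-Object {
        $_.target.'@odata.type' -eq '#microsoft.graph.allDevicesAssignmentTarget'
    }
    if (-not $allDevices) {
        $findings += 'Profile is no longer assigned to All Devices.'
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "OK: '$ProfileName' is automatic, $ExpectedDeferralDays-day deferral, assigned to All Devices."
```

A non-zero exit makes the script usable as a scheduled check per tenant; the first page of results is enough for the handful of driver profiles a tenant normally has.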
Monitoring. The Intune blade shows per-driver install state per device. If you wire up WUfB Reports, driver compliance shows up alongside quality and feature update compliance in Azure Log Analytics. Same dashboards, same alert rules.
Multi-tenant scaling. Identical across every customer. The variable is who's in the assigned group.
## 👥 Assignments

### Included groups:
All Devices
### Excluded groups:
None. Drivers under the Recommended tag are safe defaults. W365 Boot devices that don't accept WU-delivered drivers will simply see no work to do (profile assigns harmlessly). If a tenant runs genuine frozen-driver-baseline kiosks (rare in MKB), carve those out explicitly per tenant. Not as a blanket exclusion in the Golden Master.
Standardize like a pro. Configure with intent. And remember: the only thing worse than not patching drivers is patching the wrong driver in the middle of a workday. 😬