🔄🪟💻 DU – Manual Review (Other)
What this profile is for 🔍
The manual-approval profile for drivers Microsoft does not tag as Recommended. These are the spicier ones. Specialized hardware drivers. Vendor preview drivers. Drivers for devices Microsoft hasn't broadly validated. The "this might be fine" drivers.
The default position on the Other bucket is: don't auto-install. Look at it. Decide. Then approve. 👀
Pair with 🔄🪟💻 DU – Automatic (Recommended) for the sane defaults bucket. Together the two profiles cover everything Windows Update can deliver.
Why this matters 🎯
The Recommended / Other split exists because Microsoft and OEMs know that not every driver in their catalog is fleet-ready. The Other bucket typically contains:
- Beta or preview drivers OEMs published but never staged for general rollout
- Drivers for niche hardware that show up in the catalog because some device on the tenant reports needing them
- Cumulative driver updates that bundle multiple components where one is risky
- Vendor-pushed updates for accessories (docks, dongles, specialized USB peripherals) that don't go through the same validation as core platform drivers
Auto-approving the Other bucket has bitten people. A vendor pushes a "driver update" that silently disables the integrated camera. Or replaces the trackpad driver with a worse version. Or breaks a printer. Or breaks a printer. 😭 With manual review, those land in a list waiting for IT to look at, instead of on devices waiting for a restart.
🛠️ Configuration Settings
Configured under Devices → Manage updates → Driver updates for Windows 10 and later in the Intune blade.
| Setting | Value | Why |
|---|---|---|
| Approval method | Manually approve and deploy | Each Other-tagged driver lands in the Intune approval queue. IT picks per driver whether to approve, postpone, or decline. |
| Drivers included | Other | Covers everything Microsoft does not tag as Recommended. The Recommended bucket is handled by the paired Automatic profile. |
| Default device targeting | Same scope as the Automatic profile | Devices appear in both profiles' inventory. They just get different treatment per driver bucket. |
| Notification before install | Default (uses Update Ring active hours) | Driver installs respect the same active hours / restart behavior as Windows Update once approved. |
There is no deferral setting on a Manual profile. By design, "deferral" is the approval delay. A driver sits in the queue until IT acts. ⏳
Caveats ⚠️
License fit. Same as the Automatic profile. Windows 11 Pro/Business + M365 Business Premium.
Operational load is real but bounded. A tenant might see a few Other drivers per week, sometimes none for weeks. The queue is usually short. The first month after enabling driver profiles is the busy one because every previously-installed Other driver appears for retroactive review. After that it settles down. 📥
"Decline" is a decision, not a non-decision. If a driver sits in the queue forever without being approved or declined, devices that need it don't get it. Establish a rhythm. Weekly queue review, decisions logged. Not declining is itself a decision (and the wrong one). 🛑
Reversibility. Like the Automatic profile, this is clean-revert. Pull a device from assignment and further drivers stop entering its queue. Already-approved drivers stay installed; rollback path is per-driver, not per-profile.
Recommended → Other migration. Occasionally Microsoft re-tags a driver from Recommended to Other (usually after a regression report). The driver may already be installed via the Automatic profile by the time that happens. The Manual profile doesn't auto-uninstall it. Handle the rollback explicitly via the Intune blade or device-level driver rollback.
💡 SuperVision tip
Baseline policy. Golden Master → Windows → Windows Updates → Driver Updates. Assigned to All Devices (same scope as the Automatic profile).
Tag candidates: none. Manual approval is policy identity.
Approval routing. SuperVision should surface the approval queue to whoever does Tier 2/3 maintenance for the tenant, usually the same person who reviews monthly patch reports. Weekly cadence works for most tenants. Tenants with unusual hardware (CAD workstations, specialized lab kit) may want twice-weekly.
Audit. Every approval / decline decision is logged in the Intune audit trail. Worth surfacing quarterly: which drivers were approved, which were declined, and which are sitting in the queue past 30 days (those need a decision, not more waiting). 📝
Multi-tenant scaling. Identical policy across every customer. The queue itself is per-tenant because driver inventory is per-fleet. Don't try to batch approvals across tenants. A driver that's fine on tenant A may be wrong for tenant B's hardware.
👥 Assignments
✅ Included groups:
All Devices
❌ Excluded groups:
None. Same scoping as the Automatic profile. If a tenant runs frozen-driver-baseline devices, carve them out per tenant. Not as a blanket Golden Master exclusion.
Standardize like a pro. Configure with intent. And remember: a driver waiting for approval is not a problem. A driver auto-installed without review is. 🚨