Microsoft has resolved a bug in Windows Autopatch that improperly bypassed manual driver approval policies for Windows 11 devices located in the European Union. The flaw caused a subset of Autopatch-managed endpoints to receive driver updates automatically, even when administrators had explicitly configured a manual approval workflow. The issue impacted systems running Windows 11 versions 23H2 through the yet-to-be-released 25H2, though the bulk of affected devices were on 23H2 and 24H2. The fix, deployed via a backend service update, restores the expected policy behavior and has already rolled out to all Autopatch tenants.

IT administrators first noticed the anomalous behavior in early March 2025 when driver update reports showed unexpected installations on devices that should have been gated behind an approval ring. The bug, tracked internally by Microsoft under the designation AP-2025-03-001, was acknowledged in a support bulletin and on the Windows release health dashboard. While limited in scale—Microsoft estimates fewer than 5,000 devices actively exhibited the issue—the incident raised concerns about the integrity of Autopatch as a compliance tool, particularly in tightly regulated EU environments.

What Happened?

The core symptom was straightforward: driver updates marked for manual approval in Microsoft Intune were installing without any administrator action. Under normal operation, Windows Autopatch relies on Intune policies to manage driver deployment. Admins can create rings such as Preview, Broad, and Critical, and enforce manual approval for any ring. Once a driver syncs from the Windows Update catalog, it remains in a pending state until an admin explicitly approves it. The bug caused the Autopatch service to treat these pending drivers as approved, effectively skipping the ring’s approval step.

The rogue behavior was first observed on March 2, 2025, when several EU-based organizations reported that a Realtek audio driver update (version 6.0.9621.1) had been deployed to Broad ring devices overnight, despite no approval from their IT teams. Subsequent audits revealed that multiple other driver packages—including Intel Bluetooth and AMD chipset drivers—had also slipped through. The common factor: all affected tenants had their Autopatch instances configured for EU data residency, a feature required for GDPR compliance.

Understanding Windows Autopatch Driver Management

Windows Autopatch, part of the Microsoft Intune suite, automates update orchestration for Windows, Microsoft 365 Apps, and Microsoft Edge. For driver updates, Autopatch hooks into the Windows Driver Update Management (WDUM) service, which sources drivers directly from the Windows Update for Business catalog. The service applies deployment rings and rollout schedules defined by IT, offering two modes: automatic and manual approval.

Manual approval, the recommended model for high-risk or compliance-bound environments, allows admins to review driver metadata, release notes, and hardware compatibility before pushing an update. Once approved for a ring, the driver stages gradually across the ring’s devices, with automatic rollback if failure thresholds are exceeded. The broken policy logic meant that the service skipped the review queue entirely, treating the drive’s arrival as an implicit approval.

Critically, the bug only manifested when the Autopatch tenant was associated with an EU-located data center—Amsterdam, Dublin, or Frankfurt—and when the tenant processed driver updates through the EU-specific endpoints. Tenants hosted in North America, Asia-Pacific, or other regions were not affected. Microsoft confirmed that the root cause was a misconfigured feature flag in the EU regional Autopatch microservice that governs policy enforcement. The flag, intended to enable a new compliance telemetry pipeline, inadvertently disabled the manual approval check.

Scope of the Bug

The bug impacted Windows 11 devices enrolled in Autopatch and subject to manual approval driver policies. Affected builds included all cumulative updates for 23H2 (build 22631.xxx) and 24H2 (build 26100.xxx), as well as Insider Preview builds of 25H2 (build 275xx). The geographical restriction meant that devices physically located outside the EU but managed by an EU-region tenant were also vulnerable, as the policy decision was tenant-side, not client-side. Microsoft’s post-incident analysis showed that roughly 4,800 devices across 220 tenants received at least one unauthorized driver update during the incident window, which spanned from February 28 to March 10, 2025.

The drivers that slipped through varied by device model but predominantly included Realtek audio, Intel Wi-Fi, and AMD chipset drivers. No security-only drivers (firmware updates containing CVEs) were deployed without approval, as those are handled through a separate security update channel. Nevertheless, the non-security drivers still posed a risk: a bad audio driver could break conferencing tools, and a rogue chipset driver could destabilize entire fleets. Microsoft reported no widespread crashes or rollbacks, but several admins on community forums reported isolated BSOD incidents on HP EliteBook 840 G10 devices after the unauthorized Intel RST driver installation.

Administrators spotted the issue through the Intune Advanced Reporting interface, where driver update compliance reports showed “Installed” status with an empty “Approved by” field. The Autopatch activity log also contained entries with error code 0x80072EFE, which normally indicates a network issue but in this case signaled a policy lookup failure.

Root Cause and Resolution

On March 12, 2025, Microsoft engineers identified the faulty feature flag and rolled back the configuration change within two hours. An interim mitigation was pushed on March 13 that forced a policy re-evaluation for all PDQ (pending driver queue) items, effectively reinstating the manual approval requirement. However, already-installed drivers were not rolled back unless they triggered a failure threshold; admins had to manually uninstall problematic drivers if needed.

The permanent fix arrived on March 18 via a server-side hotfix, which rewired the policy enforcement chain to use a redundant approval check. Microsoft also implemented a new monitoring rule that alerts the Autopatch service team if the manual approval check ever returns a false positive again. No client-side update was required, but Microsoft recommended that all affected tenants run the Get-WindowsAutopatchDeploymentStatus PowerShell script to validate that their current driver policies are being honored.

A detailed post-incident report (PID: AP20250312-01) was published to the Microsoft Security Response Center and linked from the Windows release health dashboard. The report acknowledged that the bug was not security-related but constituted a compliance gap, and it outlined that the feature flag had been introduced during the sprint 25.03.1 rollout for telemetry enhancements. The flag was never intended to affect policy logic; a copy-paste error in the deployment manifest had pointed the policy service’s approval module to a null endpoint.

Recommendations for IT Administrators

Organizations using Windows Autopatch in the EU should immediately verify their driver update history for the February 28–March 10 window. Microsoft has published a Kusto Query Language (KQL) snippet that scrutinizes Intune DriverUpdateReadiness logs for unauthorized installations. The query filters for driver installs where the ApprovalState is 0 (autoapproved) but the assigned deployment ring requires manual approval.

For devices where problematic drivers were installed, admins can use the Windows Update Troubleshooter to roll back the driver via the Device Manager or deploy a script that leverages pnputil to remove the driver package by INF name. Microsoft also recommends temporarily disabling the “Include drivers with Windows Updates” policy in Intune for critical rings until the fix is fully validated—this setting moves driver updates back into the broader Windows Update flow where manual approval rings do not apply.

Longer-term, Autopatch customers should review their ring configurations and consider implementing a double-gated approval process. One approach is to use a Preview ring with an empty membership as a manual approval gate: any driver must be approved for Preview, and then—after testing—it can be copied to Broad. The bug bypassed this model, but with the fix in place, the gate is now reliable.

Microsoft has also enhanced visibility: the Autopatch blade in the Intune admin center now includes a “Driver approval failures” chart under Reports > Windows Autopatch > Update compliance. This chart tracks instances where the service attempted to auto-approve a driver but was blocked by policy, giving admins a positive signal that the fix is active.

Looking Ahead

This incident highlights the delicate interplay between regional compliance requirements and cloud-based update orchestration. The EU’s Digital Markets Act and NIS2 directive are pushing Microsoft to maintain strict data isolation, but regional feature branches can introduce inconsistencies. Microsoft has committed to running a parallel test ring for EU tenants that mirrors the exact configuration of production tenants, with the goal of catching similar regressions before they reach customers. The company also plans to extend the manual approval safeguard to Windows feature updates in the second half of 2025, allowing admins to require explicit approval for Windows 11 version upgrades deployed via Autopatch.

For now, the fix appears solid. No further unauthorized driver installations have been reported since March 18. Administrators who lived through the three-week fire drill are left with a renewed appreciation for granular monitoring and the importance of verifying cloud promises. As one Intune engineer commented on a tech forum, “Autopatch is automation with guardrails—this bug removed one guardrail. We need to keep checking that the guardrails are still in place.” The takeaway is clear: trust but verify, even when the service comes from Redmond.