Windows Update for Business (WUfB) driver deployment policy installing broken touchpad drivers across a fleet of company laptops

Jian Wong 0 Reputation points
2026-06-09T04:05:16.4+00:00

Hey desktop management, we have Intune configured to manage our business workstation updates, and we left "Include drivers from Windows Update" turned on. This morning, a cumulative OEM driver deployment went live, and now dozens of corporate users are flooding our service desk because their built-in laptop touchpads have completely stopped responding.


3 answers

  1. Domic Vo 25,675 Reputation points Independent Advisor
    2026-06-20T06:17:11.5666667+00:00

    Hi Jian Wong,

    Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    Domic V.


  2. Domic Vo 25,675 Reputation points Independent Advisor
    2026-06-09T05:11:41.8233333+00:00

    Hi Jian Wong,

    Your strategy to halt the driver rollout by configuring the Windows Update ring to block drivers is the correct immediate containment measure. You should verify that the policy ExcludeWUDriversInQualityUpdate is being enforced via your Intune CSP configuration to ensure the Windows Update client ignores driver payloads in subsequent scan cycles. Because this policy does not trigger a driver rollback, machines already exhibiting the touchpad failure must be remediated locally. You can perform this by targeting the Device Manager to roll back to the previous driver version or by deploying a script that executes a driver rollback command via the pnputil /rollback-driver utility, which is the standard Windows command-line tool for managing driver packages.

    For long-term stabilization, you must shift your management architecture to the Intune Driver Updates node. This allows you to set driver approvals to Manual, ensuring that future OEM updates remain in a pending state until your team validates them against a pilot ring. This granular control moves your environment away from the "Include drivers" toggle, which is often too broad for corporate fleets, and instead enforces a strict, validated deployment cadence that minimizes disruption. By isolating specific hardware IDs, you can ensure that critical firmware and HID drivers are never pushed to production without prior testing.

    Domic V


  3. AI answer

    2026-06-09T04:05:31.0433333+00:00

    Take the following actions to stop the bad touchpad driver rollout and regain control using Intune and Windows Update for Business driver policies.

    1. Stop further driver installs immediately
      • In the Intune admin center, review existing Windows update ring policies that govern these devices.
      • For each affected update ring, set the Windows Drivers update setting to Block so Windows Update stops installing drivers as part of quality updates.
      • Also review any Settings catalog policies that configure Windows Update client policies and ensure they are not forcing driver installs while you stabilize the environment.
      Relevant settings to check:
      • Windows update ring policy: Windows driver setting should be set to Block temporarily to prevent further installs.
      • Settings catalog policy: In Windows Update client policies, verify Exclude WU Drivers in Quality Update is configured appropriately while you mitigate.
    2. Move to controlled driver management with Intune driver update policies
      • Implement Windows driver update policies in Intune so driver deployments are no longer “all or nothing” via the generic “Include drivers from Windows Update” setting.
      • Driver update policies provide a dedicated surface to:
        • View all applicable driver and firmware updates for targeted devices.
        • Approve, pause, or decline individual driver updates.
        • Use phased deployments (rings) for safer rollout.
      Key capabilities:
      • Policies can run in Automatic or Manual approval modes:
        • Automatic: Automatically approves recommended drivers after a configurable delay.
        • Manual: No drivers are installed until an admin explicitly approves them.
      • For a fleet where a bad driver has just caused an outage, use Manual mode for the affected hardware models so every new touchpad (and other critical) driver is reviewed and tested before deployment.
    3. Create driver update profiles and rings
      • Create a driver update profile for the affected laptop models.
      • Choose Manual approval mode for now.
      • Define deployment rings (for example: Pilot → Pre‑production → Broad) and assign a small test set of devices to the pilot ring.
      • Ensure each device is targeted by only one driver update policy to avoid conflicting approvals.
    4. Use approvals, pauses, and “Other drivers” to control the bad driver
      • In Intune, go to Devices → Manage updates → Windows update → Driver Updates.
      • Review the list of drivers applicable to the affected devices.
      • Locate the problematic touchpad driver:
        • If it appears as a recommended driver, set its status to Paused or Declined for all relevant policies/rings so it is no longer offered.
        • If it appears under Other drivers, explicitly Decline it for all unreviewed policies or for the specific policies that target the affected models.
      • For any newer, fixed touchpad driver that the OEM publishes:
        • Approve it first for the pilot ring only.
        • Validate on a small set of machines.
        • Then gradually approve it for additional rings.
    5. Ensure no conflicting policies are blocking or forcing drivers
      • If using Windows Autopatch or other programmatic controls, verify there are no conflicting policies:
        • Group Policy: Do not include drivers with Windows Updates.
        • CSP: ExcludeWUDriversInQualityUpdate.
        • Registry: ExcludeWUDriversFromQualityUpdates.
        • Intune update ring: Windows Drivers set to Block.
      • For devices that should receive drivers via the new Intune driver update policies, ensure these exclusion settings are not preventing installation once a fixed driver is approved.
    6. Long‑term strategy to avoid repeat incidents
      • Keep “Include drivers from Windows Update” disabled or tightly controlled for production rings; rely instead on Intune driver update policies for:
        • Centralized review of OEM driver content.
        • Manual approval of high‑risk drivers (touchpad, storage, display, network).
        • Phased deployments with the ability to pause or decline any problematic driver quickly.
      • Align driver rollout with existing quality/feature update cadences to reduce user disruption and coordinate restarts.

    This approach stops the immediate spread of the broken touchpad driver and moves driver servicing into a controlled, ring‑based approval model using Intune’s Windows driver update policies.



    AI-generated content may be incorrect. Read our transparency notes for more information.
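
The per-device checks the answers above describe (confirming that the driver exclusion policy is enforced, and finding machines that already took the driver), as an added read-only PowerShell example; it is not code from the thread or from Microsoft. The registry paths, the device classes, the exit-code convention and the `$BadVersion` placeholder are assumptions.

```powershell
# Added example: read-only triage for one laptop; nothing on the device is changed.
# $BadVersion is a PLACEHOLDER: the thread does not name the faulty driver version.
$BadVersion = '<FAULTY-DRIVER-VERSION>'
$Classes    = 'HIDClass', 'Mouse'   # assumption: the touchpad enumerates under one of these

# 1. Is driver exclusion applied? Locations where the Group Policy and MDM (CSP) forms of
#    ExcludeWUDriversInQualityUpdate are normally written (assumption: confirm on your build).
$policyKeys = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    MdmCsp      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
}
$policy = foreach ($source in $policyKeys.Keys) {
    $item = Get-ItemProperty -Path $policyKeys[$source] -Name ExcludeWUDriversInQualityUpdate -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source = $source
        Value  = if ($item) { $item.ExcludeWUDriversInQualityUpdate } else { 'not set' }
    }
}
$excluded = [bool]($policy | Where-Object { $_.Value -eq 1 })

# 2. Third-party input drivers currently bound to devices, with version and date.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DeviceClass -in $Classes -and $_.DriverProviderName -ne 'Microsoft' } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, DriverDate, InfName
$hits = @($drivers | Where-Object { $_.DriverVersion -eq $BadVersion })

# 3. Present input devices that Plug and Play reports as not working.
$failed = @(Get-PnpDevice -PresentOnly |
    Where-Object { $_.Class -in $Classes -and $_.Status -ne 'OK' })

# One compact line of output so a management agent can collect it per device.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    DriversExcluded  = $excluded
    Policy           = ($policy | ForEach-Object { "$($_.Source)=$($_.Value)" }) -join ';'
    FaultyDriverInfs = $hits.InfName -join ','
    FailedDevices    = $failed.FriendlyName -join ','
    InputDrivers     = ($drivers | ForEach-Object { "$($_.DeviceName) $($_.DriverVersion)" }) -join ';'
} | ConvertTo-Json -Compress

# Non-zero exit marks the device for follow-up while containment is in force
# (convention assumed here, not from the thread).
if ($hits.Count -gt 0 -or $failed.Count -gt 0 -or -not $excluded) { exit 1 }
exit 0
```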

