"We've received a report of an issue where users' Windows devices that have configured policies to prevent auto updates are installing drivers," Microsoft said when it acknowledged the issue on Tuesday afternoon, June 2.
What Microsoft says went wrong: a caching service misconfiguration
Microsoft traced the problem to a misconfiguration in the Windows Update caching service, according to an admin center incident report (MO1332784). The company said the caching service "temporarily dropped device enrollment information," which caused some Windows devices to be treated as non-enrolled and prevented driver-approval controls from being applied correctly.
To mitigate the impact, Microsoft updated the affected service cache and the enrollment status for affected devices. In a Wednesday update the company said, "We've validated that this issue is resolved following impact remediation confirmation from a subset of previously affected users," and added that it is continuing to review how the caching service dropped enrollment information to better inform detection, prevention, and response to similar service issues in the future.
How the company and support channels responded
The Intune Support Team acknowledged the issue on Twitter and Reddit, saying the company was actively working to mitigate it. When Microsoft first acknowledged the problem, it also noted that "the drivers being installed are Microsoft approved/signed and that they don't pose a security threat." That public messaging framed the immediate priority as halting unintended deployments and restoring correct enrollment state rather than addressing a supply-chain or code-signing compromise.
Operational effects reported by administrators
Microsoft has not released figures for how many regions or customers were affected. Still, Windows administrators reported large-scale effects: administrators told reporters that tens of thousands of devices unexpectedly received BIOS and driver updates, and in many cases those updates caused audio or video devices to stop functioning.
These reports followed a recent run of related update incidents. In April, Microsoft resolved a known issue that caused systems running Windows Server 2019 and 2022 to upgrade to Windows Server 2025 "unexpectedly." Last month the company also addressed a bug that installed driver updates on some Autopatch‑managed Windows 11 devices across the European Union even when administrative policies were configured to restrict driver deployment.
What this means for Windows admins, affected enterprises, and security teams
- Windows admins: Administrators who enforce policies to prevent auto-updates should verify device enrollment status and driver-approval controls after the incident. The reports of large numbers of machines receiving BIOS and driver updates — and consequent audio/video failures — highlight the operational impact of enrollment-state drift.
- Affected enterprises and procurement leaders: Organizations with broad fleets should inventory devices for unintended updates and prioritize remediation where firmware or driver changes caused functional regressions. Microsoft’s remediation steps — service cache updates and enrollment-status corrections — are the immediate actions to watch for and validate.
- Security teams: Microsoft’s statement that the drivers were "Microsoft approved/signed and ... don't pose a security threat" addresses one dimension of risk, but teams will still need to confirm whether the unplanned changes created windows for exploitation or degraded telemetry and alerting tied to device drivers and firmware.
Closing observation
The episode centers on a single technical root: a caching service that dropped enrollment data and allowed controls to be bypassed. Microsoft has remediated the immediate impact for at least a subset of users and says it is reviewing how the service failure occurred to improve detection and prevention. What remains unanswered in the public record is the full scope of the event — how many customers and which regions were affected — and whether follow-up changes to caching logic or monitoring will be deployed to prevent a recurrence.
