Full Report
Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. [...]
Analysis Summary
# Vulnerability: Windows Autopatch Driver Deployment Policy Bypass
## CVE Details
- **CVE ID**: Not Assigned (Service-side Logic Error)
- **CVSS Score**: N/A (The vendor addressed this as a service-side bug rather than a security vulnerability with a CVE identifier)
- **CWE**: CWE-648: Improper Privilege Management (Policy Bypass)
## Affected Systems
- **Products**: Microsoft Windows (managed via Windows Autopatch)
- **Versions**:
  - Windows 11 25H2
  - Windows 11 24H2
  - Windows 11 23H2
- **Configurations**: Devices located in the European Union (EU) region managed by Windows Autopatch where administrative policies were set to restrict or manually approve driver updates.
## Vulnerability Description
A logic error occurred in the Windows Autopatch service backend specifically affecting the EU region. The flaw caused the service to ignore administrative policies that restricted driver deployments. Consequently, recommended driver updates were pushed to client devices and installed without the required user approval or IT admin authorization. Technically, this represents a failure in the orchestration layer of the Autopatch service to honor "manual approval" flags within the deployment ring configuration.
## Exploitation
- **Status**: Not exploited (Functional bug resulting in unauthorized software deployment)
- **Complexity**: Low (Occurred automatically due to service-side failure)
- **Attack Vector**: Network (Service-to-Client communication)
## Impact
- **Confidentiality**: None
- **Integrity**: Low (Unauthorized system changes/driver installations)
- **Availability**: Moderate (Reports of unexpected reboots and system failures/BSODs depending on the specific drivers deployed)
## Remediation
### Patches
- **Service-Side Fix**: Microsoft has implemented a fix on the backend servers. No client-side patches or updates are required for end-user devices.
### Workarounds
- No manual workarounds are necessary as the fix was pushed automatically by Microsoft. IT admins may wish to audit the "Update History" on managed devices to identify any drivers installed between late April and May 13, 2026.
## Detection
- **Indicators of Compromise**: Unintended driver updates appearing in Windows Update history that were not approved in the Microsoft Intune/Autopatch console.
- **Detection methods**: Reviewing Windows Autopatch reports and device event logs for unexpected reboots or driver installation events (Event ID 114 or 121 in the System log).
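To carry out the Update History audit suggested under Workarounds and the detection check above, the following PowerShell script is added here as an example; it is not part of the report or of Microsoft's tooling. It reads the local Windows Update history through the `Microsoft.Update.Session` COM object and lists successful driver-class installations inside a date window; the default window boundaries are an assumption derived from the report's "late April" to "May 13, 2026" range, and the `'driver'` title fallback is a heuristic.

```powershell
# Added example (not from the report or from Microsoft): list driver-class updates
# recorded in the local Windows Update history inside the suspect window, so an
# admin can compare them against what was approved in the Autopatch/Intune console.
# Assumptions: run locally or via Invoke-Command on a managed device; the default
# window is a guess based on the report's "late April to May 13, 2026" range.
param(
    [datetime]$Start = (Get-Date '2026-04-20'),   # assumed start of the window
    [datetime]$End   = (Get-Date '2026-05-14')    # day after the reported fix date
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) { Write-Output 'No Windows Update history on this device.'; return }

$history = $searcher.QueryHistory(0, $total)

# ResultCode 2 = Succeeded, 3 = SucceededWithErrors; Operation 1 = Installation
$driverInstalls = foreach ($entry in $history) {
    if ($entry.Operation -ne 1) { continue }
    if ($entry.ResultCode -notin 2, 3) { continue }
    if ($entry.Date -lt $Start -or $entry.Date -ge $End) { continue }

    # The "Drivers" update classification marks a driver update; fall back to the
    # title text (heuristic) in case the category collection is empty.
    $isDriver = $false
    foreach ($cat in $entry.Categories) {
        if ($cat.Type -eq 'UpdateClassification' -and $cat.Name -eq 'Drivers') { $isDriver = $true }
    }
    if (-not $isDriver -and $entry.Title -notmatch 'driver') { continue }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Installed  = $entry.Date
        Title      = $entry.Title
        UpdateId   = $entry.UpdateIdentity.UpdateID
        ResultCode = $entry.ResultCode
    }
}

$driverInstalls | Sort-Object Installed | Format-Table -AutoSize
# Export for comparison against the approved driver list in the Autopatch/Intune console
$driverInstalls | Export-Csv -Path "$env:TEMP\driver-installs-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Any title in the output that has no matching approval in the console is a candidate for the unauthorized deployments the report describes; the exported CSV can be collected from many devices with `Invoke-Command` and merged centrally.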
## References
- **Vendor Advisory**: Microsoft Service Alert (Reference via Microsoft MVP Susan Bradley)
- **Relevant Links**:
  - hxxps[://]www[.]bleepingcomputer[.]com/news/microsoft/microsoft-fixes-windows-autopatch-bug-installing-restricted-drivers/
  - hxxps[://]learn[.]microsoft[.]com/en-us/windows/deployment/windows-autopatch/overview/windows-autopatch-overview