Windows Keeps Reinstalling Bad Drivers: Stop It for Good

Nothing says “productive day” like Windows politely replacing your stable driver with the exact one that just crashed your graphics stack, killed your Wi‑Fi, or broke your storage controller. You roll back, you reboot, you breathe. Then it returns. Like a boomerang with admin rights.

This isn’t mysterious. It’s policy, ranking, driver packages in the Driver Store, and Windows Update doing what it thinks is best—based on rules you can override if you’re willing to be specific and slightly stubborn.

How Windows decides to “help” you (and why it keeps reinstalling)

Windows doesn’t “install a driver.” It selects a driver package that matches your hardware IDs, then stages it in the Driver Store, then binds it to the device. The selection is based on ranking. Ranking considers hardware ID match specificity, signature trust, date, version, and sometimes vendor-provided metadata. The system is trying to converge on a “best” driver, not preserve your feelings.

When Windows keeps reinstalling a bad driver, it’s almost never a single cause. It’s usually one of these patterns:

• Windows Update is delivering a driver and it ranks higher than your preferred one.
• The bad driver package remains in the Driver Store so Plug and Play can rebind it during rescans or device re-enumeration.
• OEM utilities (Lenovo Vantage, Dell Command Update, HP Support Assistant, vendor GPU suites) are “helping” on their own schedule.
• MDM/Intune/WSUS is approving or targeting drivers centrally.
• Feature updates or repair operations re-stage inbox or “better ranked” drivers.

The fix is not “roll back again.” The fix is: identify the delivery path, remove or demote the package you hate, and enforce a policy boundary so it can’t return.

One operations quote that belongs on a sticky note near your monitor (paraphrased idea): “Hope is not a strategy.” — often attributed to engineering leadership circles; paraphrased

Fast diagnosis playbook

When you’re on-call (for yourself or for a fleet) you don’t start with philosophy. You start with “what changed, what installed, what source, what package.” Here’s the fast path that finds the bottleneck quickly.

First: confirm what driver is active right now

• Device Manager → device → Properties → Driver tab (version, provider, date).
• Then verify in CLI (because GUIs lie by omission): use pnputil and dism (see tasks below).

Second: identify the delivery channel

• Was it installed by Windows Update? Check Windows Update history and Event Viewer logs (SetupAPI, WindowsUpdateClient).
• Was it installed by an OEM agent? Check installed programs/services/scheduled tasks.
• Enterprise? Check Group Policy / MDM policy and whether drivers are coming from WSUS/Microsoft Update.

Third: decide your containment level

• Workstation / single device: hide the specific update + remove the driver package from Driver Store + stop automatic driver updates.
• Small office: Group Policy to block driver updates, or device installation restrictions by hardware ID.
• Enterprise: stop approving drivers in WSUS, lock policy in Intune, and use a controlled driver ring with known-good packages.

Fourth: validate it stays fixed after re-enumeration

• Reboot.
• Disable/enable device.
• Scan for hardware changes.
• Check Driver Store again. If the bad package is still present and ranked well, it will be back.

Interesting facts and historical context

Some context helps because driver behavior is the result of decades of “ship hardware at scale without lighting the support desk on fire.” A few concrete points:

1. Windows Driver Store became central in the Vista era, enabling driver staging and easier rollback, but also making “remove the driver” a two-step problem (device vs package).
2. Plug and Play ranking isn’t random: a more specific hardware ID match can beat a newer driver version, depending on INF targeting and rank calculations.
3. WHQL signing (and later attestation signing) massively increased driver trust at scale, but it also gave Windows Update the confidence to push drivers broadly.
4. Windows Update began distributing more drivers aggressively in the Windows 10 era, aiming to reduce “unknown device” states and improve out-of-box success.
5. Feature updates behave like in-place upgrades and may re-evaluate drivers, sometimes preferring “inbox” compatibility drivers to avoid upgrade failures.
6. OEMs can publish drivers to Windows Update via Microsoft’s hardware ecosystem pipeline, which is why “Microsoft” shows up as the provider for vendor silicon sometimes.
7. Driver rollback typically restores the previous driver for that device instance, but it does not necessarily evict the newer package from the Driver Store.
8. Windows has separate policies for “quality updates” vs “driver updates”, and enterprises often block one but accidentally allow the other.
9. Device installation restrictions by hardware ID have existed for years and remain one of the most deterministic ways to block a specific device’s driver from changing.

Joke #1: Drivers are like interns with root access: mostly fine until they discover “optimization.”

The real root causes (not vibes)

1) The bad driver is still in the Driver Store

If the package remains staged, Windows can rebind it during:

• device re-enumeration (docking stations, USB NICs, GPU resets)
• “scan for hardware changes”
• Windows Update detection cycles
• feature update migration

Deleting the device from Device Manager isn’t enough if you ticked “Delete the driver software for this device” and it still didn’t remove the package (common when in use or when multiple devices use the same package).

2) Windows Update has a driver that outranks yours

Windows chooses based on the best match. If Microsoft Update offers a driver with a tighter hardware ID match or a better rank, it can win even if you manually installed something else—especially if your preferred driver is a generic vendor package and the offered one is specifically targeted to your subsystem ID.

3) You’re fighting the wrong update source

Enterprises often assume Windows Update is the only source. It isn’t. OEM tools schedule driver pushes. MDM policies can enforce drivers. Endpoint management suites can “patch” drivers like they’re Chrome. If you block Windows Update but Dell Command Update keeps pushing, you’ll keep losing.

4) Policy conflict: “do not include drivers” isn’t applied where you think

There are multiple levers: Local Group Policy, domain GPO, MDM CSP policies, WSUS approvals, and Windows Update for Business rings. If you set one locally but domain policy overwrites it, your local change is decorative.

5) Feature update / in-place upgrade resets the board

During an upgrade, Windows prioritizes bootability and compatibility. Storage, chipset, and display drivers may be swapped to known-good baselines. If your “known-good” is newer but not considered safe for the upgrade, it can be replaced. Afterward, Windows Update may “improve” it again—with the same bad version you were avoiding.

Practical tasks: commands, outputs, decisions (12+)

All tasks below are designed to be runnable on Windows. I’m formatting them in a bash-styled block as requested, but the commands are PowerShell/CMD you can run in an elevated prompt unless stated otherwise.

Task 1: Identify the currently bound driver for a device (PnP view)

cr0x@server:~$ powershell -NoProfile -Command "Get-PnpDevice -PresentOnly | ? {$_.FriendlyName -like '*Wi-Fi*'} | ft -AutoSize Status,Class,FriendlyName,InstanceId"
Status Class    FriendlyName                     InstanceId
------ -----    ------------                     ----------
OK     Net      Intel(R) Wi-Fi 6 AX201 160MHz    PCI\VEN_8086&DEV_06F0&SUBSYS_00748086&REV_00\3&11583659&0&A3

What it means: You have the device instance ID. That ID is your anchor for everything else.

Decision: If the device isn’t present/OK, you’re not debugging “reinstall,” you’re debugging detection or hardware failure.

Task 2: Get the driver version/provider bound to that device

cr0x@server:~$ powershell -NoProfile -Command "Get-CimInstance Win32_PnPSignedDriver | ? {$_.DeviceID -like 'PCI\\VEN_8086&DEV_06F0*'} | select DeviceName,DriverVersion,DriverDate,DriverProviderName,InfName | fl"
DeviceName         : Intel(R) Wi-Fi 6 AX201 160MHz
DriverVersion      : 22.250.1.2
DriverDate         : 2024-03-18T00:00:00.0000000
DriverProviderName : Intel
InfName            : oem42.inf

What it means: The binding is through oem42.inf. You now have the INF name to target.

Decision: If the provider is “Microsoft” but you expected Intel/NVIDIA/AMD, it may be a repackaged Windows Update driver.

Task 3: List Driver Store packages and find the culprit INF

cr0x@server:~$ pnputil /enum-drivers | findstr /i "oem42.inf Provider Class Version"
Published Name : oem42.inf
Driver Package Provider : Intel
Class : Net
Driver Version And Date : 22.250.1.2 03/18/2024

What it means: The driver package exists in the Driver Store as oem42.inf.

Decision: If multiple OEM INFs show similar versions, you may need to remove several competing packages to stop rebinding.

Task 4: See if Windows Update recently installed a driver (Update history)

cr0x@server:~$ powershell -NoProfile -Command "Get-WindowsUpdateLog -LogPath $env:TEMP\WindowsUpdate.log; Select-String -Path $env:TEMP\WindowsUpdate.log -Pattern 'Driver' -SimpleMatch | Select-Object -First 5"
2026/02/03 21:14:09.1234567  1234  5678  Agent  * Title = Intel - Net - 22.250.1.2
2026/02/03 21:14:09.1237890  1234  5678  Agent  * UpdateId = {GUID}
2026/02/03 21:14:09.1240000  1234  5678  Agent  * Revision = 201

What it means: Windows Update offered and likely installed a driver matching what you see bound.

Decision: If update history shows it, block/hide that update and stop driver updates via policy. If it doesn’t, look at OEM tools and MDM.

Task 5: Check SetupAPI device install logs for who did what

cr0x@server:~$ powershell -NoProfile -Command "Select-String -Path $env:windir\inf\setupapi.dev.log -Pattern 'oem42.inf' | Select-Object -Last 8"
>>>  [Driver Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_06F0...]
>>>  Section start 2026/02/03 21:15:02.100
     inf:       Opened INF: 'C:\Windows\INF\oem42.inf' ([strings])
     dvi:       {DIF_SELECTBESTCOMPATDRV} 21:15:02.180
     dvi:       Selected driver installs from section [Install.NT]
     dvi:       {DIF_INSTALLDEVICE} 21:15:02.650
<<<  Section end 2026/02/03 21:15:06.900

What it means: The driver was installed via a PnP update path. SetupAPI logs are the closest thing Windows has to an audit trail for driver binding.

Decision: If timestamps align with Windows Update activity, focus on WU controls. If it aligns with OEM task schedules, kill the OEM updater.

Task 6: Disable automatic driver downloads (the user-friendly switch)

cr0x@server:~$ reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching
    SearchOrderConfig    REG_DWORD    0x1

What it means: 0x1 is “Yes, do this automatically” in many builds; 0x0 is “No.”

Decision: On managed machines, this may be ignored. Treat it as a convenience setting, not a guarantee.

Task 7: Enforce “Do not include drivers with Windows Updates” (policy-backed)

cr0x@server:~$ reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v ExcludeWUDriversInQualityUpdate
ERROR: The system was unable to find the specified registry value or key.

What it means: Policy is not set (or set elsewhere via MDM). You can set it via GPO or registry (prefer GPO/MDM in fleets).

Decision: If you’re in a domain, check resultant set of policy before editing local registry.

Task 8: Set the policy registry value (local test, then do it properly)

cr0x@server:~$ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v ExcludeWUDriversInQualityUpdate /t REG_DWORD /d 1 /f
The operation completed successfully.

What it means: This instructs Windows Update not to include driver updates in quality updates.

Decision: If a specific driver is mission-critical and you rely on WU to update it, don’t use this globally—use per-driver blocking instead.

Task 9: Remove the bad driver package from Driver Store (the real eviction)

cr0x@server:~$ pnputil /delete-driver oem42.inf /uninstall /force
Microsoft PnP Utility

Driver package deleted successfully.
Deleted driver package: oem42.inf

What it means: The package is gone, and Windows can’t rebind it unless it’s reintroduced.

Decision: If deletion fails due to “in use,” disconnect dependent hardware, boot Safe Mode, or remove competing devices using that INF.

Task 10: Confirm it’s actually gone

cr0x@server:~$ pnputil /enum-drivers | findstr /i "oem42.inf"

What it means: No output means the INF is not present in the Driver Store.

Decision: If it still appears, you didn’t remove it. Stop and fix that before you chase policies.

Task 11: Install a known-good driver and validate binding

cr0x@server:~$ pnputil /add-driver "C:\Drivers\WiFi\Netwtw06.inf" /install
Microsoft PnP Utility

Driver package added successfully.
Published name: oem77.inf
Driver package installed on matching devices.

What it means: You staged and installed the known-good driver; it’s now oem77.inf.

Decision: Record oem77.inf and the version/date. This is what you will defend.

Task 12: Block driver updates for a specific device by hardware ID (deterministic)

cr0x@server:~$ powershell -NoProfile -Command "$id='PCI\VEN_8086&DEV_06F0&SUBSYS_00748086'; $id"
PCI\VEN_8086&DEV_06F0&SUBSYS_00748086

What it means: You captured the hardware ID to use in Device Installation Restrictions (GPO) so Windows can’t install matching drivers except those already present/allowed.

Decision: If the device is storage or boot-critical, be careful: blocking installs can make recovery harder if you later need a replacement driver.

Task 13: Check which GPOs are actually applied (because “I set it” is not evidence)

cr0x@server:~$ gpresult /r
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Workstation Baseline
        Windows Update Control

What it means: You can see whether a policy object that should control drivers is applied.

Decision: If your expected GPO isn’t listed, your fix is in Active Directory, not the registry.

Task 14: Inspect Windows Update policy values that often conflict

cr0x@server:~$ reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    ExcludeWUDriversInQualityUpdate    REG_DWORD    0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    UseWUServer    REG_DWORD    0x1

What it means: Drivers excluded, and the machine is pointed at WSUS (UseWUServer=1).

Decision: If you use WSUS, fix approvals there; hiding updates locally won’t help if WSUS keeps forcing them.

Task 15: List installed third-party drivers via DISM (useful in incident reviews)

cr0x@server:~$ dism /online /get-drivers /format:table | more
Published Name   Original Name  Inbox  Class Name  Provider Name  Date       Version
-------------   -------------  -----  ----------  -------------  ---------  -------------
oem77.inf       netwtw06.inf   No     Net         Intel          2023-11-10  22.220.0.4
oem13.inf       nv_dispi.inf   No     Display     NVIDIA         2024-01-05  551.23

What it means: This gives you a fleet-friendly view: what’s inbox vs third-party, provider, date, version.

Decision: If you see an unexpected provider/date bump after Patch Tuesday, you have a driver drift problem.

Task 16: Force a rescan and observe whether the bad driver returns

cr0x@server:~$ pnputil /scan-devices
Microsoft PnP Utility

Scanning devices completed.

What it means: The machine re-evaluated device-driver matches. This is a safe way to test whether your block/eviction holds.

Decision: If the bad driver comes back immediately, your block isn’t in place or the package is still staged somewhere.

Blocking strategies that actually stick

You have three levels of control. Pick based on blast radius and how much you trust your future self.

Level 1: Block driver updates broadly (fast, blunt)

Use ExcludeWUDriversInQualityUpdate via GPO/MDM. This stops Windows Update from pushing drivers as part of quality updates. It doesn’t stop manual installs, OEM updaters, or feature update behavior. It’s still worth doing in environments where driver stability beats novelty.

When to use: office fleets, VDI endpoints, kiosks, systems with validated hardware stacks, audio workstations, industrial devices.

When not to use: laptops that depend on frequent vendor driver fixes (Wi‑Fi/BT regressions happen), or when you have no alternative driver distribution process.

Level 2: Hide/block a specific driver update (surgical, but source-dependent)

If a particular driver is offered through Windows Update, you can hide it so WU won’t reinstall it. In consumer environments this is often done via the “show or hide updates” troubleshooter. In managed environments, you do this with update approvals (WSUS) or driver targeting controls (MDM). The point is the same: stop delivery at the source.

Gotcha: Hiding works until the update is republished as a new revision or slightly different package. Then it’s a “new” update and you’re back in the loop.

Level 3: Device Installation Restrictions by hardware ID (most deterministic)

This is the grown-up solution when you must keep a device on a specific driver version. You block installation of devices that match hardware IDs unless the driver is already installed, or you explicitly allow only certain classes.

In plain terms: you create a bouncer for that device’s driver changes.

Gotcha: If you block too broadly (like class “Display” in a GPU-heavy environment), you will eventually sabotage upgrades and hardware swaps.

Evict the bad package from the Driver Store (non-negotiable)

If you want “stop it for good,” you remove the package that Windows keeps selecting. Otherwise you’re relying on rank and chance. Use pnputil /delete-driver with /uninstall and /force when appropriate. Then confirm it’s gone.

Also: if multiple versions exist, remove the ones you don’t want. Windows can and will pick a different “bad” one if it’s still in the store and ranks well.

Deal with OEM updaters (they mean well; they still break things)

On business-class laptops, OEM tools are common culprits. They push BIOS, firmware, and drivers. They can be useful—until they fight your desired state. If you run a managed fleet, decide who owns drivers:

• If IT owns drivers: remove/disable OEM updaters or configure them to only notify.
• If OEM owns drivers: accept drift and build monitoring plus rollback automation.

Joke #2: Windows Update is the world’s most confident coworker—always “fixing” the one thing you finally got stable.

Three corporate mini-stories from the trenches

Mini-story 1: The incident caused by a wrong assumption

They ran a hybrid fleet: engineering workstations in the office, remote laptops on VPN, and a handful of shared lab machines running expensive measurement hardware. Someone noticed a flaky USB-to-Ethernet adapter driver on a subset of laptops—random disconnects, especially after sleep.

The assumption was clean and wrong: “It’s Windows Update pushing a bad driver.” So they blocked drivers broadly via policy, patted themselves on the back, and moved on.

Two weeks later the lab machines started dropping off the network during long-running tests. Not laptops. Not remote. Only lab. The vendor blamed cabling. The network team blamed spanning tree. The lab blamed everyone.

The root cause turned out to be an OEM utility running as SYSTEM on the lab image. It had been configured months earlier to “auto-apply recommended updates.” It didn’t care about the Windows Update driver exclusion policy because it wasn’t Windows Update. It downloaded a newer driver directly from the OEM catalog and installed it during a maintenance window.

Fix: they removed the OEM updater from the lab image, moved BIOS/firmware to a controlled monthly process, and used device installation restrictions for the specific USB NIC hardware IDs. The wrong assumption wasn’t malicious; it was just incomplete threat modeling. Driver delivery has multiple mouths.

Mini-story 2: The optimization that backfired

A desktop engineering group wanted faster provisioning. They built a “golden image” with a stuffed Driver Store: chipset, GPU, audio, NIC—everything pre-staged. The idea was solid: first boot, zero missing devices, minimal user pain.

It worked beautifully, until it didn’t. A subset of machines began picking an older-but-more-specific GPU driver that had been staged months earlier for a slightly different subsystem ID. It ranked well, it matched tightly, and it was sitting right there in the store like a loaded mousetrap.

The symptoms were weird: certain CAD apps crashed, but only on certain hardware revisions. Rolling back helped for a day. Then after a dock/undock cycle or a Windows Update scan, the older driver returned. Their “optimization” created a bigger candidate set, increasing the odds of Windows choosing something they didn’t intend.

Fix: they changed the imaging process to stage only the drivers required for that model SKU, not the entire vendor universe. They also added a post-provision validation step that enumerated Driver Store packages and removed known-bad INFs. Provisioning got slightly slower. Mean time to sanity improved dramatically.

Mini-story 3: The boring but correct practice that saved the day

A finance department ran Windows desktops connected to an ancient-but-critical receipt scanning system. The scanner depended on a very specific USB controller driver version—newer versions “worked” but produced intermittent corruption that was hard to detect until audits. Everyone hated this setup, which is how you know it was important.

Instead of playing whack-a-mole, the endpoint team did three unsexy things. First, they documented the exact hardware IDs for the controller and scanner. Second, they created a driver baseline package and stored it internally with the imaging pipeline. Third, they enforced device installation restrictions so the controller couldn’t switch drivers without an explicit change window.

Then a Windows feature update rolled through the organization. Predictably, it tried to modernize drivers. On most devices, that was fine. On these, it failed to replace the restricted device’s driver, and the devices kept running with the approved version.

No incident. No scramble. No executive email thread full of “any updates???” The boring practice—explicit allow/block rules and a known-good package—didn’t make them popular, but it made them correct. In operations, correct wins.

Common mistakes: symptom → root cause → fix

1) Symptom: “I roll back the driver, but it returns after reboot”

Root cause: The newer/bad package is still in the Driver Store and ranks higher. Rollback changes binding, not the candidate set.

Fix: Remove the bad INF from Driver Store with pnputil /delete-driver ... /uninstall. Then install the known-good package and validate with a rescan.

2) Symptom: “I disabled driver updates, but the driver still changes”

Root cause: An OEM updater or MDM policy is installing the driver outside Windows Update, or a feature update is swapping drivers.

Fix: Identify source via SetupAPI logs + scheduled tasks/services. Remove/disable OEM updater or adjust MDM/WSUS policy. Use device installation restrictions for truly sticky control.

3) Symptom: “Device Manager says one version, but behavior matches the broken version”

Root cause: Multiple components: driver package vs firmware vs companion software; or the device is actually using a different instance (e.g., dock NIC vs internal NIC).

Fix: Confirm InstanceId and hardware IDs. Enumerate Win32_PnPSignedDriver by DeviceID. Verify which device is failing by event logs.

4) Symptom: “pnputil delete-driver fails: driver is in use”

Root cause: The driver is bound to a currently active device, or another device uses the same package.

Fix: Uninstall the device(s), disconnect removable hardware, reboot, or use Safe Mode. Then delete-driver again. Confirm with pnputil /enum-drivers.

5) Symptom: “After feature update, drivers reverted to older ones”

Root cause: Upgrade compatibility process picked “safe” drivers to ensure boot and display.

Fix: Re-apply your known-good driver package post-upgrade, and enforce a policy boundary if the system keeps drifting. For fleets, bake this into post-upgrade task sequences.

6) Symptom: “Only some machines are affected”

Root cause: Different subsystem IDs, different OEM images, or different driver candidates already staged in Driver Store.

Fix: Compare hardware IDs and Driver Store contents. Do not assume “same model” means “same IDs.” It often doesn’t.

Checklists / step-by-step plan

Single machine: stop the bleeding in 30 minutes

1. Identify the device instance (Task 1) and the current INF (Task 2).
2. Confirm the bad INF exists in Driver Store (Task 3).
3. Check whether Windows Update delivered it (Task 4) and confirm via SetupAPI (Task 5).
4. Evict the bad package with pnputil /delete-driver (Task 9), then confirm (Task 10).
5. Install the known-good driver (Task 11).
6. Disable driver delivery via Windows Update using policy (Task 8), at least temporarily.
7. Force a rescan (Task 16) and reboot. Re-check driver version/provider.

Small fleet: stabilize without creating a new problem

1. Pick a known-good driver version and document it (provider, version, INF, hardware IDs).
2. Stop driver updates via Windows Update policy (GPO preferred). Validate with gpresult (Task 13).
3. Remove the bad driver from Driver Store via script (pnputil) during maintenance windows.
4. Disable OEM updaters or set them to notify-only.
5. Add monitoring: periodically run DISM driver inventory (Task 15) and flag drift in provider/date/version.

Enterprise: make it boring, repeatable, and auditable

1. Decide ownership: Windows Update vs OEM vs IT-packaged drivers. Mixed ownership causes drift.
2. Implement driver rings: pilot group first, then broad deployment after validation.
3. Use WSUS/MDM controls to prevent unwanted driver deployment. Don’t rely on endpoint hiding.
4. Use device installation restrictions for critical peripherals and known-problem devices.
5. Build a rollback playbook that includes Driver Store eviction, not just device rollback.
6. During feature updates, schedule a post-upgrade remediation step to reapply approved drivers and remove disallowed ones.

FAQ

1) Why does Windows keep reinstalling the same bad driver after I roll it back?

Because rollback changes the active binding, but the newer driver package often remains in the Driver Store and still ranks as the “best” match. Evict the package with pnputil /delete-driver and block delivery.

2) Is “Do not include drivers with Windows Updates” enough?

Sometimes. It blocks driver delivery via quality updates, but it doesn’t stop OEM updaters, MDM pushes, or feature-update driver swaps. If you need guarantees, add Driver Store eviction and device installation restrictions.

3) Will removing the device in Device Manager delete the driver?

Not reliably. It may uninstall the device instance, but the driver package can remain staged. Use pnputil /enum-drivers to confirm whether the INF still exists.

4) What’s the difference between “provider Microsoft” and “provider Intel/NVIDIA/AMD”?

“Microsoft” often indicates the driver was distributed through Microsoft’s pipeline (or an inbox driver). It can still be vendor code. Don’t infer quality from the provider string—verify version, INF, and source.

5) Can I block only one specific driver update and still allow others?

Yes, but the mechanism depends on your environment. On managed networks, block it in WSUS/MDM targeting. On a standalone PC, hiding the update can work, but republished revisions may bypass that hide.

6) Is it safe to force-delete drivers with pnputil?

It can be safe if you understand dependency. Don’t force-delete storage, chipset, or boot-critical drivers unless you have recovery media and a tested rollback path. For GPUs and NICs it’s usually lower risk, but still plan downtime.

7) Why do only some machines get the bad driver?

Hardware IDs differ more than people expect—subsystem IDs, revisions, and OEM customizations change matching and ranking. Also, different machines accumulate different Driver Store contents over time.

8) How do I prove where the driver came from?

Correlate SetupAPI timestamps in C:\Windows\inf\setupapi.dev.log with Windows Update logs and with OEM updater schedules. It’s not perfect attribution, but it’s good enough to find the actor.

9) Does blocking drivers hurt security?

Sometimes. Drivers can have security fixes. The right approach is controlled driver updates: test, approve, deploy—rather than “never update drivers.” Stability and security can coexist if you run a process instead of a hope.

10) What about firmware updates that look like drivers?

Firmware (especially for storage, docks, and Thunderbolt) can be distributed as updates and can change behavior like a driver regression. Treat firmware as part of the stack: inventory it, control it, and don’t let three tools update it independently.

Conclusion: practical next steps

If Windows keeps reinstalling a bad driver, stop negotiating with it. Do three things in order:

1. Identify the device instance, current driver version, and INF name (Tasks 1–3).
2. Evict the unwanted driver package from the Driver Store and install your known-good version (Tasks 9–11).
3. Enforce the boundary: block driver delivery via policy and/or lock the device with installation restrictions (Tasks 8, 12–14).

Then test like a pessimist: rescan devices, reboot, dock/undock, and run Windows Update. If it stays stable through that, it will probably stay stable through next week’s surprises too.