What is going on with Windows Update and drivers?

June 28, 2025

[Banner image: An assortment of hardware device icons from Windows XP, surrounding a blue shield with a question mark.]

Just wanted to write up some thoughts about Microsoft’s recent announcement that old drivers will be removed from Windows Update.

The short version of it is that “legacy drivers that have newer replacements” will soon be hidden from Windows Update, and in 6 months’ time, depending on how the industry responds to this, they may be fully deleted. As you might imagine, that “legacy” keyword has brought some curious questions my way.

There is some real ambiguity in what Microsoft is trying to do here. Here is how I understand the timeline of what will be happening with drivers. This is only my interpretation, and I could be wrong about any or all of this.

  1. At some point in the near future, Microsoft will perform a soft deprecation of all versions other than the latest of each driver, such that they are no longer offered in WSUS as an option to deploy to devices. The drivers will likely still be accessible by manually finding and downloading them on the Microsoft Update Catalog.
  2. Hardware manufacturers will then have a 6 month window to raise concerns with Microsoft. A manufacturer can suggest that Microsoft reinstate old versions of a driver, but they should be prepared to give a really good reason for it.
  3. After 6 months, any remaining drivers that did not get reinstated will be removed forever. It’s not clear whether this means they will only cease to be offered by WSUS, or if they will also disappear from the Microsoft Update Catalog, or if the files will also be deleted.
  4. At some later time, a policy will be instated under which old drivers expire on a continuous basis, with the exact details not yet discussed. They may also consider removing drivers that are not considered “legacy drivers that have newer replacements already on Windows Update”.

I don’t have any reason to believe this will affect old devices. You should still be able to automatically receive drivers for something like an Nvidia 700 series GPU, or a Wi-Fi PCMCIA card - including from Legacy Update, which relies on the public Windows Update service.

But why is this being done? As I posted in a quick first reaction, I think two things are true here:

First, what Microsoft is actually saying: that this is an initiative to improve security. This is valid, because of “bring your own vulnerable driver” (BYOVD) attacks. This is a malware tactic that takes advantage of an outdated driver that is already installed, or that the victim is easily tricked into installing, to gain full unrestricted kernel privileges. If you’re not familiar with operating system design: malware finding its way into the kernel is game over. It has access to everything the infected system has access to, and can take measures to hide itself so it hangs around as long as possible. In the past few years, Microsoft has been stepping up defences against BYOVD attacks, particularly through the Vulnerable Driver Blocklist. Vulnerable drivers Microsoft has blocked include ones for Realtek audio, VirtualBox, Nvidia NVFlash, and something from Asus. They also recently took the unpopular major step of blocking WinRing0, a fundamentally flawed and vulnerable driver that is nonetheless still widely used to access hardware such as RGB and fan controllers.
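For anyone wanting to check where their own machine stands on the defences mentioned above, here is an added example (my own illustration for this post, not code from Microsoft) that reports whether the Vulnerable Driver Blocklist and HVCI (memory integrity) are active, and inventories the third-party driver packages in the driver store so the oldest can be reviewed. It assumes Windows 10/11 or Windows Server, Windows PowerShell 5.1 or later, and an elevated prompt; the registry value and WMI class it reads are the ones Microsoft documents for this feature.

```powershell
# Added example, not from the Legacy Update post or from Microsoft.
# Reports Vulnerable Driver Blocklist / HVCI state and lists third-party
# driver packages in the driver store. Run from an elevated prompt.

function Get-DriverBlocklistStatus {
    # Documented registry switch for the blocklist: DWORD 1 = enabled.
    # The value is often absent, in which case the Windows default applies.
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $reg = Get-ItemProperty -Path $ciConfig -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    $blocklistValue = $null
    if ($reg) { $blocklistValue = $reg.VulnerableDriverBlocklistEnable }

    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI is running.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $hvciRunning = $false
    $ciPolicy = $null
    if ($dg) {
        $hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
        $ciPolicy = $dg.CodeIntegrityPolicyEnforcementStatus
    }

    [pscustomobject]@{
        BlocklistRegistryValue = $blocklistValue
        HvciRunning            = $hvciRunning
        CiPolicyEnforcement    = $ciPolicy
    }
}

function Get-ThirdPartyDriverPackages {
    param([int]$OlderThanYears = 0)   # 0 = list every package
    $cutoff = (Get-Date).AddYears(-$OlderThanYears)
    # Get-WindowsDriver -Online lists only third-party (oemNN.inf) packages in the
    # driver store, which is the population that BYOVD-style abuse draws on.
    Get-WindowsDriver -Online |
        Where-Object { $OlderThanYears -eq 0 -or $_.Date -lt $cutoff } |
        Sort-Object Date |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date, BootCritical
}

Get-DriverBlocklistStatus | Format-List
# Packages whose INF date is more than five years old, oldest first
Get-ThirdPartyDriverPackages -OlderThanYears 5 | Format-Table -AutoSize
```

A package being old is not proof it is vulnerable, and a recent date is not proof it is safe; the list is a starting point for checking each provider’s current release against what is installed. On machines where HVCI is off, the blocklist registry value on its own is the thing to look at.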

While Windows Update itself will only ever install the latest version of a driver (sometimes even against your wishes), businesses can choose which updates they roll out to their devices. This tends to be done with Windows Server Update Services (WSUS), or one of Microsoft’s numerous replacements for it. Sometimes you just need an old version of a driver or update: the new version breaks something, or your business requires the utmost software stability, or it is legally obligated to audit all software running on systems exposed to sensitive data. As far as I’m aware, since Windows Update v4 (2001), Microsoft has never deleted old drivers or updates, except where they needed to stop the rollout of a seriously broken update. Despite potential security concerns, an old release could be better for your needs, and it is assumed that your IT department has made the risk assessment decision. With this change, if you require an outdated driver, it must be deployed through some means other than Windows Update.
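For the case just described, where an IT department has settled on a specific driver version and can no longer rely on WSUS to hand it out, here is an added example (my own, not Microsoft’s or anyone’s official procedure) of staging that one package with pnputil and setting the documented “Do not include drivers with Windows Updates” policy so Windows Update does not silently replace it. It assumes an elevated prompt and a driver package already downloaded from the Microsoft Update Catalog and extracted to the placeholder path; the INF path is a placeholder, not a real package.

```powershell
# Added example, not from the Legacy Update post or from Microsoft.
# Stages one specific driver package from a local folder and stops Windows
# Update from offering driver updates, so the chosen version stays put.

$driverInf = 'C:\Drivers\ExampleDevice\example.inf'   # placeholder path, constructed for this example

function Install-PinnedDriver {
    param([Parameter(Mandatory)][string]$InfPath)
    if (-not (Test-Path $InfPath)) { throw "INF not found: $InfPath" }
    # /add-driver stages the package in the driver store; /install also installs
    # it on matching devices that are present right now.
    & pnputil.exe /add-driver $InfPath /install
    # 0 = success, 3010 = success but a reboot is required
    if ($LASTEXITCODE -notin 0, 3010) { throw "pnputil failed with exit code $LASTEXITCODE" }
    # Confirm the package is in the store and show the oemNN.inf name it was given.
    $leaf = Split-Path $InfPath -Leaf
    Get-WindowsDriver -Online | Where-Object { $_.OriginalFileName -like "*\$leaf" }
}

function Set-WindowsUpdateDriverPolicy {
    # Registry form of the "Do not include drivers with Windows Updates" group policy.
    param([switch]$ExcludeDrivers)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ExcludeWUDriversInQualityUpdate' `
        -PropertyType DWord -Value ([int][bool]$ExcludeDrivers) -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'ExcludeWUDriversInQualityUpdate'
}

Install-PinnedDriver -InfPath $driverInf
Set-WindowsUpdateDriverPolicy -ExcludeDrivers
```

The policy is machine-wide: it keeps Windows Update from offering any driver, not just the one being pinned, so from that point the rest of the drivers on the box are the administrator’s responsibility too. Running `Set-WindowsUpdateDriverPolicy` without the switch writes the value back to 0.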

Second, what Microsoft isn’t saying, or rather, what they were saying up until a few months ago. Let’s go back to WSUS. The current generation of it started off as version 3.0, which released not long after Windows Vista in 2007. A lot has changed, but a lot has also stayed the same. If you’ve reinstalled Windows 7 sometime since 2015, you might know that its Windows Update servicing system is straight up broken in its out-of-box state, and requires a manual update - that, even then, doesn’t properly solve the problem, just makes it more tolerable. Windows Update has a pretty cool system for describing whether an update applies to the current system, or is already installed. It also builds a relationship graph between updates, to indicate when one has been superseded by a newer update that includes all changes from the previous one. That system is also its downfall, causing the Windows Update service to be incredibly slow in checking for updates, possibly never completing the check at all. This issue also applies to WSUS, which, despite being based on the very robust SQL Server, struggles with the number of drivers Microsoft hosts on Windows Update. As of April, we know that Windows Update hosts 1,799,339 drivers, and this creates a 138 GB database that requires almost 16 days to synchronise down from the main servers. The WSUS server is brought to its knees, with frequent timeouts while it furiously tries to complete database queries. (The PC used is a Ryzen 5700G with 32 GB of 3600 MHz RAM and 500 GB of NVMe, running Windows Server 2025 and SQL Server 2022.)

The reason we have those numbers is because, in June 2024, Microsoft announced the deprecation of WSUS’s driver synchronisation, then in September 2024 announced the deprecation of WSUS, indicating that it will no longer be supported after Windows Server 2025, then in April 2025, backtracked at the eleventh hour and decided drivers are staying around after all. To preserve the data for use by Legacy Update and the community, I jumped to sync it all down right before it was due to go away. I can respect that Microsoft is trying to move on from software that hasn’t had a major update since forever ago, but this timeline of events is crazy, and comes off as mildly tone-deaf, as if they don’t understand how their customers are using their products. Or, perhaps they do know, but don’t consider a 34% response to a survey important enough to register.

Under the announcement, a commenter, ItsADave, made a suggestion that Microsoft should consider sharing the to-be-deleted drivers with Legacy Update or the Internet Archive. First, I’m flattered that our project is in such a respected and trusted position. I never expected it to be mentioned adjacent to a Microsoft announcement that’s being linked back to from major tech news outlets. But to be realistic, I don’t expect this to happen, because the drivers are owned by the hardware manufacturers that wrote them, and they likely only license them to Microsoft for redistribution to end-users and IT administrators. Even if the agreements they have with Microsoft are lenient, the lawyers are very likely not comfortable with handing over other companies’ work to a small project, or even drawing any attention to us, which could be seen as an endorsement to continue running old vulnerable software. Unless proven otherwise, this is entirely for us to deal with as a community. As for the Internet Archive, I would mention that this is a considerable amount of data (at least 5 TB - will update this with a precise number soon), and the optics of one of the most valuable companies of all time deferring a problem to a non-profit library that already has enough battles to fight aren’t particularly positive.

As a side note, I’ve found the Microsoft announcements made on their Tech Community website to be kinda weird, because as we just explored, they come off unclear, vague, and often filled with jargon. They tend to read like nobody has proofread them - the announcement we started this post with blatantly refers to “windows update” in all lowercase four times! The announcement about backtracking on WSUS drivers also interchangeably refers to them as being both “deprecated” and “removed”, while correctly reminding the reader that the terms have very different meanings. The reason there has been confusion and concern about changes like this is that, besides poor discussion with the community, they’re just plain missing the extra attention to wording and clarity that someone good at PR would bring.

The high resolution Windows XP icons in the banner image come from the excellent Windows XP High Resolution Icon Pack. Thanks, marchmountain!