P3 · Endpoint & Device Management

Windows Driver Failure — BSOD, Device Manager Errors, and Rollback/Reinstall Triage

Driver failures on Windows 10/11 and Windows Server 2016–2022 manifest as yellow exclamation marks in Device Manager, kernel Bug Checks (BSOD) referencing a specific driver module, or services failing to start after an OS update or driver replacement. Root causes include incompatible driver versions, unsigned drivers blocked by Kernel Mode Code Signing or Secure Boot, Windows Update silently replacing validated OEM drivers with generic versions, and corrupted driver binaries. Resolution follows a layered approach: identify the faulting driver via Device Manager, Event Viewer, or WinDbg crash dump analysis; roll back or cleanly reinstall from the OEM source; and prevent recurrence by blocking automatic driver updates via Group Policy. Remediation typically completes in 30 minutes to 2 hours, with an additional 1–2 hours if kernel dump analysis is required.

Indicators

Device appears with a yellow exclamation mark or red X in Device Manager (devmgmt.msc), displaying a Windows error code (e.g. Code 10, Code 43)
System Bug Check (BSOD) with stop codes such as DRIVER_IRQL_NOT_LESS_OR_EQUAL, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED, or PAGE_FAULT_IN_NONPAGED_AREA, referencing a specific .sys module name
Event Viewer System log contains events from source 'Kernel-PnP' (Event ID 219 — driver load failure) or 'Service Control Manager' indicating a driver or service failed to start
Device listed as 'Unknown Device' or 'PCI Simple Communications Controller' in Device Manager due to a missing or uninstalled driver
Application or service dependent on a hardware device fails to start, throws access errors, or produces I/O failures immediately after an OS cumulative update or driver update
Kernel-PnP Event ID 411 logged in System event log indicating a driver package was removed unexpectedly

Likely causes

Driver version incompatible with the installed Windows build or cumulative update level — especially common after Patch Tuesday updates that change kernel interfaces
Windows Update automatically replacing a validated OEM driver with a generic or mismatched Microsoft-provided driver without administrator awareness
Unsigned or test-signed driver blocked by Kernel Mode Code Signing (KMCS) enforcement or Secure Boot, preventing the driver from loading in the kernel
Corrupted driver binaries in the Windows component store due to a failed installation, disk error, or malware activity
Driver conflict between two devices sharing resources or incompatible kernel-mode components loaded simultaneously
Missing INF or co-installer files preventing correct driver installation — often left after a partial uninstall or failed update

Diagnostic steps

Open Device Manager: run 'devmgmt.msc'. Enable View > Show hidden devices. Scan all device categories for yellow exclamation marks, red X markers, or 'Unknown Device' / 'PCI Simple Communications Controller' entries. Right-click the flagged device > Properties > note the Device Status error code (e.g. Code 10, Code 43) and the device instance path.

Identifies which device or driver is failing and surfaces the Windows device error code for targeted investigation, including hidden or recently disconnected devices.
Open Event Viewer (eventvwr.msc). Navigate to Windows Logs > System. Filter for sources: 'Kernel-PnP' (Event IDs 219, 411), 'Service Control Manager', 'disk', and 'Ntfs'. Set the time window to match the onset of the issue. Note exact timestamps and event descriptions.

Correlates driver failures with specific event IDs and timestamps to establish the root cause sequence — particularly whether a driver was removed or failed to load before or after the symptom appeared.
From an elevated command prompt, run: sfc /scannow Wait for completion. If corruption is found, follow with: dism /Online /Cleanup-Image /CheckHealth If issues are detected by DISM CheckHealth, run: dism /Online /Cleanup-Image /RestoreHealth

Detects and repairs corrupted Windows system files including driver binaries. DISM RestoreHealth repairs the component store used as the source for SFC repairs.
From an elevated command prompt, enumerate all third-party drivers in the driver store: pnputil /enum-drivers Review each entry for Published Name (e.g. oem12.inf), Original Name, Provider, Driver Version, and Driver Date. Cross-reference the provider and version against the known-good baseline or OEM documentation.

Provides a comprehensive inventory of installed third-party drivers to identify candidates for removal, rollback, or update — especially useful when Windows Update has silently replaced an OEM driver.
If a BSOD has occurred, open WinDbg or WinDbg Preview (available from Microsoft Store or Windows SDK). Load the crash dump: File > Open Crash Dump > navigate to %SystemRoot%\MEMORY.DMP or %SystemRoot%\Minidump\<filename>.dmp. At the WinDbg command prompt run: !analyze -v Note the MODULE_NAME, IMAGE_NAME, and FAULTING_IP fields in the output.

Pinpoints the exact driver binary (.sys file) responsible for a kernel crash, enabling targeted removal or replacement rather than guesswork.
Review loaded drivers and versions via System Information: run 'msinfo32.exe' > Software Environment > System Drivers. Alternatively, from PowerShell: Get-WmiObject Win32_SystemDriver | Select-Object Name, State, Status, PathName | Sort-Object Name | Format-Table -AutoSize Identify any drivers in a Stopped or Error state.

Provides a secondary view of driver load state independent of Device Manager, useful for identifying drivers that loaded but then failed, or service-layer drivers not associated with a hardware device node.

Resolution path

Roll back the driver in Device Manager: right-click the affected device > Properties > Driver tab > Roll Back Driver. Select a reason when prompted and confirm. Reboot and verify device status reads 'This device is working properly.'
Update from OEM source: download the correct driver version from the hardware vendor's support site. In Device Manager, right-click the device > Update driver > Browse my computer for drivers > point to the extracted driver folder. Alternatively, run the OEM installer package as Administrator. Reboot after installation.
Clean removal and reinstall: in Device Manager, right-click the device > Uninstall device > check 'Delete the driver software for this device'. Reboot to allow Windows to detect the device fresh (it may auto-install a generic driver). Then install the correct OEM driver version manually.
Force-remove a stubborn driver from the driver store using pnputil from an elevated command prompt: pnputil /delete-driver oem12.inf /uninstall /force (Replace oem12.inf with the Published Name shown in 'pnputil /enum-drivers' output.) Reboot after removal.
If Driver Signature Enforcement is blocking a required driver, contact the vendor for a properly WHQL-signed version. As a temporary diagnostic-only measure (not for production): boot into Advanced Startup > Troubleshoot > Advanced Options > Startup Settings > Restart > press F7 (Disable Driver Signature Enforcement). This setting reverts on next normal boot.
Block Windows Update from overriding the validated driver: set Group Policy at Computer Configuration > Administrative Templates > Windows Components > Windows Update > 'Do not include drivers with Windows Updates' to Enabled. Alternatively, use wushowhide.diagcab to hide the specific driver update package from Windows Update.

Prevention

Establish a driver update testing process: validate new driver versions in a representative staging environment before deploying to production fleets — prioritise storage controllers, network adapters, and GPU/display drivers which have the highest BSOD blast radius.
Use Group Policy to prevent Windows Update from silently replacing validated OEM drivers: Computer Configuration > Administrative Templates > Windows Components > Windows Update > 'Do not include drivers with Windows Updates' set to Enabled. Use wushowhide.diagcab to hide specific problem driver update packages.
Maintain a documented driver baseline per hardware model (vendor name, driver version, INF filename, driver date) so deviations introduced by Windows Update or imaging errors are immediately identifiable via 'pnputil /enum-drivers' comparison.
Create System Restore points or VM snapshots before any planned driver update activity so rollback is available without full system reimaging — particularly important before major OEM driver version jumps.
Monitor the Windows System event log for Kernel-PnP Event ID 219 (driver load failure) and Event ID 411 (driver package removal) as part of ongoing operational monitoring — alert on these IDs to detect driver issues before they become user-impacting BSODs.

Tools

devmgmt.msc — Device Manager GUI for driver status, rollback, update, and uninstall
pnputil.exe — Command-line driver store management: enumerate, delete, and force-remove third-party drivers
sfc /scannow — System File Checker: detects and repairs corrupted system and driver files
dism.exe — Deployment Image Servicing and Management: repairs component store used by SFC
WinDbg / WinDbg Preview — Kernel debugger for crash dump analysis and driver fault identification via !analyze -v
eventvwr.msc — Event Viewer: System log analysis for Kernel-PnP Event IDs 219 and 411
msinfo32.exe — System Information: lists loaded drivers, versions, and state
wushowhide.diagcab — Microsoft Show/Hide Updates troubleshooter: blocks specific driver updates from Windows Update
rstrui.exe — System Restore: reverts system to a pre-driver-change restore point

References

driverswindowsdevice-managerbsodkernelpnputilhardwaredriver-conflictdriver-rollbackwindbgsfcdismdriver-signaturewindows-updatetriageendpoint-management