Prevent Automatic Driver Updates in Windows and Xen-Orchestra

In this guide, we shall discuss how to “Prevent Automatic Driver Updates in Windows and Xen-Orchestra”. Keeping systems patched and secure is critical in every virtualized environment. However, blindly allowing automatic driver updates on production workloads can introduce instability and can sometimes cause outages, as we have seen several times. This becomes especially important in environments using virtualization platforms such as Xen Orchestra running Microsoft Windows. Please see A-Z of XCP-ng and Xen Orchestra setup and VM Creation, and How to extend Proxmox Local Container Storage.
Preventing automatic driver updates in Windows ensures stability for your connected virtual machines, thereby avoiding conflicts between standard Windows drivers and specialized virtualization software. See this guide for the steps to Update Windows PV drivers automatically with Group Policy.
While operating system updates are often necessary, uncontrolled driver updates can create unexpected changes inside virtual machines (VMs), especially when virtualization-specific drivers are involved. Because of this, I recommend setting up a WSUS environment for controlled testing.
Also see How to install WSUS on Windows Server 2022, how to disable automatic Windows updates via Windows Settings, and how to Configure SSL connection for WSUS Upstream and Downstream Servers.
What Are Citrix PV Drivers?
Citrix drivers are virtualization-aware drivers installed inside guest operating systems running on Citrix-based hypervisors such as Citrix Hypervisor (formerly XenServer). These drivers are commonly delivered through:
- Citrix VM Tools
- Xen guest tools
- Paravirtualized (PV) drivers
Tying this to physical environments, hardware drivers are responsible for enabling communication between the operating system and physical devices such as network adapters, storage controllers, and GPUs.
In virtualized environments, special virtualization-aware drivers are installed to improve VM performance and integration with the hypervisor. These include:
- Paravirtualized network drivers
- Storage optimization drivers
- Memory ballooning drivers
- Guest agent tools
- Time synchronization drivers
These drivers are tightly coupled with the virtualization platform version and configuration. If Windows Update or another update mechanism automatically installs a newer or incompatible driver version, it can lead to problems such as VM boot failures and performance degradation.
Please see “PXE Boot Failure: ‘Access Denied or Aborted’ with Secure Boot on [Part 4]”, how to update Printer Drivers on your Windows device, and AWS Network Adapter: Redhat to Citrix PV and AWS PV Driver.
Drawbacks of Uncontrolled Driver Updates
1. Version Mismatch Between Hypervisor and Guest Drivers: Citrix drivers are often designed for specific hypervisor builds. If Windows Update installs a newer driver than the hypervisor supports, compatibility problems may appear immediately or during failover and migration operations. Potential symptoms include:
- Blue Screens (BSOD)
- VM crashes
- Loss of network connectivity, including via Remote Desktop Connection
- Failed live migrations
- Backup processing failures
2. Automatic Updates Can Replace Stable Drivers: Windows Update may classify virtualization drivers as “recommended” or “optional” updates. This can silently replace a fully validated production driver with a newer untested version. In enterprise environments, this breaks change management and introduces configuration drift.
3. Backup and Recovery Risks: This is especially risky in mission-critical workloads as backup products rely heavily on stable storage and network communication. A problematic storage or network driver update can cause:
- Snapshot failures
- Backup corruption
- VSS communication issues
- Guest processing failures
- Restore inconsistencies
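To catch the silent driver replacement and configuration drift described above, the following added example (not part of the original guide) records the PV driver versions inside a guest and reports any change on later runs. The baseline path and the provider-name pattern are assumptions; adjust them to the driver vendor actually installed in your VMs.

```powershell
# Added example (not from the original guide): record PV driver versions and
# report drift on later runs. Path and provider pattern are assumptions.
$BaselinePath    = 'C:\ProgramData\pv-driver-baseline.csv'   # hypothetical location
$ProviderPattern = 'Xen|Citrix|XCP-ng'                       # assumed provider names

function Get-PvDriverInventory {
    # Win32_PnPSignedDriver lists installed PnP drivers with their versions.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName -match $ProviderPattern } |
        Select-Object DeviceID, DeviceName, DriverProviderName, DriverVersion, InfName
}

function Compare-PvDriverInventory {
    param([object[]]$Baseline, [object[]]$Current)
    # Index the baseline by DeviceID so each current driver is matched once.
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.DeviceID] = $b }
    foreach ($c in $Current) {
        $b = $known[$c.DeviceID]
        if ($null -eq $b) {
            [pscustomobject]@{ Device = $c.DeviceName; Change = 'Added'
                               Old = $null; New = $c.DriverVersion }
        } elseif ($b.DriverVersion -ne $c.DriverVersion) {
            [pscustomobject]@{ Device = $c.DeviceName; Change = 'VersionChanged'
                               Old = $b.DriverVersion; New = $c.DriverVersion }
        }
        $known.Remove($c.DeviceID)
    }
    # Whatever is left in the index existed in the baseline but is gone now.
    foreach ($b in $known.Values) {
        [pscustomobject]@{ Device = $b.DeviceName; Change = 'Removed'
                           Old = $b.DriverVersion; New = $null }
    }
}

$current = @(Get-PvDriverInventory)
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: store the validated state as the baseline.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation -Encoding UTF8
    Write-Output "Baseline recorded: $($current.Count) PV driver(s)."
} else {
    $baseline = @(Import-Csv -Path $BaselinePath)
    $drift = @(Compare-PvDriverInventory -Baseline $baseline -Current $current)
    if ($drift.Count -eq 0) { Write-Output 'No PV driver drift detected.' }
    else { $drift | Format-Table -AutoSize }
}
```

Run it once after a validated driver installation to create the baseline, then again after each patch cycle; delete the baseline file after an approved driver change so the next run records the new state.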
Please see How to automate Windows Update with PowerShell, and how to Start, Stop and Restart Windows Server Update WSUS Services via PowerShell and CMD.
Why WSUS-Based Driver Management Is Safer
Updating virtualization drivers should never be automated. It should always be a controlled, manual process initiated by an administrator during maintenance (patch) day. Using Windows Server Update Services (WSUS) allows organizations to:
- Test drivers before deployment
- Approve only validated updates
- Prevent incompatible driver rollouts
- Maintain standardized VM configurations
- Roll back problematic updates safely
Instead of allowing direct internet-based updates from Microsoft, WSUS provides controlled and staged deployment. This ensures production VMs receive only approved drivers verified against the virtualization stack.
Please see What is ADK, MDT, Microsoft Endpoint Configuration Manager (SCCM), Intune, Autopilot, and WSUS, and Add and remove IIS Web Server on Windows Server 2019 via the Server Manager and PowerShell.
Disable “Manage Citrix PV Drivers” in Xen Orchestra
To control Citrix PV and Windows PV driver updates in XCP-ng, you can manage this either at the hypervisor level in Xen Orchestra or at the individual Windows guest level using Group Policy, which we will see shortly after this step.
This prevents Windows Update from automatically overwriting or destabilizing your Paravirtualized (PV) network and disk drivers. If you previously enabled Xen Orchestra to auto-manage drivers, you can turn it off to stop Windows from auto-pulling them.
To do this, launch the Xen Orchestra web interface, and navigate to your specific Windows VM.

Next, click the Advanced tab. Locate the parameter Manage Citrix PV drivers via Windows Update. Make sure to toggle this feature OFF as shown below.

Please see Printer Driver Information: How to determine the version and type of a Printer Driver, and Unable to locate the account: Fix call to DsGetDcNameWithAccount failed with return value 0x0000054B.
Disable Automatic Driver Updates in Windows Guest OS
Even with the Xen Orchestra feature disabled, Windows might still attempt to pull driver updates. You can block this via Group Policy inside the VM.
Since I manage multiple VMs via Active Directory and I want a reliable system-level block, I will proceed to disable automatic driver updates via the Local Group Policy Editor.
From Search, type gpedit.msc or press Win + R on your keyboard and type gpedit.msc. Then hit Enter to open the Local Group Policy Editor and navigate to the path below:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update
To do this from Active Directory, from the Server Manager, click on Tools and select Group Policy Management as shown below. You can create a new policy or modify an existing one as shown below.

In the group policy editor, navigate to the following path as shown below.
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage updates offered from Windows Update

Double-click the policy named Do not include drivers with Windows Updates.

Set it to Enabled and click Apply and OK.

Please see Handy WSUS Commands: Windows Server Update Services Commands, WAUACLT, PowerShell and USOClient, and Windows 2016 Servers do not show up on the WSUS console.
Block Automatic Updates via the Windows Registry
For quick scripted deployments, you can apply a registry change to forcefully shut off driver searching. This will ensure the VM itself never attempts to pull Xen updates from Microsoft.
To do this, open the VM and press Win + R. Then type regedit, hit Enter, and navigate to the key below.

This setting prevents all hardware drivers from being installed, that is, “Do not search Microsoft’s hardware catalog for any hardware drivers during regular updates”. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
If the WindowsUpdate key doesn’t exist, as you can see below, create it first. Then right-click the WindowsUpdate folder, select New > DWORD (32-bit) Value, and name it ExcludeWUDriversInQualityUpdate.
Then, double-click your new DWORD, set its value data to 1, and restart your VM.
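For scripted deployment, the registry steps above can be applied and verified in one pass. This is an added example, not part of the original guide; it uses only the key and value named above and must run in an elevated PowerShell session inside the VM.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): enforce and verify the
# ExcludeWUDriversInQualityUpdate policy value named in the steps above.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$ValueName = 'ExcludeWUDriversInQualityUpdate'
$Desired   = 1

function Test-DriverExclusion {
    # Compliant only if the key exists and the value is a DWORD equal to 1.
    if (-not (Test-Path -Path $KeyPath)) { return $false }
    $key = Get-Item -Path $KeyPath
    if ($key.GetValueNames() -notcontains $ValueName) { return $false }
    if ($key.GetValueKind($ValueName) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return $false
    }
    return ($key.GetValue($ValueName) -eq $Desired)
}

function Set-DriverExclusion {
    # Create the policy key when it is missing, as in the manual steps.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Desired -Force | Out-Null
}

$wasCompliant = Test-DriverExclusion
if (-not $wasCompliant) { Set-DriverExclusion }

# Emit one record per VM so results can be collected centrally.
[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    WasCompliant    = $wasCompliant
    IsCompliant     = Test-DriverExclusion
    RestartRequired = -not $wasCompliant   # the guide restarts the VM after a change
}
```

The script is idempotent: on a VM that already has the value set correctly it changes nothing and reports `WasCompliant = True`.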

By executing the dual-layer lockdown discussed above, that is, “disabling the vendor device update flag in Xen-Orchestra” and “configuring Windows” to ignore drivers during regular patch cycles, you are adequately protecting your environment from sudden, catastrophic driver drift and connectivity issues.
I hope you found this guide very useful on “Prevent Automatic Driver Updates in Windows and Xen-Orchestra”. Please feel free to leave a comment below.