Good question, Summa040. The Windows Update for Business deployment service communicates driver approvals only for the applicable devices. This avoids a tremendous amount of "over approvals" that would affect every deployment service enrolled device checking to Windows Update. So, you are correct in your latter thinking... when a device scans for updates, Windows Update then communicates all the applicable driver updates to the deployment service, then the deployment service processes that, adds the device-driver combo to the policy, and then finds any existing approvals that apply to that device and sends those to the Windows Update service. As a result, a device needs to scan once for the applicable driver update to be discovered, and then again for it to be offered. In most cases, that approval should be available pretty quickly after the first scan.
HTH,
-DG