Windows has required user input for Autorun for quite some time now - Any USB plugged in with an autorun.inf will need manual user input to run whatever the file says.
But what about USB drivers? If someone with malicious intent was to install a driver that was malware, wouldn't it auto-run and even have UAC permissions? Or do USBs not install their own drivers? I've never done anything with drivers so I don't know much about them.
There are certain well known classes of USB devices that have preinstalled drivers on most operating systems, such as HID devices and storage devices.
Technically a driver doesn't load when a device of this class is detected, the driver is already present.
Since Windows Vista or 7, Windows will check Windows Update for a driver when detecting a new USB device. These drivers pull from Microsoft and are unlikely to be malicious. Windows does try to search for a "better" device driver at least on Windows Update, this is why connecting a Microsoft mouse results in a long delay before it becomes useable the first time you attach it to a USB port on a Windows system.
If Windows Update has no driver, and no compatible driver exists on your system, no device driver will be installed and you'll see a question mark next to the device in Device Manager.
USB devices can actually be split into multiple "sub"-devices. One of these may be something that looks like to the OS that it's a CD-ROM, with an autorun.inf which kicks off an installer.
Whether installers have automatic permission to do things on your system depends on your UAC and Group Policy or Local Security Policy settings. You should at least get the UAC pop up unless it's disabled on your system when an installer of any type runs asking for elevated permissions.
Driver installation does require admin privileges and certain driver software works in kernel mode on Windows systems - meaning it can do anything it wants on your system. So it is a possible avenue for malicious code. A more secure system will have autorun on as tight of a leash as possible, and preferably disabled.
Drivers can come from a number of sources - distributed with Windows, distributed and installable on a disc with a new device, or distributed via your PC manufactuer's support website, or available through Windows Update.
There also may be more than one type of driver that works with a device. Usually there's a generic driver that enables basic capabilities and perhaps a more specific driver that enables all capabilities. For example, Windows has a generic VGA driver that works with any graphics card, but installing the driver meant for it (from the manufacturer) will enable all of its capabilities. This is how some USB devices can work "without drivers" - they really do use drivers, but built in generic USB class ("class" being the type of device, keyboard, disk drive, etc.) drivers included with Windows.
Windows has always bundled common drivers with its OS. It also has allowed third-party companies to develop drivers and allow installation of them. Drivers do not have to come from Microsoft or Windows Update. Since new hardware for the PC keeps coming out, and Microsoft may not have included drivers with Windows or on Windows Update, you may need to install or download a manufacturer-provided driver if Windows doesn't have one for a device.
The usual process for new hardware has been run the manufacturer provided CD, install the drivers, then install the hardware (some older PCs would require you to configure jumpers on each device, such as old ISA cards). These days you might download a .msi file containing the driver and supporting software instead.
With some types of hardware, i.e. graphics cards and USB devices, you can connect the device first and then install the driver, but even to this day most printer installation CDs tell you to wait to connect a USB printer until the software and driver installation has completed.
There's no mechanism for Windows to officially pull a driver from a USB device where it doesn't already have one. The only way something like this could happen is if the USB device has a subdevice that looks like a CD-ROM to the operating system, which then causes it to act like a CD was just inserted and then it will kick off AutoRUN as would any other removeable media set to do that. CD-ROM is one of the generic device classes that Windows has built-in support for, so it will automatically work on any Windows system that has USB support (anything released this millennium does.)
Autorunby default more then a decade ago. Windows Vista and higher by default does not have Autorun enabled. It will by default request the user what to do. If you are worried about malicious drivers then prevent users from using devices that are not already registered and reconginized by the system. I understand it might not be exactly a decade I am simply rounding up to a decade