Unfortunately, users can really throw a monkey wrench into your configuration by installing an unapproved device driver, for example. There are however some group policy settings that you can use in both Windows XP and Vista to reduce the chance of this happening.
Note: These group policy settings are located in the Group Policy Editor under User Configuration | Administrative Templates | System.
Configure Driver Search Locations
When Windows looks for a device driver it searches four specific locations; first the hard disk and if no suitable device drivers are found, it moves to the floppy drive (assuming one exists), then CD/DVD drive, and then to Windows Update.
Although the Configure Driver Search Locations setting won't let you change the search order, you can exclude certain locations from search. If you wanted to keep users from getting updated device drivers from Windows Update, for example, you could enable this setting and then choose the Don't Search Windows Update option. You also have the option of disabling the user's ability to search floppy drives and CD/DVD drives for device drivers. The only medium that you cannot disable is the hard disk.
Code Signing for Device Drivers
As the name implies, Code Signing for Device Drivers controls the way Windows behaves when a user tries to install an unsigned device driver.
The Code Signing for Device Drivers setting is disabled by default, but if enabled, administrators can choose to either warn the user about the dangers of unsigned device drivers or block the request altogether. There is also an option labeled Ignore. If you choose this option then Windows will simply ignore the fact that a device driver is unsigned, and will treat the driver as though it is perfectly safe.
Turn off Windows Update Device Driver Search Prompt
The last group policy setting I'd like to mention here is called Turn off Windows Update Device Driver Search Prompt. By default Windows asks the user for consent before it goes to Windows Update to look for updated device drivers. If you enable this setting though, then the users will not be prompted.
There are a couple of caveats to this particular group policy setting. First, it's only effective if the Administrative Templates | System | Internet Communication Management | Internet Communication | Turnoff Windows Update Device Driver Searching setting is either disabled or has not been configured. If it is enabled, Windows does not bother to check Windows Update for updated device drivers.
The other caveat is that it normally applies only to users who have local administrative permissions. Again though, this ceases to be an issue if you just enable the Turn off Windows Update Device Driver Searching setting.
This was first published in March 2009