Tip

Reduce unapproved device driver installs via Group Policy in XP, Vista

Running each desktop machine on tested configurations and clearly defining what versions of each file should be present are two ways to drive down support costs. As such, it's important to ensure that all desktops are configured in a consistent manner.

Unfortunately, users can really throw a monkey wrench into your configuration by installing an unapproved device driver, for example. There are however some group policy settings that you can use in both Windows XP and Vista to reduce the chance of this happening.

Note: These group policy settings are located in the Group Policy Editor under User Configuration | Administrative Templates | System.

Configure Driver Search Locations

When Windows looks for a device driver it searches four specific locations; first the hard disk and if no suitable device drivers are found, it moves to the floppy drive (assuming one exists), then CD/DVD drive, and then to Windows Update.

Although the Configure Driver Search Locations setting won't let you change the search order, you can exclude certain locations from search. If you wanted to keep users from getting updated device drivers from Windows Update, for example, you could enable this setting and then choose the Don't Search Windows Update option. You also have the option of disabling the user's ability to search floppy drives and CD/DVD drives for device drivers. The only medium that you cannot disable is the hard disk.

Code Signing for Device Drivers

As the name implies, Code Signing for Device Drivers controls the way Windows behaves when a user tries to install an unsigned device driver.

The Code Signing for Device Drivers setting is disabled by default, but if enabled, administrators can choose to either warn the user about the dangers of unsigned device drivers or block the request altogether. There is also an option labeled Ignore. If you choose this option then Windows will simply ignore the fact that a device driver is unsigned, and will treat the driver as though it is perfectly safe.

Turn off Windows Update Device Driver Search Prompt

The last group policy setting I'd like to mention here is called Turn off Windows Update Device Driver Search Prompt. By default Windows asks the user for consent before it goes to Windows Update to look for updated device drivers. If you enable this setting though, then the users will not be prompted.

There are a couple of caveats to this particular group policy setting. First, it's only effective if the Administrative Templates | System | Internet Communication Management | Internet Communication | Turnoff Windows Update Device Driver Searching setting is either disabled or has not been configured. If it is enabled, Windows does not bother to check Windows Update for updated device drivers.

The other caveat is that it normally applies only to users who have local administrative permissions. Again though, this ceases to be an issue if you just enable the Turn off Windows Update Device Driver Searching setting.

This was first published in March 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.