Plug and Play and Internet Communication (Windows Server 2003)
Updated: July 31, 2004
Applies To: Windows Server 2003 with SP1
This section provides information about:
The benefits of Plug and Play
How Plug and Play communicates with sites on the Internet
How to control Plug and Play to prevent the flow of information to and from the Internet
Benefits and Purposes of Plug and Play
Windows Plug and Play provides ease of support for installing devices on computers in your network. You can simply plug in a Plug and Play device and the operating system does the rest by installing any necessary drivers, updating the system, and allocating resources. After you install a Plug and Play device, the driver is configured and loaded dynamically, typically without requiring user input.
Plug and Play in the Microsoft Windows Server 2003 family provides the following services:
Detects a Plug and Play device and determines its hardware resource requirements and device identification number (Plug and Play ID).
Locates an appropriate device driver for newly installed devices.
Allocates hardware resources.
Dynamically loads, initializes, and unloads drivers.
Notifies other drivers and applications when a new device is available.
In conjunction with power management, handles stop and start processes for devices during hibernation, standby, and startup and shutdown operations.
Supports a wide range of device types.
Overview: Using Plug and Play in a Managed Environment
When you install a Plug and Play device, and you are connected to the Internet, the operating system automatically accesses Windows Update to search for a device driver.
Note: Some buses, such as Peripheral Component Interconnect (PCI) and universal serial bus (USB), take full advantage of Plug and Play. Older buses, such as Industry Standard Architecture (ISA), do not take full advantage of Plug and Play and require more user interaction to ensure that devices are correctly installed.
In order to install devices using the hardware wizards, you must be logged on as an administrator or a member of the Administrators group. You then use the hardware wizards, such as the Hardware Update Wizard, to search the Windows Update site for device drivers. All drivers obtained through Windows Update are signed by Windows Hardware Quality Labs (WHQL). The WHQL provides compatibility testing services to test hardware and drivers for Windows operating systems.
As an IT administrator in a highly managed network environment, you want to control the ability of administrators to install new hardware, because installing hardware causes the operating system to access the Internet automatically when it searches for device drivers. For a more secure environment, you can control how administrators update and install hardware devices by using Group Policy.
There are also policy settings you can use to disable all access to Windows Update. If you prevent certain administrators from automatically accessing Windows Update, they can instead download the updates manually from the Windows Update Catalog and distribute them on your organization's network as needed.
Using Group Policy to disable automatic updating and access to Windows Update, and to configure driver search locations, is described in the subsection, "Controlling Automatic Device Updating to Prevent the Flow of Information to and from the Internet."
How Plug and Play Communicates with Sites on the Internet
There are two instances in which a computer running a Windows Server 2003 family operating system will access the Internet as part of Plug and Play:
When Plug and Play searches for a driver for newly installed hardware
When an administrator updates the driver for existing hardware
When you connect a new hardware device and there is no driver available on the computer, the operating system will use the Windows Update service to search for available drivers on the Windows Update site. If an appropriate driver is found on the Windows Update site, the operating system copies it and installs it on your computer. If your computer is not connected to the Internet, a message prompts you to connect to the Internet.
As part of Plug and Play, when the operating system searches for a device driver, interaction with the Internet takes place as follows:
Specific information sent or received: The Code Download Manager (CDM) calls Windows Update to find and download device drivers. The CDM also calls Help and Support Center, which logs Plug and Play IDs for devices that Microsoft does not have drivers for. Neither of these communications is under the direct control of Plug and Play. The CDM handles all of the communication between the computer and Windows Update. None of the communication between the computer and the Internet uniquely identifies the user.
Default and recommended settings: Plug and Play is enabled by default. Recommended settings are presented in the following subsection, "Controlling Automatic Device Updating to Prevent the Flow of Information to and from the Internet."
Triggers: When an administrator adds hardware or updates a driver on a computer, and the computer is connected to the Internet, Windows Update is automatically contacted for driver updates.
User notification: When searching for a device driver, Windows Update sends a list of available drivers to the user's computer.
Logging: If you use a Plug and Play driver with a non-Plug and Play device, any associated issues or problems are recorded in the event log.
Encryption: Data transfer is based on interaction with Windows Update. The data is transferred using HTTPS.
Transmission protocol and ports: The transmission protocols and ports are HTTP 80 and HTTPS 443.
Ability to disable: Plug and Play cannot be disabled, because doing so would make the system unstable. You can, however, disable access to Windows Update by using Group Policy.
Controlling Automatic Device Updating to Prevent the Flow of Information to and from the Internet
Windows Server 2003 family operating systems will automatically update device drivers using Plug and Play, and they will even search for compatible drivers for non-Plug and Play devices. You therefore might want to exercise various levels of control over administrators' ability to install new hardware and to update hardware devices and drivers.
Using Group Policy, you can configure several levels of control to prevent Plug and Play and the associated hardware wizards from accessing the Internet. You can restrict the search locations for drivers, or you can prevent users and computers from automatically accessing the Windows Update Web site in any instance. You can also disable automatic updating for some servers and enable it for others, and then have client computers and servers obtain selected updates from an intranet server.
You can use Group Policy to:
Control whether Windows Update is included when Plug and Play searches for a device driver.
This procedure is presented in the next subsection.
Eliminate automatic update calls to Windows Update.
Policy settings related to automatic updating are located at Computer Configuration\Administrative Templates\Windows Components\Windows Update.
If you disable Configure Automatic Updates, any updates that are available on the Windows Update Web site must be downloaded and installed manually.
Remove access to Windows Update.
The policy setting for Windows Update is located at User Configuration\Administrative Templates\Windows Components\Windows Update.
When you enable the policy setting Remove access to use all Windows Update features, you block access to the Windows Update site from the Windows Update hyperlink on the Start menu and also on the Tools menu in Microsoft Internet Explorer. Automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.
The Windows Update site is located at:
Procedure for Controlling Where Plug and Play Searches for Drivers
When you install new hardware, the operating system automatically searches four different locations for drivers in the following order: the hard drive, the floppy drive, the CD-ROM drive, and Windows Update. The default approach is to search all four locations successively until the correct device driver is found; however, you can configure the driver search locations to remove selected locations.
Included here is the procedure for configuring the Group Policy setting Configure driver search locations. For additional procedures to configure policy settings for Windows Update, see the section Windows Update, Automatic Updates, and Internet Communication (Windows Server 2003) in this white paper.
To disable Windows Update as a driver search location for Plug and Play devices
Use the resources described in Appendix B: Resources for Learning About Group Policy (Windows Server 2003) to learn about Group Policy and the Group Policy Management Console. Apply Group Policy objects (GPOs) to an organizational unit, a domain, or a site, as appropriate for your situation.
Click User Configuration, click Administrative Templates, and then click System.
In the details pane, double-click Configure driver search locations, and then select Enabled.
Select Don't Search Windows Update.
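The following PowerShell script is an added example and is not part of the Microsoft documentation. It audits, on a single server, whether the three controls described in this section (Configure driver search locations with Don't Search Windows Update, Configure Automatic Updates set to Disabled, and Remove access to use all Windows Update features set to Enabled) are actually in force, by reading the registry values that the corresponding Group Policy settings write. The registry paths and value names are assumptions taken from the Windows Server 2003 ADM templates as the example's author understands them, not values stated on this page; confirm them against your own templates before relying on the report. The function names are the example's own.

```powershell
# Added example (not Microsoft's code): report whether the Group Policy controls
# that keep Plug and Play from reaching Windows Update are in force on this server.
# Assumption: these registry locations are where the ADM templates (system.adm,
# wuau.adm) store the settings named on the page; verify against your templates.
$checks = @(
    @{
        Name     = 'Configure driver search locations: Don''t Search Windows Update'
        Policy   = 'User Configuration\Administrative Templates\System'
        Path     = 'HKCU:\Software\Policies\Microsoft\Windows\DriverSearching'
        Value    = 'DontSearchWindowsUpdate'
        Enforced = 1
    },
    @{
        Name     = 'Configure Automatic Updates: Disabled'
        Policy   = 'Computer Configuration\Administrative Templates\Windows Components\Windows Update'
        Path     = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
        Value    = 'NoAutoUpdate'
        Enforced = 1
    },
    @{
        Name     = 'Remove access to use all Windows Update features: Enabled'
        Policy   = 'User Configuration\Administrative Templates\Windows Components\Windows Update'
        Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
        Value    = 'DisableWindowsUpdateAccess'
        Enforced = 1
    }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured"
    # and the default behaviour (Windows Update is reachable) applies.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-WindowsUpdateControls {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
        if ($actual -eq $null) {
            $state = 'Not configured (default: Windows Update is reachable)'
        } elseif ([int]$actual -eq $c.Enforced) {
            $state = 'Enforced'
        } else {
            $state = "Configured but not enforced (value = $actual)"
        }
        New-Object PSObject -Property @{
            Setting        = $c.Name
            PolicyLocation = $c.Policy
            Registry       = "$($c.Path)\$($c.Value)"
            State          = $state
        }
    }
}

# Run the audit; any row that is not 'Enforced' identifies a policy to revisit
# in the Group Policy Management Console for the GPO that applies to this server.
Test-WindowsUpdateControls | Format-Table -AutoSize Setting, State, Registry
```

Run the script under the user account whose policy you want to verify, because two of the three settings live under User Configuration and are therefore written to HKEY_CURRENT_USER after policy has been applied to that user. The script is read-only: it reports the policy state rather than changing it, so that any correction is made through the GPO, as the procedure above describes, and not by editing the registry directly.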
For more information about Windows Update, see the Windows Update Web site at: