Scenario Overview

Applies To: Windows 7, Windows Server 2008 R2

Windows 7 and Windows Server 2008 R2 include several features that allow an administrator to make device driver installation easier for users.

  • Windows Vista and Windows 7 both support downloading and installing device driver packages from Windows Update. However, Windows 7 improves this scenario by making Windows Update the preferred source. The recommended configuration is for Windows 7 to search Windows Update first, and only search the local driver store and devicepath folder if a suitable driver cannot be found on Windows Update. This helps to ensure that the latest available device driver is always the preferred driver and the one installed by default. Windows Update can be disabled by an administrator in environments where only locally tested and approved devices are to be used.

  • You can stage driver packages in a protected area of a user's computer called the driver store. A standard user, without any special privileges or permissions, can install a driver package that is in the driver store. Staging drivers is commonly done when you are preparing an image that will be used to deploy new computers in your organization. Having device driver packages that are needed by your organization’s computers and peripheral devices already staged and ready to use makes attaching a supported device a simple process for a user.

  • You can configure client computers to automatically search an administrator-specified list of folders (and their subfolders) when a new device is attached to the computer. This setting is a registry key discussed later in this guide, and referred to as the devicepath folders. These folders can be local to the computer or hosted on a network share. When a device driver package is accessible in this manner, Windows will not need to prompt the user to insert media. These features improve the user experience and reduce help desk support costs by allowing standard users to install approved driver packages without requiring additional permissions or the assistance of an administrator.

Note

In this guide, the terms device driver package, driver package, or package refer to the complete, not-yet-installed set of files required to install the device driver.
The terms device driver or driver refer to the installed, configured, and operational software required to use a hardware device on a Windows computer.
The term administrator refers to any user logged on to the computer with an account that is a member of the local Administrators group.
The term standard user refers to any user logged on to the computer with an account that has no elevated permissions through group membership or other delegation of rights.

In this guide, you create a test certificate, and manually install it in the certificate store of the client computer. This manual process is fine for a lab, but in an enterprise production environment, use more scalable procedures, such as the following:

  • A commercially acquired digital certificate. This is an important option if the certificate must be usable by computers outside of your organization. These certificates typically must be purchased from a third-party certification authority (CA).

  • Certificates generated by an internal CA computer, such as a computer running Windows Server and Active Directory Certificate Services (AD CS). This is a good option when certificates for many purposes are required within the organization, because the cost for acquiring that many commercial certificates could be prohibitive.

  • However you create or acquire the certificate, use Group Policy to deploy the certificates to client computers. Group Policy allows you to have the certificate automatically installed to all managed computers in a domain, organizational unit, or site.

To maintain and safeguard the stability of the operating system, only administrators can install unsigned device driver packages. An organization's administrator can use the procedures in this guide to sign packages that were not previously signed by the vendor to make the packages usable in the organization. The administrator can also use this procedure to replace the vendor's signature with one created by the organization's certificate. If all packages are signed with the organization's certificate, it reduces the number of certificates that need to be deployed to the client computers on your network.

If a standard user attempts to install a device whose driver package is not yet staged in the driver store, Windows 7 attempts to stage the driver package. If the driver package is downloaded from Windows Update, or from a folder referenced in the devicepath registry key, then staging succeeds with no interaction required by the user. If the driver package did not come from one of those “trusted” sources then staging succeeds only if the user can supply administrator credentials, or the driver package is for a device with a setup class identifier that is permitted via device installation policy on the computer. If the user cannot complete staging, then the user cannot install that device.

Driver package signing and staging scenarios

This guide describes several tasks that involve delivering device driver packages to client computers.

Signing a device driver package

This task describes the steps required to create a test certificate, use the certificate to sign a device driver package, validate that the device driver package is properly signed, and then configure a client computer to accept that signature.

Staging a device driver package in the driver store

This scenario describes the steps required to place a device driver package in the Windows 7 driver store, and demonstrates how a driver package is installed from the store when its corresponding hardware device is plugged into the computer.

By staging a driver package, an administrator enables the user to plug in the corresponding device and Windows 7 installs the device driver with no requirement for elevated permissions, or the need for the user to approve a digital signature. The driver package files are all available on the client computer, and have been security checked, so they install silently and the device works.

Configuring clients to search a shared network folder for device driver packages

This scenario describes the steps required to configure a client computer to search for device driver packages on a designated shared network folder when Windows detects a new hardware device, and configure the system to allow standard users to install those driver packages.

Device driver packages can be placed on a network share accessible to all client computers. Windows 7 and Windows Vista support a registry setting that allows you to configure the list of folders that Windows searches to find driver packages that are not already in the driver store. This list can include a network path to a folder on a server.

Device drivers located on a network share are still staged in the driver store as part of installation, and all requirements for staging are still enforced. If the driver packages on that network folder are signed with trusted certificates, and you have granted the user permissions (through device installation policy) to install devices of this device setup class, then the installation succeeds silently. If the package has not been signed, or if the appropriate device installation policy is not configured, then the user is prompted to accept the publisher and is prompted to supply administrator credentials.
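The following PowerShell script is an added example, not part of this guide: it appends a driver share to the DevicePath list that Windows searches (the devicepath folders described above) and then audits the Authenticode signature on every catalog file found on that share, so that only packages whose signature a client will trust are published there. The share name is a placeholder, and the script assumes it is run in an elevated session on the client.

```powershell
# Added example (not from the guide): add a network folder to DevicePath and
# audit the catalog (.cat) signatures of the driver packages stored there.
# Assumption: the share below is a placeholder; run from an elevated prompt.
$driverShare = '\\fileserver\DriverPackages'   # placeholder, replace with your share

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$key     = Get-Item -Path $keyPath

# Read the raw REG_EXPAND_SZ so the default %SystemRoot%\inf entry is written
# back unexpanded instead of being hard-coded to the current drive letter.
$current = $key.GetValue('DevicePath', '%SystemRoot%\inf', 'DoNotExpandEnvironmentNames')
$entries = @($current -split ';' | Where-Object { $_ -ne '' })

if ($entries -notcontains $driverShare) {
    # Preserve existing folders; DevicePath is a semicolon-separated list.
    $entries += $driverShare
    Set-ItemProperty -Path $keyPath -Name 'DevicePath' `
        -Value ($entries -join ';') -Type ExpandString
    Write-Output "DevicePath is now: $($entries -join ';')"
} else {
    Write-Output "DevicePath already contains $driverShare"
}

# Audit: a package whose .cat is unsigned, or signed by a publisher the client
# does not trust, will still prompt a standard user for administrator credentials.
Get-ChildItem -Path $driverShare -Filter *.cat -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    New-Object PSObject -Property @{
        Package = $_.DirectoryName
        Catalog = $_.Name
        Status  = $sig.Status     # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Signer  = $signer
    }
} | Format-Table Package, Catalog, Status, Signer -AutoSize
```

A Status other than Valid on a client means the signing certificate is not in that computer's Trusted Publishers store (or the catalog does not match the package files), which is exactly the case in which staging falls back to prompting for administrator credentials.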