Steps for Configuring a Shared Network Folder to Hold Signed Device Driver Packages
Applies To: Windows 7, Windows Server 2008 R2
You might not want to stage every driver package that is approved for use. Instead, you can place the signed driver packages on a shared network folder and configure your client computers to search that folder whenever a new device is plugged into the computer. You specify the folders to search by setting the DevicePath registry key.
A driver package hosted in a shared network folder must be properly signed with a certificate that is installed on the client computer, because it must still be staged in the driver store as part of the installation.
The folders in DevicePath are searched as part of the same phase as searching the driver store. By modifying the Specify search order for device driver source locations group policy setting as discussed in Requirements for Device Driver Signing and Staging, you can specify whether the DevicePath and driver store search occurs before or after the Windows Update search. You can also choose to disable Windows Update search completely when you want all drivers to come from your collection of tested and approved drivers that you maintain in the DevicePath folders.
Important
For simplicity, this guide uses a local folder to demonstrate the use of the DevicePath registry entry. In a production environment, use a shared network folder to which all of your users have read permissions.
Steps outline: Configure a shared network folder to hold signed device driver packages
Step 1: Create the folder to contain device driver packages
Step 2: Configure the client computer to search the folder for driver packages
Step 3: Configure the client computer to allow standard users to install the device
Step 4: Remove the device driver and driver package installed in the previous procedure
Step 5: Attempt installation of the device driver package.
Step 1: Create the folder to contain device driver packages
With Windows 7, you can configure the client computers to search additional folders for driver packages that are not found in the driver store.
In this procedure, you create a folder on DMI-Client1, and then copy the signed device driver package to the folder.
To create a folder to contain device driver packages
Log off, and then log back in as DMI-Client1\TestAdmin.
Open a command prompt that has Administrator permissions by right-clicking a Command Prompt shortcut and then clicking Run as Administrator.
Create a new folder. At the command prompt, type:
md c:\drivershareAt a command prompt, type the following command to place a copy of your signed driver package on the folder:
xcopy /s c:\toaster\device c:\drivershare
Step 2: Configure the client computer to search the folder for driver packages
Windows 7 and Windows Vista support a Registry setting that allows you to specify additional folders that Windows searches for a driver package for newly detected hardware. By default this value specifies only the folder %SystemRoot%\Inf. You can add other folders to this value, separated by semicolons, to make Windows search additional folders. These other locations can be local folders, or specified with a network path, such as \\servername\sharename.
To configure the client computer to search the added folder for driver packages
At the command prompt type:
regedit
Warning
Incorrectly editing the registry can severely damage your system. Before making changes to the registry, back up any valued data on the computer.
In Registry Editor, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
In the details pane, double-click DevicePath.
Add a semi-colon to end of the existing text, and then add the path to your folder. The result should be similar to:
%SystemRoot%\inf;c:\drivershare
Important
Do not remove the %SystemRoot%\inf file path from the DevicePath registry entry.
- Click OK to save the new value, and then minimize, but do not close Registry Editor. You will use Registry Editor again later.
Step 3: Configure the client computer to allow standard users to install the device
In previous versions of Windows, a standard user cannot place a driver package in the driver store. In Windows 7, properly signed driver packages from DevicePath or Windows Update can be staged and installed without requiring administrator permissions.
In Windows Vista you can use a computer policy together with the globally unique ID (GUID) of the device's setup class to allow standard users to stage the device driver package.
You only need to complete the steps in this procedure if you have client computers running Windows Vista that will require the device drivers that you place on a DevicePath folder.
Note
The procedures shown here work well on a single computer, but do not scale well to a large number of computers. To apply computer configuration to a large number of managed systems, use Group Policy and Active Directory. For more information about Group Policy and Active Directory, see the Additional Resources section at the end of this guide.
The device setup class GUID can be found in two places, the driver package .inf file, and the Device Properties dialog box for a currently installed device.
To find the GUID for a device setup class in the driver package .inf file
Open the .inf file by using Notepad. At the command prompt, type:
Notepad c:\toaster\device\toastpkg.infIn the [Version] section, find the line that begins with ClassGuid=, and make note of the value. For the sample Toaster device it looks like:
ClassGuid={B85B7C50-6A01-11D2-B841-00C04FAD5171}Select the GUID value, including the { } characters, right-click it, and then click Copy.
Close Notepad, ensuring that you do not save any changes.
Alternatively, if you have a computer with the device already installed and operational, you can see the GUID as part of the device properties.
To find the GUID for a device setup class in the device properties page
In Device Manager, find and right-click the Toaster Package Sample Toaster device, and then click Properties.
On the Toaster Package Sample Toaster Properties dialog box, click the Details tab.
In the Property list, select Device class guid.
Make note of the value. It is the same value that you saw in the .inf file.
Right-click the GUID, and then select Copy.
Click OK to close the device properties page.
Now that you have the GUID that applies to the device you want to install, you can add it to the list in the computer policy that specifies which devices can be installed by standard users.
To configure the computer to allow standard users to install devices that have a specified device setup class
At the command prompt, type:
gpedit.mscIn the navigation pane of the Group Policy Management Editor, navigate to Computer Configuration/Administrative Templates/System/Driver Installation.
In the right-hand pane, double-click the policy Allow non-administrators to install devices for these device classes.
In the policy dialog box, select Enabled, and then click Show.
In the Show Contents dialog box, click Add.
In the Add Item text box, right-click and select Paste to insert the GUID.
{B85B7C50-6A01-11D2-B841-00C04FAD5171}Click OK three times to close the dialog boxes and return to the Policy Editor.
Close the Group Policy Management Editor.
At the x86 Free Build Environment command prompt with administrator permissions, apply the policy to your current session by typing:
gpupdate /force
Note
GPUpdate cannot display the User Account Control dialog box to request administrative credentials, so you must run it from a command prompt with administrator permissions.
Step 4: Remove the device driver and driver package installed in the previous procedure
Before you can install the device driver from the additional folder, you must first uninstall the current device driver and remove its driver package from the driver store.
Note
You need to remove the previously installed packages only because this guide is demonstrating an additional way to install a driver package.
To uninstall the currently installed device
In Device Manager, right click the Toaster Package Sample Toaster device entry, and then click Uninstall.
In the Confirm Device Removal dialog box, select Delete the driver software for this device, and then click OK.
Selecting the checkbox ensures that the copy of the device driver package that was staged in the driver store is deleted.
The device disappears from the Device Manager window.
Run the Enum.exe tool that simulates unplugging the Toaster device. At the command prompt with administrator permissions, type:
Enum -u 1The device is unplugged, and the device driver removed from memory.
If you did not check the Delete the driver software for this device checkbox when you uninstalled the device, you can do so now with the pnputil program. At the command prompt, type the command to remove the driver package from the driver store:
pnputil.exe -d oem##.infIn this command,
##is the number you noted in an earlier procedure. If you do not remember the number, runpnputil -e, and then look for the Toaster device in the output list.The package is deleted from the driver store.
Run the command
pnputil.exe -eagain to verify that the package is deleted.
Step 5: Attempt installation of the device driver package.
Now that the driver package is in the folder, and the client computer is configured to search there for driver packages when new devices are plugged in, you can install the device.
Note
The Enum command executed in the following procedure does not automatically display the User Account Control dialog when it attempts to use administrator permissions. This is by design, and requires that you explicitly run the program from a command prompt with administrator permissions. This is a requirement of the simulation software, not the device driver installation process.
To install the driver package from the network share
Log off, and then log on as DMI-Client1\TestUser.
Open a command prompt with administrator rights. Click Start, All Programs, and Accessories. Right-click Command Prompt, and then click Run as administrator.
On the User Account Control page, you are asked to specify an administrator account and its password. Select TestAdmin, enter its password, and then click Yes.
The command prompt opens.
Start Device Manager so you can view the installed device. At the command prompt with administrator permissions, type the following command:
mmc devmgmt.mscRearrange the program windows so you can use the command prompt while still seeing the contents of Device Manager.
Change to the c:\toaster folder. At the command prompt, type the following command:
cd \toasterRun the Enum.exe tool that simulates plugging in a Toaster device. At the command prompt, type:
Enum -p 1Windows will start the installation process. A new node appears in Device Manager in the Other devices section.
On computers running Windows Vista only, the Found New Hardware dialog box appears. Click Locate and install driver software (recommended). This dialog box does not appear on computers running Windows 7.
Because the driver package cannot be found in the driver store, Windows searches the folders identified in the DevicePath registry entry, and finds the driver package in the folder.
It might take a few moments to complete the staging of the driver package, and the subsequent installation. If you click the device installation icon, a message appears indicating that drivers are installing, followed by a message that states: Toaster Package Sample Toaster installed.
Because the computer policy allows a standard user to place the driver package for this class in the driver store (on computers running Windows Vista), and because the package is properly signed by a trusted publisher, the installation of the driver package completes with no further user interruptions. The Unknown Device entry is replaced by the Toaster entry.
.gif)