Unsigned driver installation behaviour

[maverick555]

Hey guys,

I am the admin of a very big network. In microsoft windows there is an option for Unsigned driver installation behaviour. I want to disable this on all of the machines present. I know how to do it manually but the manual process would take ages. Is there a way that I run a script or some through which I can just disable it over the network for all the machines.

Please reply soon. In a mess right now.



Best Regards,
Adnan Shaikh

 

[bcastner]

Group Policy can handle this without issue. I am uncertain from your note if you want to enforce or completely disable unsigned drivers. In any case, the policy objects to determine the behaviour of all workstations exist.

Start, Run, gpedit.msc

Computer Configuration
Windows Settings
Local Policies
Security Options


The key is under Devices: Unsigned driver behavior.

 

[maverick555]

Het bcastner,

thts only for local setings, I will have to go individually to eac hmachine for changing that value. Can't I do something over the network. I mean something that I push over the network and it has impact automatically on the existing machines.


Thanks

Best Regards,
Adnan Shaikh

 

[bcastner]

Local rights are strored locally but can be configured at any OU level or for the Domain.

To set users' rights on a Windows 2000 machine, go to Start/Settings/Control Panel. Double click Administrative Tools, and then double click Local Security Policy. Double click Security Settings, double click Local Policies, and then double click User Rights Assignment. Double click the user right you want to change.
Click Add, and then click the accounts to which you want to assign the right. Click OK, and then click OK again. To confirm the changes have taken effect locally, close the Local Security Policy window and then open it. The newly assigned rights should show under the Effective Settings column. If the rights are not being assigned locally, check to see what Group Policy objects are being applied through Active Directory, and whether those Group Policy objects have settings that are in conflict with the local settings.

To access the Domain and OU level, open Active Directory Users And Computers from the Administrative Tools panel. To modify the OU or domain level user rights from within Active Directory Users And Computers, select the OU or Domain that contains the objects (computers) to which you want that user right assigned. Right click the OU or domain, and then click Properties. Click the Group Policy tab, and then double click the Policy name in the Group Policy Object Links. If none exists, click New, and then double click the newly added policy.
From Computer Configuration, Windows Settings, Security Settings, Local Policies select User Rights Assignment. Double click the user right that needs to be set. Check the box next to Define These Policy Settings. Click Add. Type a name, or browse to select the user or group needing this user right. Click OK three times.

 

[maverick555]

Hey there....

We have a Windows NT Domain

Best Regards,
Adnan Shaikh

 

[bcastner]

Note you cannot do this for XP, or Windows 2003:

http://support.microsoft.com/?kbid=298503

You need to use the REG.exe facility to push a registry value through the logon script.

I should note that changing the driver signing behavior is a decidedly not great idea. Many instabilities in NT systems were traced to unsigned drivers or non-certified device drivers. This was the reason for the introduction in Win2k of the driver signing option. You cannot change the value in XP or later Microsoft OS, as it will simply change the registry values back.

You can install device drivers in Win2K in several ways. The most common way is for Win2K to attempt to install a device driver automatically when the Win2K Plug and Play (PnP) subsystem detects a new device. The user-mode Plug and Play Manager (UMPNPMGR), which \%systemroot%\system32\umpnp mgr.dll implements, waits for the PnP subsystem in the kernel to notify it that the subsystem has detected a new device. When you add a new device, UMPNPMGR locates the device driver's installation information file (INF). The INF is located either under \%systemroot%\INF, for drivers that the Win2K CD-ROM includes, or on the device driver's installation media (a 3.5" diskette or CD-ROM), for OEM drivers. INF files carry the .inf extension and are text files with somewhat complex instructions—including which files to copy from where to where, and what Registry settings to enable— that Win2K follows to install device drivers or software applications. Another way you can install a device driver is to use the Hardware Installation Wizard (HIW), implemented in \%systemroot%system32\newdev.dll. HIW follows steps similar to those UMPNPMGR takes to locate a driver's INF file.

UMPNPMGR and the HIW use services that the Setup API DLL (SETUPAPI—\%systemroot%\system32\setupapi.dll) implements to read in a driver's INF file. SETUPAPI processes instructions for installing a device driver file and checks the HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Driver Signing\Policy Registry value. If this value doesn't exist, SETUPAPI checks HKEY_CURRENT_USER\Software\Microsoft\Driver Signing\Policy. You set these values through the Driver Signing Options dialog box. When you direct the dialog to apply a setting as the administrative default, the dialog sets the Policy value under HKEY_LOCAL_MACHINE; otherwise, the dialog sets the value under HKEY_CURRENT_USER. UMPNPMGR checks the value under HKEY_LOCAL_ MACHINE first; if the value is set, the global policy overrides whatever individual administrators or users configure for their driver-signing policy. The 0 value directs UMPNPMGR to install unsigned drivers, a 1 value directs SETUPAPI to display a warning dialog box that asks a user for permission to install unsigned drivers, and a 2 value directs SETUPAPI not to install unsigned drivers.