Device Management and Installation Step-by-Step Guide: Signing and Staging Device Drivers in Windows 7 and Windows Server 2008 R2
Applies To: Windows 7, Windows Server 2008 R2
This step-by-step guide uses a sample device and driver to demonstrate how to securely deliver device driver packages to client computers in a lab environment so that a standard user can install them without any assistance from an administrator or user interface prompts.
This guide focuses on the new features in Windows® 7. Although not typically used as a desktop operating system, these features are also present in Windows Server® 2008 R2. Most of these features also are relevant in Windows Vista and Windows Server 2008. However, the user interface for device installation is substantially changed in Windows 7, necessitating a new version of this guide. For the version of this guide that is relevant to Windows Vista and Windows Server 2008, see Device Management and Installation Step-by-Step Guide: Signing and Staging Device Drivers in Windows Vista and Windows Server 2008 in the Windows Server Technical Library.
The steps provided in this guide are intended only for use in a test lab environment. This Step-by-Step guide is not meant to be used in a production environment, and should be used with discretion as a stand-alone document.
When this guide refers to “earlier versions of Windows”, it means Windows XP, Windows Server 2003, and Windows 2000.
You can perform the following tasks:
Digitally sign device driver packages by using digital certificates, and then place those certificates on client computers so that users do not have to determine whether a device driver or its publisher is "trusted."
Stage device driver packages in the protected driver store on a client computer so that a standard user can install the package without requiring administrator rights.
Configure client computers to search specified shared network folders for a driver package when a new hardware device is discovered and a driver package is not already staged on the local computer.
Who should use this guide?
This guide is for the following audiences:
IT professionals responsible for deploying device drivers to client computers running Windows 7 or later versions of Windows.
IT planners and analysts who are evaluating Windows 7 for their client computers.
Security architects who are responsible for implementing trustworthy computing
Administrators who want to become familiar with the technology
Benefits of signing and staging driver packages
Because device driver software runs as a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers are permitted. Signing and staging your device driver packages on client computers by using the techniques described in this guide provide the following benefits:
Improved security. In earlier versions of Windows, standard users could not install device driver packages without assistance from an administrator. To get around this limitation, users often logged on by using accounts that were members of the Administrator's group. The rights associated with Administrator group membership allow a user to carry out required tasks, but they also allow the user to carry out actions that can compromise security or configure the computer so that it does not run correctly.
With Windows 7 and Windows Server 2008 R2, you can allow standard users to install approved device driver packages without compromising computer security.
Reduced support costs. Users are limited to installing only those devices that your organization has tested and is prepared to support. You therefore maintain the security of the computer while simultaneously reducing the demands on your helpdesk.
Better user experience. A driver package that is staged in the driver store or that is accessible from a network share or Windows Update works automatically when the user plugs in the device. Drivers that are available on Windows Update can now be downloaded and installed by standard users without Administrator permissions. The user interaction required has been dramatically reduced, and in most cases eliminated altogether. Installation takes place with no prompts or dialog boxes. From the user’s perspective, you just plug in the device and it works.