Options
Driver Signing / Driver installation rights ???
Markie
Member Posts: 54 ■■□□□□□□□□
Hi all.
Ok, Im studying for the 270 exam and Ive come across something that has kinda confused me.
Its to do with "Driver Signing". In particular, the Driver Signing Options which can be accessed as follows:
--- right click on My Computer
--- click on Hardware tab
--- click on Driver Signing tab
You then get the Driver Signing Options box. Once there you get two configuration choices to make.
1. When users attempt to install an unsigned driver, you can configure how you want windows to react. Windows can either block all such installations, warn the user before attempting to install the unsigned driver or to ignore the fact that a driver is infact unsigned (and thus automatically install the unsigned driver.
2. You can check or uncheck an Administrator option to "make this action the system default"
Its this second point thats causing the confusion. Here's why:
As far as I can tell, the only built-in local group that can install device drivers is the Administrators group.
So, lets say for example, we pick the "ignore" option, meaning users can install any hardware driver (signed or unsigned).
What would then be the point of ticking the "Make this the system default" option, as Administrators are the only group that could install the driver anyway.
I guess Im just saying that it seems to be a redundant option.
Is there some sort of Group Policy setting or something that can be changed to give users (other than Administrators) device driver installation rights? If there is, then this option might make more sense to me.
I hope someone can help.
Mark
Ok, Im studying for the 270 exam and Ive come across something that has kinda confused me.
Its to do with "Driver Signing". In particular, the Driver Signing Options which can be accessed as follows:
--- right click on My Computer
--- click on Hardware tab
--- click on Driver Signing tab
You then get the Driver Signing Options box. Once there you get two configuration choices to make.
1. When users attempt to install an unsigned driver, you can configure how you want windows to react. Windows can either block all such installations, warn the user before attempting to install the unsigned driver or to ignore the fact that a driver is infact unsigned (and thus automatically install the unsigned driver.
2. You can check or uncheck an Administrator option to "make this action the system default"
Its this second point thats causing the confusion. Here's why:
As far as I can tell, the only built-in local group that can install device drivers is the Administrators group.
So, lets say for example, we pick the "ignore" option, meaning users can install any hardware driver (signed or unsigned).
What would then be the point of ticking the "Make this the system default" option, as Administrators are the only group that could install the driver anyway.
I guess Im just saying that it seems to be a redundant option.
Is there some sort of Group Policy setting or something that can be changed to give users (other than Administrators) device driver installation rights? If there is, then this option might make more sense to me.
I hope someone can help.
Mark
The oxen is slow but the earth is patient!!!!
Comments
-
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
Well, just after I posted, I did find the answer to 1 of my questions.
It seems you can in fact give other users (in addition to administrators) the right to install drivers by configuring local security policy as follows:
--- Start
--- Control Panel
--- Administrative Tools
--- Local Security Policy
--- Local Policies
--- User Rights Assignment
--- Load and Unload Device Drivers (note: administrators are included by default)
You can then add a user or group to give them the necessary right to install/uninstall the device drivers.
Anyone disagree?
Even with this feature, I still think the "make this action the system default" option (in Driver Signing Options) is still kind of redundant as I doubt many administrators would play with the default settings in Local Security Policy anyway.
I still feel like Im missing something!!
MarkThe oxen is slow but the earth is patient!!!! -
Options
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
How about multiple administrators on a machine?
Just a thought.All things are possible, only believe. -
Optionspryde7
Member Posts: 74 ■■□□□□□□□□
"Make this option the default"
You must check that box to make that option apply to all drivers in future that fall in that category for the entire system inclusive of all accounts with privileges to install drivers. -
OptionsMarkie
Member Posts: 54 ■■□□□□□□□□
Thanks for the comment sprkymrk.
I had kinda thought about the multiple administrator secnario as well.
But when you think about, that still doesn't make a whole lot of sense.
I mean, lets say for example, in "Driver Signing Options", we select the "block" option and then we check the administrator option box.
Effectively, we have then tried to stop any unsigned drivers being installed by all administrators on the machine.
If a particular administrator really needed to install an unsigned driver, he/she could just change the setting to the required level (i.e. warn or ignore).
I suppose it could make some sense if the company had a strong policy of only installing signed drivers and all administrators agreed to comply with company policy.
Despite this, I still think it is a rather redundant option.
The fact that not too many people are posting me must mean that most of you agree with me.
MarkThe oxen is slow but the earth is patient!!!!