So, we have a central store for our group policies (ADMX files), a network share for our software, a SharePoint for our documents and…what about device drivers?
Drivers give every IT department headaches: all those helpdesk calls from annoyed users who want to install their scanner or printer, but the drivers simply don’t install, or the user must be a member of the local administrators group to do so.
With this in mind, Microsoft introduced in Windows Vista a very nice, easy-to-set-up way to address this problem.
It’s called the Central Driver Store, and it puts you in control when users bring a device into the enterprise that needs a driver and either the users don’t have admin rights to install it or the driver isn’t in the base image.
In other words, amongst other things, this helps your enterprise get on track with the ‘next big thing’ called IT Consumerization.
Configuring everything right
Setting up the Driver Store
Well, this one is the simplest step. Just find a place where you want to put all the drivers and create a network share. Everyone needs to have access to this share, so “Everyone” or “Authenticated Users” should have “Read” permission on the share and “Read/Execute” on the folder.
For the purposes of this article, the network share name will be CentralDrivers.
Under the CentralDrivers folder you can create sub-folders that match the drivers inside them. For example: LAN; Video; Audio; etc. Of course, this is just an example and you can set up your share however you want.
Putting the Drivers in the Central Driver Store
Since Windows Vista, Windows has had a Local Driver Store where all the driver packages are located. It can be found at C:\Windows\System32\DriverStore\FileRepository\.
Now, let’s use as an example a scanner driver you want to make available on your Central Driver Store:
- Install the scanner on a clean machine (usually a test machine in a lab)
- Navigate to the Local Driver Store
- Here, you’ll find that the driver folders aren’t named in a “user friendly” way, but if you sort the folders by modified date you should easily find the recently installed scanner drivers
- Just copy the “not user friendly” folder to your Central Driver Store and then rename it as you like
You now have the scanner drivers available on your Central Driver Store if someone needs them.
Making the Client Know About the Central Driver Store
Now that our scanner driver is on the Central Driver Store, we need to set up the client machines so they have a new place to look for drivers.
Using your “standard deployment software”, a GPO or a startup/logon script, deploy the following registry key, customizing it to match the network share previously created:
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\DevicePath
Value: %SystemRoot%\Inf;\\SERVERNAME\SHARE
Allowing a Standard User to Install a Driver from the Central Driver Store
In a perfect world, or in a well-managed enterprise, ordinary users shouldn’t be prompted for elevated credentials when installing managed hardware.
To achieve this objective, 3 conditions must be met:
- The driver must be in the Central Driver Store
- The driver setup class must be allowed
- The driver publisher must be trusted
Well, item 1 is done. To meet item 2 you need to find out the driver setup class.
So, you should do the following:
- Go to the folder of your previously copied driver on the Central Driver Store
- Open the *.inf file with Notepad (or another text editor)
- At the top of the file you should find a line named ClassGUID with a GUID inside curly brackets, like the example below:
ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}
- On a GPO linked to your managed computers navigate to:
Computer Configuration | Administrative Templates | System | Driver Installation
- Now, enable the GPO setting called “Allow non-administrators to install drivers for these device setup classes”
- Click on the “Show” button and paste the previously found GUID (from the opening bracket to the closing bracket, inclusive)
Item 3 should only be necessary if, on the test machine where you extract the drivers from the Local Driver Store, you get a prompt asking whether to trust the driver’s publisher.
If so…you need to:
- Select the option “Always trust software from “DMITest”” and press Install
- When the installation finishes go to Start –> Run and execute certmgr.msc
- Navigate to “Trusted Publishers” and then select “Certificates”
- Right click on the certificate (in this example it’s something like DMI Test Team Sound) and export it
This certificate now needs to be deployed on all your computers. An easy way is to use GPOs.
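The following PowerShell script is an added example, not part of the original article. It walks the Central Driver Store, reads the setup class GUID from each INF's [Version] section, and checks the package's catalog signature against the Trusted Publishers store, so you can review which GUIDs item 2 would allow and which publishers item 3 still needs. The `\\SERVERNAME\CentralDrivers` path, the `Get-InfVersionValue` helper and the use of the LocalMachine certificate store are assumptions.

```powershell
# Added example: list setup classes and catalog signers for every driver in the store.
# Assumption: SERVERNAME is a placeholder for the server hosting the CentralDrivers share.
$StorePath = '\\SERVERNAME\CentralDrivers'

function Get-InfVersionValue {
    # Return the value of the first [Version] entry whose name matches $Pattern, or $null.
    param([string[]]$Lines, [string]$Pattern)
    $inVersion = $false
    foreach ($line in $Lines) {
        $text = ($line -split ';', 2)[0].Trim()           # strip INF comments
        if ($text -match '^\[(.+)\]$') {
            $inVersion = $Matches[1].Trim() -ieq 'Version'
            continue
        }
        if ($inVersion -and $text -match "^(?:$Pattern)\s*=\s*(?<v>.*)$") {
            return $Matches['v'].Trim().Trim('"')
        }
    }
    return $null
}

# Publisher certificates already trusted on this machine (item 3); machine store assumed.
$trusted = (Get-ChildItem Cert:\LocalMachine\TrustedPublisher).Thumbprint

$report = foreach ($inf in Get-ChildItem -Path $StorePath -Filter *.inf -Recurse -File) {
    $lines = Get-Content -LiteralPath $inf.FullName
    $cat   = Get-InfVersionValue $lines 'CatalogFile(?:\.\w+)?'   # also CatalogFile.NTamd64 etc.
    $sig   = $null
    if ($cat -and (Test-Path -LiteralPath (Join-Path $inf.DirectoryName $cat))) {
        $sig = Get-AuthenticodeSignature -LiteralPath (Join-Path $inf.DirectoryName $cat)
    }
    $cert = if ($sig) { $sig.SignerCertificate }
    [pscustomobject]@{
        Inf              = $inf.FullName
        Class            = Get-InfVersionValue $lines 'Class'
        ClassGuid        = Get-InfVersionValue $lines 'ClassGuid'
        CatalogStatus    = if ($sig) { [string]$sig.Status } else { 'NoCatalog' }
        Signer           = if ($cert) { $cert.Subject }
        PublisherTrusted = [bool]($cert -and $trusted -contains $cert.Thumbprint)
    }
}

$report | Format-Table -AutoSize -Wrap | Out-Host
# Distinct GUIDs to review before adding them to the "Allow non-administrators..." policy
$report.ClassGuid | Where-Object { $_ } | Sort-Object -Unique
# Packages that would still prompt or fail: no catalog, invalid signature, untrusted publisher
$report | Where-Object { $_.CatalogStatus -ne 'Valid' -or -not $_.PublisherTrusted } |
    Select-Object Inf, CatalogStatus, Signer
```

Run it from a machine that already has the GPO-deployed publisher certificates, otherwise every package is reported as untrusted.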
The End
And finally it’s all done! You now have a centralized store for all your hardware drivers, and they can be installed automatically when a device is connected to a managed computer on your network.