Allow Standard Users to Install Drivers For Devices from Specified Setup Classes
Applies To: Windows Server 2008
You can use this procedure to allow standard users to install device drivers for devices that belong to a specified device setup class.
By default, standard users can only install drivers that are present in the driver store. Also by default, only administrators can stage device drivers in the driver store. This policy allows a standard user to stage a device driver package, and thus install a device whose device setup class is listed in the policy setting.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To allow standard users to install a device in a specific device setup class
Open the Group Policy Management Editor. To do so, click Start, and then in the Start Search box, type
mmc gpedit.msc
.In the navigation pane, open the following folders: Local Computer Policy, Computer Configuration, Administrative Templates, System, Device Installation.
In the details pane, double-click Allow non-administrators to install drivers for these device setup classes.
Click Enabled, and then click Show.
In the Show Contents dialog box, click Add.
In the Add Item dialog box, type the GUID for the device setup class that applies to your device. Ensure that you include the curly brace characters on either side of the value.
Click OK to save your changes. You can repeat steps 5 and 6 for other devices.
Click OK to save the completed list, and then click OK to save the policy setting.
Additional considerations
When this setting is enabled and a non-administrator installs a device, the wizard does not search the Microsoft Update Web site or Windows Server Update Services (WSUS) for drivers. If you want to use this setting to allow non-administrators to install device drivers that are not included in Windows Vista, make the drivers available through some means other than Windows Server Update Services (WSUS). For example, use Staging Device Driver Packages in the Driver Store, or use the DevicePath registry key, as described in Modify the DevicePath Registry Key.
To determine the device setup class GUID for your device, see Determine the Device Setup Class for Your Device. Also, for a list of system supplied setup classes, see "System-Supplied Device Setup Classes" at https://go.microsoft.com/fwlink/?LinkId=82268.
By default, only an administrator can choose to trust a signature from a certificate that is not in the Trusted Publishers store. For this policy to be effective in allowing a standard user to complete installation without elevated privileges, then the certificate used to sign the device driver package must be from a Trusted Publisher. See Deploying Certificates to the Trusted Publishers Store.
This policy setting does not have the same effect as those described in Allowing Installation of Only Permitted Devices. Those settings allow or prevent installation at the device level, while this setting allows standard users to stage device drivers in the driver store, which by default they cannot.
If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).