Driver deployment with Microsoft Deployment Toolkit (MDT) – Part 2: Windows driver management
This article, the second in a two-part series covering driver management, details managing drivers using Microsoft Deployment Toolkit (MDT), Group Policy, and best practices for enterprise use.
In our previous post, we dug deep into driver management. By cleverly configuring our Task Sequences and structuring our Out-of-Box Drivers within MDT, we were able to automate the installation of user-attached hardware during the imaging process.
But how can we achieve these results without reimaging our whole domain? As it turns out, quite easily!
Note: This post (once again) assumes you have MDT properly set up and configured. This post also assumes you have an environment where Group Policy Preferences can be used.
Remember all of those driver folders we created in our first post?
Yes.. those driver folders…
Go to your deployment share and try to find one of those folders. When drivers are imported, MDT sorts the drivers automatically based on the hardware type.
I don’t even know what a NTRIG_DIGITIZER is but MDT still sorts it!
So let us say that a user has called you and wants a local printer installed. Your organization is adopting this printer model, so you will be getting a lot of these calls over the next month or so. You already loaded the driver into the MDT Other folder, which we created in part 1 of this series. That will only install the printer driver during the imaging process, though. You don’t want to image their computer just to install the printer. In fact, you want it to install as soon as they plug it in and without having to call the helpdesk.
Enable automatic driver management
The very first thing that we need to do is allow our non-administrators to install certain device types. To do this, enable the setting below in a Group Policy Object. Note that this setting only applies to Vista and above.
Allow non-administrators to install drivers for these device setup classes – enabled
After this setting is enabled, you will next need to enter the device classes that end users can install. A device class defines a set of devices. For example, “4D36E979-E325-11CE-BFC1-08002BE10318” defines all printers. For the full list of system-defined device classes, see http://msdn.microsoft.com/en-us/library/windows/hardware/ff553426(v=vs.85).aspx.
After the list is populated, we need to make one final edit to the GPO. Create a registry preference item that updates the DevicePath value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion from “C:\windows\inf\” to “C:\windows\inf;\\SERVER\DEPLOYMENTSHARE$\Out-of-Box Drivers\”. If you have a lot of drivers or driver installation time exceeds your expectations, you can specify individual driver folders for the devices that you wish to install.
For example:
“C:\windows\inf;\\SERVER\DEPLOYMENTSHARE$\Out-of-Box Drivers\Printers\;\\SERVER\DEPLOYMENTSHARE$\Out-of-Box Drivers\Monitor”
A restart is required for your computers to begin applying this setting and for drivers to install automatically.
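To confirm on a client that both settings arrived, and that standard users cannot write to the driver folders they are now allowed to install from, a check like the following can be run locally. It is an added example, not part of the original article; the policy registry location and the function name Test-DriverPath are assumptions, and it inspects NTFS permissions only.

```powershell
# Added example: audit the two settings described above on the local computer.
# Assumption: the GPO list is stored under the policy key below (not stated in the article).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses'
$cvKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# SIDs that cover ordinary users: Everyone, Authenticated Users, BUILTIN\Users.
# Domain Users has a domain-specific SID and is matched by its -513 suffix.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# WriteData/AppendData cover creating files and folders; Modify and FullControl include them.
# The two raw values are GENERIC_WRITE and GENERIC_ALL, which some ACLs carry unmapped.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData) -bor 0x40000000 -bor 0x10000000
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Test-DriverPath {   # hypothetical helper name
    param([string]$Path)
    $result = [ordered]@{ Path = $Path; Reachable = $false; WritableBy = @() }
    if (Test-Path -LiteralPath $Path) {
        $result.Reachable = $true
        # NTFS ACL only; share-level permissions have to be reviewed on the server.
        $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
        $result.WritableBy = @($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -and
            ($broadSids -contains $_.IdentityReference.Value -or
             $_.IdentityReference.Value -like 'S-1-5-21-*-513')
        } | ForEach-Object { $_.IdentityReference.Value })
    }
    [pscustomobject]$result
}

# 1. Device setup classes that standard users may install (one GUID per value).
if (Test-Path $policyKey) {
    $key = Get-Item $policyKey
    $key.GetValueNames() | ForEach-Object { 'Allowed class: {0}' -f $key.GetValue($_) }
} else {
    'Policy list not present on this computer.'
}

# 2. Every DevicePath entry: is it reachable, and can ordinary users write to it?
$devicePath = (Get-ItemProperty -Path $cvKey -Name DevicePath).DevicePath
$devicePath -split ';' | Where-Object { $_.Trim() } |
    ForEach-Object { Test-DriverPath -Path $_.Trim() } |
    Format-Table -AutoSize
```

An empty WritableBy column for every entry means none of the listed broad groups can add files to a folder that Windows searches for drivers.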
Three final notes:
1. If you are ever manually installing a driver and receive a “Windows cannot verify the publisher of this driver software” warning, the driver needs to be signed and trusted. This applies to both 32- and 64-bit versions of Windows Vista and above. An excellent guide can be found here: http://www.deploymentresearch.com/Blog/tabid/62/EntryId/63/Sign-your-unsigned-drivers-Damn-It.aspx
2. In the scenario above, we focused on drivers already imported into our DeploymentShare. Often, you will get calls to install new hardware that doesn’t have a pre-existing driver. It is much easier to manually install the device and then import the driver into the Other folder on MDT. To quickly find the new driver, browse to \\COMPUTERNAME\c$\windows\System32\DriverStore\FileRepository\. Then sort by date modified to see the new driver. Copy the path and select Import Drivers (within the Deployment Workbench).
3. Finally, enable the “Allow remote access to the Plug and Play interface” group policy setting in your environment.
Allow remote access to the Plug and Play interface – enabled
This allows for read-only remote access to Device Manager and proves handy in retrieving new device classes as well as checking the installation progress. That setting can be found here: Computer Configuration\Administrative Templates\System\Device Installation\
Thank you for reading this series! If you have any questions or would like to share your driver success story, let us know in the comments.
Excellent write-up thus far. Thanks so much for sharing your knowledge.
Thank you for letting us know! Let us know how it helps your environment!
Nice! New stuff to me, but sounds very useful!
Glad you like it! If you have any problems setting it up, let us know!