WinSecWiki > Security Settings > Local Policies > Security Options > Devices > Unsigned driver installation behavior
Devices: Unsigned driver installation behavior
This policy controls Windows behavior when a user tries to install a unsigned device driver – one that hasn’t been certified and signed by WHQL (Windows Hardware Quality Lab). Note that this policy only affects the “normal” installation of device drivers via the Windows Setup API; it doesn’t protect against “backdoor” installation methods used by some malware such as registering .sys files as system services. Choices:
- Silently succeed
- Warn but allow installation
- Do not allow installation
Normally Windows warns the user but allows the installation if the tell it to proceed. The idea of this policy is to allow you to prevent users from loading potentially unstable or even malicious drivers since drivers run in kernel mode where software can do the most damage.
Bottom line
Disabling this policy is a good idea but be aware of some caveats. Unattended installations will fail if you attempt to install unsigned drivers and while eliminating support calls due to bad device drivers, it may create new calls due to users not being able to install devices like PDAs etc.
Back to top