How did the Unsigned non-driver installation behavior Group Policy setting (Windows 2000 only) port to Windows 2003 Group Policy?  Or did it?

Last Modified: 2012-05-06
On our Windows 2003 R2 domain controllers, we see the following registry setting:

HKEY_LOCAL_MACHINE\Software\Microsoft\Non-Driver Signing = 1

According to MS KB822798, this was set by the Unsigned non-driver installation behavior Group Policy setting in Windows 2000.  Is there a Group Policy setting in Windows 2003 which sets this?  If no policy setting currently exists in Windows 2003, what is the recommended way of setting this in Windows 2003 Group Policy?

Thanks in advance.

CERTIFIED EXPERT
Top Expert 2013

Commented:
Yes, the policy exists in Windows 2003 too.
http://msdn.microsoft.com/en-us/library/ms814360.aspx
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Devices: Unsigned driver installation behavior
 
Thanks
Mike

Author

Commented:
Mike,

Your post is not what I am looking for.  The referenced article is for a Windows 2000 system and the text of your post 'Devices: Unsigned driver installation behavior' deals with unsigned drivers.

I'm looking for the 'Unsigned NON-DRIVER installation behavior' group policy setting in Windows 2003.
CERTIFIED EXPERT
Top Expert 2013

Commented:
ok
Screenshots are from a W2K3 DC (no W2K boxes in the environment).
 
Thanks
Mike

Unsigned-1.JPG
Unsigned-2.JPG
Unsigned3.JPG
CERTIFIED EXPERT
Top Expert 2013

Commented:
Quick follow-up: here is some guidance on the setting from the DISA security guide.
 
http://www.unifiedcompliance.com/matrices/live/02038.html
The DISA Windows Server 2003 Security Checklist Version 6 § 5.3.8.13 states that the system should warn users if they are about to install an unsigned driver or not install drivers if they are unsigned. The "Devices: Unsigned driver installation behavior" value should be set to either "Warn but allow installation" or "Do not allow installation".
Where I work, we use the DISA, NSA and Microsoft guides for security guidance.
Thanks
Mike

Author

Commented:
Mike,

Again, we are interested in Unsigned NON-Driver installation, not Unsigned Driver Installation.
CERTIFIED EXPERT
Top Expert 2013

Commented:
sorry about that man, my bad on that
I can't find the setting in 2003
I also went through the GP spreadsheet
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821c32f-da15-438d-8e48-45915cd2bc14&displaylang=en
Doesn't seem to be in there natively.
 
Commented:
I agree.  I don't see it anywhere either.

So I'm going to write a custom ADM template to make the registry change via a 2003 Group Policy.  That should work and leave a good audit trail.


Commented:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy
change Policy value from "01" to "00"
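
Whichever way the value is pushed (custom ADM template or a manual edit), a check like the following reports what each domain controller actually holds. It is an added example, not code from any poster in this thread: the key path and the `Policy` value name are the ones quoted in the comments above, while the function name, the `-Expected` baseline and the host names in the usage line are assumptions. It accepts the value stored either as binary ("01") or as a number (1), since the thread quotes it both ways.

```powershell
# Added example: audit the Non-Driver Signing value discussed in this thread.
# Key path and value name are taken from the thread. The expected value is an
# assumption: set -Expected to whatever your own baseline requires.
# Reading a remote registry needs the Remote Registry service on the target.
function Get-NonDriverSigningPolicy {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Expected = 1
    )
    $subKey = 'SOFTWARE\Microsoft\Non-Driver Signing'
    foreach ($computer in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer = $computer; Kind = $null; Value = $null; Status = $null
        }
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey)
            if ($null -eq $key) {
                $result.Status = 'KeyMissing'
            } else {
                $raw = $key.GetValue('Policy', $null)
                if ($null -eq $raw) {
                    $result.Status = 'ValueMissing'
                } else {
                    $result.Kind = $key.GetValueKind('Policy')
                    # REG_BINARY is returned as byte[]; REG_DWORD as an integer.
                    if ($raw -is [byte[]]) {
                        if ($raw.Length -gt 0) { $result.Value = [int]$raw[0] }
                    } else {
                        $result.Value = [int]$raw
                    }
                    if ($null -eq $result.Value) { $result.Status = 'Unreadable' }
                    elseif ($result.Value -eq $Expected) { $result.Status = 'Compliant' }
                    else { $result.Status = 'Drift' }
                }
                $key.Close()
            }
            $hklm.Close()
        } catch {
            $result.Status = "Error: $($_.Exception.Message)"
        }
        $result
    }
}

# Usage (DC01 and DC02 are placeholder host names):
# Get-NonDriverSigningPolicy -ComputerName DC01, DC02 -Expected 1 | Format-Table -AutoSize
```

The `Kind` column shows the registry type actually stored on each host, which is worth comparing against the type a custom ADM template writes before relying on it.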