Administrators can prevent users from modifying the Device Installation Settings on their computers by using Group Policy. For more information, see the section titled “Managing Device Installation Using Group Policy” later in this chapter.
Using the Devices And Printers Folder
Devices And Printers is a new Start menu and Control Panel item in Windows 7 that provides users with a single location where they can discover, connect, configure, use, and manage devices connected to their computers. In previous versions of Windows, there was no central location where users could view and manage wired and wireless devices connected to their computers. Beginning with Windows 7, however, users can now use the Devices And Printers folder to view and manage all devices connected to or discovered by their computer, including printers, fax machines, scanners, cameras, removable storage devices, networked devices, paired WiFi and Bluetooth devices, multifunction devices (which appear as a single device), and other machines.
Figure 17-1 shows the Devices And Printers folder on a computer that has a printer, webcam, and music player attached to it.
FIGURE 17-1 The new Devices And Printers folder in Windows 7
Features of the Devices And Printers folder include:
- A context-sensitive command bar that varies depending upon the device selected. Regardless of which device is selected, the command bar always displays the Add A Device (which is used for discovering and connecting with wireless devices) and Add A Printer (which launches the Add Printer wizard) options.
- A context-sensitive right-click menu that also varies depending upon the device selected. For example, you can access the properties for a device by right-clicking the device and selecting Properties. These properties pages are extensible by the device manufacturer, who can add additional tabs and register them for device management and configuration purposes. Note that the default double-click action for the right-click menu is also configurable.
- A device metadata system and a set of XML schemas that device vendors can use to customize the way their devices are presented to users in the Devices And Printers folder. For example, Devices And Printers can automatically download additional metadata for a newly connected device to display a photorealistic image of the device and additional manufacturer information that is not available from the hardware or device driver. For more information, see the section titled “Device Metadata System” later in this chapter.
- Integration with the new Device Stage feature of Windows 7, which is discussed in the next section of this chapter.
The Windows 7 computer itself appears as a device within the Devices And Printers folder. As Figure 17-2 illustrates, right-clicking your computer device icon displays a menu of actions that you can perform to configure and manage your computer.
FIGURE 17-2 The context menu for the computer device icon in Devices And Printers
NOTE Advanced users can perform even more device configuration tasks, such as rolling back drivers, by right-clicking the computer device icon in Devices And Printers, selecting System Properties, and selecting Device Manager.
Understanding Device Stage
Device Stage is a new, intuitive visual interface for supported devices that makes it easier for users to configure, use, and manage devices connected to their computers. Microsoft is working with IHVs to help them support Device Stage for their devices. Currently, Device Stage is supported by only a small selection of multifunction printers, music players, and mobile phones.
Figure 17-3 shows the new UI for a device that supports Device Stage, which shows branding information and various tasks from which the user can choose to use and manage the device. In addition, when the Device Stage UI is open for a device, a photo-realistic shell icon for the device is displayed on the taskbar. Clicking this icon displays a thumbnail preview of the device and of the Device Stage UI for the device.
FIGURE 17-3 An example of the Device Stage user interface for a compatible device
Understanding the Device Experience Architecture
Figure 17-4 shows the architecture of the new device experience in Windows 7. New elements of Windows 7 include:
- Two new UIs (the Devices And Printers folder and the Device Stage experience)
- Two underlying features (Device Display Object and Device Metadata System) that make the new UIs possible
The device manufacturer must supply the following for each device:
- XML metadata for the device, which includes both Device Stage XML and Device Display XML metadata
- Vendor applications for using the device, which may be Web applications and/or Windows applications
- Device drivers for physical layer connectivity with and use of the device
These features of the Windows 7 device experience are described in more detail below.
[Figure 17-4 diagram labels: Physical Layer (USB, Wi-Fi, Bluetooth, …); Function Discovery; Device Metadata System; Device Display Object; Devices And Printers; Device Stage; Windows Shell; Device Display XML; Device Stage XML; Windows Applications; Windows Features; Partner; Hardware; Windows]
FIGURE 17-4 The architecture of the new device experience in Windows 7
DEVICE CONTAINERS
Because of the growing popularity of multifunction devices, such as printer/copier/fax/scanners, the PnP architecture has been enhanced in Windows 7 to support the detecting and grouping together of the different functions that a device supports. This new feature is called device container, a new PnP device property that groups device functions together into a single container representing the physical device. Device containers preserve the existing devnode model of Windows while providing users with a more natural representation of a physical device. (A devnode is an internal structure that represents a device on a system. It contains the device stack and information about whether the device has been started and which drivers have registered for notification on the device. Each device on a computer has a devnode, and these devnodes are organized into a hierarchical device tree. The Plug and Play Manager creates a devnode for a device when the device is configured.)
By using device containers, a multifunction device such as a printer/copier/fax/scanner can be presented to the user as a single device icon in the Devices And Printers folder (and also in the Device Stage interface if this is supported by the device). Device containers are identified by a container ID, which is a globally unique identifier (GUID) that is individual to each physical device. The container ID for a device is generated automatically by PnP. All devnodes belonging to the device container on a given bus share the same container ID.
DEVICE DISPLAY OBJECT
The Device Display Object is responsible for acquiring the XML metadata for a device and using it to render that device in the Devices And Printers folder (and in the Device Stage UI if the device supports Device Stage). The Device Display Object includes the Device Metadata Retrieval Client (DMRC), which matches devices to Device Stage metadata packages. The Device Display Object is an internal feature of Windows 7 and is not configurable.
DEVICE METADATA SYSTEM
The Device Metadata System is new in Windows 7 and provides a process for defining and distributing metadata packages for devices that users connect to their computers. Device metadata is information that enriches the way that devices are displayed by and used with Windows; it consists of two types of metadata:
- Device Display XML metadata: This type of metadata is conceptually similar to sleeve art for music CDs and allows a photorealistic device icon to be displayed along with additional device information, such as manufacturer, model, and description fields. Figure 17-5 shows an example of how Device Display XML metadata can enhance how the device is displayed in the Devices And Printers folder. (The bottom portion of the Devices And Printers window in the figure has been enlarged by dragging its upper border upward.)
- Device Experience XML metadata: This type of metadata is conceptually similar to a simple Web page and is used by the Device Stage UI. For example, such metadata can enable branding by allowing background and overlay images to be displayed and can display a large, photorealistic image of the device, provide real-time device status information, display a vendor logo and marketing information, and describe what the user can do with the device. See Figure 17-3 earlier in this chapter for an example of how this metadata can be used to display a device that supports Device Stage.
FIGURE 17-5 Device Display XML metadata can enhance how a device is displayed
The device metadata system for Windows 7 delivers device metadata in the form of a package. This package consists of XML files, graphics files, and icon files and typically contains the following:
- PackageInfo.xml: Contains the hardware IDs, model ID, timestamp, schemas, and index and locale information for the device
- DeviceInfo.xml: Contains additional device information with an icon file for the device
- WindowsInfo.xml: Contains additional information needed by Windows
If the device supports Device Stage, the following additional metadata files are included in the device metadata package:
- Behavior.xml: Defines the layout of the Device Stage UI with any branding graphics included by the vendor
- Task.xml: Defines the tasks that the user can perform with the device using the Device Stage interface with associated icons and commands for these tasks
- Resource.xml: Contains any localized resources needed for the Device Stage interface
NOTE XML metadata can be associated with a device using either the hardware ID or model ID of the device, with model ID being the preferred method.
IHVs that create metadata packages for their devices must submit this metadata to Windows Quality Online Services (Winqual). This must be done to validate the quality of the metadata and digitally sign the package to guard against tampering. Once the package has been signed by Winqual, it can be distributed to users by the following methods:
- Embedding the metadata in the hardware of the device
- Including the metadata in the vendor’s software that is included with the device
- Installing the metadata on users' computers as an Original Equipment Manufacturer (OEM) add-on
- Making the metadata available for download from Windows Metadata and Internet Services (WMIS)
When a device is first connected to a Windows 7 computer, Windows acquires the metadata for the device by using the following process:
1. The DMRC checks the computer's local metadata cache and metadata store for data that applies to the device.
2. If no metadata is found for the device, the DMRC visits the WMIS Web site to determine whether any metadata is available for the device.
3. If no metadata is available for the device from WMIS, a standard icon is displayed for the device and descriptive information found in the device's driver is displayed. The device is then displayed in the Unspecified Device section at the bottom of the Devices And Printers folder.
4. If metadata is found and downloaded for the device from WMIS, the Device Display Object feature parses the metadata and uses it to display the device in the Devices And Printers folder (and in the Device Stage interface if the device supports Device Stage).
Users can opt out of downloading metadata from WMIS by configuring the Device Installation Settings on their computers. For more information, see the section titled “Configuring Device Installation Settings” earlier in this chapter. Administrators can also prevent the downloading of metadata from WMIS by using Group Policy. See the following section titled “Managing Device Installation Using Group Policy” for information.
NOTE Some older systems may display some internal devices, such as CD/DVD-ROM drives, USB root hubs, and other devices, as separate devices in the Devices And Printers folder because the system is reporting these devices as removable when they actually are not. Updating the basic input/output system (BIOS) on these older systems may resolve this problem.
Managing Device Installation Using Group Policy
Group Policy is the recommended method for managing device installation behavior across an enterprise network where Active Directory Domain Services is deployed. The following sections summarize the various policy settings available for managing the device installation experience on Windows 7.
Managing Device Installation Behavior
Policy settings for controlling device installation behavior in Windows 7 are found under the following node in Group Policy Object Editor:
Computer Configuration\Policies\Administrative Templates\System\Device Installation
Policies controlling device installation behavior, described in Table 17-1, are per-computer policies only. They may apply to Windows Vista and Windows Server 2008 only, to Windows 7 and Windows Server 2008 R2 only, or to all of these platforms; see the first column of the table for more information on which platforms to apply each policy. Policy settings that are new in Windows 7 are prefixed with an asterisk (*). Policy settings that were introduced in Windows Vista but have now been deprecated in Windows 7 are prefixed with two asterisks (**).
Although configured policy settings will be available for use on the computer without a reboot, they will take effect only for device installations initiated after the policy settings have been applied. In other words, the policy settings are not retroactive, and they will not affect the state of any devices that were installed previously.
TABLE 17-1 Policies for Managing Device Installation Behavior
POLICY NAME    DESCRIPTION
Allow Remote Access To The Plug And Play Interface
(Applies to Windows Vista or later versions)
Specifies whether remote access to the PnP interface is allowed.
If you enable this setting, remote connections to the PnP interface will be allowed.
If you disable or do not configure this setting, the PnP interface will not be available remotely.
Note that this policy should be enabled only if the administrator of the system requires the ability to retrieve information about devices on this system from another remote computer, such as using Windows Device Manager to connect to this system from a remote computer.
Configure Device Installation Timeout
(Applies to Windows Vista or later versions)
Specifies the number of seconds the system will wait for a device installation task to complete. If the task is not completed within the specified number of seconds, the system will terminate the installation.
If you disable or do not configure this setting, the system will wait 300 seconds (5 minutes) for any device installation task to complete before terminating installation.
**Do Not Create System Restore Point When New Device Driver Installed
(Applies only to Windows Vista and Windows Server 2008)
If you enable this setting, system restore points will not be created when a new device driver is installed or updated.
If you disable or do not configure this setting, a system restore point will be created whenever a new driver is installed or an existing device driver is updated.
Do Not Send A Windows Error Report When A Generic Driver Is Installed On A Device
(Applies to Windows Vista or later versions)
If you enable this setting, a Windows error report will not be sent when a generic driver is installed.
If you disable or do not configure this setting, a Windows error report will be sent when a generic driver is installed.
*Prevent Creation Of A System Restore Point During Device Activity That Would Normally Prompt Creation Of A Restore Point
(Applies to Windows Vista or later versions)
Lets you prevent Windows from creating a system restore point during device activity that normally prompts Windows to create a system restore point. Windows usually creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to restore your system to its state before the activity more easily.
If you disable or do not configure this policy setting, Windows creates a system restore point as it normally does.
Note: This policy setting replaces the Do Not Create System Restore Point When New Device Driver Installed policy setting used in Windows Vista.
*Prevent Device Metadata Retrieval From The Internet
(Applies only to Windows 7 and Windows Server 2008 R2)
If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box on the user's computer.
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
*Prevent Windows From Sending An Error Report When A Device Driver Requests Additional Software During Installation
(Applies only to Windows 7 and Windows Server 2008 R2)
If you enable this policy setting, Windows does not send an error report when a device driver that requests additional software is installed.
If you disable or do not configure this policy setting, Windows sends an error report when a device driver that requests additional software is installed.
Prioritize All Digitally Signed Drivers Equally During The Driver Ranking And Selection Process
(Applies to Windows Vista or later versions)
When selecting which driver to install, do not distinguish between drivers signed by a Windows Publisher certificate and drivers signed by others.
If you enable this setting, all valid Authenticode signatures are treated equally for the purpose of selecting a device driver to install. Selection is based on other criteria (such as matching hardware or compatible IDs) rather than whether the driver was signed by a Windows Publisher certificate or by another Authenticode certificate. A signed driver is still preferred over an unsigned driver. However, drivers signed by Windows Publisher certificates are not preferred over drivers signed by other Authenticode certificates.
If you disable or do not configure this setting, drivers signed by a Windows Publisher certificate are selected for installation over drivers signed by other Authenticode certificates.
Note: In Windows Vista, this policy setting was named Treat All Digitally Signed Drivers Equally In The Driver Ranking And Selection Process.
*Specify Search Order For Device Driver Source Locations
(Applies only to Windows 7 and Windows Server 2008 R2)
If you enable this policy setting, you can select whether Windows searches Windows Update first, searches Windows Update last, or does not search Windows Update.
If you disable or do not configure this policy setting, members of the Administrators group can determine the order in which Windows searches source locations for device drivers.
Turn Off “Found New Hardware” Balloons During Device Installation
(Applies to Windows Vista or later versions)
If you enable this setting, “Found New Hardware” balloons will not appear while a device is being installed.
If you disable or do not configure this setting, “Found New Hardware” balloons will appear while a device is being installed unless the driver for the device has suppressed the balloons.
Best practices for configuring these policy settings include the following:
- To ensure that users of Windows 7 computers have an optimal device experience, enable the Specify Search Order For Device Driver Source Locations policy setting and configure the setting to Search Windows Update First. This will prevent users from being able to modify their device installation settings, as described in the section titled “Configuring Device Installation Settings” earlier in this chapter.
- If you enable the Configure Device Installation Timeout policy setting, you cannot specify a time shorter than the default value of 300 seconds. Some devices, such as redundant array of independent disks (RAID) controllers and other boot-critical devices, can take a long time to initialize, and the default value for this setting was chosen to accommodate PnP installation of such devices to prevent boot failure. The reason an installation time-out value is specified at all is that improperly written driver installation packages can stop responding during installation, causing the system itself to stop responding. This was a problem in earlier versions of Windows because an improperly written driver could cause an interactive prompt to be displayed in the background where it couldn’t be accessed. In Windows Vista, however, device installation has been moved out of Newdev.dll into the PnP service (DrvInst.exe), and the PnP service starts a separate, new process instance for each device installation. These architectural changes to how device installation works in Windows Vista make it much harder for an improperly written driver to make the PnP service stop responding. If the installation process instance does stop responding, however, the time-out value set here kills the process and displays the Add New Hardware wizard, allowing the user to specify a different driver to install. However, the reason for allowing administrators to be able to configure this policy setting is that if the administrator knows that the installation of some driver package(s) on some device(s) will take longer than the default time-out period (but not actually stop responding from the UI), she can allow the system to wait for a longer period of time for the installation to complete.
Managing Driver Installation Behavior
Policy settings for controlling driver installation behavior, including driver signing and driver search, are found under Computer Configuration\Policies\Administrative Templates\System\Driver Installation or User Configuration\Policies\Administrative Templates\System\Driver Installation, or both. However, the only driver installation policy setting that still applies in Windows 7 is the one that can be used to manage the driver installation behavior for standard users, specifically the following machine policy setting:
Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow Non-Administrators To Install Drivers For These Device Setup Classes
This policy applies to Windows Vista or later versions and can be used to specify a list of device setup class GUIDs describing device drivers that standard users can install on the system. Enabling this setting allows users to install new drivers for the specified device setup classes. (The drivers must be signed according to Windows Driver Signing Policy or by publishers already in the TrustedPublisher store.) Disabling this policy setting or leaving it Not Configured means that only members of the local Administrators built-in group can install new device drivers on the system.
To configure this policy, follow these steps:
1. Using Group Policy Object Editor on a Windows Vista computer, open the Group Policy object (GPO) linked to the organizational unit (OU) where your target users have their computer accounts.
2. Navigate to the policy setting and double-click it to open it.
3. Enable the policy. Click Show and then click Add.
4. Type the GUID for the device setup class for the device type that you want to allow standard users to be able to install on computers targeted by the GPO. For example, to allow users to install imaging devices, such as digital cameras and scanners, type {6bdd1fc6-810f-11d0-bec7-08002be2092f} in the Add Item text box. Continue by adding other GUIDs as needed.
MORE INFO For a list of device setup classes and their GUIDs, see http://msdn2.microsoft.com/en-US/library/ms791134.aspx.
Blocking Installation of Removable Devices
Policy settings for blocking device installation are found under the following node in the Group Policy Object Editor:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions
Policies for blocking device installation, described in Table 17-2, are per-computer policies only. All but one of these policies apply to Windows Vista or later versions (the policy setting marked with an asterisk applies only to Windows 7 and Windows Server 2008 R2). In addition, two of these policy settings (marked with a double asterisk) have been updated in Windows 7 with new functionality.
Configured policy settings will be applied during the next background refresh of Group Policy. In other words, these policies do not require a reboot or logon/logoff to take effect after you configure them.
TABLE 17-2 Computer Policies for Blocking Device Installation
POLICY NAME    DESCRIPTION
Allow Administrators To Override Device Installation Restriction Policies
(Applies to Windows Vista or later versions)
Allows members of the Administrators group to install and update the drivers for any device, regardless of other policy settings.
If you enable this setting, administrators can use Add Hardware wizard or Update Driver wizard to install and update the drivers for any device.
If you disable or do not configure this setting, administrators are subject to all policies that restrict device installation.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Allow Installation Of Devices That Match Any Of These Device IDs
(Applies to Windows Vista or later versions)
Specifies a list of PnP hardware IDs and compatible IDs that describe devices that can be installed. This setting is intended for use only when the Prevent Installation Of Devices Not Described By Other Policy Settings setting is enabled and does not take precedence over any policy setting that would prevent a device from being installed.
If you enable this setting, any device with a hardware ID or compatible ID that matches an ID in this list can be installed or updated if that installation has not been prevented specifically by any of the following policy settings: Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Prevent Installation Of Removable Devices.
If another policy setting prevents a device from being installed, the device cannot be installed even if it is also described by a value in this policy setting.
If you disable or do not configure this setting and no other policy describes the device, the Prevent Installation Of Devices Not Described By Other Policy Settings setting determines whether the device can be installed.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Allow Installation Of Devices Using Drivers That Match These Device Setup Classes
(Applies to Windows Vista or later versions)
Specifies a list of device setup class GUIDs describing devices that can be installed. This setting is intended for use only when the Prevent Installation Of Devices Not Described By Other Policy Settings setting is enabled and does not have precedence over any setting that would prevent a device from being installed.
If you enable this setting, any device with a hardware ID or compatible ID that matches one of the IDs in this list can be installed or updated if that installation has not been specifically prevented by any of the following policy settings: Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Prevent Installation Of Removable Devices. If another policy setting prevents a device from being installed, the device cannot be installed even if it is also described by a value in this setting.
If you disable or do not configure this setting and no other policy describes the device, the setting Prevent Installation Of Devices Not Described By Other Policy Settings determines whether the device can be installed.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Display A Custom Message Title When Installation Is Prevented By Policy
(Applies to Windows Vista or later versions)
Specifies a customized message that is displayed to the user in the title of the notification balloon when policy prevents the installation of a device.
If you enable this setting, this text is displayed as the title text of the message displayed by Windows Vista whenever device installation is prevented by policy.
If you disable or do not configure this setting, Windows Vista displays a default title whenever device installation is prevented by policy.
Note: In Windows Vista, this policy was named Display A Custom Message When Installation Is Prevented By Policy (Balloon Title).
Display A Custom Message When Installation Is Prevented By Policy
(Applies to Windows Vista or later versions)
Specifies a customized message that is displayed to the user in the text of the notification balloon when policy prevents the installation of a device.
If you enable this setting, this text is displayed as the main body text of the message displayed by Windows Vista whenever device installation is prevented by policy.
If you disable or do not configure this setting, Windows Vista displays a default message whenever device installation is prevented by policy.
Note: In Windows Vista, this policy was named Display A Custom Message When Installation Is Prevented By Policy (Balloon Text).
Prevent Installation Of Devices Not Described By Other Policy Settings
(Applies to Windows Vista or later versions)
This setting controls the installation policy for devices that are not specifically described by any other policy.
If you enable this setting, any device that is not described by either Allow Installation Of Devices That Match These Device IDs or Allow Installation Of Devices For These Device Classes cannot be installed or have its driver updated.
If you disable or do not configure this setting, any device that is not described by the Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Deny Installation Of Removable Devices policies can be installed and have its driver updated.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
**Prevent Installation Of Devices That Match Any Of These Device IDs
(Applies to Windows Vista or later versions and is updated in Windows 7)
Lets you specify a list of PnP hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Note: This policy has been updated in Windows 7 to add retroactive uninstall functionality, that is, to enable the removal of devices that were installed before the application of the policy (for example, during an OEM preload of Windows onto a system). To enable retroactive uninstall functionality, enable the policy setting and select the Also Apply To Matching Devices That Are Already Installed check box. Then be sure to enable and configure the Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect policy setting because uninstalling previously installed devices will trigger a reboot.
**Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes
(Applies to Windows Vista or later versions and is updated in Windows 7)
Lets you specify a list of device setup class GUIDs for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
Note: This policy has been updated in Windows 7 to add retroactive uninstall functionality, that is, to enable the removal of devices that were installed before the application of the policy (for example, during an OEM preload of Windows onto a system). To enable retroactive uninstall functionality, enable the policy setting and select the Also Apply To Matching Devices That Are Already Installed check box. Then be sure to also enable and configure the Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect policy setting because uninstalling previously installed devices will trigger a reboot.
Prevent Installation Of Removable Devices
(Applies to Windows Vista or later versions)
Prevents removable devices from being installed.
If you enable this setting, removable devices may not be installed, and existing removable devices cannot have their drivers updated.
If you disable or do not configure this setting, removable devices can be installed and existing removable devices can be updated as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.
For this policy, a device is considered removable when the drivers for the device to which it is connected indicate that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
*Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect
(Applies only to Windows 7 and Windows Server 2008 R2)
If you enable this setting, set the number of seconds that you want the system to wait until a reboot to enforce a change in device installation restriction policies. (The default is 120 seconds.)
If you disable or do not configure this setting, the system will not force a reboot.
Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
MORE INFO For information on how to identify device IDs for PnP devices, see http://msdn2.microsoft.com/en-us/library/ms791083.aspx.
Managing Device Redirection Behavior
A new addition to Windows 7 is a number of policy settings that you can use to control the redirection of USB devices on your system. These policy settings are supported only on Windows 7 and Windows Server 2008 R2 and are machine policies that are found in the following location:
Computer Configuration\Policies\Administrative Templates\System\Device Redirection\Device Redirection Restrictions
The two policies available for configuration are as follows:
■ Prevent Redirection Of USB Devices: Prevents redirection of USB devices.
• If you enable this setting, an alternate driver for USB devices cannot be loaded.
• If you disable or do not configure this setting, an alternate driver for USB devices can be loaded.
■ Prevent Redirection Of Devices That Match Any Of These Device IDs: Prevents redirection of specific USB devices (see Figure 17-6).
• If you enable this setting, an alternate driver for the USB device cannot be loaded.
• If you disable or do not configure this setting, an alternate driver for the USB device can be loaded.
FIGURE 17-6 Details of the new Prevent Redirection Of Devices That Match Any Of These Device IDs policy setting
Troubleshooting Device Installation
The following sections outline specific troubleshooting steps with regard to device installation. For general guidance on troubleshooting hardware problems in Windows 7, see Chapter 30, “Troubleshooting Hardware, Driver, and Disk Issues.”
Using Event Logs
Windows event logs can be useful for troubleshooting device installation problems and driver issues. In addition to checking the System Event Log, you should check the Operational Event Logs under Applications And Services Logs\Microsoft\Windows\DriverFrameworks-UserMode when experiencing problems installing devices and device drivers. For more information on using Event Viewer, see Chapter 21, “Maintaining Desktop Health.”
Using WinSAT
WinSAT is a tool included in Windows 7 that provides a benchmark of system performance based on ratings of the following hardware:
■ Processor
■ Physical memory (RAM)
■ Hard disk (%SystemDrive% only)
■ Graphics and gaming graphics
WinSAT results are saved in both the registry and in an XML file saved in the %SystemRoot%\Performance\WinSAT\Datastore directory. You can also run WinSAT on demand by opening Performance Information And Tools in Control Panel and clicking Re-run The Assessment. WinSAT stores a history of up to one hundred system assessments and discards the oldest assessment when the limit is reached. WinSAT never deletes the initial assessment produced during the Machine Out-Of-Box Experience (MOOBE).
WinSAT can also be useful to determine which drivers are slowing down the boot process or blocking a system from Sleep mode. Problem drivers will be flagged under Performance Issues with messages such as “Drivers are causing Windows to start slowly” or “Drivers are interfering with Windows entering sleep mode.” The solution to these situations is usually to update the problem drivers. However, these messages might also be reported as a result of configuration issues with devices.
Using Windows Error Reporting
When a device driver or device install fails for any reason, the user is prompted to send information to Microsoft using WER, where Microsoft, ISVs, and IHVs can analyze the information and provide updated drivers if needed. When a user makes a report, an entry is created on the WER site, logging the problem. Data is collected for the following types of device installation failures:
■ Device errors: Errors with distinct Device Manager codes.
■ Import errors: Problems staging device drivers.
■ Install errors: Reported when a driver has successfully staged but fails to install when the device is connected to the system.
■ Driver not found: Reported when a matching driver package cannot be located.
■ Driver protection errors: WRP processing errors: driver is flagged as protected but fails to meet criteria.
■ Generic driver found: Reported when a specific driver for a device is not available and Windows Vista installs a generic driver.
■ Windows Update errors: When a user encounters one of these errors and elects to report it, additional data is collected. The data gathered depends on the nature of the problem.
In each case, WER tracks the following information:
■ Number of users (hits) who have seen the same problem in the last 30 days
■ Number of hits per locale (English, German, French, and so on)
■ Number of hits by operating system version
■ Total number of hits
■ Bugs filed on this problem
Developers use the information gathered to track high-profile driver requests and petition manufacturers to provide drivers through either Windows Update or the WER interface itself. Both internal Microsoft employees and manufacturers have access to WER data and the Winqual site found at https://winqual.microsoft.com. If a driver becomes available, it can be added to the response portion of the WER interface. After users elect to report the data, they are prompted to fill out a survey. (Note that if the IHV or ISV creates a response for the given error, the user can see the response without filling out a survey.) This response may be edited to provide a link to the driver on the third-party Web site, which should decrease the number of support calls requesting drivers for devices.
NOTE By default, Windows 7 sends a Windows error report when a generic driver is installed on a device. You can use Group Policy to modify this behavior. See the section titled “Managing Device Installation Behavior” earlier in this chapter for more information.
Using the SetupAPI Log File
In Windows XP, the SetupAPI log found under %Windir% is a plain text log file that you can use to troubleshoot issues with installing devices. Beginning with Windows Vista, this log is moved to %Windir%\Inf and consists of two separate log files: SetupAPI.app.log and SetupAPI.dev.log. Each log file is made up of distinct sections, with each section representing one device install.
<Log Header>
>>> Section header Device Driver install section 1
<<< End Section
>>> Section header Device Driver install section 2
<<< End Section
>>> Section header Device Driver install section 3
<<< End Section
…
The INF file for the device driver controls device installation, and the SetupAPI logs record a series of entries corresponding to each instruction in the INF file, along with whether the action succeeded or failed. When parsing these logs to troubleshoot device installation issues, a good place to start is looking for problem descriptions such as “device did not install” or “wrong driver installed” or a message saying “Exit status: FAILURE”. The following example illustrates a device installation problem reported in the SetupAPI logs.
>>> [Device Install (Hardware initiated) - USB\VID_045E&PID_00BD\{0D51C6EB-7E08-D342-9E60-177B6A619B96}]
>>> Section start 2006/08/17 13:40:16.348
ump: Creating Install Process: DrvInst.exe 13:40:16.348
ndv: Retrieving device info
ndv: Setting device parameters
ndv: Building driver list
dvi: {Build Driver List} 13:40:16.645
dvi: Searching for hardware ID(s):
dvi: usb\vid_045e&pid_00bd&rev_0100
dvi: usb\vid_045e&pid_00bd
dvi: Searching for compatible ID(s):
dvi: usb\class_ff&subclass_ff&prot_ff
dvi: usb\class_ff&subclass_ff
dvi: usb\class_ff
dvi: Enumerating INFs from path list 'C:\Windows\INF'
inf: Searched 0 potential matches in published INF directory
inf: Searched 34 INFs in directory: 'C:\Windows\INF'
dvi: {Build Driver List - exit(0x00000000)} 13:40:16.818
ndv: Selecting best match
dvi: {DIF_SELECTBESTCOMPATDRV} 13:40:16.819
dvi: No class installer for 'Microsoft® Fingerprint Reader'
dvi: No CoInstallers found
dvi: Default installer: Enter 13:40:16.821
dvi: {Select Best Driver}
!!! dvi: Selecting driver failed(0xe0000228)
dvi: {Select Best Driver - exit(0xe0000228)}
!!! dvi: Default installer: failed!
!!! dvi: Error 0xe0000228: There are no compatible drivers for this device
dvi: {DIF_SELECTBESTCOMPATDRV - exit(0xe0000228)} 13:40:16.824
ndv: {Core Device Install}
ndv: Device install status=0xe0000203
ndv: Performing device install final cleanup
ndv: Queueing up error report since device installation failed
ndv: {Core Device Install - exit(0xe0000203)}
ump: Server install process exited with code 0xe0000203 13:40:16.832
<<< Section end 2006/08/17 13:40:16.837
<<< [Exit status: FAILURE(0xe0000203)]
The problem reported is failure to install the Microsoft Fingerprint Reader, and the cause of the problem is reported in the error message “There are no compatible drivers for this device.”
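Added example, not from the book: a Python parser for the section layout described above. It splits a SetupAPI.dev.log into install sections and reports each one that did not end in SUCCESS, with the IDs Windows searched for and the last !!! entry as the cause. The embedded log is constructed (a shortened copy of the excerpt above plus a made-up successful section); parse_setupapi, failed_installs and Section are names chosen here, and the plain "[Exit status: SUCCESS]" closing line is an assumption about the on-disk format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: section 1 is a shortened copy of the chapter's excerpt,
# section 2 is a made-up successful install for contrast.
SAMPLE_LOG = r"""[Device Install Log]
>>>  [Device Install (Hardware initiated) - USB\VID_045E&PID_00BD\{0D51C6EB-7E08-D342-9E60-177B6A619B96}]
>>>  Section start 2006/08/17 13:40:16.348
     dvi:      Searching for hardware ID(s):
     dvi:           usb\vid_045e&pid_00bd&rev_0100
     dvi:           usb\vid_045e&pid_00bd
     dvi:      Searching for compatible ID(s):
     dvi:           usb\class_ff&subclass_ff&prot_ff
     dvi:           usb\class_ff
     dvi: Enumerating INFs from path list 'C:\Windows\INF'
!!!  dvi: Selecting driver failed(0xe0000228)
!!!  dvi: Error 0xe0000228: There are no compatible drivers for this device
<<<  Section end 2006/08/17 13:40:16.837
<<<  [Exit status: FAILURE(0xe0000203)]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\CONSTRUCTED]
>>>  Section start 2006/08/17 13:41:02.100
     dvi:      Searching for hardware ID(s):
     dvi:           usb\vid_0000&pid_0000
<<<  [Exit status: SUCCESS]
"""

@dataclass
class Section:
    title: str
    target: str                     # device instance ID the section is about
    status: str = "INCOMPLETE"      # stays so if the log ends before the exit line
    code: str = ""
    hardware_ids: list = field(default_factory=list)
    compatible_ids: list = field(default_factory=list)
    errors: list = field(default_factory=list)    # text of '!!!' entries

EXIT_RE = re.compile(r"\[Exit status: (\w+)(?:\((0x[0-9a-fA-F]+)\))?\]")
# optional severity marker, component tag, message, optional trailing timestamp
ENTRY_RE = re.compile(r"^(?:!{1,3}\s+)?\w+:\s+(.*?)(?:\s+\d\d:\d\d:\d\d\.\d+)?$")

def parse_setupapi(text):
    sections, cur, ids = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(">>>"):
            body = line[3:].strip()
            if body.startswith("["):                     # opens a new section
                title, _, target = body.strip("[]").partition(" - ")
                cur, ids = Section(title, target), None
                sections.append(cur)
        elif cur and line.startswith("<<<"):
            m = EXIT_RE.search(line)
            if m:                                        # closes the section
                cur.status, cur.code = m.group(1), m.group(2) or ""
                cur = None
        elif cur and (m := ENTRY_RE.match(line)):
            msg = m.group(1)
            if line.startswith("!!!"):
                cur.errors.append(msg)
            if msg.endswith("hardware ID(s):"):
                ids = cur.hardware_ids
            elif msg.endswith("compatible ID(s):"):
                ids = cur.compatible_ids
            elif ids is not None and "\\" in msg and " " not in msg:
                ids.append(msg)                          # an ID listed under the heading
            else:
                ids = None
    return sections

def failed_installs(sections):
    """(target, exit code, last '!!!' message) for each section that did not succeed."""
    return [(s.target, s.code, s.errors[-1] if s.errors else "")
            for s in sections if s.status != "SUCCESS"]
```

Matching the hardware IDs returned here against the ID lists in the device installation restriction policies shows whether a failed install was a missing driver, as in this case, or a policy block.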
By default, Windows Vista and later versions log device behavior in the SetupAPI logs at a more verbose level than in previous versions of Windows. You can use the following DWORD registry value to configure the verbosity level for these logs:
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\LogLevel
The default setting for this value is 0x2000ffff. For information on how to configure logging levels for the SetupAPI logs, see the white paper, “Debugging Device Installation in Windows Vista,” found at http://www.microsoft.com/whdc/driver/install/diagnose.mspx.
Using Driver INF Files
WRP protects the integrity of system files and system registry settings, including device drivers and device settings. Drivers are added to the list of WRP-protected files on the system only if they have been specifically flagged for protection by WRP when being staged to the driver store.
When a driver package has been specifically flagged for WRP protection and that driver package is staged to the driver store, an event is logged to the event logs to indicate this.
To verify that a third-party driver you plan to install will be protected using WRP, open the INF file for the driver and look for PnpLockdown=1 in the [Version] section. Microsoft recommends that ISVs who develop third-party drivers for Windows 7 include this setting (called the lockdown flag) in their INF files, which causes WRP to prevent users with administrative privileges from deleting or modifying the driver files referenced in the INF file. However, this is only a recommendation; ISVs are not required to include this setting in case compatibility issues should arise.
Using Device Manager Error Codes
Device Manager error codes are the codes that accompany icons displayed with exclamation points (also known as bangs) in the Device Manager console (Devmgmt.msc). To view these error codes, open the properties of the problem device in Device Manager and look under Device Status on the General tab. You can view the hardware ID of the problem device by selecting Hardware Ids from the Property list box on the Details tab. When you parse SetupAPI logs, this ID can be useful for gaining further understanding of why the device did not install or is not working properly.
Windows 7 reports the same Device Manager error codes as previous versions of Windows. Knowledge Base article 245386, found at http://support.microsoft.com/kb/245386, documents these codes, explaining the meaning of each and the kinds of scenarios that can cause them to be reported.
NOTE During a device installation, if a user is prompted to install the device in the future and responds by choosing No, a driver must still be installed. Otherwise, the PnP service will continue to redetect the driver and prompt for installation. In this scenario, the Null driver (which actually means that the device is configured not to use a driver) is installed and Device Manager displays error code 28. If the user later wants to install the device, the user must select the Update Driver option in Device Manager because the device previously was assigned an error code because it could not be installed with any driver.
Device Manager error codes are reported only during device installation; they are never reported during driver staging. This means that if a Device Manager error code is reported, the problem occurred during device installation and not driver staging. A good place to start troubleshooting is looking at how physical installation of the device occurred and whether it was done properly. Device Manager error codes are also reported in the SetupAPI.dev.log file. See the section titled “Using the SetupAPI Log File” earlier in this chapter for more information.
Using Driver Verifier
Another device driver troubleshooting tool is Driver Verifier, which can monitor kernel-mode drivers and graphics drivers and detect illegal function calls or other actions that could corrupt the system. Driver Verifier can subject drivers to a variety of stresses to uncover improper driver behavior. The Driver Verifier Manager tool (Verifier.exe) is located in %WinDir%\System32 and can be run either graphically (press Windows Logo Key+R, type verifier, and press Enter) or from an elevated command prompt using various parameters (type verifier /? to learn more about these parameters).
MORE INFO For more information about using Driver Verifier, see http://msdn2.microsoft.com/en-us/library/ms792872.aspx.
Repairing Driver Store Corruption
If the driver store becomes corrupt, new drivers cannot be added to it and Windows may not be able to copy driver files from it. The inability to add new drivers or install new devices could therefore indicate problems with the driver store. Possible causes of driver store corruption can include:
■ Interrupted write operations from sudden power loss
■ Damaged clusters on %SystemDrive% (use ChkDsk.exe to resolve)
■ Bad memory being accessed during memory-mapped input/output (I/O)
■ Malware or possibly even misbehaving anti-malware software
If you suspect that driver store corruption is the problem, contact Microsoft Product Support Services (PSS) for troubleshooting.
Repairing Index File Corruption
If the files used to index the driver store are missing or corrupt, new drivers cannot be added to the driver store. The inability to add new drivers or install new devices could therefore indicate problems with these index files. Possible causes of index file corruption are similar to causes of driver store corruption.
If index files become corrupt, restore them from your most recent system backup. The three index files for the driver store are Infpub.dat, Infstore.dat, and Drvindex.dat, and they are found under %SystemRoot%\Inf. You can also use System Restore to restore index files because these files are added to protection points, but this approach is generally not recommended because reverting to a previous restore point can affect other aspects of the system and its installed software. Restoring from backup is therefore preferred.
DIRECT FROM THE SOURCE
Troubleshooting Driver Signing Issues
Sampath Somasundaram, SDET
DMI Team, Windows
If you see a Windows Security dialog box with a check box that says Windows Can’t Verify The Publisher Of This Driver Software, you should verify the validity of the driver signature by checking the following:
1. See whether the INF file contains the CatalogFile=FileName entry and whether the FileName matches the CAT file in the same directory.
2. If the preceding step is successful, double-click the catalog file, view the signature, view the certificate, and check the Certification Path tab. Verify that the entire chain of certificates is trusted. If not, add them all to the trusted root CA store on the local computer. The last one should be added to the TrustedPublisher store.
If you see a Windows Security dialog box with a check box that says Always Trust Software From Some_name, install the certificate in the TrustedPublisher store on the local computer. Alternatively, you can select the check box and click Install, and the system will add the certificate automatically to the TrustedPublisher store. Note that you must use Mmc.exe to install the certificate, not the Certmgr.exe UI, because Certmgr.exe installs the certificate in the current user’s store only.
If the package is signed but an unsigned dialog box still shows, determine whether any older unsigned versions of the driver are in the driver store. Open a command prompt and type pnputil.exe -e. To remove a driver from the driver store, type pnputil -d OEMfilename.inf, where OEMFilename.inf is the OEM file name listed by pnputil -e for the driver package.
To check whether the catalog file actually contains the driver files, use the Signtool.exe utility from the WDK/Platform Software Development Kit (SDK) and type signtool verify /c catalogfilename filename.
Finally, to determine why your new latest freshly signed driver is losing to in-box drivers, do the following:
■ Select the option to treat all signing as equal.
■ Compare the date of your driver with that of the in-box driver.
■ Check the version to see whether the dates are equal.
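Added example, not from the book or from Microsoft: a Python check for the two INF properties this chapter says to inspect by hand, the lockdown flag in [Version] (see “Using Driver INF Files”) and the CatalogFile entry with its matching catalog file (step 1 of the sidebar above). The function names and the sample INF are constructed for illustration. Finding the catalog beside the INF does not show that its signature is valid; that is what the certificate chain check and signtool verify are for.

```python
import os

# Constructed sample INF (not a real driver package).
SAMPLE_INF = """\
[Version]
Signature   = "$Windows NT$"
Provider    = %Mfg%          ; string token, defined in [Strings]
CatalogFile = sample.cat
PnpLockdown = 1              ; the lockdown flag

[Manufacturer]
%Mfg% = Models,NTamd64
CatalogFile = decoy.cat      ; outside [Version], must be ignored
"""

def read_inf_text(path):
    """Decode an INF that is either UTF-16 with a BOM or a single-byte/UTF-8 file."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def version_entries(text):
    """Return the [Version] directives as a dict with lower-cased keys."""
    entries, in_version = {}, False
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # ';' starts a comment
        if line.startswith("["):
            in_version = line.strip("[] \t").lower() == "version"
        elif in_version and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries

def check_inf(inf_path):
    """Report the lockdown flag and whether each named catalog sits beside the INF."""
    ver = version_entries(read_inf_text(inf_path))
    folder = os.path.dirname(os.path.abspath(inf_path))
    # CatalogFile may also appear platform-decorated, e.g. CatalogFile.NTamd64
    catalogs = sorted({v for k, v in ver.items()
                       if k == "catalogfile" or k.startswith("catalogfile.")})
    missing = [c for c in catalogs if not os.path.isfile(os.path.join(folder, c))]
    return {"pnplockdown": ver.get("pnplockdown") == "1",
            "catalogs": catalogs,
            "missing_catalogs": missing}
```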
Understanding Power Management
The goal of power management in Windows is to maximize energy efficiency. This is accomplished by minimizing the amount of power used while automatically providing required performance on demand. Power management is an increasingly important issue for businesses as a result of rising energy costs and energy consumption by today's desktop and mobile computers. In the United States, the Environmental Protection Agency has estimated that PCs at home and in the workplace use about 2 percent of all electrical energy consumed. Leaving a PC on at home can add up to 8 percent to the total household power usage for the average home.
By contrast, putting a PC into Sleep mode for 14 hours a day can save between 600 and 760 kWh per year of electricity consumption. In 2009, this means savings of approximately $63,000 per year per 1,000 PCs for which this is done. The business and environmental importance of improving the power efficiency of PCs is compelling, and Microsoft has made numerous enhancements in this area in Windows 7.
Power Management Enhancements in Windows 7
Windows XP delivered improvements in the area of power management, such as support for hibernation and standby and the ability of Windows to automatically power down monitors and hard drives to reduce energy consumption. Windows Vista built upon these advances with a number of improved power management capabilities, including:
■ Improved support for ACPI 2.0. In addition, Windows Vista also provides support for selected features of ACPI 3.0.
■ Standard (non-ACPI) HALs are no longer supported in Windows Vista; only the ACPI Programmable Interrupt Controller (PIC) HAL and ACPI Advanced Programmable Interrupt Controller (APIC) HAL are supported in Windows Vista.
■ Simplified power plan model, including three default power plans:
• Balanced: Automatically balances system performance with energy consumption—for example, by speeding up the processor when performing CPU-intensive activities, such as playing a 3D game, and slowing down the processor when performing activities that require little CPU, such as editing a document in Microsoft Office Word. Balanced is the default power plan in Windows Vista.
• Power Saver: Saves power at the expense of maximum performance. On mobile systems, this helps to maximize battery life. On desktop and server platforms, it works to reduce energy consumption.
• High Performance: Maximizes system performance at the expense of power savings.
■ Mobile users can easily switch between power plans using the enhanced battery meter in the notification area or the battery tile in Windows Mobility Center. Desktop and server users can switch power plans in Power Options in Control Panel.