Allowing non-administrator users to install devices and device drivers
Summary: We can have users add hardware/drivers that are already in the local driver store, Windows Update, and pre-defined paths (CDROM, DVD, USB drive). If drivers are not found, the device is unknown in Device Manager, and a user only has read access to Device Manager. We need a way for a user to reinstall drivers for that unknown device and/or point to drivers if not found when installing. The settings we already changed are the classes GUID allow and path.

By default Windows 7 allows users and administrators to install devices with their device drivers. When a device is inserted, Windows will search Windows Update for the appropriate driver for the device. If Windows finds one on Windows Update, it will install it. If it can't find an appropriate driver on Windows Update, it will search the local driver store. If it finds an appropriate driver in the local driver store, it will install it. If Windows can't find a driver by now, it will have to be done manually, but only a local administrator can do it. Only local administrators can modify the local driver store. A non-administrator cannot manually install drivers for a device that we have seen.

There is a registry key that can be modified that will allow Windows to search other locations for drivers. These locations can be local drives, removable devices by drive letter, and network locations. If Windows finds drivers for the device in those locations, it should install the driver.

In the testing that Mike and I did, we took my cell phone and set it up as a modem. I know for a fact that Windows does not have the drivers for my phone as a modem in the local driver store or on Windows Update. When we plugged the phone in as a standard user, Windows searched Windows Update, then the local driver store, but couldn't find the drivers, so the device was not installed. We could not find a way to manually install the drivers for the device.

We logged in as the local administrator and removed the device from Device Manager, then unplugged the device from the workstation. We then plugged the phone back into the workstation and it did the same thing. It searched Windows Update, then the local driver store, but didn't install because those locations do not have the drivers for that device. We went into Device Manager and uninstalled the device and unplugged the phone.

We then added the drives A:, B:, D:, E:, F:, and G: in the registry located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath (We left what was already there and added ;A:;B:;D:;E:;F:;G:. You have to separate paths with a semicolon. When you export the registry it exports it as HEX, so remember that if you want to import drive paths.)

We rebooted and logged on as a standard user. We plugged the phone back in and Windows searched Windows Update, the local driver store, then it began to search drives A, B, D, E, F, and G. It finally found the drivers buried on drive G and installed all the drivers for the device. We logged in as the local administrator and removed the device from Device Manager with the option to also uninstall the drivers, then unplugged the device from the workstation. We then plugged the phone back into the workstation and it did the same thing, where it searched the A, B, D, E, F, and G drives, found the drivers, and installed the software for the device.

The problem that we ran into was that if a user plugs in a device where Windows does not find the drivers, it will throw it in Device Manager waiting for someone to fix it by giving it the drivers. Non-administrator users only have read access to Device Manager and thus can't install the drivers. We also tried Devices and Printers, and the device was listed there with a ! on it. We did a troubleshoot option on it and Windows said it needed drivers. We clicked fix and it gave an error. The details said something about elevated, so I'm thinking you need to be running as an administrator to update drivers in the Devices and Printers area.
May 6th, 2010 6:35pm
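
Added example, not part of the original post: the post notes that the DevicePath value exports as HEX, so this Python sketch decodes a `hex(2)` value from a .reg export and flags search-path entries outside %SystemRoot%, which are the locations Windows will take driver packages from without an administrator. The sample export is constructed, and `%SystemRoot%\inf` as the pre-existing value is an assumption.

```python
import re

def decode_hex2(reg_text, name="DevicePath"):
    """Return the string held in a hex(2) (REG_EXPAND_SZ) value of a .reg export."""
    # regedit wraps long values: trailing backslash, newline, indentation.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    m = re.search(r'^"%s"=hex\(2\):([0-9a-fA-F,]*)' % re.escape(name), joined, re.M)
    if not m:
        raise ValueError("no hex(2) value named %r" % name)
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b)
    # The data is UTF-16LE with a terminating NUL.
    return raw.decode("utf-16-le").rstrip("\x00")

def audit_device_path(value):
    """Split the semicolon-separated search path and classify each entry."""
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(";"))):
        if entry.lower().startswith("%systemroot%"):
            kind = "system"
        elif entry.startswith("\\\\"):
            kind = "network share"
        elif re.fullmatch(r"[A-Za-z]:\\?", entry):
            kind = "whole drive"      # e.g. removable media by drive letter
        else:
            kind = "other path"
        findings.append((entry, kind))
    return findings

def make_export(value, name="DevicePath"):
    """Constructed sample: emulate how regedit writes a REG_EXPAND_SZ value."""
    data = (value + "\x00").encode("utf-16-le")
    pairs = ["%02x" % b for b in data]
    lines = [",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return ('Windows Registry Editor Version 5.00\n\n'
            '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion]\n'
            '"%s"=hex(2):' % name) + ",\\\n  ".join(lines) + "\n"

# Constructed sample mirroring the change described in the post.
SAMPLE = make_export("%SystemRoot%\\inf;A:;B:;D:;E:;F:;G:")

if __name__ == "__main__":
    for entry, kind in audit_device_path(decode_hex2(SAMPLE)):
        flag = "" if kind == "system" else "  <-- review"
        print("%-20s %s%s" % (entry, kind, flag))
```
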

Hello gadgetadam,

This is the security risk with allowing non-admins to install device drivers: this exposes kernel mode, so it's not recommended.

Run gpedit.msc. Under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights assignments, see Load and Unload device Drivers. Read the explanation along with the warnings and see if this is what you are looking for.

Thanks,
Darrell Gorter
This posting is provided "AS IS" with no warranties, and confers no rights
May 7th, 2010 4:52am

Nope, and I unmarked it as the Answer. That's for loading kernel mode drivers. Like I said, if we modify the driver search path, a user can insert or install a device and Windows will search Windows Update, the local driver store, then the driver path. If it finds the drivers then it installs them. No prompts to point to drivers. The device goes into Device Manager, where a user has read access, so it would be up to an admin to update the drivers. The client wants users to be able to install drivers if they don't have the media inserted when adding the device. I have a call into MS, but I'm pretty sure there is no workaround for this request, but I have to do due diligence.
May 7th, 2010 5:21pm

No method can help us to allow a non-administrator to access Device Manager.
Arthur Xie - MSFT
May 10th, 2010 10:29am

This is insane.. I have 300 users running as Local Administrators because there's an outside chance that code might be introduced into the kernel by a malicious driver. Our business is at risk 24/7 because of this inability.
June 29th, 2010 11:49pm

Have you tried adding them as Power Users and seeing if that makes any difference? Otherwise, as Microsoft states, there is no way for a non-admin to add a driver. This link also shows how to add to the driver store, in case that will help. Once the driver is added to the driver store, the user won't be prompted, it will just install.

http://technet.microsoft.com/en-us/library/cc770927(WS.10).aspx
(While this IS the link for Server 2008, Windows 7 has the exact same feature. The below text was copied directly from its help.)

Microsoft PnP Utility
Usage:
------
pnputil.exe [-f | -i] [ -? | -a | -d | -e ] <INF name>
Examples:
pnputil.exe -a a:\usbcam\USBCAM.INF -> Add package specified by USBCAM.INF
pnputil.exe -a c:\drivers\*.inf -> Add all packages in c:\drivers\
pnputil.exe -i -a a:\usbcam\USBCAM.INF -> Add and install driver package
pnputil.exe -e -> Enumerate all 3rd party packages
pnputil.exe -d oem0.inf -> Delete package oem0.inf
pnputil.exe -f -d oem0.inf -> Force delete package oem0.inf
pnputil.exe -? -> This usage screen

Also, a side note. Just because the client (or boss) wants something, doesn't mean they should have it. Sometimes a thorough explanation of the degradation of security is all they need to make an about-turn on their stance. It might mean your IT team being proactive about updating the driver store and making use of remote management tools, but in the end, it will provide a more secure environment for you and your client/boss. I am sure you already know this... so I am just mentioning it as a side note.
June 30th, 2010 1:39am

JaymzR-What? Please explain.
June 30th, 2010 10:34pm

Power Users group in 7 is just for backward compatibility. From my understanding it's just there for XP apps that look to see what groups a user is in. Users are either users or admins on a W7 box. A user can add a driver as long as it's in Microsoft Update or in the local driver store. An admin or GPO can also add paths of where to look 3rd but if it can't find it then an admin has to get involved. Pre-populating the driver store really isn't practical because it requires admin rights and more work than specifying a path for drivers. I agree, just because someone wants something doesn't mean it's correct or right but sometimes when you're brought in on a project there are unrealistic expectations. This was one of them and after doing due diligence we have an answer.
June 30th, 2010 10:39pm

This topic is archived. No further replies will be accepted.
