Let’s learn how to restrict driver installation for non-administrator users using an Intune policy. This post explains how to block non-administrators from installing drivers using the Intune Settings Catalog.
In some organizational contexts, users may be allowed to install drivers on corporate devices. However, in an environment with high-security requirements, it is strongly recommended that only Administrators be authorized to install drivers. If a user installs a driver without sufficient knowledge, it may inadvertently cause the system to become less stable.
In the realm of computer systems, device drivers are a critical component that warrants proper management to ensure optimal performance. In the context of efficient driver management, it is generally recommended that system administrators undertake the task.
This is because not every user has the knowledge and expertise needed to handle drivers. It is therefore prudent to prevent non-admin users from installing drivers on computers, which avoids issues arising from improper management.
These are the steps to create a policy that will prevent users from installing drivers. The policy creates a device configuration profile that can be deployed to devices in your organization. Let’s start..!!
What are Drivers? – Learn More About the Drivers
I understand that many of my readers already have good knowledge of drivers. However, some readers will not be familiar with the term, so let me take a moment to explain what drivers are.
A driver is a type of software that facilitates communication between an operating system and a hardware device. Whenever an application needs to access data from a device, it sends a request to the operating system, which then calls upon a function implemented by the driver.
For example, if you want to print a document that you’ve edited, you click the print option and send the document to your printer. The operating system then asks the printer driver to print the document. Behind the scenes, the driver translates the document into a format that the printer can understand, and the printer produces the output.
The driver, typically developed by the device manufacturer, is responsible for knowing how to interact with the device hardware to obtain the data. Once the driver acquires the data, it sends it back to the operating system, which in turn forwards it to the application.
Note! As per Microsoft, drivers don't always have to be developed by the device's manufacturer. If a device follows a published hardware standard, Microsoft can write the driver, so the device designer doesn't have to provide one.
Restrict Drivers Installation for Non-Administrators
We have discussed the importance of Restricting Non-Administrators from Installing Drivers. To implement this measure, let us proceed to the Intune portal. Here, we shall delve deeper into the implementation process and learn how to execute this feature effectively. Let’s start!!
- Sign in to the Microsoft Intune Admin Portal.
- Select Devices > Windows > Configuration Profiles > Create > New Policy
Clicking Create Policy opens a new window. Select Windows 10 and later under Platform, select Settings Catalog as the Profile Type, and click Create.
Platform | Profile Type |
---|---|
Windows 10 and later | Settings Catalog |
Navigate to the Basics tab and enter the Name and Description for the profile. Click Next to continue.
In the Configuration Settings section, under Settings Catalog, click Add Settings.
NOTE! Microsoft discovered that administrators may experience performance degradation when they add more than 400 settings to a single policy. However, Microsoft is working on making improvements to address this issue.
When you click Add Settings, the Settings picker tab opens. In the search bar, search for Driver Installation. Select Allow non-administrators to install drivers for these device setup classes.
NOTE! This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of the built-in Users group may install on the system. If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store. If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new driver packages on the system.
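To prevent non-administrators from installing drivers, set Allow non-administrators to install drivers for these device setup classes to Disabled. As the note above explains, with the setting disabled only members of the Administrators group can install new driver packages. Click Next to continue.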
Click Next to display the Scope tags page. Add the Scope tags if you wish and click Next to assign the policy to computers. I will deploy it to the HTMD – Test Computers Group.
On the Review + Create page, carefully review all the settings you’ve defined to Restrict Non-Administrators from Installing Drivers. Once you’ve confirmed that everything is correct, select Create to implement the changes.
Monitor the Configuration Profile Deployment in Microsoft Intune
The Configuration Profile is deployed to Azure AD groups. Let’s see how we can monitor the deployment and status of installation from the Intune portal. To monitor the Intune policy assignment, follow these steps:
- Navigate to the list of Configuration Profiles and select the policy you targeted.
- Check the device and user check-in status from here.
- If you click “View Report,” you can see additional details.
End-User Experience After Restricting Non-Administrators from Installing Drivers
The report indicates that the policy has been successfully deployed to end-user devices. However, we need to verify whether the policy is applied to these devices. There are multiple ways to check the deployment status on end-user devices.
I have deployed the Configuration Profile to the HTMD – Test Computers group. This AD group has only test devices. I recommend testing the deployment on pilot devices before implementing it in production. This can help identify any potential issues and ensure a smoother roll-out.
After applying the policy, non-admin users will not be able to install any drivers. Only the administrator will have the permission to install drivers. It’s important to note that these changes may take some time to come into effect, so it’s recommended to test these settings with a small group of users before applying them to a larger group.
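One way to confirm the result on a pilot device is the following PowerShell check, added here as an example and not part of the original post. It assumes the setting is written to the Group Policy registry location `HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions` (value `AllowUserDeviceClasses`, with the allowed class GUIDs in a subkey of the same name); the function name is hypothetical.

```powershell
# Added example: report whether non-administrators may install drivers on this device.
# Assumption: the policy is stored at the Group Policy registry location below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$ValueName = 'AllowUserDeviceClasses'

function Get-DriverInstallPolicyState {
    [CmdletBinding()]
    param([string]$Path = $PolicyKey)

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        State          = 'NotConfigured'   # no value present: only Administrators can install
        AllowedClasses = @()
        AdminsOnly     = $true
    }

    if (Test-Path -Path $Path) {
        $key  = Get-Item -Path $Path
        $flag = $key.GetValue($ValueName, $null)
        if ($null -ne $flag) {
            $result.State = if ([int]$flag -eq 1) { 'Enabled' } else { 'Disabled' }
        }

        # When the policy is enabled, the permitted device setup class GUIDs
        # are stored as values under a subkey with the same name.
        $listPath = Join-Path -Path $Path -ChildPath $ValueName
        if ($result.State -eq 'Enabled' -and (Test-Path -Path $listPath)) {
            $list = Get-Item -Path $listPath
            $result.AllowedClasses = @(
                foreach ($name in $list.GetValueNames()) {
                    $guid = [guid]::Empty
                    # Keep only entries that parse as GUIDs; ignore stray data.
                    if ([guid]::TryParse([string]$list.GetValue($name), [ref]$guid)) {
                        $guid.ToString('B')
                    }
                }
            )
        }
    }

    # Non-administrators can install drivers only for classes listed by an enabled policy.
    $result.AdminsOnly = ($result.AllowedClasses.Count -eq 0)
    [pscustomobject]$result
}

Get-DriverInstallPolicyState | Format-List
```

On a device where the profile has applied, `State` should read `Disabled` and `AdminsOnly` should be `True`; any GUIDs under `AllowedClasses` identify setup classes that standard users can still install drivers for.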
Thank you for your patience in reading this post. I look forward to seeing you in the next post. Keep supporting the HTMD Community.
Author
About Author – Sujin Nelladath has over 10 years of experience in SCCM device management and Automation solutions. He writes and shares his experiences related to Microsoft device management technologies, Azure, and PowerShell automation.