TechNet Home > Windows Server TechCenter > Security Services

Using Windows Server 2003 in a Managed Environment

Driver Protection

On This Page
Benefits and Purposes of Driver ProtectionBenefits and Purposes of Driver Protection
Overview: Using Driver Protection in a Managed EnvironmentOverview: Using Driver Protection in a Managed Environment
How Driver Protection Communicates with Sites on the InternetHow Driver Protection Communicates with Sites on the Internet
Controlling Driver Protection to Limit the Flow of Information to and from the InternetControlling Driver Protection to Limit the Flow of Information to and from the Internet
Alternate Methods for Controlling Driver ProtectionAlternate Methods for Controlling Driver Protection
Procedure for Disabling How Driver Protection Communicates over the InternetProcedure for Disabling How Driver Protection Communicates over the Internet

Benefits and Purposes of Driver Protection

The Driver Protection feature in the Microsoft Windows Server 2003 family prevents the operating system from loading drivers that are known to cause stability problems (for example, preventing the operating system from booting). These drivers are listed in a Driver Protection List database included with the operating system. Driver Protection checks this database during operating system upgrades and at run time. These checks are performed to determine whether to load a driver under one of the operating systems in the Windows Server 2003 family.

Driver Protection also displays up-to-date content about these driver problems in Help and Support Center, including links to sites where users can find a solution. Driver Protection relies on Windows Update and Dynamic Update to update the database files so that users are presented with the most current information available on protected drivers. Users cannot directly disable Driver Protection.

Drivers are added to the Driver Protection List based on feedback from end users about problems that can be reproduced and confirmed at Microsoft. The main reasons a driver is added to this list are:

A Windows Server 2003 family operating system cannot boot with this driver loaded.

Setup cannot be completed with this driver loaded.

End users experience data corruption when this driver is loaded.

Decisions to add drivers to this list are made in consultation with the vendors who produce and distribute these drivers. Microsoft engages and informs these vendors before adding a driver to the Driver Protection List.

A listing of the content in the Driver Protection List for the Windows Server 2003 family is available as part of a white paper that provides additional information about Driver Protection on the Windows Platform Development Web site at:

http://www.microsoft.com/whdc/driver/security/drv_protect.mspx

This section of the white paper explains how to control Driver Protection in a managed environment.

Overview: Using Driver Protection in a Managed Environment

Users have no direct control over whether to download files required by Driver Protection for updating the Driver Protection List. In a managed environment it is unlikely that users will be allowed to send and receive driver information freely; this function would normally be controlled in some fashion by the IT department. You can indirectly block Driver Protection from downloading files by disabling Windows Update or by avoiding the use of Dynamic Update. Details on the methods and procedures for controlling Driver Protection are described in the following subsections.

How Driver Protection Communicates with Sites on the Internet

This subsection summarizes the communication process:

Specific information sent or received: No information is sent to the Internet about the users system. Driver Protection downloads updated versions of the following files:

drvmain.sdb, apphelp.chm, apphelp.sdb, and apphelp.dll.

Default and recommended settings: Driver Protection is enabled by default. Recommended settings are described in the next subsection, "Controlling Driver Protection to Limit the Flow of Information to and from the Internet."

Triggers: Driver Protection is triggered if the device driver is on the Driver Protection List when the operating system starts, when a new application or device is installed, or during the installation or upgrade of the operating system.

User notification: The notification that the user receives when Driver Protection is triggered differs according to when the driver load request occurs:

If a driver on the Driver Protection List is matched when the operating system starts, the operating system displays a pop-up Help balloon titled "Devices or Applications disabled," in the taskbar notification area when the user logs on. If the user clicks that Help balloon, additional driver information and links to solutions for that problem are displayed in Help and Support Center.

If a driver on the Driver Protection List is matched during the setup of a Windows Server 2003 family operating system (for an upgrade from Windows NT 4.0 or Windows 2000), a message will appear in the Report System Compatibility window before the operating system upgrade is completed.

Users have two options at this point:

They can cancel Setup and find an alternate driver solution before installing the new operating system. If the driver that users install solves the problem, Setup will continue normally.

They can continue the upgrade process without first installing a driver that solves the problem. In this case, Setup may disable the driver in order to be completed. When users later log on, the operating system displays the pop-up Help balloon described in the previous case.

If a driver on the Driver Protection List is matched during installation of a new application or device, and that driver uses system installation services (SetupAPI), the operating system displays a notification during installation and blocks the installation of that driver.

If a driver is not installed using system installation services, the operating system cannot block the installation of that driver. It can, however, block the driver from loading. If the driver is blocked, a notification will appear every time the operating system attempts to load that driver under an operating system in the Windows Server 2003 family. For example, if a CD writing program that does not use system installation services installs a driver that is included on the Driver Protection List, the Windows Server 2003 family operating systems will display the pop-up Help balloon mentioned previously after the setup for that program is completed.

Logging: If Driver Protection finds a match for a driver in the Driver Protection List, operating systems in the Windows Server 2003 family log an event in the event log.

Encryption: The data packages downloaded to the users system by Microsoft are digitally signed.

Access: No data is uploaded from the users computer.

Privacy statement: Driver Protection is covered by the same privacy statement that covers Windows Update.

Transmission protocol and port: The transmission protocol used is HTTP and the port is 80.

Ability to disable: You cannot disable Driver Protection directly. Disabling Windows Update or avoiding the use of Dynamic Update will, however, block Driver Protection from updating the database files for the Driver Protection List on the server. (Of course you can also block the updating of Driver Protection database files by preventing access to the Internet, or by blocking HTTP over port 80.)

Controlling Driver Protection to Limit the Flow of Information to and from the Internet

You cannot disable Driver Protection directly. To block the downloading of updates for the Driver Protection database files, you can disable the settings for Windows Update and (during setup) avoid the use of Dynamic Update. (Of course you can also block downloading by preventing access to the Internet, or by blocking HTTP over port 80.)

How Controlling Driver Protection can Affect Users and Applications

Driver Protection blocks known problem drivers from loading, but it does not block any associated applications that depend on those drivers. Therefore, the behavior of applications that depend on drivers that are blocked varies depending on the implementation of the application. Some applications, such as antivirus programs, install drivers in order to provide their core functionality. For these applications, Driver Protection may cause the application not to work at all. Other applications, such as CD-burning programs, use drivers for portions of their feature set. For these applications, only those features that do not depend on the driver may work.

If you decide to disable Driver Protection from pulling down updated versions of the Driver Protection List database, drivers that affect system stability will continue to be blocked. The operating system, however, will use the version of the Driver Protection List database that comes with the operating system to identify the drivers to block, instead of a more accurate, up-to-date version of the list.

Alternate Methods for Controlling Driver Protection

A more drastic measure to take would be to disable the Upload Manager service (uploadmgr) that manages synchronous and asynchronous file transfers between clients and servers on the network. Disabling this service will block the upload of the anonymous hardware profile data (although users will still be able to complete the Hardware Wizard). The operating system will, however, use the version of the Driver Protection List database that comes with the operating system to identify the drivers to block, instead of a more accurate, up-to-date version of the list. The following subsection gives the procedure for this method.

Procedure for Disabling How Driver Protection Communicates over the Internet

You cannot disable Driver Protection directly but can do so indirectly by controlling its ability to connect to the Internet by disabling Windows Update or avoiding the use of Dynamic Update. See the sections in this white paper titled "Windows Update and Automatic Updates" and "Dynamic Update," for more information about these methods.

As mentioned in the previous subsection, a more drastic method for disabling Driver Protection is to disable the Upload Manager service.

To Disable how Driver Protection Communicates over the Internet by Disabling the Upload Manager service

1.

Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

2.

Double-click Administrative Tools, and then double-click Services.

3.

In the details pane, right-click Upload Manager, and then click Properties.

4.

Click the Log On tab, then click the hardware profile that you want to configure, and then click Disable.

Important: If this service is disabled, any services that explicitly depend on it will fail to start.


**
In This Article
Introduction to Internet Communication
Activation and Registration for a New Installation or an Upgrade
Application Help
Certificate Support and the Update Root Certificates Component
Device Manager
Driver Protection
Dynamic Update
Event Viewer
File Association Web Service
Help and Support Center: The Headlines and Online Search Features
HyperTerminal
Internet Explorer 6.0
Internet Information Services 6.0
Internet Protocol Version 6 (IPv6)
NetMeeting
Online Device Help
Outlook Express 6.0 (Included in Internet Explorer 6.0)
Plug and Play
Program Compatibility Wizard
Remote Assistance
Search Companion
Terminal Server Licensing
Windows Error Reporting
Windows Media Player
Windows Media Services
Windows Time Service
Windows Update and Automatic Updates
Appendix A: Resources for Learning About Automated Installation and Deployment
Appendix B: Resources for Learning About Group Policy
Appendix C: Message Queuing
Appendix D: Connection Manager
Appendix E: Passport Manager Administration
Appendix F: Internet Connection Sharing and Related Networking Features
Appendix G: Add Network Place Wizard
Appendix H: New Connection Wizard
Additional Resources
**