Forum Discussion
Updating a computer with Device Installation Restrictions GPO applied loses all installed drivers
Even if the update is re-detecting hardware and installing fresh drivers, I would have expected it to remember what devices were already installed and allow the installation of those drivers. That's basically how the GPO works normally: it doesn't affect anything that is already installed, it only prevents the installation of new devices.
Generally, we only add the hardware ID of 'accessory' type devices to the explicit allow list, basically anything that will be added to the computer after the initial imaging. This is because all integrated hardware gets detected and drivers installed during the imaging process well before GPOs are applied to the computer. Adding every possible hardware ID for every integrated component of every computer model we use, and then keeping that list updated for new models, sounds like a huge hassle.
The only alternative I can think of is disabling the device installation group policy temporarily when we deploy the update. We can probably deploy the update and expect most computers will install it on a scheduled date, but there will always be some that don't get it for one reason or another. That would mean leaving the GPO disabled for perhaps weeks, until every computer has completed the 1709 update. And if this is expected with every feature update, we'll have to do it again and again.
Can you recommend any other workaround or solution to this issue?
Question: Are you rewriting the (in this case) Nvidia driver with the one that is already on the desktop, or are you detecting the device and simply sending the latest upgrade? I researched this with Nvidia and for some reason their drivers also started forgetting my second display when I downloaded them in between builds. They have been working on this and at least the last 3 updates that came directly from them recognized my settings and re-applied them when the new driver was installed. The setting in question is the one that 'Activates all Displays'. It is located under 3D Settings when Configure SLI, Surround, Physx is selected when you right-click and open Nvidia Control Panel. After this is set, Windows will open with all the displays being recognized and turned on. If that checkbox does not get clicked, then Windows will still recognize (in my case) the two GTX cards but only the first display will be Active. I suspect the driver is fine every time and even if there is a new one installed it is not likely to be an issue. So are we talking about a setting 'within' the driver that Windows does not pick up, or a configuration file that gets written over when a new build comes in? Somehow I think Nvidia has figured this out with their driver updates, but the install methodology may be different when applied by Microsoft.
- Steve Whitcher, Feb 01, 2018, Bronze Contributor
Deleted - I'm not sure that the issue that you're describing is related at all to what I'm seeing. If there's a link that I'm missing, please help me understand.
The issue that I have is that after installing the feature update to v1709 on a computer with Device Installation Restriction policies set, the computer will not boot. It initially blue screens during boot, and then on subsequent attempts it goes to Startup Repair. The only way that I've been able to get Windows to boot at that point has been to roll back to the previous version of Windows.
If I disable the device installation restriction policies before installing the update, the update installs successfully. Windows boots and is fully operational after the update.
- ThiloLangbein, Jul 05, 2018, Brass Contributor
We see this issue during the 1709->1803 upgrade. We expect that "Allow administrators to override Device Installation Restriction policies" is respected during upgrade, because the upgrade runs under an administrative account. How (timing) do you disable the "Device Installation Restriction policies" during upgrade?
- Steve Whitcher, Jul 05, 2018, Bronze Contributor
I ended up going through and finding what devices were prevented from installing during the upgrade, and adding those hardware IDs to the list of allowed devices in the group policy. It definitely seems like something that should NOT be required, but at least it let me upgrade computers.
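
The workaround in the last reply can be prepared before the upgrade with a pre-flight audit. The following is an added example, not part of any post in this thread: it lists devices present on the machine whose hardware or compatible IDs are not covered by the policy's device ID allow list. It assumes the allow list is stored in the `AllowDeviceIDs` policy registry key and ignores any device setup class allow list; the function names and the output path are hypothetical.

```powershell
# Added example: audit present devices against the Device Installation
# Restrictions allow list before a feature update re-installs their drivers.
# Assumption: the "Allow installation of devices that match any of these
# device IDs" policy stores its entries as values under this key.
$AllowKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'

function Get-AllowedDeviceId {
    param([string]$Path)
    # No key means the allow-list policy is not configured on this machine.
    if (-not (Test-Path -Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } | Where-Object { $_ }
}

function Test-DeviceAllowed {
    param([string[]]$DeviceIds, [string[]]$Allowed)
    # A device is covered if any of its IDs is listed (-contains ignores case).
    foreach ($id in $DeviceIds) {
        if ($Allowed -contains $id) { return $true }
    }
    return $false
}

$allowed = @(Get-AllowedDeviceId -Path $AllowKey)

$uncovered = Get-PnpDevice -PresentOnly | ForEach-Object {
    # Collect hardware and compatible IDs, dropping empty entries.
    $ids = @($_.HardwareID) + @($_.CompatibleID) | Where-Object { $_ }
    if (-not (Test-DeviceAllowed -DeviceIds $ids -Allowed $allowed)) {
        [pscustomobject]@{
            Class        = $_.Class
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            # Most specific hardware ID first; a candidate for the allow list.
            FirstHwId    = @($_.HardwareID)[0]
        }
    }
}

# Review before adding anything to the GPO: integrated components belong
# on the list, unknown removable devices do not.
$uncovered | Sort-Object Class, FriendlyName |
    Export-Csv -Path "$env:TEMP\uncovered-devices.csv" -NoTypeInformation  # hypothetical path
$uncovered | Group-Object Class | Select-Object Count, Name
```

Running this on one machine of each hardware model gives the set of integrated-device IDs to review for the allow list, instead of discovering them after a failed upgrade.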