Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware and automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the computer.

Plug and Play hardware, combined with a Plug and Play–compatible operating system such as Windows Vista® and Windows Server® 2008, allows a user to simply plug in the hardware. Windows then searches for an appropriate device driver package and automatically configures it to work without interfering with other devices.

Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. To support this requirement for security, Windows Vista and Windows Server 2008 break the installation process into two steps:

Device installation in Windows

Device and device driver installation in Windows Vista and Windows Server 2008 operates as shown in the following diagram. "PnP" in the diagram refers to the Plug and Play service running in Windows. If any of the described security checks fail, or if an appropriate device driver package cannot be found, then the process stops.

Flowchart - Windows device driver installation
  1. When a user inserts a device, Windows detects the new hardware and signals the Plug and Play service to make the device operational.

  2. Plug and Play identifies the device.

  3. Plug and Play searches the driver store for a driver package that matches the device. If a matching package is not found, go to step 4. If a matching package is found, skip to step 8.

  4. Windows searches for a matching driver package by looking in the following locations, stopping as soon as a matching package is found:

  5. Windows checks that the user has permission to place the driver package in the driver store. The user must have administrator credentials, or computer policy must be set to allow standard users to install devices that have this identifier. For more information about this policy, see Configure Computer Policy to Allow Non-Administrators to Install Specific Devices.

  6. Windows checks that the driver package has a valid digital signature. If the driver package is signed by a certificate that is valid, but not found in the Trusted Publishers store, then Windows prompts the user for confirmation.

  7. Windows places a copy of the driver package in the driver store.

  8. PnP copies the driver files from the driver store to their operational locations, typically %systemroot%\system32\drivers.

  9. PnP configures the registry to instruct Windows how to use the newly installed drivers.

  10. PnP starts the newly installed drivers. This step is repeated at each computer restart to reload the drivers.

In Windows Vista and Windows Server 2008, the process described in steps 3 through 7 is referred to as staging. During staging, Windows performs security checks, and then places the driver package in a secure location so it can be accessed by the Plug and Play service. In Windows Vista and Windows Server 2008, staging can be performed by an administrator as a separate step. For more information, see Stage a Device Driver in the Driver Store.

If you are an administrator for multiple computers, staging the device driver packages for your users provides significant benefit. Windows performs all of the required security checking during staging, including the verification of administrator rights and validation of digital signatures. After a driver package has been successfully staged, any user that logs on to that computer can install the drivers in the driver store by simply plugging in the appropriate device. There are no prompts, and no special permissions are required. The user simply plugs in the device and it works, without administrator or help desk intervention.
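
Because a staged package can later be installed by any user without prompts, it is worth reviewing what the driver store contains. The following added example (not part of the original page) parses a listing in the key/value layout printed by `pnputil -e` and flags packages whose signer is not on an approved list; the sample listing, the signer names and the allow-list are constructed for illustration.

```python
import re

# Constructed, abbreviated sample in the "key : value" block layout that
# `pnputil -e` prints for third-party packages in the driver store.
SAMPLE_OUTPUT = """\
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Contoso
Signer name :               Contoso Hardware Ltd

Published name :            oem1.inf
Driver package provider :   Fabrikam
Signer name :               Fabrikam Devices

Published name :            oem2.inf
Driver package provider :   Unknown
Signer name :
"""

# Hypothetical allow-list of signers the organisation has approved.
APPROVED_SIGNERS = {"contoso hardware ltd"}

def parse_packages(text):
    """Split the listing into one dict (lower-cased keys) per package."""
    packages, current = [], {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            current[m.group(1).lower()] = m.group(2)
        elif current:  # a blank or banner line closes the current record
            packages.append(current)
            current = {}
    if current:
        packages.append(current)
    return packages

def unapproved(packages, approved=APPROVED_SIGNERS):
    """Return (published name, signer) for packages that need review."""
    flagged = []
    for pkg in packages:
        signer = pkg.get("signer name", "")
        if signer.lower() not in approved:
            flagged.append((pkg.get("published name", "?"), signer or "<none listed>"))
    return flagged

if __name__ == "__main__":
    for name, signer in unapproved(parse_packages(SAMPLE_OUTPUT)):
        print(f"review {name}: signer {signer}")
```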