ASD's Blueprint for Secure Cloud

Drivers and Peripherals

This section describes the design decisions associated with drivers and peripherals on Windows 10 and 11 endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.


Drivers enable hardware and software to function within a Standard Operating Environment (SOE). Drivers are code that enables Windows to recognise and use the physical components of a computer, such as printers, keyboards, mice, graphics cards and other peripherals. It is critical that these drivers are supported on the deployed operating system version and are deployed at the right time.

Drivers that are essential to the hardware platform can be deployed in the base reference image, during the device deployment task sequence through Microsoft Endpoint Configuration Manager (MECM), via Microsoft Intune, or later through Microsoft Windows Update. Drivers such as network drivers are critical during the deployment phase, whereas a microphone driver is not. The more generic the reference image, the lower the deployment and maintenance costs.

Other drivers, such as printer drivers, can be deployed after the end user has logged on to the device, using either a “Follow Me Print” queue or a defined print queue list selected by the end user.

Peripheral installation can be controlled natively through Group Policy or Intune (administrative templates or the DeviceInstallation CSP). As device identifiers may be spoofed, a defence-in-depth approach should be followed, using additional methods of protection such as:

  • Denying write access to removable media unless the drive is encrypted with BitLocker.
  • Blocking unsigned and untrusted executables.
  • Ensuring Microsoft Defender actively scans removable media for threats.
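The following PowerShell is an added example, not code from the Blueprint, showing how an endpoint engineer could audit and remediate two of the removable-media controls listed above (BitLocker deny-write and Defender removable-drive scanning) on a single Windows 10 or 11 endpoint. It assumes that the Group Policy setting "Deny write access to removable drives not protected by BitLocker" is backed by the registry value RDVDenyWriteAccess under the FVE policy key, and that the Defender cmdlets Get-MpPreference and Set-MpPreference are available; a locally written policy value is overwritten at the next Group Policy or Intune refresh, so this is for verification and lab use, with production settings coming from the managed policy. Blocking unsigned executables (AppLocker or WDAC) is a separate control and is not covered here.

```powershell
# Added example (not from the Blueprint): audit and remediate removable-media controls.
# Run in an elevated PowerShell session on the endpoint being checked.
# Assumption: RDVDenyWriteAccess under the FVE policy key backs the Group Policy setting
# "Deny write access to removable drives not protected by BitLocker".

$FveKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-RemovableMediaPosture {
    # Returns one object per control describing the expected and actual state.
    $denyWrite = (Get-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' `
                      -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    $mp = Get-MpPreference

    [pscustomobject]@{
        Control   = 'Deny write to removable drives not protected by BitLocker'
        Expected  = 1
        Actual    = $denyWrite
        Compliant = ($denyWrite -eq 1)
    }
    [pscustomobject]@{
        Control   = 'Defender scans removable drives during full scans'
        Expected  = $false
        Actual    = $mp.DisableRemovableDriveScanning
        Compliant = (-not $mp.DisableRemovableDriveScanning)
    }
    [pscustomobject]@{
        Control   = 'Defender real-time protection enabled'
        Expected  = $false
        Actual    = $mp.DisableRealtimeMonitoring
        Compliant = (-not $mp.DisableRealtimeMonitoring)
    }
}

function Set-RemovableMediaPosture {
    # Brings the two controls into the expected state; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($FveKey, 'Set RDVDenyWriteAccess = 1')) {
        New-Item -Path $FveKey -Force | Out-Null
        Set-ItemProperty -Path $FveKey -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'Enable removable drive scanning')) {
        Set-MpPreference -DisableRemovableDriveScanning $false
    }
}

# Typical use: review first, then remediate only the non-compliant controls.
Get-RemovableMediaPosture | Format-Table -AutoSize
if (Get-RemovableMediaPosture | Where-Object { -not $_.Compliant }) {
    Set-RemovableMediaPosture -WhatIf
}
```

Run Set-RemovableMediaPosture without -WhatIf to apply the changes; the audit function can be scheduled or wrapped in a compliance script so that drift from the managed policy is reported rather than silently tolerated.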

When restricting the installation of peripherals, many common human interface devices (HID), such as mice and keyboards, may be covered by a blanket allow of their device setup class to avoid additional operational overhead; see System-Defined Device Setup Classes.
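As an added example that is not part of the Blueprint, the PowerShell below implements the pattern just described: a blanket allow of the HID, keyboard and mouse setup classes combined with "prevent installation of devices not described by other policy settings", followed by a check of which devices present on the endpoint fall outside the allow list. It assumes that the Device Installation Restrictions Group Policy settings are backed by the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (values DenyUnspecified, AllowDeviceClasses, AllowAdminInstall and the AllowDeviceClasses subkey holding GUID strings named 1, 2, 3 ...), and that the three class GUIDs are the system-defined setup classes listed in System-Defined Device Setup Classes; verify both against your environment. In Intune the same class GUIDs go into the DeviceInstallation CSP allow-list setting rather than the registry.

```powershell
# Added example (not from the Blueprint): allow-list HID setup classes and deny all
# other device installation. Run elevated; writing the policy key directly is for lab
# verification, as Group Policy or Intune will re-apply the managed values.
# Assumption: registry layout of the Device Installation Restrictions policy as below.

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Allow list built from the well-known system-defined setup class GUIDs (verify locally).
$AllowedSetupClasses = @{
    'HIDClass' = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'
    'Keyboard' = '{4d36e96b-e325-11ce-bfc1-08002be10318}'
    'Mouse'    = '{4d36e96f-e325-11ce-bfc1-08002be10318}'
}

function Set-HidAllowListPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Classes = $AllowedSetupClasses)

    $classKey = Join-Path $RestrictionsKey 'AllowDeviceClasses'
    if (-not $PSCmdlet.ShouldProcess($RestrictionsKey, 'Write device installation restrictions')) { return }

    New-Item -Path $classKey -Force | Out-Null
    # Enable "allow installation of devices using drivers that match these setup classes"
    # and "prevent installation of devices not described by other policy settings".
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceClasses' -Value 1 -Type DWord
    Set-ItemProperty -Path $RestrictionsKey -Name 'DenyUnspecified'    -Value 1 -Type DWord
    # Let local administrators override the restriction for supported deployment tasks.
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowAdminInstall'  -Value 1 -Type DWord

    # The allow list is stored as string values named 1, 2, 3 ... under the subkey;
    # remove stale entries so an old GUID cannot linger after the list is shortened.
    (Get-Item -Path $classKey).Property | ForEach-Object {
        Remove-ItemProperty -Path $classKey -Name $_
    }
    $i = 1
    foreach ($guid in $Classes.Values) {
        Set-ItemProperty -Path $classKey -Name ([string]$i) -Value $guid -Type String
        $i++
    }
}

function Test-HidAllowListPolicy {
    # Reports every present device and whether its setup class is on the allow list,
    # which shows what a "deny unspecified" policy would block before it is enforced.
    param([hashtable]$Classes = $AllowedSetupClasses)

    $allowed = $Classes.Values | ForEach-Object { $_.ToLowerInvariant() }
    Get-PnpDevice -PresentOnly | Where-Object { $_.ClassGuid } |
        Select-Object FriendlyName, Class, ClassGuid,
            @{ n = 'Allowed'; e = { $allowed -contains $_.ClassGuid.ToLowerInvariant() } }
}

# Typical use: review the impact first, then apply.
Test-HidAllowListPolicy | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
Set-HidAllowListPolicy -WhatIf
```

Devices already installed before the policy is applied keep working; the restriction governs new driver installation, so the Test function is most useful on a representative reference device before the policy is rolled out to the fleet.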

Bluetooth pairing and the Bluetooth services a device may use are also controllable. By default, Windows allows all services, so care should be taken to define only the Bluetooth services required.
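To move from the default "all services allowed" state to an explicit allow list, the Intune Bluetooth policy needs the required services expressed as full 128-bit UUIDs. The PowerShell below is an added example, not from the Blueprint, that derives those UUIDs from the short 16-bit Bluetooth SIG service identifiers and emits the policy value. It assumes the setting is ./Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList, that its value is a semicolon-separated list of brace-enclosed UUIDs, and that the 16-bit identifiers in the table are the SIG-assigned numbers for those services; check all three against the Policy CSP documentation before deploying.

```powershell
# Added example (not from the Blueprint): build an explicit Bluetooth services allow list.
# Assumption: Bluetooth/ServicesAllowedList takes semicolon-separated {UUID} entries.

# A 16-bit SIG service identifier xxxx expands to 0000xxxx-0000-1000-8000-00805F9B34FB.
$BluetoothBaseUuidSuffix = '-0000-1000-8000-00805F9B34FB'

# Constructed subset of SIG-assigned 16-bit service identifiers (verify against the
# Bluetooth SIG assigned numbers before use).
$KnownServices = @{
    'HandsFree'      = 0x111E   # headset calling
    'AudioSink'      = 0x110B   # A2DP sink, e.g. headphones
    'HID'            = 0x1124   # Bluetooth keyboards and mice
    'PnPInformation' = 0x1200   # device identification during pairing
    'ObjectPush'     = 0x1105   # file transfer; left off the allow list below on purpose
}

function ConvertTo-BluetoothServiceUuid {
    param([Parameter(Mandatory)][int]$ShortId)
    if ($ShortId -lt 0 -or $ShortId -gt 0xFFFF) { throw "Not a 16-bit service id: $ShortId" }
    '{' + ('{0:X8}' -f $ShortId) + $BluetoothBaseUuidSuffix + '}'
}

function New-BluetoothServicesAllowedList {
    # Returns the policy value for the named services; unknown names fail loudly so a
    # typo cannot silently widen or narrow the allow list.
    param([Parameter(Mandatory)][string[]]$ServiceNames)

    $uuids = foreach ($name in $ServiceNames) {
        if (-not $KnownServices.ContainsKey($name)) { throw "Unknown Bluetooth service: $name" }
        ConvertTo-BluetoothServiceUuid -ShortId $KnownServices[$name]
    }
    # Every entry must parse as a GUID before it is written into a device policy.
    foreach ($u in $uuids) { [void][guid]::Parse($u) }
    $uuids -join ';'
}

# Allow only headset audio and HID input; a device offering just file transfer (OPP)
# then has no permitted service, which is the intended outcome of an explicit list.
$policyValue = New-BluetoothServicesAllowedList -ServiceNames 'HandsFree','AudioSink','HID','PnPInformation'
[pscustomobject]@{
    OmaUri = './Device/Vendor/MSFT/Policy/Config/Bluetooth/ServicesAllowedList'
    Value  = $policyValue
}
```

The resulting object can be pasted into a custom Intune configuration profile (OMA-URI with a String data type). Keeping the service table in source control alongside the profile makes a later change to the allow list reviewable, which matters because widening it is the easy direction and rarely gets revisited.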

Security & Governance

  • None identified

Design

  • None identified

References

  • None identified



Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra