Windows Server 2012 : Managing and Troubleshooting Hardware (part 8) - Restricting device installation using Group Policy

Restricting device installation using Group Policy

In addition to specifying driver installation and search restrictions, you can use Group Policy settings to allow or prevent installation of devices based on the device type. The related policy settings are found under Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions and include the following:

• Allow Administrators To Override Device Installation Restriction Policies

• Allow Installation Of Devices Using Drivers That Match These Device Setup Classes

• Prevent Installation Of Drivers That Match These Device Setup Classes

• Allow Installation Of Devices That Match Any Of These Device IDs

• Prevent Installation Of Devices That Match Any Of These Device IDs

• Prevent Installation Of Removable Devices

• Prevent Installation Of Devices Not Described By Other Policy Settings

• Time (In Seconds) To Force Reboot When Required

You can configure these policies by following these steps:

1. Access the policy for the appropriate site, domain, or organizational unit (OU).

2. Expand Computer Configuration, then Administrative Templates, then System, then Device Installation, and then Device Installation Restrictions.

3. Double-tap or double-click the appropriate policy to view its Properties dialog box.

4. Set the state of the policy as Not Configured if you don’t want the policy to be applied, Enabled if you want the policy to be applied, or Disabled if you want to block the policy from being used (all as permitted by the Group Policy configuration).

5. If you are enabling the policy and it has a Show option, tap or click Show to use the Show Contents dialog box to specify which device IDs should be matched to this policy. Tap or click OK twice.

Device installation restrictions will not take effect until computers are restarted. To force computers to restart when device installation restrictions are changed, you can enable and configure the Time (In Seconds) To Force Reboot When Required policy. For example, you might want to force computers to restart within 60 minutes of the policy change. If so, you’d enter 3600 in the Reboot Timeout (In Seconds) box.

Rolling back drivers

Occasionally, you’ll find that an updated driver doesn’t work as expected. It could cause problems, such as device failure or system instability. Generally, this shouldn’t occur when you’ve installed signed device drivers. However, it can sometimes occur with any device driver—even those published through Windows Update.

If you suspect that an updated driver is causing the system or device problems you are experiencing, you can attempt to recover the system to the previously installed device driver. To do this, follow these steps:

1. If you are having problems starting the system, you need to start the system in safe mode.

2. In Computer Management, select the Device Manager node. You should now see a complete list of devices installed on the system. By default, this list is organized by device type.

3. Press and hold or right-click the device you want to manage, and then select Properties. This opens the Properties dialog box for the device.

4. Tap or click the Driver tab, and then tap or click Roll Back Driver. When prompted to confirm the action, tap or click Yes.

5. Tap or click Close to close the driver’s Properties dialog box.

Important

If the driver file hasn’t been updated, a backup drive file won’t be available. In this case, the Roll Back Driver button will be disabled and you will not be able to tap or click it. In this case, you should check the manufacturer’s website for available versions of the driver for the device.

Removing device drivers for removed devices

Windows device drivers for Plug and Play devices are loaded and unloaded dynamically. You can remove the driver for a device only when the device is plugged in. This means the proper way to remove a device from a system is first to uninstall its related device driver and then remove the device from the system.

One reason for uninstalling a device is to remove a device that you no longer use or need. Start by uninstalling the related device driver. Open Computer Management, and then select the Device Manager node. Press and hold or right-click the device you want to remove, and then select Uninstall. When prompted, tap or click OK to confirm that you want to remove the driver. Windows Server 2012 will then remove the related files and registry settings.

At this point, you can shut down the system and remove the related hardware component if you want to. However, you might first want to check to see how the computer operates without the device in case some unforeseen problem or error occurs. So, rather than removing the device, you’ll want to disable it. Disabling the device prevents Windows from reinstalling the device automatically the next time you restart the system. You disable a device by pressing and holding or right-clicking it in Device Manager and then selecting Disable.

Sometimes when you are troubleshooting and trying to get a device to work properly, you might want to uninstall or unplug the device temporarily. Here, you could disable the device and then monitor the system to see whether problems previously experienced reoccur, or you could reinstall the device to see whether normal operations are restored. Uninstalling and then reinstalling the device forces Windows to go back to the device’s original device and registry settings, which can sometimes recover the device.

After you uninstall a device driver, one way to get Windows Server 2012 to reinstall the device is to restart the computer. You can also try to rescan for devices using Device Manager by selecting the computer node in the main pane and then selecting Scan For Hardware Changes on the Action menu. Either way, the operating system should detect the uninstalled device as new hardware and then automatically reinstall the necessary device driver.

Uninstalling, reinstalling, and disabling device drivers

Uninstalling a device driver uninstalls the related device. When a device isn’t working properly, sometimes you can completely uninstall the device, restart the system, and then reinstall the device driver to restore normal operations. You can uninstall and then reinstall a device by following these steps:

1. Open Computer Management, and then select the Device Manager node. You should now see a complete list of devices installed on the system. By default, this list is organized by device type.

2. Press and hold or right-click the device you want to manage, and then select Uninstall. When prompted to confirm the action, tap or click OK.

3. Restart the system. Windows Server 2012 should detect the presence of the device and automatically reinstall the necessary device driver.
   

To prevent a device from being reinstalled automatically, disable the device instead of uninstalling it. You disable a device by pressing and holding or right-clicking it in Device Manager and then selecting Disable.