Administrators can create organizational policies that define how devices are managed by using Group Policy. You can disable the installation of removable devices completely, or you can take a more surgical approach by allowing or preventing the installation of specific devices or device classes.
Before undertaking this effort, make sure you understand the two ways you can identify the devices whose installation you want to allow or prevent:
Device identification strings: This is the most granular way to allow or prevent the installation of hardware devices. By using this method, you can identify specific devices to include in the policy.
Device setup classes: By using device setup classes, you take a group-based approach to allow or prevent hardware devices from being installed. For example, you could prevent the installation of any device that’s a scanner.
To identify the hardware string and class for a hardware device:
Plug the device into a Windows-based computer.
Open Device Manager.
Open the Properties page for the newly installed device.
Navigate to the device’s Details page.
Select the Hardware Ids property to view all the hardware IDs associated with the device (Figure 1).
Select the Compatible Ids property to view the device class for the new device (Figure 2).
Figure 1. Hardware IDs for a USB thumb drive
Figure 2. Compatible IDs for a USB thumb drive
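As an added example (not code from the book), the same properties the Device Manager steps expose can be collected with the PnpDevice cmdlets, which ship with Windows 8 / Windows Server 2012 and later, so the IDs can be pasted into a policy list without retyping them. It assumes the device of interest is connected over USB.

```powershell
# Added example: list hardware IDs, compatible IDs and the setup class GUID of every
# present device whose instance ID starts with USB (USBSTOR\ thumb drives included).
# Assumes the PnpDevice module (Windows 8 / Server 2012 or later).
$props = 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds',
         'DEVPKEY_Device_ClassGuid', 'DEVPKEY_Device_Class'

Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB*' } | ForEach-Object {
    $dev = $_
    $p = @{}
    # One call per device; each returned object carries KeyName and Data.
    Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $props |
        ForEach-Object { $p[$_.KeyName] = $_.Data }
    [pscustomobject]@{
        Device        = $dev.FriendlyName
        InstanceId    = $dev.InstanceId
        SetupClass    = $p['DEVPKEY_Device_Class']
        ClassGuid     = $p['DEVPKEY_Device_ClassGuid']                # value for the device-class policies
        HardwareIds   = ($p['DEVPKEY_Device_HardwareIds'] -join "`n")  # values for the device-ID policies
        CompatibleIds = ($p['DEVPKEY_Device_CompatibleIds'] -join "`n")
    }
} | Format-List
```

Pipe the output to Out-File or clip.exe to keep the exact strings, underscores included, for the policy lists.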
Note that a device reports multiple hardware IDs and multiple compatible IDs. The hardware IDs let you be as granular as you need: for example, you could prevent or allow all SanDisk devices, or prevent or allow only one specific device model.
REAL WORLD: COPY AND PASTE THE HARDWARE ID
To save a lot of trouble, copy and paste the hardware IDs rather than trying to type them and match the number of underscore characters. You will minimize errors this way.
High-security organizations generally do not allow the use of any removable devices on a system. To do so would enable an insider to just connect a USB thumb drive and steal corporate assets or other secrets. By using Group Policy, it’s possible to disable the installation of removable devices completely. When enabled, the Group Policy setting described next disables the installation of removable devices on as many computers in your organization as you like:
Policy name: Prevent Installation Of Removable Devices.
Policy path: Windows Settings, Administrative Templates, System, Device Installation, Device Installation Restrictions.
Policy description: This policy setting enables you to prevent Windows from installing removable devices. A device is considered removable when its driver indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
Enabled: If you enable this policy setting, it prevents Windows from installing removable devices, and the drivers for existing removable devices cannot be updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
Disabled or not configured: If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
The ability to prevent the installation of removable devices is nice, but it is a heavy-handed approach to the problem. Other policies are available by which you can be a bit more granular in how you handle allowed and disallowed devices.
For these policies, you need to know the class of the device.
The following Group Policy enables you to specify device classes that are not allowed to be installed in the organization:
Policy name: Prevent installation of devices using drivers that match these devices’ setup classes.
Policy description: This policy setting enables you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
Enabled: If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
Disabled or not configured: If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
The following Group Policy enables you to specify device classes that are allowed to be installed in the organization. Use this policy only when you also configure the Prevent Installation Of Devices Not Described By Other Policy Settings policy setting: it exempts the device classes you list from that catch-all restriction, but not from the explicit prevent policies.
Policy description: This policy setting enables you to specify a list of device setup class GUIDs for device drivers that Windows is allowed to install. Use this policy setting only when the Prevent Installation Of Devices Not Described By Other Policy Settings policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
Enabled: If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create unless another policy setting specifically prevents installation. (Examples are the Prevent Installation Of Devices That Match These Device IDs policy setting, the Prevent Installation Of Devices For These Device Classes policy setting, and the Prevent Installation Of Removable Devices policy setting.) If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
Disabled or not configured: If you disable or do not configure this policy setting, and no other policy setting describes the device, the Prevent Installation Of Devices Not Described By Other Policy Settings policy setting determines whether the device can be installed.
The following Group Policy enables you to specify device IDs that are not allowed to be installed in the organization. You need to specify hardware IDs when enabling this policy.
Policy name: Prevent installation of devices that use any of these device IDs.
Policy description: This policy setting enables you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
Enabled: If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
Disabled or not configured: If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
The following Group Policy enables you to specify device IDs that are allowed to be installed in the organization. You need to specify hardware IDs when enabling this policy.
Policy name: Allow installation of devices that use any of these device IDs.
Policy description: This policy setting enables you to specify a list of plug-and-play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the Prevent Installation Of Devices Not Described By Other Policy Settings policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
Enabled: If you enable this policy setting, Windows is allowed to install or update any device whose plug-and-play hardware ID or compatible ID appears in the list you create unless another policy setting specifically prevents that installation. (Examples are the Prevent Installation Of Devices That Match Any Of These Device IDs policy setting, the Prevent Installation Of Devices For These Device Classes policy setting, and the Prevent Installation Of Removable Devices policy setting.) If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
As an administrator, you might need to install a device that is otherwise restricted in the organization. To accomplish this goal, use the following policy setting:
Policy name: Allow administrators to override Device Installation Restriction policies.
Policy description: This policy setting enables you to determine whether members of the Administrators group can install and update the drivers for any device regardless of other policy settings.
Enabled: If you enable this policy setting, members of the Administrators group can use the Add Hardware Wizard or the Update Driver Wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
Disabled or not configured: If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
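The precedence rules spread across the policy descriptions above (prevent beats allow, allow lists only matter once the catch-all prevent policy is on, the administrator override beats everything but only for wizard-driven installs) are easy to get wrong when several settings are combined. The following added example, not code from the book, models them as a function so you can predict the outcome for a device before deploying the GPO; the policy hashtable keys, the class GUIDs of the Image, Keyboard and DiskDrive setup classes, and the hardware IDs are all constructed sample values.

```powershell
# Added example: evaluate a device against a Device Installation Restrictions configuration
# using the precedence the policy descriptions state. $Policy and $Device are plain
# hashtables whose keys are assumptions of this example, not Windows API names.
function Test-DeviceInstallAllowed {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [Parameter(Mandatory)] [hashtable] $Device,
        [switch] $AdminUsingWizard   # an Administrator running the Add Hardware / Update Driver Wizard
    )
    $ids = @($Device.HardwareIds) + @($Device.CompatibleIds)   # both ID kinds count for the ID policies

    # 1. The administrator override wins over every other setting, but only for wizard installs.
    if ($AdminUsingWizard -and $Policy.AllowAdminInstall) { return 'Allow: administrator override' }
    # 2. Every "prevent" setting takes precedence over every "allow" setting.
    if ($Policy.DenyRemovableDevices -and $Device.Removable) { return 'Deny: removable device' }
    if ($Device.ClassGuid -in $Policy.DenyDeviceClasses) { return 'Deny: setup class on prevent list' }
    foreach ($id in $ids) { if ($id -in $Policy.DenyDeviceIDs) { return "Deny: ID on prevent list ($id)" } }
    # 3. Allow lists only matter once "Prevent installation of devices not described by other
    #    policy settings" is enabled; without it an unlisted device is installed anyway.
    if ($Policy.DenyUnspecified) {
        foreach ($id in $ids) { if ($id -in $Policy.AllowDeviceIDs) { return "Allow: ID on allow list ($id)" } }
        if ($Device.ClassGuid -in $Policy.AllowDeviceClasses) { return 'Allow: setup class on allow list' }
        return 'Deny: not described by any policy'
    }
    return 'Allow: no policy applies'
}

# Constructed policy: block scanners (Image setup class) and everything not listed, but allow
# keyboards by class and one approved thumb-drive model by hardware ID.
$policy = @{
    DenyRemovableDevices = $false
    DenyUnspecified      = $true
    AllowAdminInstall    = $true
    DenyDeviceClasses    = @('{6bdd1fc6-810f-11d0-bec7-08002be2092f}')   # Image (scanners, cameras)
    AllowDeviceClasses   = @('{4d36e96b-e325-11ce-bfc1-08002be10318}')   # Keyboard
    DenyDeviceIDs        = @()
    AllowDeviceIDs       = @('USBSTOR\DiskExampleVendor_ApprovedModel___1.00')   # constructed hardware ID
}
# Constructed devices; ClassGuid of the drives is the DiskDrive setup class.
$approvedDrive = @{ Removable = $true; ClassGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'
    HardwareIds = @('USBSTOR\DiskExampleVendor_ApprovedModel___1.00'); CompatibleIds = @('USBSTOR\Disk', 'USBSTOR\RAW') }
$otherDrive    = @{ Removable = $true; ClassGuid = '{4d36e967-e325-11ce-bfc1-08002be10318}'
    HardwareIds = @('USBSTOR\DiskOtherVendor___OtherModel_____1.00'); CompatibleIds = @('USBSTOR\Disk', 'USBSTOR\RAW') }
$scanner       = @{ Removable = $true; ClassGuid = '{6bdd1fc6-810f-11d0-bec7-08002be2092f}'
    HardwareIds = @('USB\VID_0000&PID_0000'); CompatibleIds = @() }

Test-DeviceInstallAllowed -Policy $policy -Device $approvedDrive                 # model on the allow list
Test-DeviceInstallAllowed -Policy $policy -Device $otherDrive                    # unlisted model
Test-DeviceInstallAllowed -Policy $policy -Device $scanner                       # class on the prevent list
Test-DeviceInstallAllowed -Policy $policy -Device $scanner -AdminUsingWizard     # same scanner, admin via wizard
```

Flip DenyUnspecified to $false and rerun to see that the allow lists stop mattering, which is why the text says to use them only together with the catch-all prevent policy.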