How To Prevent Devices From Installing in Windows

One of the most underutilized feature in Windows for home users has got to be group policy. Anything that you can think of when it comes to administering and securing the operating system is laid out in group policy settings. With that being said though, one could argue that many home users really don’t need to configure their home computers at all hence why group policy is never used. This is true being how most casual users don’t need a reason to block access to the Control Panel or requiring users on the same computer to see the same wallpaper upon each and every log on. Enterprises and businesses however, love group policy. As an administrator, I could easily configure some group policy settings on a Windows server operating system and push those settings out to 1,000 client machines all without me having to manually configure them on each and every computer. It doesn’t matter if those machines are in different geographic locations. Group policy is a flexible and proven infrastructure for administrators to configure their Windows clients. One question I’m sure many users have asked themselves at one point or another is it possible to actually restrict/prevent the installation of certain hardware devices so that users can’t use them? The answer to this question is a definitive yes! With group policy, many things are actually possible in Windows and so we’ll take a look at just how we can prevent the installation of certain devices on a Windows machine in this article.

Just What is Group Policy?

Group policy is without a doubt my favorite feature in Windows. This feature dates back to as far as Windows 2000 and with each new iteration, Microsoft has provided more and more policies for administrators/users to play with. One of the main purposes of group policy is locking down a computer to just the way you want it to be. There are literally thousands and thousands of group policy settings that you can configure, although you obviously wouldn’t need to touch each and every one but just the settings that apply to your scenario or business needs. However, group policy can be as simple or as complex as you want it to be. I’ve actually written an introduction on this subject matter and I highly recommend you go over it to gain some beginner’s knowledge before proceeding with the rest of this article.

Introduction to Local Group Policy Objects: Part 1

Introduction to Local Group Policy Objects: Part 2

In Part 2, I went over the concept of Multiple Local Group Policy Objects. Here however, device installation restriction is a computer side configuration and not user side. Therefore MLGPO’s do not apply although I’d still recommend reading about it if the technology of group policy interests you.

Why Restrict Devices on Local Machines?

This is a very valid question. The answer though is it really depends on your situation. In organizations, companies have the headache of dealing with a myriad of user devices. Devices such as smart phones, tablets and USB drives have made it very convenient for a user to simply plug the device in and save data to it. I’m sure you’ve seen a movie where the bad/good guy sneaks his way into a company headquarter, plugs in a simple USB device and within seconds, they now have all of the top secret documents and plans to drive that company into the ground or to use for blackmailing. Many organizations that require a high level of secrecy are required to make sure that data and documents can only be accessed on internal computers and only on internal computers. Once those data makes their way onto a thumb drive, either maliciously or accidentally by a user, then that secrecy is breached and many headaches will ensue. To prevent this from happening, those organizations need to prevent users from installing devices onto their own machines in the first place.

As a casual user, you’ve probably now regretted reading up to this point in the article because you realize that this problem does not apply to you. If however, you are in charge of administering a small lab environment or for example a cafe where you provide computers for public use, restricting device installations can be a good idea just as long as you understand that doing so might cause users to be quite upset with you! By restricting some or all devices to be installed, you have reduced the attack surface of your computers. If a malware infested USB drive gets plugged in to the system, there is a very good chance that the malware will not spread because if the USB driver doesn’t get loaded, then the system basically won’t recognize the USB device and therefore, prevent the USB device from getting installed. As a regular computer user, have you ever had the need to share a computer with more than one person? Have someone installed a device onto that computer that caused the computer to behave strangely? Well, this is the perfect scenario to uninstall that device and prevent it from ever loading again.

How Device Installation Restriction Works

At a high level, the really only important thing that you must always remember is that in order for a hardware device to work properly on a system, there must be a corresponding driver to accompany it. Think of the driver as the software that allows your Windows machine to communicate with the actual physical device. If you have some type of hardware but can’t find the appropriate driver/software for it, then you’ve basically just have in your hands a piece of hardware device. By itself, it may look pretty and sophisticated but without the software to allow the computer to interact with it, then the device is practically worthless. When upgrading operating systems, many users are afraid for the fact that their current devices might not work on the new operating system. It could be that their device is very old and the manufacturer simply refuses to support it anymore. By not creating a new device driver for the new operating system, the user is basically left with no choice but to not upgrade to the newer operating system.

Restrictions ApplyWhen you plug in that new USB device you’ve just purchased, what basically happens is the computer will query the device to see what type of hardware it is. The device in return will provide information such as its hardware ID and other sorts of useful data to the computer that will help identify itself. The computer will use this information to see if it has a compatible driver installed to use for communication with that specific device. There are many ways to identify a device to a computer system. The most specific would be the hardware ID that specifically identifies that device for what it is. With this specific hardware ID, there can be no mistake as to what that device actually is or who made it. However, the computer sometimes won’t have a specific device driver for that specific device! If Windows actually included every single device driver for every single device ever made, you would need a very big hard drive to install Windows on because the size required would be tremendous! Instead, what Windows can do in these circumstances is use a generic device driver instead. For example, the computer could figure out what type of device class or group the hardware belongs too by looking at the compatible ID. I’m sure you are aware that there are many, many different types of USB thumb drives in existence today. However, they all work in the same fashion for the most part. Therefore, the computer system can load a very generic USB driver for those devices. The good news for doing so is that you as the user won’t have to worry about hunting down a specific device driver for each and every hardware device you plug in to the system. The disadvantage however is that when you have more advance devices like a $500 inkjet printer, while the generic driver does allow you to print to the device, it won’t allow you to perform more advanced functions. For that to work, you will need to use the manufacturer provided device driver for that specific printer model.

Device Installation Restriction Settings in Group Policy

I am performing this demo on a Windows 8 machine but all the steps and group policy settings are the same for Windows 7 as well.

There are 10 different group policy settings that pertains to device installation restrictions. The good news is that not every single one will apply. The group policy settings is located in:

Computer Configuration/Administrative Templates/System/Device Installation/Device Installation Restrictions

Policy Settings

Let’s go over each one briefly, although each policy setting already have a good description for it by default :

Allow Administrators to Override Device Installation Restrictions: This allows a user who is also an administrator on the computer to bypass device installation restrictions. Ideally, you should be the only administrator on the local machine and each and every other user accounts are standard users. If those other users also have administrative permissions, they can easily disable the group policy settings you’ve configured here.

Allow installation of devices using drivers that match these device setup classes: A device setup class you can think of as a bunch of similar devices grouped together. Device class GUID (globally unique identifiers) entries entered in this policy will be allowed to install.

Prevent installation of devices using drivers that match these setup classes: Device GUIDs entered here are disallowed from installing. Prevent policies have higher priority over allowed polices. If a device class GUID is configured for both allow and disallow policies, then the devices will not be allowed to install.

Display a custom message when installation is prevented by a policy setting: If a user tries to install a device driver in Device Manager, you can configure a custom message for the user to see. You can usually ignore this setting as Windows provides a default message.

Display a custom message title when device installation is prevented by a policy setting: Similar to the above policy but allows you to configure a custom message title instead. You can usually ignore this setting unless you wish to provide a custom title.

Allow installation of devices that match any of these device IDs: Specific hardware and compatible IDs (not setup classes) you enter in this policy will be allowed to install.

Prevent installation of devices that match any of these device IDs: Specific hardware and compatible IDs you enter in this policy are forbidden from being installed.

Time (in seconds) to force reboot when required for policy changes to take effect: When there is a change in device installation restriction policies, the computer will forced to reboot after the time configured in this policy. Home users can usually ignore this setting.

Prevent installation of removable devices: This ‘catch all’ policy setting forbids any device driver that lists itself as “removable” from being installed. This policy will forbid a device from being installed even if the specific device ID is configured as ‘allowed’ in other policies.

Prevent installation of devices not described by other policy settings:  This ultimate restriction policy restricts any new devices from being installed unless they are specifically configured in a ‘allowed’ policy. Think of this policy setting as the ultimate device smack down on device installation!

Where Do I Start?!

If you read the actual description for the restriction policies, some of them are only valid if another setting is enabled. Here are some scenarios I can think of:

Preventing all removable devices from installing – This one is pretty easy. Just enable the “Prevent installation of removable devices” policy and you’re good to go. As long as the driver is considered removable and have not yet been installed on the machine, this policy will block the driver from being installed. The bad news is that if you rely solely on this policy to prevent removable devices from installing, there are some devices that you may think is “removable” but the driver it uses it not. Therefore, the device will be able to install.

Prevent all devices from installing – This drastic scenario prevents all new devices from being loaded. If you really do not want your users to install any new devices into the system (not just removable drives, mind you), then you would enable the “Prevent installation of devices not described by other policy settings”.

Prevent all devices from installing with exceptions – Here, you want to prevent all unknown devices from getting installed except for those you deem appropriate. First enable the “Prevent installation of devices not described by other policy settings” policy. Next, configure the hardware IDs or device setup class GUID in the “Allow installation of devices that match any of these device IDs” or the “Allow installation of devices using drivers that match these device setup classes”, respectively. What happens here is that the devices you define in these two “allow” policies will be the exception. If a device itself or the device setup class it falls under is not defined, then the device will be blocked from installing.

Preventing only certain devices/classes from installing: To prevent specific devices or classes from installing, simply configure them in the appropriate “prevent” policies either for the hardware IDs or device setup class policy. For example, if you have a printer that is known to cause havoc on the system when installed, you can specifically block that printer from being installed. All other devices that does not match that printer ID or if it does not fall under its setup class will be allowed to install.

Notes to Consider Before We Start

Before we begin playing around with device installation restrictions, there are a couple of things you need to take into consideration:

– When restricting devices based on hardware/compatible IDs and setup classes, you have the option of preventing devices that have already been installed on the system from loading again. For example, if a user has already connected and installed the driver for the Amazon Kindle device on the system prior to you configuring device installation restrictions, then that means the driver has already been loaded. When you apply the restriction policy to specifically restrict the Kindle from installing, you can specify in the policy to also apply the policy to matching devices that have already been installed. This will immediately force Windows to unload the driver and the user will not be able to use the device again.

– When you apply broad restriction settings such as preventing all removable devices from installing or the policy setting to prevent all devices from installing, devices that have already been pre-installed will able to continue functioning even after the policies have been applied by group policy. For example, if a user plugged in a USB drive to the system prior to the setting of preventing all removable devices from installing takes effect, the user will still be able to use that thumb drive. In order to actually prevent devices that have already been installed from working, you will need to manually uninstall the driver in device manager. This can be a challenge if you don’t actually have that specific device on hand. More on this later.

– If you are serious about deploying device installation restrictions in your production environment, it is imperative that you absolutely perform test after test to make sure that the results are indeed what you are looking for.

– Device installation restrictions is rendered useless if a user has the ability to boot into another operating system. Group policy only takes effect when the computer has booted into the Windows environment. Once the system is booted into a Linux or alternative operating system, it’s all fair game.

Page 2: Device Installation Restrictions –>

VN:F [1.9.22_1171]
Rating: 3.7/5 (3 votes cast)
How To Prevent Devices From Installing in Windows, 3.7 out of 5 based on 3 ratings

Pages: 1 2

Comments

  1. Hi There,

    I have enabled this policy. When i plug in the USB Storage device for the first time i do get a pop up saying that the device has been blocked. How ever if i try to use the same device again by unplugging and plugging the device i do not get the pop up message stating that this device has been blocked. How can we set this GPO so that the pop up message comes up even if the same device is plugged in again.

  2. Nice article. I just ran into a similar problem with HID devices as well. You have to allow the HID interface as well as the device ITSELF to install.

  3. Thank you very much

  4. I love the information you have here. We would like to block all the cell phones that get plugged in our stations from installing drivers as that is causing us some issues. The problem is where do I get all the Hardware ID’s I need of all the different phones that are plugged in. Unless I go do every desk and ask to see their phone for a few minutes, that is not very realistic. I have looked around on the Internet and so far I have not found a resource. Any ideas?

    • Hey Dave. I understand your situation and the first solution that popped into my head is using a technique called white-listing. Basically, anything that isn’t specifically listed on an “allowed” list will be blocked by default. Therefore, you wouldn’t need to manually find out what phones your users are using. Because you haven’t listed them as “allowed” on the computer, then the driver will be blocked automatically. The catch to using a white list is manageability. As you can probably tell, a white list can cause many types of administrative nightmares at first. That is why if you will be using this technique, it is imperative that you test your settings on a pilot group first. I really would hate for you to lose your job because you’ve accidentally prevented your boss from installing a printer!

      Group Policy does have a white list of sort. If you enable the “Prevent installation of devices not described by other policy settings” policy setting, then you’ve effectively prevented all devices from installing. You would then configure the “Allow installation of devices that match any of these device IDs” policy to act as your white list for allowed devices. Of course you would also want to enable the “Allow Administrators to Override Device Installation Restrictions” as that should be self explanatory. You might also want to experiment with the “Prevent installation of removable devices” setting as some smart phones can be considered as “removable” within Windows device manager.

      Once again, take absolute care if you will be trying this out as you will definitely need to get approval from higher ups. You really don’t want to do this without any prior planning nor without letting anyone know about it! If this isn’t your idea of a solution, then you’ll most likely need to look at third party software to help solve your problem. However, I don’t have much expertise in this area so I can’t help much in that regard. You can also send me a private email and we can continue our conversation there.

  5. Thanks for the info. Is it possible to restrict devices based on their serial numbers instead of models and revisions? Our management would like to prevent users to use their personal devices even if it is the same model with the company owned devices. Thanks!

    • WOW…that is a pretty sticky situation you’re in! If I understand correctly, let’s say for example your company allows users to use company issued iPhone 4’s. You want to prevent users from using their own iPhone 4’s which they bought themselves while in company headquarters. You only want to allow them to use the iPhone 4’s issued by the company while on premise.

      Unfortunately, while you can use USBDeview to get the serial number from those unwanted devices (as long as the device is of a certain type), I don’t know of how you would use that information in Group Policy to restrict them. Also, blocking via serial number can be very difficult as the user just has to switch devices (without telling IT department) and be able to bypass the restrictions. The old fashion approach would be to update your company’s security and best practices guidelines and making sure that every person understands what is and what is not acceptable in the company headquarters and that violations will have consequences. Sometimes, companies spend way too much time purchasing equipment and third-party software to solve human issues when what they should do first is use “scare tactics”.

      If all else fails, then would I consider looking into third party applications as I don’t think Microsoft has what you want to do built-in via Group Policy.

Speak Your Mind

*


(humans only, please) *