One of the most underutilized features in Windows for home users has got to be group policy. Anything that you can think of when it comes to administering and securing the operating system is laid out in group policy settings. With that being said though, one could argue that many home users really don’t need to configure their home computers at all, which is why group policy is never used. This is true given that most casual users have no reason to block access to the Control Panel or to require users on the same computer to see the same wallpaper upon each and every log on. Enterprises and businesses, however, love group policy. As an administrator, I could easily configure some group policy settings on a Windows server operating system and push those settings out to 1,000 client machines without having to manually configure each and every computer. It doesn’t matter if those machines are in different geographic locations. Group policy is a flexible and proven infrastructure for administrators to configure their Windows clients. One question I’m sure many users have asked themselves at one point or another is whether it is possible to actually restrict/prevent the installation of certain hardware devices so that users can’t use them. The answer to this question is a definitive yes! With group policy, many things are possible in Windows, and so in this article we’ll take a look at just how we can prevent the installation of certain devices on a Windows machine.
Just What is Group Policy?
Group policy is without a doubt my favorite feature in Windows. This feature dates back as far as Windows 2000, and with each new iteration Microsoft has provided more and more policies for administrators/users to play with. One of the main purposes of group policy is locking down a computer to just the way you want it to be. There are literally thousands and thousands of group policy settings that you can configure, although you obviously wouldn’t need to touch each and every one, just the settings that apply to your scenario or business needs. Group policy can be as simple or as complex as you want it to be. I’ve actually written an introduction on this subject matter and I highly recommend you go over it to gain some beginner’s knowledge before proceeding with the rest of this article. In Part 2, I went over the concept of Multiple Local Group Policy Objects. Here, however, device installation restriction is a computer-side configuration and not a user-side one. Therefore MLGPOs do not apply, although I’d still recommend reading about them if the technology of group policy interests you.
Why Restrict Devices on Local Machines?
This is a very valid question. The answer, though, is that it really depends on your situation. In organizations, companies have the headache of dealing with a myriad of user devices. Devices such as smart phones, tablets and USB drives have made it very convenient for a user to simply plug the device in and save data to it. I’m sure you’ve seen a movie where the bad/good guy sneaks his way into a company headquarters, plugs in a simple USB device and within seconds has all of the top secret documents and plans to drive that company into the ground or to use for blackmail. Many organizations that require a high level of secrecy must make sure that data and documents can be accessed on internal computers and only on internal computers. Once that data makes its way onto a thumb drive, either maliciously or accidentally by a user, that secrecy is breached and many headaches will ensue. To prevent this from happening, those organizations need to prevent users from installing devices onto their machines in the first place.
As a casual user, you’ve probably now regretted reading up to this point in the article because you realize that this problem does not apply to you. If, however, you are in charge of administering a small lab environment or, for example, a cafe where you provide computers for public use, restricting device installations can be a good idea, just as long as you understand that doing so might cause users to be quite upset with you! By restricting some or all devices from being installed, you have reduced the attack surface of your computers. If a malware-infested USB drive gets plugged into the system, there is a very good chance that the malware will not spread, because if the USB driver doesn’t get loaded, the system basically won’t recognize the USB device and therefore prevents the USB device from getting installed. As a regular computer user, have you ever had the need to share a computer with more than one person? Has someone installed a device onto that computer that caused the computer to behave strangely? Well, this is the perfect scenario to uninstall that device and prevent it from ever loading again.
How Device Installation Restriction Works
When you plug in that new USB device you’ve just purchased, what basically happens is that the computer queries the device to see what type of hardware it is. The device in return provides information such as its hardware ID and other useful data that helps the computer identify it. The computer uses this information to see if it has a compatible driver installed to use for communication with that specific device. There are many ways to identify a device to a computer system. The most specific is the hardware ID, which identifies that device for exactly what it is. With this specific hardware ID, there can be no mistake as to what that device actually is or who made it. However, the computer sometimes won’t have a specific device driver for that specific device! If Windows actually included every single device driver for every single device ever made, you would need a very big hard drive to install Windows on because the size required would be tremendous! Instead, what Windows can do in these circumstances is use a generic device driver. For example, the computer can figure out what device class or group the hardware belongs to by looking at the compatible ID. I’m sure you are aware that there are many, many different types of USB thumb drives in existence today. However, they all work in the same fashion for the most part. Therefore, the computer system can load a very generic USB driver for those devices. The good news is that you as the user won’t have to worry about hunting down a specific device driver for each and every hardware device you plug into the system. The disadvantage, however, is that when you have more advanced devices like a $500 inkjet printer, while the generic driver does allow you to print to the device, it won’t allow you to perform more advanced functions. For that to work, you will need to use the manufacturer-provided device driver for that specific printer model.
Device Installation Restriction Settings in Group Policy
I am performing this demo on a Windows 8 machine but all the steps and group policy settings are the same for Windows 7 as well.
There are 10 different group policy settings that pertain to device installation restrictions. The good news is that not every single one will apply. The group policy settings are located under:
Computer Configuration/Administrative Templates/System/Device Installation/Device Installation Restrictions
Let’s go over each one briefly, although each policy setting already has a good description by default:
Allow Administrators to Override Device Installation Restrictions: This allows a user who is also an administrator on the computer to bypass device installation restrictions. Ideally, you should be the only administrator on the local machine and every other user account should be a standard user. If those other users also have administrative permissions, they can easily disable the group policy settings you’ve configured here.
Allow installation of devices using drivers that match these device setup classes: You can think of a device setup class as a bunch of similar devices grouped together. Devices whose setup class GUIDs (globally unique identifiers) are entered in this policy will be allowed to install.
Prevent installation of devices using drivers that match these setup classes: Devices whose setup class GUIDs are entered here are disallowed from installing. Prevent policies have higher priority than allow policies. If a device class GUID is configured in both the allow and the prevent policy, then the devices will not be allowed to install.
Display a custom message when installation is prevented by a policy setting: If a user tries to install a device driver in Device Manager, you can configure a custom message for the user to see. You can usually ignore this setting as Windows provides a default message.
Display a custom message title when device installation is prevented by a policy setting: Similar to the above policy but allows you to configure a custom message title instead. You can usually ignore this setting unless you wish to provide a custom title.
Allow installation of devices that match any of these device IDs: Specific hardware and compatible IDs (not setup classes) you enter in this policy will be allowed to install.
Prevent installation of devices that match any of these device IDs: Specific hardware and compatible IDs you enter in this policy are forbidden from being installed.
Time (in seconds) to force reboot when required for policy changes to take effect: When there is a change in device installation restriction policies, the computer will be forced to reboot after the time configured in this policy. Home users can usually ignore this setting.
Prevent installation of removable devices: This ‘catch all’ policy setting forbids any device driver that lists itself as “removable” from being installed. This policy will forbid a device from being installed even if the specific device ID is configured as ‘allowed’ in other policies.
Prevent installation of devices not described by other policy settings: This ultimate restriction policy restricts any new devices from being installed unless they are specifically configured in an ‘allow’ policy. Think of this policy setting as the ultimate smack down on device installation!
Where Do I Start?!
If you read the actual description for the restriction policies, some of them are only valid if another setting is enabled. Here are some scenarios I can think of:
Preventing all removable devices from installing – This one is pretty easy. Just enable the “Prevent installation of removable devices” policy and you’re good to go. As long as the driver is considered removable and has not yet been installed on the machine, this policy will block the driver from being installed. The bad news is that if you rely solely on this policy to prevent removable devices from installing, there are some devices that you may think are “removable” but whose driver is not. Therefore, such a device will still be able to install.
Prevent all devices from installing – This drastic scenario prevents all new devices from being loaded. If you really do not want your users to install any new devices into the system (not just removable drives, mind you), then you would enable the “Prevent installation of devices not described by other policy settings” policy.
Prevent all devices from installing with exceptions – Here, you want to prevent all unknown devices from getting installed except for those you deem appropriate. First enable the “Prevent installation of devices not described by other policy settings” policy. Next, configure the hardware IDs or device setup class GUID in the “Allow installation of devices that match any of these device IDs” or the “Allow installation of devices using drivers that match these device setup classes”, respectively. What happens here is that the devices you define in these two “allow” policies will be the exception. If a device itself or the device setup class it falls under is not defined, then the device will be blocked from installing.
Preventing only certain devices/classes from installing – To prevent specific devices or classes from installing, simply configure them in the appropriate “prevent” policy, either for hardware IDs or for device setup classes. For example, if you have a printer that is known to cause havoc on the system when installed, you can specifically block that printer from being installed. All other devices that do not match that printer’s ID or fall under its setup class will be allowed to install.
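To make the precedence rules behind these scenarios concrete, here is a small Python model of how the settings combine for one device (an example added here, not the article’s own or Microsoft’s code): prevent settings are checked before allow settings, the removable catch-all beats an allowed device ID, and the “not described” catch-all only reaches devices no other setting matched. All device IDs and class GUIDs in it are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    # What a device reports when plugged in: hardware IDs (most specific),
    # compatible IDs (generic), its setup class GUID, and whether it is removable.
    hardware_ids: list
    compatible_ids: list
    setup_class: str
    removable: bool

@dataclass
class Policy:
    # One field per Device Installation Restrictions setting discussed above.
    admins_override: bool = False
    prevent_ids: set = field(default_factory=set)
    prevent_classes: set = field(default_factory=set)
    prevent_removable: bool = False
    allow_ids: set = field(default_factory=set)
    allow_classes: set = field(default_factory=set)
    prevent_not_described: bool = False

def evaluate(dev: Device, pol: Policy, is_admin: bool = False) -> str:
    """Return 'allow' or 'block': prevent settings beat allow settings, and the
    catch-all applies only to devices that no other setting describes."""
    ids = {i.upper() for i in dev.hardware_ids + dev.compatible_ids}
    cls = dev.setup_class.upper()
    if pol.admins_override and is_admin:
        return "allow"                      # administrators bypass everything
    if ids & {i.upper() for i in pol.prevent_ids}:
        return "block"                      # prevent by hardware/compatible ID
    if cls in {c.upper() for c in pol.prevent_classes}:
        return "block"                      # prevent by setup class
    if pol.prevent_removable and dev.removable:
        return "block"                      # 'catch all' for removable devices
    if ids & {i.upper() for i in pol.allow_ids}:
        return "allow"                      # explicit exception by device ID
    if cls in {c.upper() for c in pol.allow_classes}:
        return "allow"                      # explicit exception by setup class
    return "block" if pol.prevent_not_described else "allow"

# Constructed sample devices (placeholder IDs and GUIDs, not real vendor values).
USB_CLASS = "{00000000-0000-0000-0000-0000000000AA}"
PRINTER_CLASS = "{00000000-0000-0000-0000-0000000000BB}"
THUMB_DRIVE = Device(["USB\\VID_1234&PID_5678"], ["USB\\Class_08"], USB_CLASS, True)
PRINTER = Device(["USBPRINT\\ExampleCo_Inkjet"], ["USB\\Class_07"], PRINTER_CLASS, False)

if __name__ == "__main__":
    exceptions = Policy(prevent_not_described=True, allow_ids={"USB\\VID_1234&PID_5678"})
    print(evaluate(THUMB_DRIVE, exceptions), evaluate(PRINTER, exceptions))  # allow block
```

The `exceptions` policy is the “prevent all with exceptions” scenario: the approved thumb drive installs, the printer does not.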
Notes to Consider Before We Start
Before we begin playing around with device installation restrictions, there are a couple of things you need to take into consideration:
– When restricting devices based on hardware/compatible IDs and setup classes, you have the option of preventing devices that have already been installed on the system from loading again. For example, if a user has already connected and installed the driver for the Amazon Kindle device on the system prior to you configuring device installation restrictions, then that means the driver has already been loaded. When you apply the restriction policy to specifically restrict the Kindle from installing, you can specify in the policy to also apply the policy to matching devices that have already been installed. This will immediately force Windows to unload the driver and the user will not be able to use the device again.
– When you apply broad restriction settings such as preventing all removable devices from installing or the policy setting to prevent all devices from installing, devices that have already been installed will be able to continue functioning even after the policies have been applied by group policy. For example, if a user plugged a USB drive into the system before the setting to prevent all removable devices from installing took effect, the user will still be able to use that thumb drive. In order to actually prevent devices that have already been installed from working, you will need to manually uninstall the driver in Device Manager. This can be a challenge if you don’t actually have that specific device on hand. More on this later.
– If you are serious about deploying device installation restrictions in your production environment, it is imperative that you absolutely perform test after test to make sure that the results are indeed what you are looking for.
– Device installation restrictions are rendered useless if a user has the ability to boot into another operating system. Group policy only takes effect when the computer has booted into the Windows environment. Once the system is booted into Linux or an alternative operating system, it’s all fair game.