none
Allow administrators to override device installation policy - Not working

    Question

  • I am trying to lock down unauthorised hardware installation on our domain and was doing some testing. I couldn't get the group policy option, Allow administrators to override device installation policy exception working on the domain. So I started testing on a Windows 7 machine in a workgroup. Following the instructions, "Step-By-Step Guide to Controlling Device Installation Using Group Policy" for the Prevent installation of all devices. I can prevent the installation of new hardware with Prevent installation of devices not described by other policy settings but the policy setting Allow administrators to override device installation policy still does not work.

    If I log in as the administrator user I get the message that system policy prevents me from installing the hardware. If I log in as a standard user, I get the same message as expected. Though if I then use an elevated prompt from the device manager to install the drivers by clicking Change Settings it seems to work well but nothing happens and the device status says;

    The drivers for this device are not installed. (Code 28)

    The installation of this device is forbidden by system policy. Contact your system administrator.

    To find a driver for this device, click Update Driver.

    The event log gives these messages:

    Event Id 20003
    Driver Management has concluded the process to add Service disk for Device Instance ID USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_\4B494E4753544F4E2A63880FA3&0 with the following status: 0.
    
    Event Id 20001
    Driver Management concluded the process to install driver FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\disk.inf for Device Instance ID USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_\4B494E4753544F4E2A63880FA3&0 with the following status: 0x0.
    
    Event Id 20005
    Driver Management has restricted the installation of Device Instance ID STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_#4B494E4753544F4E2A63880FA3&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} because of a Device Installation Restriction policy setting.
    
    Event Id 20001
    Driver Management concluded the process to install driver NULL Driver for Device Instance ID STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_#4B494E4753544F4E2A63880FA3&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with the following status: 0xe0000248.

    I can only conclude that the Allow administrators to override device installation policy does not work. I get the same behaviour in Windows 10 and if I swap Prevent installation of devices not described by other policy settings to Prevent installation of removable devices. I see that other users in the TechNet forums here have had a similar problem but if they found a resolution they never said so in their posts. Is their a solution to this?

    Tuesday, February 09, 2016 2:12 PM

Answers

  • Hello,

    According to my research, this setting will have no effect unless you set one of the "Prevent" options listed below. If one of the policy settings prevents a USB device from being installed, and the "Allow administrators to override Device Installation Restriction policies " option is set, an admin can go into device manager to install the device. Doing a simple "Action->Scan for Hardware Changes" will not work however. An administrative user will have to go into Device Manager, find the device that was prevented from automatically installing, then right click it and choose "Update Driver Software..." This should force the installation of the device.

    Hope this helps.

    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, February 10, 2016 6:39 AM
    Moderator