White Listing devices using Group Policy

    Question

  • Hello Everyone,

    Recently my company purchased some small Brother 720D scanners for the staff to use. Currently we have a policy that does not allow removable storage devices to be plugged into the computers. I have read numerous articles and how-tos on whitelisting certain devices, however I cannot seem to get this to work. One special note is that these Brother scanners use a Micro USB connection, and when it is plugged into the computer Windows reads it as a disk drive. I was under the impression that once I entered the Hardware ID into my read/write restriction policy, the staff would be able to use the scanner, but not a flash drive. Here is what I've tried so far:

    Computer Config>Policies>System>Device Installation>Device Installation Restrictions

    The two settings I have enabled for this policy are "Allow Installation of devices that match any of these device IDs" & "Prevent Installation of devices not described by other policy settings"

    Within the "Allow Installation of devices that match any of these device IDs" I have added the Hardware ID from the Scanner. When I open the scanner's properties from the Devices and Printers Menu, I have the option of selecting the scanner itself, something called E:\, and a generic USB Mass Storage Device. With the E:\ I was only able to use a compatible ID, but with the scanner and the generic USB Mass Storage Device I used a hardware ID. I have noticed that the compatible ID for E:\ (wpdbusenum\fs) appears to be the same as the USB flash drives I have tested. The problem is I cannot seem to get the scanner to work without this ID built in. Can anyone point me in the direction of some how-to videos, or offer up their advice?

    Thank you!

    Monday, May 04, 2015 7:12 PM

Answers

  • Hi,
    Thanks for posting here. May I know if the scanner has a driver that needs to be installed on the computer?

    If you just want to allow the scanner to connect to the computer but forbid other removable devices, you could set the following policies and check how it works:
    1.    First, please find your scanner's Hardware ID.
    2.    Enter the Hardware ID into the Group Policy setting Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> “Allow installation of devices that match any of these device IDs”.
    3.    Within this policy you will want to set it to Enabled, and then click on the “Show” button to enter your scanner's Hardware ID.
    4.    The other related policy is the Group Policy setting Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> “Prevent installation of devices not described by other policy settings”; set it to Enabled.

    Also you can check the below link for more reference:
    https://technet.microsoft.com/en-us/library/cc731387%28WS.10%29.aspx?f=255&MSPPError=-2147217396

    Hope it helps.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 06, 2015 7:05 AM
    Moderator

All replies

  • Thank you for the response, Elaine. Yes, the scanner does have a driver that it installs when it is plugged into our computers. I have also tried to download a new driver directly from Brother, but I got the same results.
    Tuesday, May 19, 2015 2:23 PM
  • Hi,

    Thanks a lot for your update. Can you try using the compatible ID?

    Compatible IDs are the identifiers which Windows uses to select a device driver if the operating system cannot find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they are very generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device.

    When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank.

    In your case, since the hardware ID doesn't work, please try with the compatible ID and let us know the result.

    Best Regards,

    Elaine



    Monday, May 25, 2015 8:26 AM
    Moderator
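
The thread turns on which hardware and compatible IDs the scanner's device nodes expose, and on the observation that wpdbusenum\fs also appears on flash drives. The following PowerShell is an added example, not part of the original posts: it lists the IDs of present devices, marks those already on the "Allow installation of devices that match any of these device IDs" list, and counts how many present devices share each ID. The class list is an assumption to adjust; run it with the scanner and a test flash drive attached.

```powershell
# Added example, not from the thread. Read-only: it changes no policy.
# Registry location where the Device Installation Restrictions policies are stored.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
# Assumption: setup classes worth inspecting for a scanner that shows up as a disk.
$classes = 'USB', 'DiskDrive', 'WPD', 'Image'

function Get-AllowedDeviceId {
    # The allow list is stored as numbered values ("1", "2", ...) under this subkey.
    $key = Join-Path $policyKey 'AllowDeviceIDs'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
}

function Get-DeviceIdRow {
    # One row per (device, ID) pair, keeping hardware and compatible IDs apart.
    foreach ($dev in Get-PnpDevice -PresentOnly -Class $classes -ErrorAction SilentlyContinue) {
        foreach ($id in @($dev.HardwareID)) {
            if ($id) { [pscustomobject]@{ Device = $dev.FriendlyName; InstanceId = $dev.InstanceId; Kind = 'Hardware'; Id = $id } }
        }
        foreach ($id in @($dev.CompatibleID)) {
            if ($id) { [pscustomobject]@{ Device = $dev.FriendlyName; InstanceId = $dev.InstanceId; Kind = 'Compatible'; Id = $id } }
        }
    }
}

$allowed = Get-AllowedDeviceId
$rows    = @(Get-DeviceIdRow)

# Count how many distinct present devices expose each ID (comparison is case-insensitive).
$sharedBy = @{}
$rows | Group-Object Id | ForEach-Object {
    $sharedBy[$_.Name] = @($_.Group.InstanceId | Sort-Object -Unique).Count
}

# Is "Prevent installation of devices not described by other policy settings" enabled?
$deny = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DenyUnspecified
"DenyUnspecified = $deny; allow-list entries = $($allowed.Count)"

$rows |
    Select-Object Device, Kind, Id,
        @{ n = 'OnAllowList'; e = { $allowed -contains $_.Id } },
        @{ n = 'SharedBy';    e = { $sharedBy[$_.Id] } } |
    Sort-Object Device, Kind |
    Format-Table -AutoSize
```

An ID with SharedBy greater than 1 matches more than one attached device, so an allow-list entry for it covers all of those devices, not only the scanner.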