Device Installation Restrictions - Not working as expected

    Question

  • I'm trying to conduct a simple test of Device Installation Restrictions.  I've created a GPO and only enabled Prevent installation of removable devices.  I created a new test OU, blocking inheritance, put a test computer in the OU (tested putting the user in the OU also, to block any user GPOs).  I've confirmed that the GPO is being applied to the computer via a dummy environment variable and these registry keys are getting added (all are included here, but I've tried just deny removable and then just deny specific IDs):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
    "DenyRemovableDevices"=dword:00000001
    "DenyDeviceIDs"=dword:00000001
    "DenyDeviceIDsRetroactive"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs]
    "1"="USBSTOR\\DiskVerbatimSTORE_N_GO______PMAP"
    
    

    Even with the GPO applied and the reg keys present, USB drives can be plugged in and used.  I've also tried setting Prevent installation of devices that match any of these Device IDs, but that doesn't work either. 

    Clients are Windows 7 Professional 64 bit SP1.  Servers are 2008 R2.

    I've reviewed the following with no help:
    Allow Administrators to Override Device Installation Restriction Policies
    http://technet.microsoft.com/en-us/library/cc753015(v=ws.10).aspx

    Step-By-Step Guide to Controlling Device Installation Using Group Policy
    http://msdn.microsoft.com/en-us/library/bb530324.aspx


    Tuesday, May 05, 2015 7:41 PM

All replies

  • Hi,

    If you want to forbid access to all removable storage connected to your computer, then you can simply go to Removable Storage Access >> All Removable Storage Classes: Deny All Access.

    Would you please have a try and then let me know the result?

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 06, 2015 7:43 AM
    Moderator
  • I will try that as a test, but ultimately it will not be what I need.  I'm first testing the notion of blocking everything, just because it's easier to see if it works.  Ultimately, I'll need to block everything except a whitelist, so the settings specified in my original post would need to get figured out. 
    Wednesday, May 06, 2015 12:18 PM
  • Removable Storage Access>> All Removable Storage Classes: Deny All Access works, but now I need to be able to dial it back.  Any ideas?
    Wednesday, May 06, 2015 1:19 PM
  • I've tried using only the Prevent installation of devices not described by other policy settings.  This prevents the installation of new devices but it does not prevent the connection of previously used devices.  Specifying prevent by ID, retroactive, doesn't work.
    Wednesday, May 06, 2015 6:19 PM
  • If I start with Prevent installation of devices not described by other policy settings, it appears to block installation of new devices.  Having trouble getting consistent results out of Allow installation of devices that match any of these device IDs.  It also appears that once a device has been denied installation, it can't be installed no matter what the policy says. 
    Friday, May 08, 2015 1:44 PM
  • Hi,

    The Prevent installation of devices not described by other policy settings setting will block new devices but not already existing devices. This is the expected behavior, which is by design.

    By the way, Prevent installation of devices that match any of these device IDs takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device. So if you add the device ID in this policy setting and enable this policy, even if you allow the installation in another policy, the device can't be installed.

    Best Regards,

    Elaine



    • Proposed as answer by Elaine JingModerator Monday, May 25, 2015 7:51 AM
    • Unproposed as answer by m.siib Monday, May 25, 2015 12:22 PM
    Monday, May 18, 2015 6:24 AM
    Moderator
  • @ Elaine Jing  Yes, this is quite clear.

    I've been mostly successful using a combination of the Prevent installation of devices not described by other policy settings and Allow installation of devices that match any of these device IDs. This has worked for generic USB thumb drives, but I'm having trouble getting the Ironkey devices to work.  It seems that they install in stages, presenting a USB\ hardware ID first and then, after that gets installed, a USBSTOR\ hardware ID.  This is not what the generics do; they just present the USBSTOR\ hardware ID.  To get one to work, I had to add 8 different hardware IDs to the policy.



    • Proposed as answer by Elaine JingModerator Monday, May 25, 2015 7:54 AM
    • Unproposed as answer by m.siib Monday, May 25, 2015 12:22 PM
    Monday, May 18, 2015 12:04 PM
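The following PowerShell script is an added example, not code from the thread or from Microsoft. It reads the DeviceInstall\Restrictions policy values named in the original question, enumerates the hardware IDs that each connected USB and USBSTOR device presents (so the multi-stage Ironkey IDs from the last reply are visible before they are added to an allow list), and predicts the outcome for a fresh installation using the precedence described in the moderator's reply. The value names DenyUnspecified and AllowDeviceIDs are assumed here alongside the ones listed in the question; Win32_PnPEntity is used instead of Get-PnpDevice so the script also runs on the Windows 7 / PowerShell 2.0 clients described above.

```powershell
# Added example (not from the thread): inspect the DeviceInstall\Restrictions policy keys
# and predict how each connected USB device would be treated on a new installation.
# Assumed value names: DenyUnspecified and AllowDeviceIDs (the others appear in the question).

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-RestrictionFlags {
    # Top-level DWORD switches; a missing value means "not configured" (treated as 0).
    $p = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $flags = @{}
    foreach ($name in 'DenyRemovableDevices','DenyDeviceIDs','DenyDeviceIDsRetroactive',
                      'DenyUnspecified','AllowDeviceIDs') {
        $v = 0
        if ($p -and $p.$name) { $v = [int]$p.$name }
        $flags[$name] = $v
    }
    return $flags
}

function Get-PolicyIdList {
    param([string]$SubKey)   # 'DenyDeviceIDs' or 'AllowDeviceIDs'
    # The IDs are stored as REG_SZ values named "1", "2", ... under the subkey.
    $p = Get-ItemProperty -Path (Join-Path $base $SubKey) -ErrorAction SilentlyContinue
    if (-not $p) { return @() }
    return @($p.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
             ForEach-Object { $_.Value })
}

function Test-PolicyOutcome {
    # Precedence as described in the thread: an explicit Deny ID wins over everything,
    # then an explicit Allow ID, then "deny devices not described by other policy".
    # DenyRemovableDevices is not evaluated here because Win32_PnPEntity does not
    # expose whether a device is removable.
    param([string[]]$DeviceIds, $Flags, [string[]]$DenyIds, [string[]]$AllowIds)
    foreach ($id in $DeviceIds) {
        if ($Flags['DenyDeviceIDs'] -eq 1 -and $DenyIds -contains $id) {
            return "DENY  (matches DenyDeviceIDs: $id)"
        }
    }
    foreach ($id in $DeviceIds) {
        if ($Flags['AllowDeviceIDs'] -eq 1 -and $AllowIds -contains $id) {
            return "ALLOW (matches AllowDeviceIDs: $id)"
        }
    }
    if ($Flags['DenyUnspecified'] -eq 1) { return 'DENY  (not described by any other policy)' }
    return 'ALLOW (no restriction applies)'
}

$flags    = Get-RestrictionFlags
$denyIds  = Get-PolicyIdList 'DenyDeviceIDs'
$allowIds = Get-PolicyIdList 'AllowDeviceIDs'

Write-Host "Policy flags:" ; $flags.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
Write-Host "Deny IDs : $($denyIds -join '; ')"
Write-Host "Allow IDs: $($allowIds -join '; ')"

# Enumerate every PnP device under the USB and USBSTOR enumerators. A device that
# installs in stages shows up twice: once as USB\VID_...&PID_... and again as
# USBSTOR\Disk...; every stage's hardware ID has to be covered by the allow list.
Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.DeviceID -match '^USB(STOR)?\\' } |
    ForEach-Object {
        $ids = @(@($_.HardwareID) + @($_.CompatibleID) | Where-Object { $_ })
        New-Object PSObject -Property @{
            Name        = $_.Name
            Instance    = $_.DeviceID
            Outcome     = Test-PolicyOutcome -DeviceIds $ids -Flags $flags `
                                             -DenyIds $denyIds -AllowIds $allowIds
            HardwareIDs = ($ids -join '; ')
        }
    } | Format-List Name, Instance, Outcome, HardwareIDs
```

Run it on the test client after gpupdate /force with the device plugged in. The Outcome column is a prediction from the policy values alone: it does not model the "Allow administrators to override" setting, and, as the moderator's reply notes, a device that was already installed before the policy arrived is only affected when the retroactive option is set. Copy the USB\ and USBSTOR\ entries from the HardwareIDs column into the allow list rather than typing them by hand, since the padded product strings (as in the Verbatim ID from the question) are easy to get wrong.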