Windows Longhorn: Using Group Policy to Control Device Management (Part 2)

Published on 31 Aug. 2006 / Last Updated on 31 Aug. 2006

This is the second part of this article series on how to control access to devices via group policy in Longhorn Server.

If you missed the first part in this article series please read Windows Longhorn: Using Group Policy to Control Device Management (Part 1).

In Part 1 of this article series, I showed you the majority of the group policy settings that can be used to control the installation of hardware devices on workstations. In this article, I will discuss the remaining group policy settings. Later, I will also show you how to create a blanket group policy that prevents the installation of all hardware devices on workstations.

Before I Begin

Just in case you missed Part 1 of this article series, the group policy settings that I am discussing are unique to Windows Longhorn Server. These group policy settings can be used to secure workstations that are running Windows Vista. However, these settings have no effect on systems running Windows XP, Windows Server 2003, or older versions of Windows. You can find the group policy settings that I will be discussing in the group policy tree at: Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions.

Preventing Installation of Removable Devices

As the name of this policy setting implies, the Prevent Installation of Removable Devices setting prevents users from installing removable devices. This policy is primarily designed to prevent users from attaching USB- or FireWire-based devices to their systems.

Prevent Installation of Devices Not Described By Other Policy Settings

The Prevent Installation of Devices Not Described by Other Policy Settings group policy setting is a catch-all setting. There are a couple of different ways that you can use this policy setting. One option is to enable this setting but not enable any other hardware installation related settings. In doing so, you will effectively prevent anyone from installing any hardware into systems to which the policy applies.

Another thing that you can do with this group policy setting is to use other policy settings to allow specific devices based on device ID or class and then enable this policy setting. In doing so, you will prevent the installation of any device that you have not specifically allowed users to install.

Preventing the Installation of All Devices

Now that I have discussed all of the various group policy settings related to device installation, I want to conclude this series by showing you how to perform a blanket denial of all device installations. If you are concerned about the installation of prohibited devices in your own organization, then this is the technique that you would most likely use.

The technique that I am about to show you not only prevents end users from installing hardware devices, but it also prevents them from installing or updating device drivers. Administrators may still install devices and / or device drivers in the usual manner.

Begin the procedure by navigating through the group policy console to Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. Next, right-click on the Prevent Installation of Devices Not Described by Other Policy Settings container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Prevent Installation of Devices Not Described by Other Policies properties sheet, shown in Figure A. Now select the Enable option found on the Settings tab to enable the policy setting. Click OK to return to the main Group Policy Editor screen.


Figure A: The Prevent Installation of Devices Not Described by Other Policies properties sheet is a catch-all policy setting that restricts the installation of all devices that have not been specifically allowed by other policy settings

What we have done so far is to create a policy that prevents the installation of all devices. Now we need to tweak the policy so that Administrators still have the right to install devices. To do so, right-click on the Allow Administrators to Override Device Installation Policies container and select the Properties command from the resulting shortcut menu. When you do, Windows will display the Allow Administrators to Override Device Installation properties sheet, shown in Figure B.


Figure B: The Allow Administrators to Override Device Installation properties sheet can be used to ensure that Administrators are still allowed to install hardware devices

You must now enable the policy by selecting the Enable option found on the Settings tab. Click OK to return to the main Group Policy Editor screen. When you look at the main Group Policy Editor screen, both of the policies that you have enabled should be listed as being enabled.

Now that you have enabled the necessary group policy settings, it is time to test those settings. To do so, log into the domain from a workstation that’s running Windows Vista, initially as a normal user. Remember that the policy that you have created only applies to Windows Vista. Therefore, the machine you log into must be running Vista and must be connected to a Longhorn Server domain, and you must log in with a domain user account.

After logging in, open the Control Panel and then click the System and Maintenance link. When the System and Maintenance screen appears, click on the Device Manager link. When you do, you should receive the following error message:

You do not have sufficient privileges to uninstall devices or to change device properties or device drivers. Please contact your site administrator, or logout and log in again as an administrator and try again.

This proves that the group policy settings that you have implemented are preventing users from installing devices. Now, you need to log in as a domain administrator and attempt to open the Device Manager. We have created a policy saying that Administrators are exempt from device installation restrictions, so you should be able to open the Device Manager with no problem.
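Beyond the Device Manager check above, an administrator will usually want to confirm what the workstation actually received from the domain. The script below is an added example, not part of the original article: it reports which Device Installation Restrictions policies are in effect on the local machine (the catch-all deny, the administrator override, the removable-device block, and any device ID or setup class lists from Part 1) and flags the half-configured case the procedure above warns about, a blanket deny without the administrator override. It assumes the registry location and value names that the shipped DeviceInstallation.admx template writes these settings to.

```powershell
# Added example (not from the original article). ASSUMPTION: the policies
# are written by the shipped DeviceInstallation.admx template to
# HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions.
# Run in an elevated prompt on the Vista workstation after 'gpupdate /force'.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Policy title as shown in the Group Policy Editor -> registry value name.
$Policies = [ordered]@{
    'Prevent Installation of Devices Not Described by Other Policy Settings' = 'DenyUnspecified'
    'Allow Administrators to Override Device Installation Policies'          = 'AllowAdminInstall'
    'Prevent Installation of Removable Devices'                              = 'DenyRemovableDevices'
    'Prevent installation of devices matching these device IDs'              = 'DenyDeviceIDs'
    'Allow installation of devices matching these device IDs'                = 'AllowDeviceIDs'
    'Prevent installation of devices of these device setup classes'          = 'DenyDeviceClasses'
    'Allow installation of devices of these device setup classes'            = 'AllowDeviceClasses'
}

if (-not (Test-Path $Key)) {
    Write-Warning 'No Device Installation Restrictions policy has been applied to this machine.'
    return
}

$State   = Get-ItemProperty -Path $Key
$Enabled = @{}
foreach ($entry in $Policies.GetEnumerator()) {
    $name  = $entry.Value
    $value = $State.$name                 # $null when the policy is not configured
    $Enabled[$name] = ($value -eq 1)
    '{0,-8} {1}' -f $(if ($value -eq 1) { 'ENABLED' } else { 'off' }), $entry.Key
}

# The ID and class lists live in a subkey named after the value, with
# numbered entries (1, 2, ...) holding the hardware IDs or class GUIDs.
foreach ($list in 'AllowDeviceIDs', 'DenyDeviceIDs', 'AllowDeviceClasses', 'DenyDeviceClasses') {
    if ($Enabled[$list] -and (Test-Path "$Key\$list")) {
        $items = (Get-ItemProperty -Path "$Key\$list").PSObject.Properties |
                 Where-Object { $_.Name -match '^\d+$' } |
                 ForEach-Object { $_.Value }
        "  $list entries: $($items -join ', ')"
    }
}

# The article pairs the catch-all deny with the administrator override so
# that administrators can still install devices; report the half-done case.
if ($Enabled['DenyUnspecified'] -and -not $Enabled['AllowAdminInstall']) {
    Write-Warning 'DenyUnspecified is set without AllowAdminInstall: administrators are restricted too.'
}
```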

Conclusion

In this article series, I have explained that users installing unauthorized devices can be a huge problem for a corporation. If, for example, a user were to install a removable storage device, there is the potential for the user to copy sensitive data to the removable device. Even if your company’s data is not sensitive, allowing users to install their own hardware can increase support costs and can make it difficult to maintain an accurate hardware inventory (what belongs to the company and what belongs to the user).

In the past, solutions have included third-party security products or making modifications to workstation hardware that make the installation of removable devices impossible. However, Windows Longhorn Server allows you to control who does and does not have the ability to install hardware via group policy settings. In this article series I have shown you these group policy settings and explained how they work.
