Group policy - device installation restrictions do not match hardware IDs
I am trying, so far unsuccessfully, to use group policy device installation restrictions to control which hardware devices our users can install on Vista Enterprise SP1. Can anyone help please?

In particular, we have issued encrypted (i.e. password-protected) USB memory sticks to our users, and we want them to be able to use the specific ones we issued (which happen to be Sandisk) but not any other kind of memory stick.

In group policy under computer configuration -> policies -> administrative templates -> system -> device installation -> device installation restrictions I have set:
- "prevent installation of devices not described by other policy settings" to be enabled
- "display a custom message" (both balloon text and title) set with the text to be shown to users when installation has been blocked by the policy
- "allow installation of devices that match any of these device IDs" to contain one of the device IDs of the encrypted memory stick

There is a Technet article called "Managing Hardware Restrictions via Group Policy" which describes the settings above clearly, and explains how they should work. But when the policy above is applied to a machine in my "test" OU, I find that installation of ALL memory sticks is blocked, with my custom balloon message displayed. It does not matter which of the stick's device IDs I choose, ranging from the most specific e.g. USBSTOR\DiskSanDisk_Enterprise_FIPS_6.61 down to the least specific e.g. GenDisk (which ought to match just about any USB storage device). I have tried with different brands of memory stick too - but in no case can I get the policy to recognise the hardware ID and allow the installation of a particular device - either all of them are blocked (if "prevent installation of devices not described by other policy settings" is enabled) or none of them are blocked (if it isn't).

I can see that the group policy above is reflected in the registry of my test machine (found these entries by searching for the hardware ID I put in via group policy): HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions has two DWORD values AllowDeviceIDs and DenyUnspecified both set to 1, a subkey called AllowDeviceIDs has string values 1, 2, 3 etc. which have the hardware IDs on the supposed "allow" list e.g. USBSTOR\DiskBUFFALO_USB_Flash_Disk__4000 for a different brand of stick. I can toggle permission for installing ALL sticks on and off successfully, simply by changing the value of DenyUnspecified between 1 and 0 using regedt32. But the list of allowed hardware IDs is always ignored. What is wrong? The test machine is Vista Enterprise SP1. As of the time of writing it has all of the security and critical updates applied.
October 24th, 2008 3:28pm

I think I have found the answer. A USB memory stick seems to need to install more than one driver element. I've found that a good way to troubleshoot is to look at <windir>\inf\setupapi.dev.log and see what hardware IDs are actually being installed (or blocked from being installed by policy) when you plug in the device. Whereas a successfully-installed memory stick will have an entry listed in device manager under "disk drives" (in my case SanDisk Enterprise FIPS USB Device), there will be another under USB controllers -> USB mass storage device. And my encrypted stick also has a read-only partition which stores the software it uses - so there's a third entry under DVD / CD-ROM drives. I have to add hardware IDs from all 3 drivers (for an ordinary memory stick it would be 2 drivers) to the group policy list before installation can work, if "prevent installation of devices not described by other policy settings" is enabled.
October 24th, 2008 5:43pm
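
The check described in the answer above, as an added example that is not part of the original thread: it parses a .reg export of the policy key and reports which device-manager entries of a stick have no ID on the allow list. The sample export and device stack are constructed; the zeroed VID/PID and the CdRom ID are placeholders, and the case-insensitive exact match is an assumption of this model.

```python
import re

# Constructed sample: a .reg export of the policy key named in the thread.
POLICY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]
"AllowDeviceIDs"=dword:00000001
"DenyUnspecified"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]
"1"="USBSTOR\\DiskSanDisk_Enterprise_FIPS_6.61"
'''

# Constructed device stack for one encrypted stick: the three device-manager
# entries the answer lists, each with hardware/compatible IDs. Only the
# SanDisk disk ID and GenDisk come from the thread; the rest are placeholders.
STICK = {
    "USB Mass Storage Device": ["USB\\VID_0000&PID_0000", "USB\\Class_08&SubClass_06&Prot_50"],
    "Disk drive": ["USBSTOR\\DiskSanDisk_Enterprise_FIPS_6.61", "GenDisk"],
    "CD-ROM drive": ["USBSTOR\\CdRomEXAMPLE_Launcher", "GenCdRom"],
}

def parse_policy(reg_text):
    """Return (deny_unspecified, allowed_ids) from a .reg export."""
    section, deny, allowed = "", False, set()
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif m := re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line):
            if section.endswith("\\restrictions") and m.group(1).lower() == "denyunspecified":
                deny = int(m.group(2), 16) != 0
        elif m := re.match(r'"[^"]+"="(.*)"$', line):
            if section.endswith("\\restrictions\\allowdeviceids"):
                # .reg files double every backslash inside string values
                allowed.add(m.group(1).replace("\\\\", "\\").lower())
    return deny, allowed

def blocked_nodes(stack, reg_text):
    """Device entries that match no allowed ID while DenyUnspecified is set."""
    deny, allowed = parse_policy(reg_text)
    if not deny:
        return []  # nothing is blocked by default, as seen in the thread
    return [name for name, ids in stack.items()
            if not any(i.lower() in allowed for i in ids)]
```

With only the disk ID on the list, `blocked_nodes(STICK, POLICY_REG)` names the mass storage and CD-ROM entries, which is why the stick as a whole fails to install.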

Just a quick thanks for finding this out, iniaden. I had the same problem with the same USB Memory Stick and it's now working well. Thanks again.
November 24th, 2008 7:18pm

This topic is archived. No further replies will be accepted.
