Monday, September 25, 2017

Is there any way to control “Device Installation Restrictions” via the Registry (instead of Group Policy) for users on Windows Home Editions?


We have group policy restrictions in place to prevent device installation for certain hardware IDs (see below), but group policy is only available for Windows Pro/Ultimate editions and not Windows Home. I’ve looked into adding Group Policy to Windows Home via 3rd party solutions (such as the one found here), however it is not a complete up-to-date version of Group Policy and is missing the options for “Device Installation Restrictions”. I’m also slightly hesitant to deploy 3rd party group policy solutions on my client’s machines.


Group Policy Location: (Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> Prevent installation of devices that match any of these Device IDs)


I looked into achieving the same functionality via the registry, and seem to have found at least some of the registry keys used to control this via Group Policy, but when I manually edit them, it does not work properly. Part of this may have to do with the GUIDs created in the registry under “Group Policy Objects” (see below picture). Is anyone familiar with creating group policy objects via the registry and getting them to remain persistent?


Registry Location shown below: HKCU -> Software -> Microsoft -> Windows -> CurrentVersion -> Group Policy Objects

The keys which are affected by the standard “Group Policy Device Installation Restrictions” are:


Device Installation Restrictions: HKCU -> Software -> Microsoft -> Windows -> CurrentVersion -> Group Policy Objects -> GUID (unsure how this is generated) -> Software -> Policies -> Microsoft -> Windows -> DeviceInstall -> Restrictions -> DenyDeviceIDs


[Example](https://drive.google.com/open?id=0B1e6MVnnsu5gdTZlaGR2amdyM0VaUXRtNTZrc1AxdmtxNENV)


EDIT


The reg keys you pointed to below do indeed control this set of group policy objects. Big help, thanks!


Interestingly enough, when I configure the proper reg keys on 2 identical Surface Pro 4 tablets, I can control “Device Installation Restrictions” on one machine which I previously configured “Device Installation Restrictions” on through the official Group Policy UI (gpedit). Setting these keys you referenced through the registry and rebooting (or running gpupdate.exe /force through Command Prompt) does work and causes the specific device to become enabled/disabled.


When I configure the same set of keys on another Surface Pro 4, which has never had group policy set through the Group Policy UI (gpedit), this tablet will not reflect the reg changes live, even after rebooting or running gpupdate.exe /force. It seems as though something else may be controlling this? Both are Windows Pro, so all the proper group policy components should exist on this machine.


Any ideas here? It seems like there is another registry setting perhaps which may control something here?


Answer



As far as I can tell, the Group Policy Objects branch is only a cache of the active GPOs. Windows actually checks this Registry location for computer policy settings:


HKLM\SOFTWARE\Policies

For the “Prevent installation of devices that match any of these Device IDs” setting, Group Policy uses this key:


HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions

The DenyDeviceIDs DWORD is set to 1 when the policy is Enabled. The DenyDeviceIDsRetroactive DWORD corresponds to the “Also apply to matching devices that are already installed” checkbox: 1 for checked, 0 for not.


The restricted entries are kept in a subkey of Restrictions that also is named DenyDeviceIDs. One value on that key is one restriction. Each value's name should be the same as its data.


Tip: I found this information using the Element Inspector tool in my own open-source application, Policy Plus.


You'll need to reboot for the changes to take effect.


Note that even if you set all the Registry settings exactly right, it's possible that Home editions might not respect them. Most Group Policy settings work just fine on all editions, but there are a few that don't; the components that make use of them might not be there on Home. If you find that these settings don't work, you'll need to upgrade to Pro.
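
The registry layout described in the answer, written out as a PowerShell function. This is an added example, not code from the original post or from Policy Plus. The function name `Set-DeniedDeviceId` and the sample hardware ID are hypothetical, the REG_SZ type for the list entries is an assumption, and it must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: writes the policy values described in the answer above.
# Set-DeniedDeviceId is a hypothetical helper name, not a built-in cmdlet.
function Set-DeniedDeviceId {
    param(
        [Parameter(Mandatory)] [string[]] $HardwareId,
        [switch] $Retroactive   # "Also apply to matching devices that are already installed"
    )
    $dword  = [Microsoft.Win32.RegistryValueKind]::DWord
    $string = [Microsoft.Win32.RegistryValueKind]::String   # assumed type for list entries

    # HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
    $restrictions = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions')
    try {
        # 1 = policy Enabled
        $restrictions.SetValue('DenyDeviceIDs', 1, $dword)
        # 1 = checkbox checked, 0 = not checked
        $restrictions.SetValue('DenyDeviceIDsRetroactive',
                               [int]$Retroactive.IsPresent, $dword)

        # The list lives in a subkey that is also named DenyDeviceIDs.
        $list = $restrictions.CreateSubKey('DenyDeviceIDs')
        try {
            # Drop stale entries so the key holds exactly the requested list.
            foreach ($old in $list.GetValueNames()) { $list.DeleteValue($old) }
            # One value per restriction; name and data are the same string.
            foreach ($id in $HardwareId) { $list.SetValue($id, $id, $string) }
            # Read back what is now stored, for verification.
            return $list.GetValueNames()
        }
        finally { $list.Close() }
    }
    finally { $restrictions.Close() }
}

# Constructed placeholder hardware ID; substitute the IDs you want to block.
Set-DeniedDeviceId -HardwareId 'USB\VID_0000&PID_0000' -Retroactive
```

The function returns the value names it read back from the DenyDeviceIDs subkey, so the output can be compared against the intended list before rebooting.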

