We do use this; however, like you said, it's quite tricky to get that set up the way you want. In the end we went with a group with security filtering to remove certain users from the policy. It doesn't sound like that's what you want, but it's what we went with and has worked well for us.
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Whitcher
Sent: Thursday, February 23, 2017 7:16 AM
To: [email protected]
Subject: [NTSysADM] Anyone using Device Installation Restrictions Group Policies?

We are currently using Symantec Endpoint Protection's Device Control Policies to block use of unapproved USB devices on our computers. We'll be switching to a different antivirus program soon, so I need to replace the device control functionality. I've begun testing the Device Installation Restrictions group policy settings, but it's not working quite as well as I'd hoped.

The goal is to block all USB devices except those that are whitelisted by hardware ID or device setup class. I've enabled the settings for:

* Allow administrators to override Device Installation Restriction policies
* Allow installation of devices using drivers that match these device setup classes
* Allow installation of devices that match any of these device IDs
* Prevent installation of devices not described by other policy settings

The 2 'allow installation' settings are configured with a list of hardware IDs and device setup classes which should be allowed.

In testing, I found that the policies are blocking installation of all devices, including those which I believe should be allowed. Some devices I expect to be allowed because they should fall under a whitelisted device setup class. For example, I added device setup class {745a17a0-74d3-11d0-b6fe-00a0c90f57da} to the allow list, which should allow all HID devices. But when I plug in a USB keyboard, installation is blocked. If I allow that specific keyboard's hardware ID, it will be installed, and then it changes to appear in Device Manager as an HID device, which is allowed automatically.

If a device is whitelisted by hardware ID, the initial detection of that device and hardware ID will be allowed, but then another device appears in Device Manager with a different hardware ID (obviously the same hardware, but detected a bit differently) and that device gets blocked. If I add that new hardware ID to the whitelist, then another new device appears and is blocked... In some cases I got about 4-5 layers deep before the device was fully installed and available for use. It doesn't seem like I should have to individually allow the hardware IDs listed at each subsequent level of device detection. Still, while that would be a big pain, it is possible.

My bigger concern here is that the later devices detected & whitelisted were using very generic hardware IDs, and that by whitelisting those generic IDs I might end up allowing other devices which do not have the same hardware ID, but do fit the same generic hardware ID.

Is anyone using these Device Installation Restriction policies in their environment? If so, did you run into these issues? How did you deal with them?

Thanks,
Steve Whitcher
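The layering Steve describes (keyboard -> USB input device -> composite device -> hub) is visible in the PnP device tree. The following is an added PowerShell example, not code from the thread, that walks a present device's parent chain and shows, for each layer, the setup class GUID plus hardware and compatible IDs, marking which ones the local policy already allows. It assumes the PnpDevice module (Windows 8 / Server 2012 and later) and the usual policy registry location under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions; the default name filter 'Keyboard' is a constructed sample.

```powershell
# Added example (not from the thread): list every PnP layer above a device and
# compare its class GUID / hardware IDs with the Device Installation Restrictions
# allow lists, so an allowlist can be built per layer without generic IDs.
param(
    # Substring of the friendly name to start from ('Keyboard' is a constructed default).
    [string]$NameLike = 'Keyboard'
)

# Assumption: standard policy key written by the Device Installation Restrictions GPO.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList([string]$SubKey) {
    $key = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $key)) { return @() }
    # Each allowed entry is stored as a value named 1, 2, 3, ... under the subkey.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$allowedIds     = @(Get-PolicyList 'AllowDeviceIDs')
$allowedClasses = @(Get-PolicyList 'AllowDeviceClasses')

function Get-DevProp([string]$InstanceId, [string]$Key) {
    (Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $Key -ErrorAction SilentlyContinue).Data
}

$start = Get-PnpDevice -PresentOnly |
    Where-Object { $_.FriendlyName -like "*$NameLike*" } |
    Select-Object -First 1
if (-not $start) { throw "No present device with a friendly name like '$NameLike'." }

# Walk upward through the parents: every layer must be allowed (by class or by
# one of its IDs) before the leaf device can finish installing.
$id = $start.InstanceId
while ($id) {
    $class = "$(Get-DevProp $id 'DEVPKEY_Device_ClassGuid')"
    $ids   = @(Get-DevProp $id 'DEVPKEY_Device_HardwareIds') +
             @(Get-DevProp $id 'DEVPKEY_Device_CompatibleIds') | Where-Object { $_ }
    $classMark = if ($allowedClasses -contains $class) { 'ALLOWED' } else { 'not allowed' }
    Write-Host ("{0}`n  class {1,-12} {2}" -f $id, $classMark, $class)
    foreach ($h in $ids) {
        $idMark = if ($allowedIds -contains $h) { 'ALLOWED' } else { 'not allowed' }
        Write-Host ("  id    {0,-12} {1}" -f $idMark, $h)
    }
    $id = Get-DevProp $id 'DEVPKEY_Device_Parent'
}
```

Run it elevated on a test machine with the GPO applied; the first layer whose class and IDs are all "not allowed" is the one the policy will block next, and the specific (VID/PID-bearing) hardware IDs printed there are the ones to prefer over the generic compatible IDs.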

