Is there any way to control “Device Installation Restrictions” via the Registry (instead of Group Policy) for users on Windows Home Editions?

5

1

We have group policy restrictions in place to prevent device installation for certain hardware IDs (see below), but group policy is only available for Windows Pro/Ultimate editions and not Windows Home. I’ve looked into adding Group Policy to Windows Home via 3rd party solutions (such as the one found here), however it is not a complete up-to-date version of Group Policy and is missing the options for “Device Installation Restrictions”. I’m also slightly hesitant to deploy 3rd party group policy solutions on my client’s machines.

Group Policy Location: (Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions -> Prevent installation of devices that match any of these Device IDs)

I looked into achieving the same functionality via the registry, and seem to have found at least some of the registry keys used to control this via Group Policy, but when I manually edit them, it does not work properly. Part of this may have to do with the GUIDs created in the registry under “Group Policy Objects” (see below picture). Is anyone familiar with creating group policy objects via the registry and getting them to remain persistent?

            Registry Location shown below: HKCU -> Software -> Microsoft -> Windows -> CurrentVersion -> Group Policy Objects

The keys which are affected by the standard “Group Policy Device Installation Restrictions” are:

Device Installation Restrictions: HKCU -> Software -> Microsoft -> Windows -> CurrentVersion -> Group Policy Objects -> GUID (unsure how this is generated) -> Software -> Policies -> Microsoft -> Windows -> DeviceInstall -> Restrictions -> DenyDeviceIDs

[Example](https://drive.google.com/open?id=0B1e6MVnnsu5gdTZlaGR2amdyM0VaUXRtNTZrc1AxdmtxNENV)

EDIT

The reg keys you pointed to below do indeed control this set of group policy objects. Big help, thanks!

Interestingly enough, when I configure the proper reg keys on 2 identical Surface Pro 4 tablets, I can control “Device Installation Restrictions” on one machine which I previously configured “Device Installation Restrictions” on through the official Group Policy UI (gpedit). Setting these keys you referenced through the registry and rebooting (or running gpupdate.exe /force through Command Prompt) does work and cause the specific device to become enabled/disabled.

When I configure the same set of keys on another Surface Pro 4, which has never had group policy set through the Group Policy UI (gpedit), this tablet will not reflect the reg changes live, even after rebooting or running gpupdate.exe /force. It seems as though something else may be controlling this? Both are Windows Pro, so all the proper group policy components should exist on this machine.

Any ideas here? It seems like there is another registry setting perhaps which may control something here?

Dirk

Posted 2017-03-16T17:09:23.403

Reputation: 93

Your example link is 404 – DavidPostill – 2017-03-16T20:57:45.043

Answers

6

As far as I can tell, the Group Policy Objects branch is only a cache of the active GPOs. Windows actually checks this Registry location for computer policy settings:

HKLM\SOFTWARE\Policies

For the Prevent installation of devices that match any of these Device IDs setting, Group Policy uses this key:

HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions

The DenyDeviceIDs DWORD is set to 1 when the policy is Enabled. The DenyDeviceIDsRetroactive DWORD corresponds to the Also apply to matching devices that are already installed checkbox: 1 for checked, 0 for not.

The restricted entries are kept in a subkey of Restrictions that also is named DenyDeviceIDs. One value on that key is one restriction. Each value's name should be the same as its data.

Tip: I found this information using the Element Inspector tool in my own open-source application, Policy Plus.

You'll need to reboot for the changes to take effect.

Note that even if you set all the Registry settings exactly right, it's possible that Home editions might not respect them. Most Group Policy settings work just fine on all editions, but there are a few that don't; the components that make use of them might not be there on Home. If you find that these settings don't work, you'll need to upgrade to Pro.

Ben N

Posted 2017-03-16T17:09:23.403

Reputation: 32 973

hey Ben, can you take a look at my edit? Interesting behavior on machines that DO have windows pro... – Dirk – 2017-03-17T23:18:11.213

@Dirk Hmm, that is interesting. I don't notice any special requirements surrounding this setting. On the machines that did work, were any other similar settings already configured? Was the DeviceInstall Registry branch exactly the same between working and non-working machines? Also compare that branch between a non-working manual configuration and a working UI configuration. – Ben N – 2017-03-17T23:32:03.837

On the machine that did work, Group Policy had previously been configured, but for other items not specifically tied to “Device Installation Restrictions”. The other group policy items were removed a few months ago. The “Device Install” registry branch on both the working and non-working machines are the same. I’ve tried on 3 different Surface Pro machines, and only 1 of which will properly recognize these registry settings when I manually update them. Compared things in the registry, and they all appear to be the same, both on manually configured and UI configured machines. – Dirk – 2017-03-20T22:50:11.243

@Dirk This forum thread and this guide note that the policy might not work for devices that have previously been connected. For it to apply to those, you need to uninstall their associated drivers. Does that have any effect?

– Ben N – 2017-03-20T22:58:01.653

1Hey Ben, thanks!! I was able to get the group policy working on Windows Home using your info. I didn’t actually need to uninstall the drivers themselves, however I did “uninstall” the offending device from the Device Manager after manually inserting the GP registry keys. When you try to reinstall the device (as Windows Update would try), you get an error saying that Group Policy is preventing the device from being reinstalled. This is in essence what I’m looking for... continued below – Dirk – 2017-03-23T21:07:02.123

1After performing this, the offending device was in a “trouble state” in the device manager (with the yellow triangle warning symbol), and I disabled it from there to prevent Windows from yelling at me for hardware which wasn’t installed properly. At this point I expect Windows Update won’t be able to reinstall the device any longer due to the group policy restrictions, but if anything changes I’ll let you know. I really appreciate the help, thank you!! – Dirk – 2017-03-23T21:07:14.883

Asked: 2017-03-16T17:09:23.403

Viewed: 6 981 times

Active: 2017-03-17T23:16:46.280