Blocking Installation of Removable Devices

Policy settings for blocking device installation are found under the following node in the Group Policy Object Editor:

Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

Policies for blocking device installation, described in the table below, are per-computer policies only. All but one of these policies apply to Windows Vista or later versions (the policy setting marked with an asterisk applies only to Windows 7 and Windows Server 2008 R2). In addition, two of these policy settings (marked with a double asterisk) have been updated in Windows 7 with new functionality.

Configured policy settings will be applied during the next background refresh of Group Policy. In other words, these policies do not require a reboot or logon/logoff to take effect after you configure them.

Computer Policies for Blocking Device Installation
Allow Administrators To Override Device Installation Restriction Policies
(Applies to Windows Vista or later versions)
Allows members of the Administrators group to install and update the drivers for any device, regardless of other policy settings.
If you enable this setting, administrators can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device.
If you disable or do not configure this setting, administrators are subject to all policies that restrict device installation. If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Allow Installation Of Devices That Match Any Of These Device IDs
(Applies to Windows Vista or later versions)
Specifies a list of PnP hardware IDs and compatible IDs that describe devices that can be installed. This setting is intended for use only when the Prevent Installation Of Devices Not Described By Other Policy Settings setting is enabled and does not take precedence over any policy setting that would prevent a device from being installed.
If you enable this setting, any device with a hardware ID or compatible ID that matches an ID in this list can be installed or updated if that installation has not been prevented specifically by any of the following policy settings: Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Prevent Installation Of Removable Devices. If another policy setting prevents a device from being installed, the device cannot be installed even if it is also described by a value in this policy setting.
If you disable or do not configure this setting and no other policy describes the device, the Prevent Installation Of Devices Not Described By Other Policy Settings setting determines whether the device can be installed.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Allow Installation Of Devices Using Drivers That Match These Device Setup Classes
(Applies to Windows Vista or later versions)
Specifies a list of device setup class GUIDs describing devices that can be installed. This setting is intended for use only when the Prevent Installation Of Devices Not Described By Other Policy Settings setting is enabled and does not have precedence over any setting that would prevent a device from being installed.
If you enable this setting, any device with a hardware ID or compatible ID that matches one of the IDs in this list can be installed or updated if that installation has not been specifically prevented by any of the following policy settings: Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Prevent Installation Of Removable Devices. If another policy setting prevents a device from being installed, the device cannot be installed even if it is also described by a value in this setting.
If you disable or do not configure this setting and no other policy describes the device, the setting Prevent Installation Of Devices Not Described By Other Policy Settings determines whether the device can be installed.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
Display A Custom Message Title When Installation Is Prevented By Policy
(Applies to Windows Vista or later versions)
Specifies a customized message that is displayed to the user in the title of the notification balloon when policy prevents the installation of a device.
If you enable this setting, this text is displayed as the title text of the message displayed by Windows Vista whenever device installation is prevented by policy.
If you disable or do not configure this setting, Windows Vista displays a default title whenever device installation is prevented by policy.
Note: In Windows Vista, this policy was named Display A Custom Message When Installation Is Prevented By Policy (Balloon Title).
Display A Custom Message When Installation Is Prevented By Policy
(Applies to Windows Vista or later versions)
Specifies a customized message that is displayed to the user in the text of the notification balloon when policy prevents the installation of a device.
If you enable this setting, this text is displayed as the main body text of the message displayed by Windows Vista whenever device installation is prevented by policy.
If you disable or do not configure this setting, Windows Vista displays a default message whenever device installation is prevented by policy.
Note: In Windows Vista, this policy was named Display A Custom Message When Installation Is Prevented By Policy (Balloon Text).
Prevent Installation Of Devices Not Described By Other Policy Settings
(Applies to Windows Vista or later versions)
This setting controls the installation policy for devices that are not specifically described by any other policy.
If you enable this setting, any device that is not described by either Allow Installation Of Devices That Match These Device IDs or Allow Installation Of Devices For These Device Classes cannot be installed or have its driver updated.
If you disable or do not configure this setting, any device that is not described by the Prevent Installation Of Devices That Match Any Of These Device IDs, Prevent Installation Of Devices For These Device Classes, or Deny Installation Of Removable Devices policies can be installed and have its driver updated.
If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
**Prevent Installation Of Devices That Match Any Of These Device IDs
(Applies to Windows Vista or later versions and is updated in Windows 7)
Lets you specify a list of PnP hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
Note: This policy has been updated in Windows 7 to add retroactive uninstall functionality, that is, to enable the removal of devices that were installed before the application of the policy (for example, during an OEM preload of Windows onto a system). To enable retroactive uninstall functionality, enable the policy setting and select the Also Apply To Matching Devices That Are Already Installed check box. Then be sure to enable and configure the Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect policy setting because uninstalling previously installed devices will trigger a reboot.
**Prevent Installation Of Devices Using Drivers That Match These Device Setup Classes
(Applies to Windows Vista or later versions and is updated in Windows 7)
Lets you specify a list of device setup class GUIDs for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
Note: This policy has been updated in Windows 7 to add retroactive uninstall functionality, that is, to enable the removal of devices that were installed before the application of the policy (for example, during an OEM preload of Windows onto a system). To enable retroactive uninstall functionality, enable the policy setting and select the Also Apply To Matching Devices That Are Already Installed check box. Then be sure to also enable and configure the Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect policy setting because uninstalling previously installed devices will trigger a reboot.
Prevent Installation Of Removable Devices
(Applies to Windows Vista or later versions)
Prevents removable devices from being installed.
If you enable this setting, removable devices may not be installed, and existing removable devices cannot have their drivers updated.
If you disable or do not configure this setting, removable devices can be installed and existing removable devices can be updated as permitted by other policy settings for device installation.
Note: This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that would allow installation of that device.
For this policy, a device is considered removable when the drivers for the device to which it is connected indicate that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. If this computer is a Remote Desktop server, enabling this policy also affects redirection of the specified devices from a Remote Desktop client to this computer.
*Time (In Seconds) To Force Reboot When Required For Policy Changes To Take Effect
(Applies only to Windows 7 and Windows Server 2008 R2)
If you enable this setting, set the number of seconds that you want the system to wait until a reboot to enforce a change in device installation restriction policies. (The default is 120 seconds.)
If you disable or do not configure this setting, the system will not force a reboot.
Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.

More Info: For information on how to identify device IDs for PnP devices, see http://msdn2.microsoft.com/en-us/library/ms791083.aspx.
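
The precedence rules in the table above, modelled as an added Python example (it is not part of the original text and is not how Windows implements the check). The class and field names, the case-insensitive matching and the sample vendor/product IDs are assumptions made for illustration, and the model evaluates a single device node.

```python
from dataclasses import dataclass, field

@dataclass
class Device:              # one device node
    ids: set               # hardware IDs plus compatible IDs
    setup_class: str       # device setup class GUID
    removable: bool        # as reported by the parent driver, e.g. the USB hub

@dataclass
class Policy:              # hypothetical field names, one per setting in the table
    admin_override: bool = False
    deny_ids: set = field(default_factory=set)
    deny_classes: set = field(default_factory=set)
    deny_removable: bool = False
    allow_ids: set = field(default_factory=set)
    allow_classes: set = field(default_factory=set)
    deny_unspecified: bool = False

def _up(values):           # assumption: IDs and GUIDs match case-insensitively
    return {v.upper() for v in values}

def evaluate(dev, pol, is_admin=False):
    """Return (allowed, setting that decided) for one installation attempt."""
    ids, cls = _up(dev.ids), dev.setup_class.upper()
    if is_admin and pol.admin_override:
        return True, "Allow Administrators To Override"
    # Prevent settings take precedence over every allow setting.
    if ids & _up(pol.deny_ids):
        return False, "Prevent Device IDs"
    if cls in _up(pol.deny_classes):
        return False, "Prevent Device Setup Classes"
    if pol.deny_removable and dev.removable:
        return False, "Prevent Removable Devices"
    if ids & _up(pol.allow_ids) or cls in _up(pol.allow_classes):
        return True, "Allow list"
    if pol.deny_unspecified:   # nothing described the device: catch-all decides
        return False, "Prevent Devices Not Described By Other Policy Settings"
    return True, "no restriction applies"

# Constructed sample data: the vendor/product IDs are made up.
USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"  # USB setup class GUID
APPROVED = Device({r"USB\VID_1111&PID_2222"}, USB_CLASS, True)
OTHER = Device({r"USB\VID_3333&PID_4444"}, USB_CLASS, True)
# BROKEN's allow entry is dead (the removable block wins); ALLOWLIST blocks the rest instead.
BROKEN = Policy(deny_removable=True, allow_ids={r"usb\vid_1111&pid_2222"})
ALLOWLIST = Policy(deny_unspecified=True, allow_ids={r"usb\vid_1111&pid_2222"})

def demo():  # decisions for (BROKEN, ALLOWLIST) x (APPROVED, OTHER)
    return [evaluate(d, p)[0] for p in (BROKEN, ALLOWLIST) for d in (APPROVED, OTHER)]
```

Calling demo() shows that the approved device installs only under the allow-list design: combining an allow entry with Prevent Installation Of Removable Devices blocks it along with everything else.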
