Hi,
Windows Group Policies have the ability to prevent the installation of specific devices.
These policies are located in the GPO Path
Computer Configuration/Administrative Templates/System/Device Installation
Device installation can be prevented by multiple properties:
-Hardware ID, Vendor ID
-Instance ID
-Device/Hardware Class
-Removable Storage
-…
For example, take a specific device: a Logilink Wifi card. Determine the hardware ID (class,…) with pnputil or the Windows Device Manager.

    D:\> pnputil /enum-devices /ids
    ...
    Instanz-ID: USB\VID_148F&PID_5370\1.0
    Gerätebeschreibung: 802.11n USB Wireless LAN Card
    Klassenname: Net
    Klassen-GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Herstellername: Ralink Technology , Corp.
    Status: Gestartet
    Treibername: netr28ux.inf
    Hardware-IDs: USB\VID_148F&PID_5370&REV_0101
                  USB\VID_148F&PID_5370
    Kompatible IDs: USB\Class_FF&SubClass_FF&Prot_FF
                    USB\Class_FF&SubClass_FF
                    USB\Class_FF
    ...

Set the policy. Take note of the “Also apply to matching devices that are already installed” switch.
“Device Installation Restrictions/Prevent installation of devices that match any of these device IDs”


Apply the policy
    D:\> gpupdate /force /target:Computer
And open the device manager

If a device is blocked, an event with ID 402 is logged to the Windows Kernel-PnP log.

    PS D:\> Get-WinEvent -FilterHashtable @{"LogName"="Microsoft-Windows-Kernel-PnP/Configuration";"ID"="402" }
    TimeCreated         Id  LevelDisplayName Message
    -----------         --  ---------------- -------
    20.04.2023 22:33:21 402 Warnung          Die Konfiguration des Geräts USB\VID_148F&PID_5370\1.0 wurde durch eine Richtlinie blockiert
Michael
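
Before enabling “Also apply to matching devices that are already installed”, it helps to see which present devices an entry in the deny list would hit. The following PowerShell is an added example, not part of the original post: the function name Find-DenyListMatch and the sample object are hypothetical, and matching is assumed to be a case-insensitive exact comparison against each device's hardware IDs and compatible IDs.

```powershell
# Added example: preview which devices a list of denied device IDs would match.
# Find-DenyListMatch is a hypothetical helper, not a built-in cmdlet.
function Find-DenyListMatch {
    param(
        [Parameter(Mandatory)] [string[]] $DenyId,
        [Parameter(Mandatory, ValueFromPipeline)] $Device
    )
    process {
        # Win32_PnPEntity exposes both ID lists as string arrays (either may be $null).
        $ids = @($Device.HardwareID) + @($Device.CompatibleID) | Where-Object { $_ }
        # -in compares strings case-insensitively by default.
        $hits = @($ids | Where-Object { $_ -in $DenyId })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                InstanceId = $Device.DeviceID
                Name       = $Device.Name
                Class      = $Device.PNPClass
                MatchedId  = $hits -join ', '
            }
        }
    }
}

# Constructed sample object, built from the pnputil output shown above.
$sample = [pscustomobject]@{
    DeviceID     = 'USB\VID_148F&PID_5370\1.0'
    Name         = '802.11n USB Wireless LAN Card'
    PNPClass     = 'Net'
    HardwareID   = 'USB\VID_148F&PID_5370&REV_0101', 'USB\VID_148F&PID_5370'
    CompatibleID = 'USB\Class_FF&SubClass_FF&Prot_FF', 'USB\Class_FF&SubClass_FF', 'USB\Class_FF'
}

# Narrow entry (vendor and product): matches this adapter model only.
$sample | Find-DenyListMatch -DenyId 'usb\vid_148f&pid_5370'

# Live check on the local machine with a broad compatible ID.
Get-CimInstance -ClassName Win32_PnPEntity |
    Find-DenyListMatch -DenyId 'USB\Class_FF' |
    Format-Table -AutoSize
```

USB\Class_FF is the vendor-specific USB class, so a deny entry at that level can match devices from many vendors, not only the Wifi card.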