Hi,

Windows Group Policies have to ability to prevent installation specific devices.


These policies are located in the GPO Path

Computer Configuration/Administrative Templates/System/Device Installation

The device installation can be prevented my multiple properties.
-Hardware ID, Vendor ID
-Instance ID
-Device/Hardware Class
-Removable Storage
-…
For example a specific device. A Logilink Wifi Card. Determine the Hardware ID (class,…) by pnputil or the Windows device manager

D:\> pnputil /enum-devices /ids
...
Instanz-ID:                USB\VID_148F&PID_5370\1.0
Gerätebeschreibung:        802.11n USB Wireless LAN Card
Klassenname:                 Net
Klassen-GUID:                 {4d36e972-e325-11ce-bfc1-08002be10318}
Herstellername:            Ralink Technology, Corp.
Status:                     Gestartet
Treibername:                netr28ux.inf
Hardware-IDs:               USB\VID_148F&PID_5370&REV_0101
                            USB\VID_148F&PID_5370
Kompatible IDs:             USB\Class_FF&SubClass_FF&Prot_FF
                            USB\Class_FF&SubClass_FF
                            USB\Class_FF
...

Set the policy. Take note of the “Also apply to matching devices that are already installed” switch.

“Device Installation Restrictions/Prevent installation of devices that match any of these device IDs”

Apply the policy

D:\> gpupdate /force /target:Computer

And open the device manager

If a device is blocked a Event with ID 402 is logged to the Windows Kernel-PNP Log.

PS D:\> Get-WinEvent -FilterHashtable @{"LogName"="Microsoft-Windows-Kernel-PnP/Configuration";"ID"="402" }
TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
20.04.2023 22:33:21             402 Warnung          Die Konfiguration des Geräts USB\VID_148F&PID_5370\1.0 wurde durch eine Richtlinie blockiert

Michael