Prevent Installation of a Device by Device Setup Class

Applies To: Windows Server 2008

You can use this procedure to prevent installation of any device that uses a driver that belongs to a specified device setup class.

A device setup class is identified in the .inf file of the device driver package for the device.

When this policy is enabled, it prevents installation of the affected devices and also prevents users from updating the device drivers for already installed devices that match the policy.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To prevent installation of a device with a specified device setup class GUID

  1. Open the Group Policy Management Editor. To do so, click Start, and then in the Start Search box, type mmc gpedit.msc.

  2. In the navigation pane, open the following folders: Local Computer Policy, Computer Configuration, Administrative Templates, System, Device Installation, and Device Installation Restrictions.

  3. In the details pane, double-click Prevent installation of devices using drivers that match these device setup classes.

  4. Click Enabled, and then click Show.

  5. In the Show Contents dialog box, click Add.

  6. In the Add Item dialog box, type the GUID for the device setup class that applies to your device. Ensure that you include the curly brace characters on either side of the value.

  7. Click OK to save your changes. You can repeat steps 5 and 6 for other devices.

  8. Click OK to save the completed list, and then click OK to save the policy setting.
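The GUID typed in step 6 comes from the ClassGuid entry in the [Version] section of the driver package's .inf file. The following PowerShell is an added example, not part of the original procedure: it reads that entry from a constructed sample INF and prints it with the curly braces that the Add Item dialog box requires. The function name Get-InfSetupClass and the sample class name and GUID are assumptions made for illustration.

```powershell
# Constructed sample INF text (not from a real driver package).
$sampleInf = @'
; constructed sample INF
[Version]
Signature = "$Windows NT$"
Class     = SampleClass                            ; hypothetical class name
ClassGuid = 11111111-2222-3333-4444-555555555555   ; braces missing on purpose
Provider  = %ProviderName%

[Manufacturer]
%ProviderName% = Models
'@

# Hypothetical helper: returns the Class name and the braced ClassGuid
# found in the [Version] section of the supplied INF text.
function Get-InfSetupClass {
    param([Parameter(Mandatory = $true)][string]$InfText)

    $section = ''
    $found = @{}
    foreach ($raw in ($InfText -split '\r?\n')) {
        # Simplification: treats every ';' as the start of a comment,
        # which is sufficient for Class and ClassGuid lines.
        $line = ($raw -replace ';.*$', '').Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
        if ($section -ieq 'Version' -and $line -match '^([^=]+)=(.*)$') {
            $found[$Matches[1].Trim().ToLower()] = $Matches[2].Trim().Trim('"')
        }
    }
    if (-not $found.ContainsKey('classguid')) {
        throw 'No ClassGuid entry in the [Version] section.'
    }
    # [guid] accepts the value with or without braces and rejects malformed input.
    try { $guid = [guid]$found['classguid'] }
    catch { throw "ClassGuid '$($found['classguid'])' is not a valid GUID." }

    New-Object PSObject -Property @{
        Class     = $found['class']
        ClassGuid = $guid.ToString('B')   # 'B' format includes the curly braces
    }
}

Get-InfSetupClass -InfText $sampleInf | Format-List Class, ClassGuid
```

To check a real driver package, pass the contents of its .inf file as a single string in place of $sampleInf.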

Additional considerations

  • To determine the device setup class GUID for your device, see Determine the Device Setup Class for Your Device.

  • To prevent this policy from affecting a member of the Administrators group, see Allow Administrators to Override Device Installation Restriction Policies.

  • This policy setting takes precedence over any other policy settings that allow a device to be installed. If this policy setting prevents a device from being installed, the device cannot be installed or updated, even if it matches another policy setting that otherwise allows installation of that device.

  • If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).