18.9.7.1.2 (L1) Ensure 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' is set to 'Enabled'

Information

This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one install policy setting is applicable for a given device. This policy setting ensures that overlapping device match criteria are applied based on an established hierarchy where more specific match criteria supersede less specific match criteria.

The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:

Device instance IDs > Device IDs > Device setup class > Removable devices

Device instance IDs

1. Prevent installation of devices using drivers that match these device instance IDs
2. Allow installation of devices using drivers that match these device instance IDs

Device IDs

3. Prevent installation of devices using drivers that match these device IDs
4. Allow installation of devices using drivers that match these device IDs

Device setup class

5. Prevent installation of devices using drivers that match these device setup classes
6. Allow installation of devices using drivers that match these device setup classes

Removable devices

7. Prevent installation of removable devices
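The following PowerShell model is an added illustration of the layered evaluation order described above; it is not code from the CIS benchmark or from Microsoft. It walks the seven policy settings in the order the benchmark lists them (most specific match criteria first) and lets the first matching setting decide, falling back to the 'Prevent installation of devices not described by other policy settings' default when nothing matches. The function name, the hashtable layout, and every device ID, setup class GUID and policy list below are constructed sample values.

```powershell
# Added model of the layered order of evaluation (not from the CIS page or Microsoft).
# Tiers are numbered exactly as the benchmark lists them; the first tier that matches
# the device decides the verdict. All device properties and policy lists are constructed.

function Resolve-LayeredDeviceInstallPolicy {
    param(
        # Device: InstanceId (string), HardwareIds (string[]), SetupClass (GUID string), IsRemovable (bool)
        [Parameter(Mandatory)] [hashtable] $Device,
        # Policy: the ID lists behind each of the seven settings, plus PreventUnlisted for the default
        [Parameter(Mandatory)] [hashtable] $Policy
    )

    # Helper: does any of the device's hardware/compatible IDs appear in a policy list?
    $anyIdMatch = { param($ids, $list) @($ids | Where-Object { $list -contains $_ }).Count -gt 0 }

    # Evaluation order (1 = highest precedence). -contains is case-insensitive for strings,
    # and a missing policy list evaluates to $null, which never matches.
    $tiers = @(
        @{ Name = '1. Prevent by device instance ID'; Verdict = 'Prevent'
           Match = { $Policy.PreventInstanceIds -contains $Device.InstanceId } }
        @{ Name = '2. Allow by device instance ID';   Verdict = 'Allow'
           Match = { $Policy.AllowInstanceIds -contains $Device.InstanceId } }
        @{ Name = '3. Prevent by device ID';          Verdict = 'Prevent'
           Match = { & $anyIdMatch $Device.HardwareIds $Policy.PreventDeviceIds } }
        @{ Name = '4. Allow by device ID';            Verdict = 'Allow'
           Match = { & $anyIdMatch $Device.HardwareIds $Policy.AllowDeviceIds } }
        @{ Name = '5. Prevent by device setup class'; Verdict = 'Prevent'
           Match = { $Policy.PreventSetupClasses -contains $Device.SetupClass } }
        @{ Name = '6. Allow by device setup class';   Verdict = 'Allow'
           Match = { $Policy.AllowSetupClasses -contains $Device.SetupClass } }
        @{ Name = '7. Prevent removable devices';     Verdict = 'Prevent'
           Match = { $Device.IsRemovable -and $Policy.PreventRemovable } }
    )

    foreach ($tier in $tiers) {
        if (& $tier.Match) {
            return [pscustomobject]@{ Verdict = $tier.Verdict; DecidedBy = $tier.Name }
        }
    }

    # No match criteria applied: fall back to 'Prevent installation of devices not
    # described by other policy settings' (Prevent when that setting is enabled, else Allow).
    $fallback = if ($Policy.PreventUnlisted) { 'Prevent' } else { 'Allow' }
    return [pscustomobject]@{ Verdict = $fallback; DecidedBy = 'Default for devices not described by other policy settings' }
}

# Constructed sample device: a removable USB device with one approved hardware ID.
$device = @{
    InstanceId  = 'USB\VID_1234&PID_5678\SAMPLESERIAL01'        # constructed
    HardwareIds = @('USB\VID_1234&PID_5678', 'USB\Class_08')    # constructed
    SetupClass  = '{00000000-0000-0000-0000-00000000aaaa}'      # constructed placeholder class GUID
    IsRemovable = $true
}

# Constructed sample policy: block the whole setup class and all removable devices,
# but allow one approved hardware ID (a common "block the class, allow the exception" layout).
$policy = @{
    PreventSetupClasses = @('{00000000-0000-0000-0000-00000000aaaa}')
    AllowDeviceIds      = @('USB\VID_1234&PID_5678')
    PreventRemovable    = $true
    PreventUnlisted     = $true
}

# The device-ID Allow (tier 4) is reached before the setup class Prevent (5) and the
# removable-device Prevent (7), so the more specific criterion decides.
Resolve-LayeredDeviceInstallPolicy -Device $device -Policy $policy

# Listing this exact instance under the Prevent-by-instance-ID setting (tier 1)
# supersedes the device-ID Allow, since instance IDs are the most specific criterion.
$policy.PreventInstanceIds = @('USB\VID_1234&PID_5678\SAMPLESERIAL01')
Resolve-LayeredDeviceInstallPolicy -Device $device -Policy $policy
```

The model shows why the setting matters for access control: with the layered order enabled, an administrator can deny an entire device setup class or all removable devices and still allow a small set of approved devices by device ID, while a single compromised or lost unit can be blocked again by its instance ID without touching the broader allow list.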

The recommended state for this setting is: Enabled

Applying a layered order of evaluation to the Prevent and Allow installation policies allows for more granular control, ensuring that overlapping device match criteria are applied based on the established hierarchy.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria

Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 10 Release 1903 Administrative Templates (or newer).
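An added PowerShell audit helper (not part of this benchmark page) for checking a host against the recommended state after the Group Policy has been applied. It reads the policy registry value that the setting writes and reports whether it equals 1 (Enabled). The registry key path and value name are assumptions based on the DeviceInstallation.admx template the page names; confirm them against that template on the host before relying on the check.

```powershell
# Added audit helper (not from the CIS page). Reports whether the host's applied
# policy matches the recommended state for 18.9.7.1.2 (Enabled = DWORD 1).
# KeyPath and ValueName are ASSUMED from DeviceInstallation.admx; verify locally.

function Test-LayeredDeviceInstallEvaluation {
    param(
        [string] $KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions',  # assumed
        [string] $ValueName = 'AllowDenyLayered'                                                      # assumed
    )

    # $null when the key or value is absent, i.e. the policy has never been applied.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName

    [pscustomobject]@{
        Control   = '18.9.7.1.2 (L1)'
        Setting   = 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria'
        Expected  = 1
        Actual    = $current
        Compliant = ($current -eq 1)
    }
}

# Run on the target host after a Group Policy refresh (e.g. gpupdate /force).
Test-LayeredDeviceInstallEvaluation
```

A value of $null under Actual means the policy is Not Configured rather than Disabled; both fail the check, but they point to different remediation paths (the GPO not applying at all versus the setting being explicitly turned off).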

Impact:

When restricting and ordering Plug and Play devices, this policy setting provides more granular control than the older setting, 'Prevent installation of devices not described by other policy settings'.

If conflicting policy settings are enabled at the same time, the 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' policy setting will be enabled and the other policy setting will be ignored.

See Also

https://workbench.cisecurity.org/benchmarks/17610

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-6(10), 800-53|MP-7

Plugin: Windows

Control ID: ece5ea7d841a117553713499e0918ed5ac2777f44d4abebf8e774d2369e74bc1