Information
This policy setting allows a specific list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
The recommended state for this setting is: Enabled: <Org Specific Device IDs>
Note: This policy setting is intended to be used only when the 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' policy setting is enabled; however, it may also be used with the 'Prevent installation of devices not described by other policy settings' policy setting for legacy policy definitions. The 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' policy setting is included as a benchmark recommendation in Section 8.8.7 Device Installation.
Note #2: For a step-by-step guide to managing device installation with Group Policy, see: Manage Device Installation with Group Policy.
Preventing the installation of devices that are not approved can help prevent data theft and unauthorized copies of company data being leaked via removable media.
It is important to note that this setting does not eliminate data theft; it adds a layer of security that helps prevent it.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled. Before applying the GPO, the organization must specify which device IDs are allowed to be installed/used on the system; an enabled policy with an empty list allows nothing:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Allow installation of devices that match any of these device IDs
Note: To create a list of devices, click Show, after enabling the policy. In the Show Contents dialog box, in the Value column, type a Plug and Play hardware ID or compatible ID (for example, gendisk, USB\COMPOSITE, USB\Class_ff).
Note #2: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Impact:
Plug and Play devices whose hardware IDs and compatible IDs are not on the specified list will not install on the system.
Note: When this policy setting is enabled together with the 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list created, unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installation. If the 'Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria' policy setting is not enabled with this policy setting, then any other policy settings specifically preventing installation will take precedence. The aforementioned policy is included as a benchmark recommendation in Section 8.8.7 Device Installation.
Note #2: This policy setting will be used in conjunction with the 'Prevent installation of devices not described by other policy settings' policy setting (8.8.7 Device Installation). Windows will be able to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list that is created, unless another policy setting specifically prevents that installation (for example, the 'Prevent installation of devices that match any of these device IDs' policy setting, the 'Prevent installation of devices for these device classes' policy setting, the 'Prevent installation of devices that match any of these device instance IDs' policy setting, or the 'Prevent installation of removable devices' policy setting).
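The Solution steps above say the allow list must be populated before the GPO is applied, and the Impact notes describe how the result depends on whether the layered-evaluation and deny-unspecified policies are also enabled. The following PowerShell audit script is an added example, not part of the benchmark text or Microsoft's tooling. It reads the policy state from the registry, compares the configured allow list with an organization-defined list, and reports which devices currently present on the machine carry a hardware or compatible ID that matches the allow list. The registry key HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions and the value names AllowDeviceIDs, AllowDenyLayered and DenyUnspecified are assumed from the DeviceInstallation.admx template and should be verified against the template in use; the expected ID values are constructed placeholders taken from the examples in the text.

```powershell
# Added audit example (not the benchmark's or Microsoft's code).
# Registry locations assumed from DeviceInstallation.admx; verify against your template.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowListKey    = Join-Path $RestrictionsKey 'AllowDeviceIDs'

# Organization-approved IDs: constructed placeholders built from the examples in the text.
$ExpectedAllowIds = @('gendisk', 'USB\COMPOSITE', 'USB\Class_ff')

function Get-DeviceAllowPolicy {
    # Returns the effective state of the allow policy and the two policies it interacts with.
    $result = [ordered]@{
        AllowPolicyEnabled = $false   # "Allow installation of devices that match any of these device IDs"
        LayeredEvaluation  = $false   # "Apply layered order of evaluation ..." (assumed value name)
        DenyUnspecified    = $false   # "Prevent installation of devices not described ..." (assumed value name)
        AllowedIds         = @()
    }
    if (Test-Path $RestrictionsKey) {
        $props = Get-ItemProperty -Path $RestrictionsKey
        $result.AllowPolicyEnabled = ($props.AllowDeviceIDs   -eq 1)
        $result.LayeredEvaluation  = ($props.AllowDenyLayered -eq 1)
        $result.DenyUnspecified    = ($props.DenyUnspecified  -eq 1)
    }
    if (Test-Path $AllowListKey) {
        # The template stores one ID per value, named "1", "2", ... under the subkey.
        $item = Get-Item -Path $AllowListKey
        $result.AllowedIds = @($item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]$result
}

function Compare-AllowList {
    param([string[]]$Configured, [string[]]$Expected)
    # Plug and Play matches IDs case-insensitively, so normalize before comparing.
    $cfg = @($Configured | ForEach-Object { $_.ToUpperInvariant() })
    $exp = @($Expected   | ForEach-Object { $_.ToUpperInvariant() })
    [pscustomobject]@{
        Missing    = @($exp | Where-Object { $_ -notin $cfg })   # approved but not configured
        Unexpected = @($cfg | Where-Object { $_ -notin $exp })   # configured but not approved
    }
}

function Get-MatchingPresentDevices {
    param([string[]]$AllowedIds)
    # For each present device, collect hardware and compatible IDs and test them against the list.
    $allow = @($AllowedIds | ForEach-Object { $_.ToUpperInvariant() })
    Get-PnpDevice -PresentOnly | ForEach-Object {
        $dev = $_
        $ids = @()
        foreach ($key in 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds') {
            $p = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $key -ErrorAction SilentlyContinue
            if ($p -and $p.Data) { $ids += @($p.Data) }
        }
        $hit = @($ids | Where-Object { $_.ToUpperInvariant() -in $allow })
        [pscustomobject]@{
            InstanceId   = $dev.InstanceId
            FriendlyName = $dev.FriendlyName
            MatchesAllow = ($hit.Count -gt 0)
            MatchedIds   = $hit
        }
    }
}

$policy = Get-DeviceAllowPolicy
$policy | Format-List

# Failure mode called out in the Solution: policy enabled with nothing on the list.
if ($policy.AllowPolicyEnabled -and $policy.AllowedIds.Count -eq 0) {
    Write-Warning 'Allow policy is enabled but the device ID list is empty; with DenyUnspecified this blocks every new device.'
}
if ($policy.AllowPolicyEnabled -and -not $policy.LayeredEvaluation -and -not $policy.DenyUnspecified) {
    Write-Warning 'Allow list is set without layered evaluation or DenyUnspecified; it has no restrictive effect on its own.'
}

$diff = Compare-AllowList -Configured $policy.AllowedIds -Expected $ExpectedAllowIds
if ($diff.Missing)    { Write-Warning ("Approved IDs not configured: " + ($diff.Missing -join ', ')) }
if ($diff.Unexpected) { Write-Warning ("Configured IDs not approved: " + ($diff.Unexpected -join ', ')) }

# Devices already present that would be covered by the list; those with MatchesAllow = False
# are the ones a later re-plug or driver update would be subject to the deny policies.
Get-MatchingPresentDevices -AllowedIds $policy.AllowedIds |
    Sort-Object MatchesAllow -Descending |
    Format-Table InstanceId, FriendlyName, MatchesAllow -AutoSize
```

Run it in an elevated PowerShell session after a `gpupdate /force` so the registry reflects the applied GPO; the Get-PnpDevice cmdlets require the PnpDevice module shipped with Windows 8.1/Server 2012 R2 and later. The script only reads configuration and device properties and changes nothing, so it is safe to run as a recurring compliance check.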