Prevent Installation of All Devices By Default

Applies To: Windows Server 2008

You can use this procedure to prevent installation of any device that is not specifically permitted by other policy settings.

If this policy is enabled, in addition to preventing installation of the affected devices, it also prevents users from updating the device drivers for already installed devices.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To prevent installation all devices by default

1. Open the Group Policy Management Editor. To do so, click Start, and then in the Start Search box, type mmc gpedit.msc.

2. In the navigation pane, open the following folders: Local Computer Policy, Computer Configuration, Administrative Templates, System, Device Installation, and Device Installation Restrictions.

3. In the details pane, double-click Prevent installation of devices not described by other policy settings.

4. Click Enabled.

5. Click OK to save your changes.

Additional considerations

• To prevent this policy from affecting a member of the Administrators group, see Allow Administrators to Override Device Installation Restriction Policies.

• If you enable this policy setting, ensure that you make exceptions for hardware devices that you want your users to be able to install, using the procedures Allow Installation of a Device by Hardware ID and Allow Installation of a Device by Device Setup Class.

• If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).