
I am having a problem that I have been stuck on for a couple of days now. I have a request to modify policies on Windows 10 21H2 using a PowerShell script. To be more specific, I am trying to modify the policy to whitelist USB devices. I am NOT yet at the step of adding the instanceId to the policy.

First I need to enable the policy, but I am not able to do so.

Policy mentioned above:

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DeviceInstallation::DeviceInstall_Classes_Allow

I am running the following command:

New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Force | Out-Null
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Name "AllowDeviceClasses" -Value 1 -Type DWord -Force

gpupdate /force


The first command creates the path in the registry editor, the second one adds the value "1" to enable the policy, and the last one updates the policies.

The policy in question is:

"Allow installation of devices using drivers that match these device setup classes"

Policy not updated AFTER running the script

What I have tried so far didn't help me. Not even ChatGPT could help me on this one. Hope some of you guys can help me.

jujuzinho
  • If you are modifying the registry manually, you might need to re-login or reboot, but definitely not `gpupdate`. If you are in an environment that utilizes GPOs, `gpupdate` might immediately overwrite the setting. If it does, it will do it also automatically after 90+/-30 minutes. So is your server member of a domain? – stackprotector Mar 16 '23 at 07:13
  • @stackprotector no, it's not part of a domain; this machine will be used offline. I had created a few users before that, which is the only thing I have done. After creating the users, I tried to run these commands to whitelist the USB storage devices. – jujuzinho Mar 17 '23 at 00:00

1 Answer


Imho you have a wrong understanding of how GPOs and policies work.

The system behavior (with respect to configuration which is potentially subject to policy control) depends on registry settings found in hklm\software\policies or hkcu\software\policies. The gpedit/gpupdate GPO toolset is just one possible option for distributing such registry settings. Entering such settings via regedit or script will result in the same system behavior as distributing them via GPO, but you won't see such manual registry changes inversely in gpedit. gpupdate is pointless and will not do anything for registry settings not defined and distributed via GPO.

As already indicated by @stackprotector you just need to be aware of the tiebreaker rule: If you try modifying policy registry settings manually (regedit, script, ...), which are also configured in one of your GPOs, the GPO will always win and periodically overwrite your manual settings.

Halfix
  • I see now. The machine will operate offline. So there isn't a way to change those policies using PowerShell? If yes, how? – jujuzinho Mar 17 '23 at 00:01
  • That's not what I tried to explain. If you want to apply a policy-type system setting you just need to set the proper value in hklm|hkcu\software\policies. You can do that via GPO, via script, via regedit, via any procedure that can modify the registry. If a given registry setting you have added (by any tool) to hklm|hkcu\software\policies doesn't result in the expected system behavior, that is a completely different case and question. – Halfix Mar 17 '23 at 07:47
  • So if I understood correctly, the USB whitelist should work after I run the commands, even if the values haven't changed in 'gpedit.msc', right? Because even after running the commands and the entries were created in the registry, the USB whitelist is still not working. I can connect any USB. – jujuzinho Mar 20 '23 at 01:23
  • No, not necessarily. Setting the appropriate registry value is just the first step. That doesn't mean the setting applies instantly. There is no general rule when policy-type settings apply. It's completely up to the targeted system component when to pick up and adopt a given setting. Some settings apply instantly, some apply after a period of time, some apply at next launch of the affected component (what for core system services may be at next reboot). There is no option available to tell the system "apply all policy settings now" - I assume that is what you were looking for. – Halfix Mar 20 '23 at 07:25
  • Not sure if I understood; this is very complicated to me. I just wanted to enable the policy "Allow installation of devices using drivers that match these device setup classes" using PowerShell. – jujuzinho Mar 20 '23 at 23:10
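The following script is an added example and is not code from the question or from the answerer. It puts the answer's point into practice: the policy is nothing more than values under HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions, so a script writes them and the only verification available is reading them back (gpedit.msc will not reflect script-written values, and gpupdate does nothing for them). Assumptions: it runs elevated on the offline, non-domain machine from the question (so no GPO will overwrite the values); the subkey name AllowDeviceClasses for the GUID list and the DenyUnspecified value are taken from the DeviceInstallation policy template, so check them against your own ADMX if in doubt; the DiskDrive setup class GUID is the standard Windows one. The allow list on its own permits installations but blocks nothing; it only has a visible effect once "Prevent installation of devices not described by other policy settings" (DenyUnspecified) is also enabled, which is why the optional -BlockUnlisted switch exists.

```powershell
#Requires -RunAsAdministrator
# Added example: write and read back the registry values behind the policy
# "Allow installation of devices using drivers that match these device setup classes".
# Assumes an offline, non-domain Windows 10 machine (no GPO to overwrite these values).
# Subkey/value names (AllowDeviceClasses subkey, DenyUnspecified) are assumed from the
# DeviceInstallation policy template; verify against your ADMX if unsure.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowList    = Join-Path $Restrictions 'AllowDeviceClasses'

# Device setup classes to allow. DiskDrive is the standard Windows class GUID for disks
# (USB mass storage volumes end up here); add further classes as your hardware needs.
$AllowedClasses = @(
    '{4d36e967-e325-11ce-bfc1-08002be10318}'  # DiskDrive
)

function Set-DeviceInstallAllowList {
    param(
        [Parameter(Mandatory)][string[]]$ClassGuids,
        # Also enable "Prevent installation of devices not described by other policy settings".
        # Without it the allow list permits but never blocks; test on a spare machine first,
        # because any device class you forget to list can no longer be newly installed.
        [switch]$BlockUnlisted
    )

    # New-Item -Force is idempotent: it creates the key or returns the existing one.
    New-Item -Path $Restrictions -Force | Out-Null
    # DWORD 1 = policy enabled (this is the value the question's script already sets).
    New-ItemProperty -Path $Restrictions -Name 'AllowDeviceClasses' -Value 1 -PropertyType DWord -Force | Out-Null

    # The GUID list lives in a subkey; entries are REG_SZ values named "1", "2", ...
    # Recreate the subkey so entries from an earlier run do not linger.
    if (Test-Path $AllowList) { Remove-Item -Path $AllowList -Recurse -Force }
    New-Item -Path $AllowList -Force | Out-Null
    $index = 1
    foreach ($guid in $ClassGuids) {
        New-ItemProperty -Path $AllowList -Name "$index" -Value $guid -PropertyType String -Force | Out-Null
        $index++
    }

    if ($BlockUnlisted) {
        New-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-DeviceInstallAllowList {
    # Read back what is actually stored. This, not gpedit.msc or gpupdate, is how to
    # confirm that a script-written policy value landed in the registry.
    $props   = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    $entries = @()
    if (Test-Path $AllowList) {
        $key     = Get-Item -Path $AllowList
        $entries = $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
    }
    [pscustomobject]@{
        AllowListEnabled = ($props.AllowDeviceClasses -eq 1)
        BlockUnlisted    = ($props.DenyUnspecified -eq 1)
        AllowedClasses   = $entries
    }
}

# Write the allow list only (no blocking yet), then show what the registry now holds.
Set-DeviceInstallAllowList -ClassGuids $AllowedClasses
Get-DeviceInstallAllowList | Format-List
```

As the answer's comments note, a value landing in the registry does not mean the device-installation component has picked it up yet; for this policy, devices that are already installed are unaffected and newly connected devices are evaluated against the current values, so test with a device that has not been plugged into the machine before, and reboot if the behaviour still does not match what the registry shows.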