With each new version of Windows 10 that Microsoft releases, new features and other enhancements have been introduced to the platform. But the consensus among my IT pro colleagues concerning the most recent version 1909, which was rolled out earlier this month, is that it looks more like a patch for existing capabilities, not a new version of Windows 10.
In fact, most of my colleagues find this latest release to be boring. But that’s OK. Because many of us who work in the IT field are longing for the days when Windows was boring. Because at least from a business point of view, boring is often better.
A few goodies in Windows 10 version 1909
Nevertheless, if you dig a bit deeper into what’s new in the latest version of Windows 10 you can find a few goodies that may catch your attention and interest. One of these enhancements in Windows 10 version 1909 is a new feature that enables administrators to have more granular control over whether new devices can be installed.
The basic idea is this. In the past on earlier versions of Windows, administrators have been able to allow or block the installation of devices based on a number of different device attributes. For example, in Windows 7 you could use Group Policy to prevent installation of all devices by default on targeted systems. You could then enable some additional policy settings that would allow installation only of devices having specific Hardware IDs you specify or belonging to certain Device Setup Classes you indicate. By following this approach administrators could lock down what kinds of devices would automatically install on Windows systems when the device is inserted into or connected to the system. Remember that by default Windows allows installation of any device provided the device driver is already staged within the driver store (or the user has administrator permissions).
As an example of how to do this, let’s say you wanted to allow Windows to automatically install a certain kind of USB device but prevent installation of all other kinds of USB devices when these devices are connected to the computer. You would first need to know the Hardware ID of the device you want to allow. To do this you could plug your USB device into a Windows computer and open Device Manager and find the Hardware ID of your device. Then you could open the GPO targeting the computers you want to manage in this fashion and enable the following policy setting along with specifying the Hardware ID of your USB device within this setting:
Computer Configuration \ Administrative Templates \ System \ Device Installation \ Device Installation Restrictions \ Allow installation of devices that match any of these device IDs
That’s all well and good, but what if you wanted to do something more granular than this? For example, let’s say you have two identical USB flash drives from the same vendor and you want to allow Windows to mount one of them when you plug it into a computer but not mount the other one when it’s plugged in. This kind of device restriction policy just wasn’t possible in earlier versions of Windows or even in Windows 10. But with the recent release of Windows 10 version 1909, you can now do exactly this by using two of the several new Group Policy settings introduced in this version of Windows 10. These two policy settings mirror each other and are defined as follows:
System \ Device Installation \ Device Installation Restrictions \ Allow installation of devices that match any of these device instance IDs
System \ Device Installation \ Device Installation Restrictions \ Prevent installation of devices that match any of these device instance IDs
What the policy settings do
The first policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. The Description field of this policy setting says that you should use it only when the “Prevent installation of devices not described by other policy settings” policy setting is enabled. This is because other policy settings that prevent device installation take precedence over this one. The Description field continues by saying that if you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the “Prevent installation of devices that match any of these device IDs” policy setting, the “Prevent installation of devices for these device classes” policy setting, the “Prevent installation of devices that match any of these device instance IDs” policy setting, or the “Prevent installation of removable devices” policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. The Description field concludes by mentioning that if you disable or do not configure this policy setting, and no other policy setting describes the device, the “Prevent installation of devices not described by other policy settings” policy setting determines whether the device can be installed. The Description of the second policy setting mirrors the first one except it focuses on preventing rather than allowing installation of devices.
So how does this work exactly? Aren’t two identical USB flash drives the same in every way? Not quite: They may be of the same brand and make and model and have the same storage capacity, but under the hood they will each have a uniquely different Device ID that is a vendor-defined identification string reported by the device’s enumerator. This Device ID is then used by the Plug and Play manager of Windows to create another string called a Device Instance ID which is assigned to the device node in the system’s device tree. The two new policy settings in Windows 10 version 1909 now let you control the installation of devices based on Device Instance ID. This is possible because the Device Instance ID is persistent across system restarts.
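To collect the instance IDs you would enter in these policy settings, the following added PowerShell example (not part of the original article) lists the USB devices currently connected to a machine with their instance and hardware IDs, and flags any whose instance ID is not on a list you maintain. The function name Get-UsbDeviceInventory and the allow-list entry are made-up placeholders.

```powershell
# Added example, not from the original article.
# Constructed allow list: the same instance IDs you would enter in the
# "Allow installation of devices that match any of these device instance IDs"
# policy setting. The value below is a made-up placeholder, not a real device.
$AllowedInstanceIds = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\PLACEHOLDERSERIAL0001&0'
)

# Hypothetical helper: inventory the USB device nodes that are present right now.
function Get-UsbDeviceInventory {
    param([string[]]$Allowed = @())

    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                Class        = $_.Class
                InstanceId   = $_.InstanceId
                HardwareIds  = ($_.HardwareID -join '; ')
                # -contains compares strings case-insensitively by default
                OnAllowList  = $Allowed -contains $_.InstanceId
            }
        }
}

$inventory = Get-UsbDeviceInventory -Allowed $AllowedInstanceIds

# Full inventory: copy the InstanceId of the drive you want to allow from here.
$inventory | Sort-Object Class, InstanceId | Format-List

# Present USB devices whose instance ID is not on your list.
$notListed = @($inventory | Where-Object { -not $_.OnAllowList })
"{0} present USB device(s) are not on the allow list" -f $notListed.Count
$notListed | Select-Object FriendlyName, InstanceId | Format-Table -AutoSize
```

Run it once with each flash drive plugged in and compare the InstanceId values to see what distinguishes one drive from another.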
This new capability for more granular device control in Windows 10 is bound to be useful in certain kinds of government or corporate environments where high security must be maintained. Remember that USB flash drives are a major attack vector for introducing malware into Windows machines. But they’re also a huge convenience when it comes to needing to quickly transfer files between unconnected machines or save copies of files so you can take them home to work on them. Balancing security against convenience is always tricky, but with Windows 10 version 1909 organizations now have one additional tool in their arsenal that allows users to use certain designated USB flash drives with their machines while blocking the use of all other flash drives — including those that are visibly identical to the ones you’ve allowed.
Just make sure you label your allowed ones properly so they don’t get lost in a drawer full of similar ones.