deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'device-control-intune' of https://cpubwin.visualstudio.com/it-client/_git/it-client into device-control-intune

Browse Source
This commit is contained in:
Justin Hall
2018-12-13 15:53:33 -08:00
parent 9c27c97215 4aec628449
commit b15acd195a
2 changed files with 6 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/01/2018
ms.date: 12/14/2018
---
# Policy CSP - DeviceInstallation
@ -86,11 +86,8 @@ If you enable this policy setting, Windows is allowed to install or update any d
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
![Hardware IDs](images/hardware-ids.png)
<!--/Description-->
> [!TIP]
@ -200,11 +197,8 @@ This setting allows device installation based on the serial number of a removabl
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
![Class GUIDs](images/class-guids.png)
<!--/Description-->
> [!TIP]
@ -461,15 +455,7 @@ If you enable this policy setting, Windows is prevented from installing a device
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
You can get the hardware ID in Device Manager. For example, USB drives are listed under Disk drives:
![Disk drives](images/device-manager-disk-drives.png)
Right-click the name of the device, click **Properties** > **Details** and select **Hardware Ids** as the **Property**:
![Hardware IDs](images/disk-drive-hardware-id.png)
Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
<!--/Description-->
> [!TIP]
@ -564,12 +550,7 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
![Class GUIDs](images/class-guids.png)
Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
<!--/Description-->
> [!TIP]

4
windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
View File

@ -47,7 +47,7 @@ For more information about controlling USB devices, see the [Microsoft Secure bl
| Control | Description |
|----------|-------------|
| [Block installation and usage of removable USB storage](#block-installation-and-usage-of-removable-USB-storage) | Users cannot install and cannot use removable USB storage |
| [Block installation and usage of removable USB storage](#block-installation-and-usage-of-removable-USB-storage) | Users can't install or use removable USB storage |
| [Only allow installation and usage of specifically approved USB peripherals](#only-allow-installation-and-usage-of-specifically-approved-usb-peripherals) | Users can only install and use approved peripherals that report specific USB properties in their firmware |
| [Prevent installation of specifically prohibited USB peripherals](#prevent-installation-of-specifically-prohibited-usb-peripherals) | Users can't install or use prohibited peripherals that report specific USB properties in their firmware |
@ -86,8 +86,6 @@ Windows Defender ATP also allows installation and usage of only specifically app
![Custom profile](images/custom-profile-prevent-device-ids.png)
Instead of recommending a particular device ID to select, I would recommend we point the reader to the documentation on hardware identity . That has information about how the identities work overall and link to the common identifier structures (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). From there they can make an educated choice. One suggestion we can put, is to ensure to test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. In testing, ideally various instances of the hardware should be used (i.e. two USB keys rather than only one example).
Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).