Prevent installation of devices that match any of these device IDs

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. Because a compatible ID is shared by every device of that type, a generic compatible ID in the list blocks all such devices rather than one model. If you enable this policy setting on a Remote Desktop server, the policy setting affects redirection of the specified devices from a Remote Desktop client to the Remote Desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

Allow installation of devices that match any of these device IDs

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the “Prevent installation of devices not described by other policy settings” policy setting is enabled; without it, devices not on any list are installable anyway. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the “Prevent installation of devices that match any of these device IDs” policy setting, the “Prevent installation of devices for these device classes” policy setting, or the “Prevent installation of removable devices” policy setting). If you enable this policy setting on a Remote Desktop server, the policy setting affects redirection of the specified devices from a Remote Desktop client to the Remote Desktop server. If you disable or do not configure this policy setting and no other policy setting describes the device, the “Prevent installation of devices not described by other policy settings” policy setting determines whether the device can be installed.

Prevent installation of devices using drivers that match these device setup classes

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a Remote Desktop server, the policy setting affects redirection of the specified devices from a Remote Desktop client to the Remote Desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

Allow administrators to override Device Installation Restriction policies

This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device, so the Prevent lists above no longer bind an interactive administrator. If you enable this policy setting on a Remote Desktop server, the policy setting affects redirection of the specified devices from a Remote Desktop client to the Remote Desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
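The PowerShell below is an added example and is not part of this policy reference or of Windows itself. It first collects the identifiers a device presents to Plug and Play (the hardware IDs, compatible IDs and setup class GUID that the four settings above match against), then models how those settings combine for that device, following the precedence stated in their descriptions: the administrator override wins outright, a Prevent match by device ID or setup class beats every Allow entry, an Allow-by-ID match is honoured next, and “Prevent installation of devices not described by other policy settings” decides the remainder. The function names, the sample USB flash drive and the policy lists are constructed for the demonstration; the DEVPKEY_* names are the standard PnP device property keys and Get-PnpDeviceProperty needs Windows 8 / Server 2012 or later.

```powershell
# Added example: gather PnP identifiers for a device and evaluate the
# Allow/Prevent device-installation settings against them.

function Get-DeviceInstallIdentifiers {
    param([Parameter(Mandatory)][string]$InstanceId)
    $keys = [ordered]@{
        HardwareIds   = 'DEVPKEY_Device_HardwareIds'
        CompatibleIds = 'DEVPKEY_Device_CompatibleIds'
        ClassGuid     = 'DEVPKEY_Device_ClassGuid'
    }
    $result = [ordered]@{ InstanceId = $InstanceId }
    foreach ($name in $keys.Keys) {
        $prop = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $keys[$name] -ErrorAction SilentlyContinue
        $result[$name] = if ($prop -and $null -ne $prop.Data) { @($prop.Data) } else { @() }
    }
    [pscustomobject]$result
}

function ConvertTo-GuidList {
    # Normalise '{...}' / bare / System.Guid forms so list comparison is exact.
    param([object[]]$Values)
    @($Values | Where-Object { $_ } | ForEach-Object { ([guid]$_).ToString('B') })
}

function Test-DeviceInstallPolicy {
    param(
        [Parameter(Mandatory)]$Device,          # object shaped like Get-DeviceInstallIdentifiers output
        [string[]]$DenyDeviceIds  = @(),        # "Prevent ... match any of these device IDs"
        [string[]]$AllowDeviceIds = @(),        # "Allow ... match any of these device IDs"
        [string[]]$DenyClassGuids = @(),        # "Prevent ... match these device setup classes"
        [switch]$DenyUnspecified,               # "Prevent installation of devices not described ..."
        [switch]$AllowAdminOverride,            # "Allow administrators to override ..."
        [switch]$AdminUsingWizard               # caller is an Administrator in the Add Hardware/Update Driver wizard
    )
    if ($AllowAdminOverride -and $AdminUsingWizard) {
        return 'Allowed: Administrators override applies regardless of the other settings'
    }
    # -in is case-insensitive, matching how PnP compares IDs.
    $ids = @($Device.HardwareIds) + @($Device.CompatibleIds)
    $denyHit = $ids | Where-Object { $_ -in $DenyDeviceIds } | Select-Object -First 1
    if ($denyHit) { return "Blocked: device ID '$denyHit' is in the Prevent list" }
    $deniedClasses = ConvertTo-GuidList $DenyClassGuids
    $classHit = ConvertTo-GuidList $Device.ClassGuid | Where-Object { $_ -in $deniedClasses } | Select-Object -First 1
    if ($classHit) { return "Blocked: setup class $classHit is in the Prevent list" }
    $allowHit = $ids | Where-Object { $_ -in $AllowDeviceIds } | Select-Object -First 1
    if ($allowHit) { return "Allowed: device ID '$allowHit' is in the Allow list" }
    if ($DenyUnspecified) { return 'Blocked: not described by any list and DenyUnspecified is enabled' }
    return 'Allowed: no policy setting describes this device'
}

# Constructed sample: a USB flash drive as Plug and Play reports it (IDs are illustrative).
$usbStick = [pscustomobject]@{
    InstanceId    = 'USB\VID_0781&PID_5583\4C530001234567890123'
    HardwareIds   = @('USB\VID_0781&PID_5583&REV_0100', 'USB\VID_0781&PID_5583')
    CompatibleIds = @('USB\Class_08&SubClass_06&Prot_50', 'USB\Class_08&SubClass_06', 'USB\Class_08')
    ClassGuid     = @('{36fc9e60-c465-11cf-8056-444553540000}')   # USB setup class
}

# Allow this vendor's stick by hardware ID but deny the generic USB mass-storage
# compatible ID: the Prevent entry wins, so the Allow entry has no effect.
$policy = @{
    AllowDeviceIds  = @('USB\VID_0781&PID_5583')
    DenyDeviceIds   = @('USB\Class_08&SubClass_06')
    DenyUnspecified = $true
}
Test-DeviceInstallPolicy -Device $usbStick @policy
# Same lists, but an administrator in the Update Driver wizard with the override enabled.
Test-DeviceInstallPolicy -Device $usbStick @policy -AllowAdminOverride -AdminUsingWizard

# For a live device, feed its identifiers in instead of the sample:
# Get-PnpDevice -Class USB | Select-Object -First 1 |
#     ForEach-Object { Test-DeviceInstallPolicy -Device (Get-DeviceInstallIdentifiers -InstanceId $_.InstanceId) @policy }
```

Run the first evaluation and the output is a Prevent-list block on USB\Class_08&SubClass_06; the second returns the administrator override. On a client the lists written by the Group Policy editor live under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (DenyDeviceIDs, AllowDeviceIDs, DenyDeviceClasses, DenyUnspecified, AllowAdminInstall), each as a DWORD plus a subkey of the same name holding the entries as numbered string values, so the same evaluator can be fed what gpupdate actually applied.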

Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point

This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create one. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.

Prioritize all digitally signed drivers equally during the driver ranking and selection process

This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked against drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardless of this policy setting, a signed driver is still preferred over a driver that is not signed at all. If you enable or do not configure this policy setting, drivers signed by a Microsoft Windows Publisher certificate and drivers signed by other Authenticode certificates are prioritized equally during driver selection, and selection is based on other criteria such as version number or when the driver was created. If you disable this policy setting, drivers signed by a Microsoft Windows Publisher certificate are selected for installation over drivers signed by other Authenticode certificates.

Require trusted path for credential entry

This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other malicious code from stealing the user’s Windows credentials. Note: This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. If you disable or do not configure this policy setting, users enter Windows credentials within the user’s desktop session, potentially allowing malicious code running in that session to access the user’s Windows credentials.

Enumerate administrator accounts on elevation

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC are displayed so the user can choose one and enter the correct password, which also discloses the names of those accounts to any standard user. If you disable this policy setting, users are always required to type a user name and password to elevate.

Deny delegating saved credentials

This policy setting applies to applications using the CredSSP component (for example, Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user’s saved credentials cannot be delegated (saved credentials are those that you elect to save or remember using the Windows Credential Manager). If you disable or do not configure this policy setting (the default), it does not specify any server.

Note: The “Deny delegating saved credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user’s credentials cannot be delegated. A single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com: the Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/*: Remote Desktop Session Hosts running on all machines
TERMSRV/*.humanresources.fabrikam.com: Remote Desktop Session Hosts running on all machines in .humanresources.fabrikam.com

This policy setting can be used in combination with the “Allow delegating saved credentials” policy setting to define exceptions for specific servers that are otherwise permitted when wildcard characters are used in the “Allow delegating saved credentials” server list.

Deny delegating fresh credentials

This policy setting applies to applications using the CredSSP component (for example, Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user’s fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when running the application). If you disable or do not configure this policy setting (the default), it does not specify any server.

Note: The “Deny delegating fresh credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user’s credentials cannot be delegated. A single wildcard character is permitted when specifying the SPN. For example:

TERMSRV/host.humanresources.fabrikam.com: the Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/*: Remote Desktop Session Hosts running on all machines
TERMSRV/*.humanresources.fabrikam.com: Remote Desktop Session Hosts running on all machines in .humanresources.fabrikam.com

This policy setting can be used in combination with the “Allow delegating fresh credentials” policy setting to define exceptions for specific servers that are otherwise permitted when wildcard characters are used in the “Allow delegating fresh credentials” server list.
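The PowerShell below is an added example covering both the “Deny delegating saved credentials” and “Deny delegating fresh credentials” settings; it is not part of this policy reference or of CredSSP itself. It models how a Deny list combines with the corresponding Allow list: an SPN entry matches a target exactly or through its single “*” wildcard, a Deny match is checked first, and so a Deny entry carves one host out of a subdomain that an Allow wildcard grants. The closing loop reads back the lists the Group Policy editor stores on the client under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, where each setting is a DWORD plus a subkey of the same name holding the SPNs as numbered string values. The function names and the jump01 host are constructed for the demonstration; the fabrikam.com names are the ones used in the policy text above.

```powershell
# Added example: evaluate CredSSP Allow/Deny delegation lists for a target SPN.

function ConvertTo-SpnRegex {
    param([Parameter(Mandatory)][string]$Pattern)
    # Escape every regex metacharacter, then turn the one permitted '*' into '.*'.
    '^' + ([regex]::Escape($Pattern) -replace '\\\*', '.*') + '$'
}

function Test-SpnMatch {
    # Returns the first list entry that matches the SPN, or $null.
    param([string]$Spn, [string[]]$Patterns)
    foreach ($p in $Patterns) {
        if ($Spn -match (ConvertTo-SpnRegex $p)) { return $p }   # -match is case-insensitive
    }
    return $null
}

function Test-CredSspDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetSpn,   # e.g. TERMSRV/host.humanresources.fabrikam.com
        [string[]]$Allow = @(),                     # effective "Allow delegating ... credentials" list
        [string[]]$Deny  = @()                      # "Deny delegating ... credentials" list
    )
    $denied = Test-SpnMatch -Spn $TargetSpn -Patterns $Deny
    if ($denied) { return "Denied: matches Deny entry '$denied'" }
    $allowed = Test-SpnMatch -Spn $TargetSpn -Patterns $Allow
    if ($allowed) { return "Delegated: matches Allow entry '$allowed'" }
    return 'Not delegated: no Allow entry matches the target'
}

# Allow every Remote Desktop Session Host in the HR subdomain, but carve out one host.
$allow = @('TERMSRV/*.humanresources.fabrikam.com')
$deny  = @('TERMSRV/jump01.humanresources.fabrikam.com')   # jump01 is a constructed name
Test-CredSspDelegation -TargetSpn 'TERMSRV/host.humanresources.fabrikam.com'   -Allow $allow -Deny $deny
Test-CredSspDelegation -TargetSpn 'TERMSRV/jump01.humanresources.fabrikam.com' -Allow $allow -Deny $deny
Test-CredSspDelegation -TargetSpn 'TERMSRV/dc01.corp.fabrikam.com'             -Allow $allow -Deny $deny

# Read back what the policy actually wrote on this client (nothing is printed for unconfigured settings).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
foreach ($name in 'AllowSavedCredentials', 'DenySavedCredentials', 'AllowFreshCredentials', 'DenyFreshCredentials') {
    $list = Get-ItemProperty -Path (Join-Path $base $name) -ErrorAction SilentlyContinue
    if ($list) {
        $entries = $list.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
        '{0}: {1}' -f $name, ($entries -join ', ')
    }
}
```

The three evaluations return a delegation for host, a denial for jump01 and no delegation for the domain controller outside the subdomain. Feeding the read-back entries into -Allow and -Deny lets you check a planned exception against the lists gpupdate really applied rather than the ones you believe are in the GPO.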