Since my Upgrade to Windows 10 Pro (from Windows 7 Pro) the following message appears (in the right bottom corner) when connecting new devices:
The installation of this device is forbidden by system policy. Please contact your system administrator.
Edit:
This happens with absolutely any device: USB stick, docking station, mouse, Windows phone, ...
Thus automatic driver installation does not work. Manual installation works. I want automatic installation to work as this is annoying, especially if you connect the
notebook to a docking station and have to install a gazillion drivers one by one...
The System is in a domain.
Edit: The AD is running on a Windows 2012 R2 Essentials machine. This server is the only Windows server in the domain (and in the whole local network).
My Account has local admin rights.
Edit: I am also the domain admin.
The group policies under
Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions
are not configured anymore.
They used to be configured under Windows 7 as I had to prevent the update of a graphics card driver.
The settings under
System Properties -> Hardware -> Device Installation Settings
are also set to
"Yes, do this automatically"
The problem occurs without virus scanner, too. After the upgrade Avira Antivir Pro had been removed from the system, but the problem still occured.
gpresult /R shows no used group policies (sorry, German output):
RSOP-Daten für abc\foo auf bar: Protokollmodus
--------------------------------------------------------
Betriebssystemkonfiguration: Mitglied der Domäne/Arbeitsgruppe
Betriebssystemversion: 10.0.10586 Standortname: Nicht zutreffend
Roamingprofil:Nicht zutreffend Lokales Profil: C:\Users\foo Langsame
Verbindung? Nein
BENUTZEREINSTELLUNGEN
----------------------
Letzte Gruppenrichtlinienanwendung: 13.07.2016, um 13:12:59
Gruppenrichtlinieanwendung von: gnarl.abc.local Schwellenwert für
langsame Verbindung:500 kbps Domänenname: abc Domänentyp: WindowsNT 4
Angewendete Gruppenrichtlinienobjekte
--------------------------------------
Nicht zutreffend
Folgende herausgefilterte Gruppenrichtlinien werden nicht angewendet.
----------------------------------------------------------------------
Richtlinien der lokalen Gruppe Filterung: Nicht angewendet (Leer)
Der Benutzer ist Mitglied der folgenden Sicherheitsgruppen
----------------------------------------------------------
Jeder Administratoren
Leistungsprotokollbenutzer
Benutzer
INTERAKTIV
KONSOLENANMELDUNG
Authentifizierte Benutzer
Diese Organisation
LOKAL
Von der Authentifizierungsstelle bestätigte ID
Hohe Verbindlichkeitsstufe
Edit:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows shows the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\BITS
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EnhancedStorageDevices
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WSDAPI
What could be the problem? What can I try?
Answer
There is a chance that registry keys of the policy still remain in the registry. Open regedit
as an admin, and go to:
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall
If you see DeviceInstall
folder, delete it (it's safe, because it's not there by default). Now, restart your computer and see if the problem still persists.
Update:
Windows shows a default behavior in each case. In our example, it's driver installation. By default, windows applies no restrictions to installation of legitimate drivers, so configuring the group policy to NOT restrict the driver installation makes no difference. But, in this case, and I have no idea why on the earth, windows default behavior has changed to restrict driver installation, which means not configuring group policy, no longer means no restriction. So, there are 2 ways to fix this:
Group policy: Set Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices not described by other policy settings
to Disabled
Registry: This is the manual way, that does the exact same as above, but doesn't show up in group policy. However, changing the group policy later, will change this value. Open regedit
as admin and go to:
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
If you don't find DeviceInstall
create it, and also create Restrictions
as it's sub-folder (to correspond the registry key above). Now, add this registry key here and restart:
Key Name: DenyUnspecified
Key Type: REG_DWORD
Key Value: 0
No comments:
Post a Comment