Using GP Preferences to block any device

First of all, as I sit here typing this email it's snowing… which is still a complete novelty to me, being from a hot place like Australia. Here's the view from my office window. Being March, it's not supposed to still be snowing, though I love it anyway… till I try to drive home tonight…

Anyhow, what you really wanted to know was how to block stuff using GPP. Using GPP you can essentially block any device class on Vista or Windows XP, with the catch that the device must be present on the machine you are editing the policy on!

The GPEdit tool looks at what devices you have on your machine as a model for what to block. So what happens if you don't have that exact device or device class on your machine?

Here are two options to try (note: I haven't tried either of these):

  • Install Vista SP1 and RSAT and create the device block policy from there. Use targeting to target Vista or XP.

Or….

  1. Create the GPP on the Vista SP1 RSAT workstation and get it as close to the class as you can.
  2. Save the policy.
  3. Go to the Vista or XP workstation that has the device class IDs that you want and obtain the correct labels, device classes and GUIDs.
  4. Go into the policy object in SYSVOL, edit the devices.xml file that you saved with the policy in Step 2, and insert the correct classes and labels.
  5. Target the modified policy to XP.

Here's what the XML looks something like:

<?xml version="1.0" encoding="utf-8" ?>
<Devices clsid="{4DD26924-3F32-47aa-BF33-36D51BD1E54E}">
  <Device clsid="{2E1C95D0-85FB-403a-A57C-A508854FB7C8}" name="Communications Port (COM1)" image="1" changed="2009-02-13 19:18:51" uid="{B5D25964-D8D3-4412-8C80-59B0AF51A6B0}">
    <!-- When editing by hand, an ampersand inside a label has to be written as the amp entity, as in deviceClass below -->
    <Properties deviceAction="DISABLE" deviceClass="[0eOB7][Ports (COM &amp; LPT) !!! ]" deviceType="Communications Port (COM1)" deviceClassGUID="{4D36E978-E325-11CE-BFC1-08002BE10318}" deviceTypeID="ACPI\PNP0501\1" />
  </Device>
</Devices>

As I mentioned, I haven't tried this out, though if it works for you please let me know!

Disclaimer: You do this at your own risk. Neither I nor Microsoft makes any warranties about this suggestion. If it works for you, great, though it's unsupported…
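
The devices.xml edit described in the steps above, as an added Python example (not part of the original post and not a Microsoft tool): it rewrites one Device entry and lets the XML serializer escape characters such as & in labels, which a hand edit can easily get wrong. The function name, the replacement label, GUID and hardware ID are placeholders, and updating the Device name attribute alongside deviceType is an assumption based on the sample above.

```python
import re
import xml.etree.ElementTree as ET

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed input: the devices.xml from this post, with '&' escaped as XML requires.
SAVED_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Devices clsid="{4DD26924-3F32-47aa-BF33-36D51BD1E54E}">
  <Device clsid="{2E1C95D0-85FB-403a-A57C-A508854FB7C8}" name="Communications Port (COM1)" image="1" changed="2009-02-13 19:18:51" uid="{B5D25964-D8D3-4412-8C80-59B0AF51A6B0}">
    <Properties deviceAction="DISABLE" deviceClass="[0eOB7][Ports (COM &amp; LPT) !!! ]" deviceType="Communications Port (COM1)" deviceClassGUID="{4D36E978-E325-11CE-BFC1-08002BE10318}" deviceTypeID="ACPI\PNP0501\1" />
  </Device>
</Devices>"""


def retarget_device(xml_text, uid, class_label, class_guid, type_label, type_id):
    """Point the <Device> entry with this uid at a different device.

    Raises ET.ParseError if xml_text is not well-formed (for example a raw '&'
    in a label) and ValueError for a malformed GUID or an unknown uid.
    """
    if not GUID_RE.match(class_guid):
        raise ValueError("deviceClassGUID must look like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}")
    root = ET.fromstring(xml_text)
    for dev in root.iter("Device"):
        if dev.get("uid") == uid:
            props = dev.find("Properties")
            if props is None:
                raise ValueError("Device entry has no <Properties> element")
            dev.set("name", type_label)  # assumption: name mirrors deviceType, as in the sample
            props.set("deviceClass", class_label)
            props.set("deviceClassGUID", class_guid)
            props.set("deviceType", type_label)
            props.set("deviceTypeID", type_id)
            # The serializer escapes '&' as '&amp;', so labels are passed in unescaped.
            return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")
    raise ValueError("no <Device> with uid " + uid)


if __name__ == "__main__":
    # All values below are placeholders; take the real ones from the target workstation.
    print(retarget_device(
        SAVED_XML, "{B5D25964-D8D3-4412-8C80-59B0AF51A6B0}",
        class_label="Example class (A & B)",
        class_guid="{11111111-2222-3333-4444-555555555555}",
        type_label="Example device",
        type_id=r"EXAMPLE\DEVICE\0",
    ))
```

Run it against a copy of the saved devices.xml and confirm the result still parses before putting it back into the policy object.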