Control device installation using GPO

In this course, you’ll be learning about device drivers and following along to some screen captures that walk you through some of the processes you’ll be taking when managing your own devices.


Sean: In the previous video, we looked at device management and we looked at the concept of drivers for devices, updating drivers, rolling back drivers and also checking out our drivers with sign. What we're gonna do in this video is we are going to control devices by genre, using a group policy. So, let's go to my device manager where we updated the display adapter before. We'll have a look at the display adapter and what we'll see is, there is a tab called details and it says device description, Microsoft Hyper-V Video. What we really want to look at is a couple of things here. We want to have a look at something called the device class called display and the device class GUID, so that's a Globally Unique Identifier, which is the identifier for the display, and I'm gonna copy that.

Now, what you need to understand about the class and the GUID, is it's not this specific device, it's not even this manufacturer's device. The display, the class display, encompasses all display adapters, just like if I went to, for example, the keyboard. So, if I went to my keyboard and did exactly the same thing, I would go to my details, I would see there's a device class, keyboard, and the GUID. And that GUID is relevant for all keyboards, be them an internal keyboard on the laptop, an external one that you plug in via USB or even a wireless keyboard. It doesn't matter who manufactured it, either. So, everything, again one more example for you here, if I go into this PC, have a look at my hard drive, look at its properties, I have, for my hardware, I can see I've got my virtual hard disc which is a disc drive, a virtual DVD which is a DVD. Let's click the disc drive, look at its properties, there's the details tab, there is the device class, disc drive, and there is the GUID.

So, what we can take away from this is that every device, be it an internal in-built device, be it something you plugged in, be it from the same manufacturer or from a different manufacturer, every device has a class, or what I would call a genre, and a class GUID. And we can use those GUIDs to control what devices you can or can't install. Now, I'm gonna do all of this on the local machine, but you would do this in a domain policy, normally. So, I'm gonna type in 'gpedit.msc' to bring up my local group policy. And if I expand my local group policy, and I go into the computer configuration Admin Templates, go into System, I have a folder called Device Installation. And you can see in the Device Installation, there are some various options. We're gonna concentrate on one called Device Installation Restrictions and I'm going to look at this in two ways. We're gonna have, 'You can install any device you want unless I say no,' or we can have, 'You can't install any device unless I say yes.'

So, let's start with allow installation of devices that match a specific class. So, if I enable this, you'll notice I can click show and then I will be able to paste in the GUID of my display adapter. And if I apply that, what we have is, 'Allow installation devices using drivers that match this class.' So, effectively, we are only allowing installation of drivers that match this class if we combine with this one here, which is a rule that says, 'Prevent installation devices not described by other policy settings.' So, the two of these combined effectively say you cannot install any genre of device except for the genre that I have allowed. And this will be very, very useful, because you might want, for example, your users to install a printer, but you don't want them to attach an external hard drive. So, that is, 'No, unless I say yes.'

Another way that we could do that, and so what we'll do is we'll quickly put these back to not configured, is we can do this one that says, 'Prevent installation of device drivers that match a specific class.' I click enabled, I drop that in and we select apply. Now, just before I select apply, this is, 'You can install any genre of device except for this genre here.' Before I click apply, there's a little button here that says, 'Also apply to matching devices that are already installed.' So, these group policies are all about installing devices, they do not affect devices that are already installed. So, if I said, 'You can't install any devices except for these,' it's all about future devices that you install. So, I might say, if I said here, 'Also apply to matching devices that are already installed,' then I'm effectively, not only am I going to stop you installing new video adapter drivers, I'll also stop this one working, which of course will break Windows. Same with a hard drive, so if I put the genre disc drive in there and put the GUID and said, 'Apply this to devices that are already installed,' I would simply stop the internal hard drive working, so be very, very careful if you're gonna check that box. Click okay and now you can see we have got this configured to allow all installation except for this. 

So, in this video, we have talked about devices being in genres and every genre having a unique GUID, which stands for a globally unique identifier. We can use group policy to control installation via GUID and we can either say, 'No, you can't install anything unless I say yes,' or, 'Yes, you can install anything unless I say no.' Finally, we would put this in a domain GPO and apply it to all Windows 10 devices.
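
The following PowerShell is an added example, not part of the course or of the transcript above: a read-only audit that reports which of the two modes described in the video is in effect on a machine and lists the installed devices whose class is on the deny list, which is the check to run before ticking 'Also apply to matching devices that are already installed.' It assumes the settings are stored under the `DeviceInstall\Restrictions` policy registry key with the value names shown, and that the `Get-PnpDevice` cmdlet (Windows 10) is available.

```powershell
# Added example: read-only audit of Device Installation Restrictions on this machine.
# Assumption: the policy settings are stored under the policy registry key below.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag([string]$Name) {
    # DWORD switch for a setting; 0 when the setting is "Not configured".
    $p = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.$Name
}

function Get-PolicyGuidList([string]$SubKey) {
    # GUIDs pasted into the "Show" dialog are kept as numbered string values in a subkey.
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item -Path $path
    return @($key.GetValueNames() | ForEach-Object { ([string]$key.GetValue($_)).Trim() })
}

$allowOn     = Get-PolicyFlag 'AllowDeviceClasses'            # allow classes in the list
$denyOn      = Get-PolicyFlag 'DenyDeviceClasses'             # prevent classes in the list
$unspecified = Get-PolicyFlag 'DenyUnspecified'               # prevent anything not described
$retroactive = Get-PolicyFlag 'DenyDeviceClassesRetroactive'  # "also apply to ... already installed"
$allow = @(Get-PolicyGuidList 'AllowDeviceClasses')
$deny  = @(Get-PolicyGuidList 'DenyDeviceClasses')

$mode = if ($unspecified -and $allowOn) { 'No, unless I say yes (allow list)' } elseif ($denyOn) {
    'Yes, unless I say no (deny list)' } else { 'Not configured' }

[pscustomobject]@{
    Mode           = $mode
    AllowedClasses = $allow -join ', '
    DeniedClasses  = $deny -join ', '
    Retroactive    = [bool]$retroactive
} | Format-List

if ($deny.Count -gt 0) {
    # Installed devices whose class GUID is on the deny list. With the retroactive
    # setting on, these are the devices that stop working (display, disk drive, ...).
    $impact = if ($retroactive) { 'Affected: retroactive setting is on' }
              else { 'Would be affected if retroactive were enabled' }
    Get-PnpDevice -PresentOnly |
        Where-Object { $deny -contains $_.ClassGuid } |
        Select-Object Class, FriendlyName, ClassGuid, @{ n = 'Impact'; e = { $impact } } |
        Format-Table -AutoSize
}
```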
